<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: NaoyukiFujita</title>
    <description>The latest articles on DEV Community by NaoyukiFujita (@naoyukifujita).</description>
    <link>https://dev.to/naoyukifujita</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3849443%2F51572429-c499-4e0e-98cd-1def6f017635.jpg</url>
      <title>DEV Community: NaoyukiFujita</title>
      <link>https://dev.to/naoyukifujita</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/naoyukifujita"/>
    <language>en</language>
    <item>
      <title>Let's try threat modeling with AWS Security Agent.</title>
      <dc:creator>NaoyukiFujita</dc:creator>
      <pubDate>Mon, 22 Jun 2026 13:10:49 +0000</pubDate>
      <link>https://dev.to/aws-builders/lets-try-threat-modeling-with-aws-security-agent-3fcp</link>
      <guid>https://dev.to/aws-builders/lets-try-threat-modeling-with-aws-security-agent-3fcp</guid>
      <description>&lt;h1&gt;
  
  
  Introduction
&lt;/h1&gt;

&lt;p&gt;This article is an English translation of the following article.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://qiita.com/amarelo_n24/items/997a8fb958e14291ce94" rel="noopener noreferrer"&gt;https://qiita.com/amarelo_n24/items/997a8fb958e14291ce94&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;At the AWS Summit New York City on June 17, 2026, the public preview of the AWS Security Agent threat modeling feature was announced.&lt;/p&gt;

&lt;p&gt;Having previously conducted a code review, I wanted to try out various aspects of the threat modeling feature during its public preview, and so I did.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-security-agent-threat-modeling/" rel="noopener noreferrer"&gt;https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-security-agent-threat-modeling/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/jp/blogs/aws/aws-security-agent-adds-threat-modeling-kiro-power-and-claude-code-plugin-and-more/" rel="noopener noreferrer"&gt;https://aws.amazon.com/jp/blogs/aws/aws-security-agent-adds-threat-modeling-kiro-power-and-claude-code-plugin-and-more/&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This article represents the author's personal views. As it is based on personal testing, please use it only as a reference.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1&gt;
  
  
  What is Threat Modeling?
&lt;/h1&gt;

&lt;p&gt;Let's start by explaining what "threat modeling" is.&lt;/p&gt;

&lt;p&gt;Threat modeling is a series of activities aimed at improving security by identifying threats and defining measures to prevent or mitigate their impact on a system.&lt;/p&gt;

&lt;p&gt;*Quoted from the OWASP website&lt;br&gt;
&lt;a href="https://owasp.org/www-community/Threat_Modeling" rel="noopener noreferrer"&gt;https://owasp.org/www-community/Threat_Modeling&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  About AWS Security Agent Threat Modeling
&lt;/h1&gt;

&lt;p&gt;This feature identifies threats and suggests recommended countermeasures using the STRIDE framework, based on an overview of the application architecture from design documents or application source code.&lt;/p&gt;

&lt;p&gt;SEC01-BP07 of the AWS Well-Architected Framework's security pillar describes identifying threats using threat models. I believe the Security Agent threat modeling feature was released to assist in building according to the Well-Architected Framework.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/ja_jp/wellarchitected/latest/security-pillar/sec_securely_operate_threat_model.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/ja_jp/wellarchitected/latest/security-pillar/sec_securely_operate_threat_model.html&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What is STRIDE?
&lt;/h2&gt;

&lt;p&gt;The following is an acronym for major threats. It is one of the threat modeling analysis methods that analyzes threats from these perspectives.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Category&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;S&lt;/strong&gt;poofing&lt;/td&gt;
&lt;td&gt;Impersonation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;T&lt;/strong&gt;ampering&lt;/td&gt;
&lt;td&gt;Tampering&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;R&lt;/strong&gt;epudiation&lt;/td&gt;
&lt;td&gt;Denial&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;I&lt;/strong&gt;nformation disclosure&lt;/td&gt;
&lt;td&gt;Information disclosure&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;D&lt;/strong&gt;enial of service&lt;/td&gt;
&lt;td&gt;Denial of service&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;strong&gt;E&lt;/strong&gt;levation of privilege&lt;/td&gt;
&lt;td&gt;Privilege escalation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;a href="https://learn.microsoft.com/ja-jp/azure/security/develop/threat-modeling-tool-threats#stride-model" rel="noopener noreferrer"&gt;https://learn.microsoft.com/ja-jp/azure/security/develop/threat-modeling-tool-threats#stride-model&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Trying out threat modeling
&lt;/h1&gt;

&lt;p&gt;Let's try out the AWS Security Agent threat model.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;When starting the Security Agent for the first time, you need to create an agent space. Instructions for creating an agent space are described in a previous article from a code review.&lt;br&gt;
&lt;a href="https://dev.to/aws-builders/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk"&gt;https://dev.to/aws-builders/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;① Open the Security Agent screen.&lt;br&gt;
② Click "Start with web app".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F35jcvzu7qla38m8dgcel.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F35jcvzu7qla38m8dgcel.png" alt=" " width="800" height="136"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;③ Click "Create threat model".&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F631wdamd5xbamuktkoid.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F631wdamd5xbamuktkoid.png" alt=" " width="800" height="161"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ Select the repository where you want to run the threat model, the functional specification (design document, etc.), the service role to grant access to, and the CloudWatch log group, then create the threat model.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fai4yiufplg0cbutqni79.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fai4yiufplg0cbutqni79.png" alt=" " width="800" height="560"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑤ Click "Start Running" to begin running the threat model.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fm50d9kl7qd4jt0rrbrgh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fm50d9kl7qd4jt0rrbrgh.png" alt=" " width="798" height="208"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;*You can also view the processing details of the threat model while it's running.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9a29wiygz4xw7zu166vf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9a29wiygz4xw7zu166vf.png" alt=" " width="800" height="496"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑥ When the status changes to "Completed," the threat model execution is finished. This time it took about an hour.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa2xappmcvmeawcc5yn49.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa2xappmcvmeawcc5yn49.png" alt=" " width="800" height="300"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Checking Threat Model Execution Results and Outputting Reports
&lt;/h1&gt;

&lt;p&gt;Clicking on a completed threat model allows you to view the total detection results, threats by category, and analysis results for the target web application.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9wi98eq4u0raxy3i7hh5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9wi98eq4u0raxy3i7hh5.png" alt=" " width="799" height="429"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Clicking the "Threat" tag allows you to view details of the detected threats.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffp4wy7kc5vuqsy54e6zi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffp4wy7kc5vuqsy54e6zi.png" alt=" " width="800" height="485"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Clicking "Generate Report" in the upper right corner of the screen will generate a PDF report. This allows you to share information with people who cannot access the Security Agent.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fz8pz19uuuy09wy9zq1k6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fz8pz19uuuy09wy9zq1k6.png" alt=" " width="663" height="586"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fms5kg3ra5hrd73pgm69f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fms5kg3ra5hrd73pgm69f.png" alt=" " width="717" height="845"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;I ran it in the Tokyo region, but the execution result screen and report were in English. I hope for Japanese language support in future updates.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1&gt;
  
  
  (Question) Does it not detect web applications created for vulnerability assessment tool verification?
&lt;/h1&gt;

&lt;p&gt;While not exactly a major setback, we encountered a case where the threat model failed to identify (or could not identify) a threat.&lt;/p&gt;

&lt;p&gt;Initially, we ran the threat model on a repository containing a web application created for Security Agent verification (created using a generative AI, but I won't go into detail about which one). However, Security Agent determined that there was no threat.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqeun5qyx6857lsxi7027.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqeun5qyx6857lsxi7027.png" alt=" " width="800" height="403"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Reading the purpose of the execution target analyzed by the Security Agent, there was a description that determined that "the defect is not a bug to be fixed, but rather something to be evaluated"...&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fly8d99qiuqugazb0gu8w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fly8d99qiuqugazb0gu8w.png" alt=" " width="800" height="130"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Possible Cause
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;When instructing the generating AI to create a test application, "Security Agent Because it included the phrase "for operational verification," the repository name suggested a Security Agent PoC (Proof of Concept).&lt;/li&gt;
&lt;li&gt;The README also stated that it was a "site dedicated to security testing."&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;*Part of the README content&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvnnlg12ehq8acuoc6sxe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvnnlg12ehq8acuoc6sxe.png" alt=" " width="800" height="262"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It's possible that the Security Agent learned of this information while running the threat model and determined that there was no problem even if a threat existed. Since these two things haven't been changed and run, this remains speculation, but if traces suggesting it was for security tool verification remain in the repository, it's possible it might be judged as not being a problem.&lt;/p&gt;

&lt;p&gt;After this, the repository was recreated. The instructions for recreating the repository were made without including any instructions such as "for Security Agent operational verification" or "for vulnerability assessment tool testing." We were able to detect threats by running a threat model on that repository.&lt;/p&gt;

&lt;h1&gt;
  
  
  Impressions: Implementing threat modeling solely through human effort is extremely difficult.
&lt;/h1&gt;

&lt;p&gt;As I also realized when conducting code reviews, identifying vulnerabilities and threats solely through human effort is incredibly challenging. There aren't many people with the necessary knowledge, and I realized the enormous resources required to create a secure environment.&lt;/p&gt;

&lt;p&gt;I also realized that effectively using agents like Security Agent to identify vulnerabilities and threats can significantly improve the resolution of the impact on the system.&lt;/p&gt;

&lt;p&gt;However, I don't believe that all the results from the agent are always correct. Depending on the web application's configuration, there may be over-detection, and some low-risk threats may require early intervention. &lt;strong&gt;The final decision on whether to address the results and the final triage of threats absolutely must be made by a human.&lt;/strong&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  In conclusion
&lt;/h1&gt;

&lt;p&gt;Although I was familiar with the term "threat modeling," I hadn't delved deeply into what it entailed or what it could reveal. Therefore, I'm glad I was able to experience a part of it by implementing the Security Agent threat model.&lt;/p&gt;

&lt;p&gt;Since it will likely cost a considerable amount once it becomes generally available (GA), I plan to use Security Agent in the preview version, where there are no costs involved, to learn more about code review and threat modeling. I hope Security Agent will be a good opportunity to make vulnerability assessment and threat modeling more accessible.&lt;/p&gt;

&lt;p&gt;I hope this article is helpful to someone.&lt;/p&gt;

&lt;p&gt;Thank you for reading to the end!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>securityagent</category>
    </item>
    <item>
      <title>I tried out the AWS FinOps Agent as soon as it was released in public preview.</title>
      <dc:creator>NaoyukiFujita</dc:creator>
      <pubDate>Thu, 11 Jun 2026 16:45:58 +0000</pubDate>
      <link>https://dev.to/aws-builders/i-tried-out-the-aws-finops-agent-as-soon-as-it-was-released-in-public-preview-2o9b</link>
      <guid>https://dev.to/aws-builders/i-tried-out-the-aws-finops-agent-as-soon-as-it-was-released-in-public-preview-2o9b</guid>
      <description>&lt;h1&gt;
  
  
  Introduction
&lt;/h1&gt;

&lt;p&gt;This article is an English translation of the article at the following URL, which was originally written in Japanese.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://qiita.com/amarelo_n24/items/9f1457a999510a5714a4" rel="noopener noreferrer"&gt;https://qiita.com/amarelo_n24/items/9f1457a999510a5714a4&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;On June 9, 2026, AWS FinOps Agent was released as a public preview.&lt;/p&gt;

&lt;p&gt;Following the Security Agent and DevOps Agent, another Agent service has been made available.&lt;/p&gt;

&lt;p&gt;I didn't get a chance to try the previous two during their previews, so I told myself &lt;strong&gt;I absolutely have to try FinOps Agent while it's still in preview!&lt;/strong&gt; — and dove right in.&lt;/p&gt;

&lt;p&gt;Here are my findings and impressions!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-finops-agent-preview/" rel="noopener noreferrer"&gt;https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-finops-agent-preview/&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This article reflects the author's personal opinions. The results are based on personal use only, so please treat them as a reference.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; This article was written based on information as of June 11, 2026. At the time of writing, the service is only available in the US East (N. Virginia) region.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h1&gt;
  
  
  What is AWS FinOps Agent?
&lt;/h1&gt;

&lt;p&gt;It is a cutting-edge agent that continuously monitors costs across your cloud environment, investigates anomalies, and makes it easy to identify optimization opportunities.&lt;/p&gt;

&lt;p&gt;It supports:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Cost anomaly investigation triggered by events&lt;/li&gt;
&lt;li&gt;Cost queries in natural language&lt;/li&gt;
&lt;li&gt;Periodic cost reporting&lt;/li&gt;
&lt;li&gt;Responses using context files and memory&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It appears to work in conjunction with the following services:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;AWS Cost Explorer&lt;/li&gt;
&lt;li&gt;AWS Cost Anomaly Detection&lt;/li&gt;
&lt;li&gt;AWS Cost Optimization Hub&lt;/li&gt;
&lt;li&gt;AWS Compute Optimizer&lt;/li&gt;
&lt;li&gt;AWS CloudTrail&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Cited from AWS official documentation&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/finops-agent/latest/userguide/what-is.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/finops-agent/latest/userguide/what-is.html&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Setup
&lt;/h1&gt;

&lt;p&gt;I followed this guide during setup:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/jp/blogs/news/aws-finops-agent-is-now-public-preview/" rel="noopener noreferrer"&gt;https://aws.amazon.com/jp/blogs/news/aws-finops-agent-is-now-public-preview/&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Deciding the Agent Name and Creating an IAM Role
&lt;/h2&gt;

&lt;p&gt;Open the FinOps Agent console and create an agent by clicking "Get Started."&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4smxp62mbv8y74i2w1y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4smxp62mbv8y74i2w1y.png" alt=" " width="800" height="296"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you've decided on an agent name, create an IAM role with the following permissions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Permissions for the agent to access AWS resources&lt;/li&gt;
&lt;li&gt;Permissions for the web app to access the agent&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Third-Party App Integration
&lt;/h2&gt;

&lt;p&gt;You can connect either Jira or Slack to FinOps Agent. I chose to integrate with Slack.&lt;br&gt;
Set up your Slack workspace and channel beforehand.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Steps to create a Slack workspace and channel are omitted here.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Select Slack and configure the integration via the "Add Integration" button.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2sbdb3sdvfsgvsajowod.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2sbdb3sdvfsgvsajowod.png" alt=" " width="800" height="408"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Click the "Authorize with Slack" button to grant the FinOps Agent app access.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Warning:&lt;/strong&gt; I was unable to configure agent permissions without first disabling multi-session in the AWS Management Console. Be sure to disable multi-session beforehand.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frsmmcuv9i58vmjidn5tf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frsmmcuv9i58vmjidn5tf.png" alt=" " width="799" height="284"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdtdtxy94g43kmj1emjj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdtdtxy94g43kmj1emjj.png" alt=" " width="800" height="435"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I thought the agent was successfully created — but then got an error...&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56jb6m8dt01imsutb64h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56jb6m8dt01imsutb64h.png" alt=" " width="800" height="460"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It turned out that the FinOps Agent App needed to be added as a member of the Slack channel, but there was no prior explanation of this. While you can set up the Slack integration later, it would have been helpful to have clearer instructions upfront.&lt;/p&gt;

&lt;p&gt;After adding the App as a channel member and then configuring the integration, everything worked fine.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7dwr3pfdxeev9wnmmjr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7dwr3pfdxeev9wnmmjr.png" alt=" " width="800" height="293"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Running the Agent
&lt;/h1&gt;

&lt;p&gt;Next, run FinOps Agent from the web app by clicking "Open" in the Open Agent section.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkdjbj20uuicxn37bzls.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkdjbj20uuicxn37bzls.png" alt=" " width="800" height="184"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The FinOps Agent chat screen opens. Enter a prompt and it returns an answer. Japanese prompts are accepted, but responses were returned in English.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff62whshjapkmt612n3mv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff62whshjapkmt612n3mv.png" alt=" " width="800" height="531"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Costs with credits applied were not included in the totals. When I rewrote the prompt to calculate costs before credit application, it was able to aggregate them correctly.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fby6fd26j0ezdban87gqc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fby6fd26j0ezdban87gqc.png" alt=" " width="800" height="445"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Tasks
&lt;/h1&gt;

&lt;p&gt;On the left side of the FinOps Agent screen, there is a "Task" menu.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6ri57k9k8jsswcrw2uc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6ri57k9k8jsswcrw2uc.png" alt=" " width="445" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tasks run in the background without interrupting your conversation. When you ask the agent to create a task, it processes it in the background.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/finops-agent/latest/userguide/task-management.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/finops-agent/latest/userguide/task-management.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tasks come in three types:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Run once&lt;/li&gt;
&lt;li&gt;Scheduled execution&lt;/li&gt;
&lt;li&gt;Event-triggered execution&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Interestingly, clicking "Run Once" displays "Create Task," but clicking "Run on a Schedule" switches to the "Automations" selection, and the "Create Task" button at the top of the screen changes to "Create Automation."&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6dy3oj2dbxaiulvju2z4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6dy3oj2dbxaiulvju2z4.png" alt=" " width="800" height="377"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi1jp4txtbn99nrec53rv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi1jp4txtbn99nrec53rv.png" alt=" " width="799" height="380"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I was curious about the difference between Tasks and Automations and noticed this while looking into it. This kind of quirk is perhaps expected in a preview version — it's interesting!&lt;/p&gt;

&lt;h2&gt;
  
  
  Running a Task
&lt;/h2&gt;

&lt;p&gt;I created and ran a one-time task ("Run Once"). It calculated usage charges for May (before credit application), compiled the results into a PDF report, and sent it to Slack.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkc48soilt0adnrkezicm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkc48soilt0adnrkezicm.png" alt=" " width="800" height="479"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The PDF report was delivered to Slack. It was neatly organized and easy to read.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxs02mqj1o6nq5nbfebmv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxs02mqj1o6nq5nbfebmv.png" alt=" " width="799" height="434"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The analysis results were also stored in Artifacts.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r12sh6l3qvl5q0ot1o5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r12sh6l3qvl5q0ot1o5.png" alt=" " width="799" height="244"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Scheduled Execution (Automations)
&lt;/h2&gt;

&lt;p&gt;I set up a task to send a weekly report to Slack every Thursday at 8:00 AM (Wednesday 11:00 PM UTC).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyaepoz7pxwolozswmfo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyaepoz7pxwolozswmfo.png" alt=" " width="800" height="461"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;On Thursday, June 11 at 8:02 AM, the aggregated results were sent to Slack. It took 2 minutes for the aggregation and Slack delivery, but I was able to confirm that the scheduled execution worked correctly.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97ep5qshqt8j413ak77w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97ep5qshqt8j413ak77w.png" alt=" " width="800" height="507"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h1&gt;
  
  
  Impressions
&lt;/h1&gt;

&lt;p&gt;Being able to manage costs easily using natural language — without needing to build a cost management agent or dashboard from scratch — and being able to schedule those tasks is really great.&lt;/p&gt;

&lt;p&gt;I didn't configure it this time, but with event-triggered execution ("Run when an event occurs"), it seems like you could set up notifications for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which service is causing a sudden spike in costs&lt;/li&gt;
&lt;li&gt;Recommended actions for cost optimization&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One thing I'm curious about is what the FinOps Agent usage fee will be once it reaches general availability (GA). Since I use AWS for personal purposes and can't spend too much, whether using FinOps Agent to optimize costs will yield a good return on investment is something I'll be keeping an eye on.&lt;/p&gt;

&lt;p&gt;It may be challenging to get impressive results with personal usage, but I still want to find interesting use cases.&lt;/p&gt;




&lt;h1&gt;
  
  
  Closing Thoughts
&lt;/h1&gt;

&lt;p&gt;Since I use AWS for personal purposes and pay out of pocket (or use credits), I try to be careful about cost management to avoid unexpected charges. Even so, I often end up leaving resources running by mistake and incurring unnecessary costs. With that in mind, I'd like to start leveraging FinOps Agent to better manage and optimize my costs going forward.&lt;/p&gt;

&lt;p&gt;I hope this article is helpful to someone out there.&lt;br&gt;
Thank you so much for reading all the way to the end!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>finopsagent</category>
    </item>
    <item>
      <title>It's not too late! Make your AWS Security Agent debut with a code review!</title>
      <dc:creator>NaoyukiFujita</dc:creator>
      <pubDate>Sat, 30 May 2026 00:45:11 +0000</pubDate>
      <link>https://dev.to/aws-builders/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk</link>
      <guid>https://dev.to/aws-builders/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk</guid>
      <description>&lt;h1&gt;
  
  
  Introduction
&lt;/h1&gt;

&lt;p&gt;This article is an English translation of the article at the following URL, which was originally written in Japanese. The screenshots are still in Japanese. Sorry about that.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18" rel="noopener noreferrer"&gt;https://qiita.com/amarelo_n24/items/e196b74f718c750a0e18&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The penetration testing feature for AWS Security Agent (hereinafter referred to only as "Security Agent"), which was announced at AWS re:Invent 2025, has been generally available (GA). Code review and design review are still in preview as of May 25th, so those who haven't been able to try Security Agent yet can still try these features. I wasn't able to try penetration testing during the preview period , so I decided to at least experience code review and made my Security Agent debut!&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This article reflects the author's personal views. It is based on personal testing and should be used for reference only. Furthermore, the author has no experience in app development, so the terminology used may not be entirely accurate. Any corrections or errors in the content would be greatly appreciated.&lt;br&gt;
This article was written based on information as of May 25, 2026.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h1&gt;
  
  
  What is a Security Agent?
&lt;/h1&gt;

&lt;p&gt;As mentioned above, this service was announced during AWS re:Invent 2025. It is a frontier agent that proactively protects applications throughout the entire development lifecycle in all environments (quoted from the official AWS page).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://aws.amazon.com/security-agent/" rel="noopener noreferrer"&gt;https://aws.amazon.com/security-agent/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It includes three features that became generally available (GA) in April: penetration testing, design review, and code review (the subject of this article).&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Function name&lt;/th&gt;
&lt;th&gt;Feature Overview&lt;/th&gt;
&lt;th&gt;Status（As of 2026/5/25）&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Penetration testing&lt;/td&gt;
&lt;td&gt;Attempting to infiltrate the system from an external source to evaluate security measures.&lt;/td&gt;
&lt;td&gt;GA&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Design Review&lt;/td&gt;
&lt;td&gt;Analyze product specifications, architecture documents, and technical designs from a security risk perspective.&lt;/td&gt;
&lt;td&gt;Preview&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Code Review&lt;/td&gt;
&lt;td&gt;Inspect source code and repositories to detect code-level vulnerabilities.&lt;/td&gt;
&lt;td&gt;Preview&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Code security review (hereinafter referred to as "code review") is a web application diagnostic method that falls under "SAST" (Static Application Security Testing). It is considered a vulnerability assessment that checks for flaws in the source code during the development phase before it is deployed in a test environment, and detects vulnerabilities visible at the code level.&lt;/p&gt;

&lt;h1&gt;
  
  
  Security Agent Code Review
&lt;/h1&gt;

&lt;p&gt;From here, I will describe the steps to enable the Security Agent and run a code review.&lt;/p&gt;

&lt;h2&gt;
  
  
  Enable Security Agent
&lt;/h2&gt;

&lt;p&gt;To start using Security Agent, you first need to enable it. Incidentally, simply enabling Security Agent will not incur any charges.&lt;/p&gt;

&lt;p&gt;① Click [Set up AWS Security Agent]&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmbvz72zrwl3bz865gxkj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmbvz72zrwl3bz865gxkj.png" alt=" " width="799" height="419"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Enter [Agent Space name].&lt;br&gt;
③ Specify [User access configuration].&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;If you have enabled AWS Organizations and also enabled IAM Identity Center, you might want to select "Single sign-on (SSO) with IAM Identity Center." I chose this option because I also run a one-person organization. Even if you haven't enabled Organizations yet, this might be a good opportunity to try out a one-person organization.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzuarr6f8puspsa47j1gu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzuarr6f8puspsa47j1gu.png" alt=" " width="799" height="322"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ Enter a service role name. If there is no suitable role available in your account, a new service role will be created.&lt;br&gt;
⑤ If you want to use KMS encryption, check the encryption option checkbox. If the default encryption is sufficient, uncheck the checkbox.&lt;br&gt;
⑥ Set tags as needed.&lt;br&gt;
⑦ Click [Set up AWS Security Agent].&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrcpkw27crkf217dz7lw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrcpkw27crkf217dz7lw.png" alt=" " width="800" height="361"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑧ Once you see a message indicating that the application has been successfully enabled, the Security Agent has been successfully activated.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftk52by6jymcnolv2oxx5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftk52by6jymcnolv2oxx5.png" alt=" " width="800" height="153"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Enable Code Review
&lt;/h1&gt;

&lt;p&gt;① Click "Enable code review".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo3i8yvtsk9pyelu5eddr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo3i8yvtsk9pyelu5eddr.png" alt=" " width="800" height="333"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Add a "Connected Integration". Click "Add".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbj13sfftk2if7laf35nu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbj13sfftk2if7laf35nu.png" alt=" " width="800" height="336"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;③ Select "Create a new account" and "GitHub," then click "Next."&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5msgw7heyf4v3z1qmz9a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5msgw7heyf4v3z1qmz9a.png" alt=" " width="728" height="287"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ Click "Open AWS Security Agent on GitHub".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3nsn42l8fz5h19z9dxu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3nsn42l8fz5h19z9dxu.png" alt=" " width="799" height="389"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑤ You will be redirected to the GitHub page. Click "Install".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1i40g97a3fmr5064z0f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1i40g97a3fmr5064z0f.png" alt=" " width="800" height="290"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑥ Click on the GitHub account that contains the repository where you want to install the AWS Security Agent GitHub App.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfkkapt3mztqfdw5ccvy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frfkkapt3mztqfdw5ccvy.png" alt=" " width="800" height="374"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑦ Click "Only select repositories" and select the repository where you want to install the GitHub App from the "Select repositories" dropdown menu.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft37zemp28twzpsmjrtf3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft37zemp28twzpsmjrtf3.png" alt=" " width="639" height="842"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑧ Click "Install," and the setup is complete when a screen like the one below appears.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjftau9a43jpaq5zm4nf5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjftau9a43jpaq5zm4nf5.png" alt=" " width="800" height="397"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑨ Return to the following screen and click "Add" again.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpk6igbwztrrzz0l6b02y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpk6igbwztrrzz0l6b02y.png" alt=" " width="798" height="174"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑩ Select the added integration and click "Next".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69nfqdqzoiomjfwzhgxc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F69nfqdqzoiomjfwzhgxc.png" alt=" " width="720" height="301"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑪ Select the GitHub repository name and click "Next".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncm2j8utw4uekccx2kcl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fncm2j8utw4uekccx2kcl.png" alt=" " width="793" height="172"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑫ Select the features to enable. If you want to perform code reviews, enable "Code review comments". If you want to automatically remediate detected vulnerabilities, enable "Automatic remediation". Click Connect and confirm that "Integration resource added" is displayed.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhjr1bq6xoxubuufwpdbw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhjr1bq6xoxubuufwpdbw.png" alt=" " width="800" height="146"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91na7z7m9o70xw7raqzy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F91na7z7m9o70xw7raqzy.png" alt=" " width="800" height="318"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑬ Select the code review settings and click "Next". I selected "Security requirements and vulnerability detection results," which is selected by default.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5y1ato54xapqrrt76qct.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5y1ato54xapqrrt76qct.png" alt=" " width="800" height="150"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑭ If you want to obtain application operation logs in CloudWatch Logs, select the log group where you want to store the logs (you need to create the log group beforehand).&lt;br&gt;
⑮ Create a role for service access. If you have already created one, click "Use existing service role". If the default role is acceptable, click "Create default role".&lt;br&gt;
⑯ Click "Save".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28514c91f6sj2izdrkt0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28514c91f6sj2izdrkt0.png" alt=" " width="799" height="376"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;This time, we created a default role, but I think it's necessary to create a role with carefully considered policy settings. I'll investigate what policies are necessary in the future.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;⑰When it displays as shown below and "Ready" appears in the code review section, code review is enabled.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpt3nrh83fuam1bk0fco.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwpt3nrh83fuam1bk0fco.png" alt=" " width="799" height="154"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Application User Settings
&lt;/h1&gt;

&lt;p&gt;Add an IAM Identity Center user to allow code reviews from the application.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;For testing purposes, you can access it with "Administrator Access" without creating a user, but since administrators don't usually perform vulnerability assessments in normal operation, we'll configure a user even for testing purposes.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;① Return to the "Agent Spaces" top page and click "Add Users" from the "Web App" tab.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9qlus8t2v26l6j6vcp6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk9qlus8t2v26l6j6vcp6.png" alt=" " width="799" height="222"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Select the IAM Identity Center username you want to allow access to the Security Agent web app and click "Add users".&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frup1ukh5qxnsfupzmk92.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frup1ukh5qxnsfupzmk92.png" alt=" " width="800" height="199"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;③ Once the message indicating that the user has been added is displayed, click the Agent Web App URL.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo068d12kuz6bapa5o6wn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo068d12kuz6bapa5o6wn.png" alt=" " width="800" height="339"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ When the following screen appears, click "Sign in" or wait a moment, and you will be redirected to the Agent Web App screen.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tpddkdp49m307aeyjtf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tpddkdp49m307aeyjtf.png" alt=" " width="626" height="425"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑤ The screen will display as shown below, and you should confirm that the created Agent Space name is displayed.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjws5rzoa39nawl6nbc6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsjws5rzoa39nawl6nbc6.png" alt=" " width="800" height="219"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Running the Code Review
&lt;/h1&gt;

&lt;p&gt;Now, we will run the code review.&lt;/p&gt;

&lt;p&gt;① From the Agent Web App home screen, click "Create a code review."&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmadbym7777vnyx90ps35.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmadbym7777vnyx90ps35.png" alt=" " width="800" height="404"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Enter a title for the code review.&lt;br&gt;
③ Select the previously connected GitHub repository, the created service role, and the CloudWatch log group, and click "Create a code review."&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmsjvvclcl2rjobegibg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmsjvvclcl2rjobegibg.png" alt=" " width="800" height="498"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ Once the message indicating that the code review has been created is displayed, click "Start review." A confirmation screen will appear, so click "Start review" again.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnyzjo5ofgjjd35dqkzpn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnyzjo5ofgjjd35dqkzpn.png" alt=" " width="800" height="199"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0erw4xv83da8qchrfhg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0erw4xv83da8qchrfhg.png" alt=" " width="599" height="160"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑤ The message "Code review started" will be displayed. Reloading the screen will display "In progress."&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqo2abdfi5gh1ytqhf6r1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqo2abdfi5gh1ytqhf6r1.png" alt=" " width="799" height="209"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffr8kvqch1lfyc8hpoomz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffr8kvqch1lfyc8hpoomz.png" alt=" " width="800" height="188"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;⑥ Clicking on the created code review will show the progress. Wait until completion.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13gkc9dnzfj4zxa5b8s5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F13gkc9dnzfj4zxa5b8s5.png" alt=" " width="800" height="483"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Code Review Results
&lt;/h1&gt;

&lt;p&gt;This time it was completed in about an hour.&lt;/p&gt;

&lt;p&gt;① Once completed, you can view the code review results.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0buiv16stw4go6d1dmo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj0buiv16stw4go6d1dmo.png" alt=" " width="800" height="319"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit0ywdrqt6ku5eov5mbi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit0ywdrqt6ku5eov5mbi.png" alt=" " width="800" height="365"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② The scan results are displayed as follows. Well-known vulnerabilities such as SQL injection, cross-site scripting, and path traversal were detected.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Although it says "Completed," it remained showing "Finalizing" for some reason.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ohcwffuiwml5ls0tgtq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ohcwffuiwml5ls0tgtq.png" alt=" " width="800" height="499"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Downloading Code Review Results
&lt;/h1&gt;

&lt;p&gt;You can download the code review results as a PDF file. This is likely for requesting corrections or sharing information with developers who do not have an AWS account, or for storing it as evidence.&lt;/p&gt;

&lt;p&gt;① Click "Generate Report" in the upper right corner of the code review results screen.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3g9wcqpre9crflb1cls.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3g9wcqpre9crflb1cls.png" alt=" " width="800" height="150"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Edit the extraction criteria and click "Generate and Download." The code review results will be output as a PDF file to your PC's download folder.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F769lut9mr0xuimyu7oq4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F769lut9mr0xuimyu7oq4.png" alt=" " width="597" height="639"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Automatic Remediation of Detected Vulnerabilities
&lt;/h1&gt;

&lt;p&gt;Detected vulnerabilities need to be fixed. It is possible to fix them automatically instead of manually.&lt;/p&gt;

&lt;p&gt;① Select the vulnerability you want to automatically fix and click "Fix Code."&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj0l3xfd8nnr7yn2rlac.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj0l3xfd8nnr7yn2rlac.png" alt=" " width="800" height="372"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;② Code remediation will begin.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcv3ja7gplfq7mggjnfmx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcv3ja7gplfq7mggjnfmx.png" alt=" " width="799" height="330"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;If "Automatic remediation" is not enabled, the following error will appear. In the GitHub repository's features management, turn on the "Automatic remediation" toggle button and save.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lykvcdakmw7u35n8rqb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lykvcdakmw7u35n8rqb.png" alt=" " width="800" height="331"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28mx26yxmlvvif0ibva6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28mx26yxmlvvif0ibva6.png" alt=" " width="800" height="152"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;③ Scroll to the bottom of the screen to see the detection results for the selected vulnerability. The code remediation status will be displayed. Once the fix is ​​complete and the status changes to "COMPLETED," a pull request is sent to GitHub.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F96z18k32h7wgacazc9ig.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F96z18k32h7wgacazc9ig.png" alt=" " width="651" height="300"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffx50iob706m0xgru51m9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffx50iob706m0xgru51m9.png" alt=" " width="525" height="116"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;④ Opening the pull request reveals that it was automatically created by Security Agent and details of the changes. If there are no issues with the content, merge it.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt3o6gzsrmb13c5h7zk5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt3o6gzsrmb13c5h7zk5.png" alt=" " width="800" height="368"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  Impressions of Conducting a Code Review with Security Agent
&lt;/h1&gt;

&lt;h2&gt;
  
  
  Recognizing the Importance of SAST
&lt;/h2&gt;

&lt;p&gt;This code review detected many types of vulnerabilities. It's probably difficult to uncover all vulnerabilities through human code reviews alone. I believe it's an important service that complements human code reviews by inspecting for remaining vulnerabilities. Furthermore, I realized that web application security testing should not only utilize external attack-based testing methods like DAST (Dynamic Application Security Testing), but also SAST, which identifies vulnerabilities at the code level and provides a starting point for fixes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Completely Eliminating Human Reviews is Not Yet Possible
&lt;/h2&gt;

&lt;p&gt;I realized that Security Agent doesn't completely replace human code reviews.&lt;/p&gt;

&lt;p&gt;After running the automatic fix and then performing another code review, the fixed vulnerabilities were not re-detected, but several new vulnerabilities were detected. It's possible that a detection method was added during the initial code review, or that it was a false positive, but it's also possible that a fix in one place affected the entire code or even the entire repository.&lt;/p&gt;

&lt;p&gt;As such, the results of the review and the recommended fixes for vulnerabilities are not always optimal for the whole system. Furthermore, there's a risk that applying automated fixes too readily could break the entire application. I think that unless people carefully review the fixes and decide whether to automate or manual fixes, it could lead to unnecessary work being done.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wouldn't it be great if it could be integrated with CodeCommit?
&lt;/h2&gt;

&lt;p&gt;As of May 21, 2026, it's not possible to target CodeCommit repositories for code reviews. It was truly surprising that S3 could be targeted for code reviews, but CodeCommit couldn't. Currently, if a user of CodeCommit wants to perform code reviews with the Security Agent, they would have to either:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Store source code files in S3 and perform code reviews there&lt;/li&gt;
&lt;li&gt;Migrate the repository to GitHub.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Storing files in S3 is troublesome, and migrating to GitHub doesn't seem practical. I think it would be great if it could integrate with CodeCommit to easily perform code reviews.&lt;/p&gt;

&lt;p&gt;CodeCommit was such a valuable service that it was shut down once before returning to GA (General Availability), so I thought it was a bit of a shame that it couldn't be integrated. I guess we can only hope for future AWS updates.&lt;/p&gt;

&lt;h1&gt;
  
  
  Finally
&lt;/h1&gt;

&lt;p&gt;It's been almost six months since re:Invent 2025, but I finally got to try out Security Agent. Penetration testing, once GA is available, has become difficult to implement at an individual level. The preview period doesn't last forever. I strongly felt that you should try it as soon as possible after the announcement.&lt;/p&gt;

&lt;p&gt;You can still relatively easily experience Security Agent through code reviews, which are still in preview, so it's not too late! Why not make your Security Agent debut with a code review and use it as an opportunity to learn about web application security?&lt;/p&gt;

&lt;p&gt;Also, since design reviews are still in preview, I plan to try those out soon as well.&lt;/p&gt;

&lt;p&gt;I hope this article is helpful to someone. Thank you for reading to the end!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>securityagent</category>
    </item>
  </channel>
</rss>
