
Enable threat modeling - AWS Security Agent

Enable threat modeling

Configure your Agent Space to enable threat modeling by connecting source code repositories and configuring AWS resources. Threat modeling analyzes your application’s architecture and identifies security threats from source code, design documents, or both.

Setting up threat modeling configurations is an Agent Space-wide operation. The integrations and S3 buckets you connect are shared across capabilities, including threat modeling, code review, and penetration testing.

After completing setup, users can create and run threat models in the AWS Security Agent web application.

Note

If you already have repositories or S3 buckets connected to your Agent Space (for example, through code review or penetration testing setup), threat modeling may already be enabled. You can go directly to the web application to create a threat model. See Create a threat model.

Prerequisites

Before you begin, ensure you have:

Access the threat modeling setup wizard

Navigate to the threat modeling configuration for your Agent Space.

  1. In the AWS Security Agent console, select your Agent Space.

  2. Choose Configure threat model from the Threat model card, or from the Threat model tab.

You’ll be directed to the Configure threat model wizard, which has two steps. Both are optional in the sense that you can skip them, but threat modeling needs at least one source of context (a connected repository or an S3 bucket) and a service role, which the wizard creates for you if you don’t select one.

Step 1: Connect source code repositories (optional)

Connect the GitHub, GitLab, or Bitbucket repositories you want to enable threat modeling for. Threat models themselves are created and viewed in the web application.

Important

Integrations configured here are shared across your Agent Space. Changes apply to threat modeling, code review, and penetration testing capabilities.

Connect repositories

  1. In the Connected integrations section, choose Add.

  2. Select the registration that contains the repositories you want to use.

  3. Select the checkbox for each repository you want to connect.

  4. Choose Save to apply your selections.

Note

If you haven’t registered an integration yet, choose Settings to navigate to the Integrations page where you can authorize the AWS Security Agent app. For more information, see Connect AWS Security Agent to GitHub repositories, Connect AWS Security Agent to GitLab repositories, or Connect AWS Security Agent to Bitbucket repositories.

  5. Choose Next to proceed to optional configurations.

Step 2: Optional configurations

Configure S3 buckets, CloudWatch logging, and service access settings for your threat modeling environment. These settings are shared with other capabilities on your Agent Space.

S3 buckets (optional)

Add S3 buckets containing source code you want the agent to use as context during threat modeling.

  1. In the S3 buckets section, choose Add S3 resource.

  2. Enter the S3 URI for the bucket or prefix.

  3. Choose Add.

Note

You can add up to 10 S3 resources.

CloudWatch logs (optional)

Configure CloudWatch log groups to capture and analyze application behavior during threat model runs.

  1. In the CloudWatch logs section, select one or more existing CloudWatch log groups from your AWS account.

Service access

Configure the IAM service role that AWS Security Agent uses to access your AWS resources, such as S3 buckets and CloudWatch logs, for threat modeling. A service role is required to enable threat modeling. If you bring your own role, scope its permissions to the specific buckets, prefixes, and log groups you connected rather than granting account-wide read access.

  1. In the Service access section, select an existing IAM service role from the dropdown, or leave it empty to have a service role automatically created.

Note

A service role will be automatically created if you don’t select an existing role.
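If you prefer to create the service role yourself rather than let the wizard create one, the permissions policy should grant read access only to the S3 URIs and CloudWatch log groups you connected in the steps above. The following script is an added example, not AWS Security Agent's own code or its documented role template: it parses the `s3://bucket/prefix` URIs from the S3 buckets step, enforces the 10-resource limit stated on this page, and emits a least-privilege permissions policy. The action list (`s3:ListBucket`, `s3:GetObject`, `s3:GetObjectVersion`, `logs:DescribeLogStreams`, `logs:GetLogEvents`, `logs:FilterLogEvents`) is an assumption about what read-only access to source code and logs requires; this page does not list the actions the service actually calls. The trust policy is deliberately omitted because the service principal is not stated here; take it from the role the wizard auto-creates or from the AWS Security Agent IAM documentation.

```python
"""Build a least-privilege permissions policy for an AWS Security Agent service role.

Added example (not AWS's code). Inputs are the S3 URIs and log group ARNs the
operator entered in the Configure threat model wizard. The action set below is
an assumption; confirm it against the auto-created role before relying on it.
"""
import json
import re
from urllib.parse import urlparse

MAX_S3_RESOURCES = 10  # limit stated in the S3 buckets step

# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# must start and end with a letter or digit, and must not look like an IP address.
_BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def parse_s3_uri(uri: str) -> tuple[str, str]:
    """Return (bucket, prefix) for an s3://bucket/prefix URI; raise ValueError otherwise."""
    parts = urlparse(uri)
    if parts.scheme != "s3" or not parts.netloc:
        raise ValueError(f"not an S3 URI: {uri!r}")
    bucket = parts.netloc
    if not _BUCKET_RE.match(bucket) or ".." in bucket:
        raise ValueError(f"invalid bucket name: {bucket!r}")
    # An empty prefix means the whole bucket; "src/" means keys under src/.
    return bucket, parts.path.lstrip("/")


def _sid(name: str) -> str:
    """IAM Sids must be alphanumeric."""
    return "".join(ch for ch in name if ch.isalnum())


def build_service_role_policy(s3_uris: list[str], log_group_arns: list[str]) -> dict:
    """Return an IAM permissions policy scoped to the given S3 URIs and log groups."""
    if len(s3_uris) > MAX_S3_RESOURCES:
        raise ValueError(f"at most {MAX_S3_RESOURCES} S3 resources can be added")

    by_bucket: dict[str, set[str]] = {}
    for uri in s3_uris:
        bucket, prefix = parse_s3_uri(uri)
        by_bucket.setdefault(bucket, set()).add(prefix)

    statements = []
    for bucket in sorted(by_bucket):
        prefixes = by_bucket[bucket]
        whole_bucket = "" in prefixes
        list_stmt = {
            "Sid": f"List{_sid(bucket)}",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
        }
        if not whole_bucket:
            # Restrict listing to the connected prefixes; the trailing "*" matches
            # every key that starts with the prefix, as S3 itself does.
            list_stmt["Condition"] = {
                "StringLike": {"s3:prefix": sorted(p + "*" for p in prefixes)}
            }
        statements.append(list_stmt)
        objects = (
            [f"arn:aws:s3:::{bucket}/*"]
            if whole_bucket
            else sorted(f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes)
        )
        statements.append({
            "Sid": f"Read{_sid(bucket)}",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": objects,
        })

    if log_group_arns:
        resources = []
        for arn in log_group_arns:
            if not arn.startswith("arn:aws:logs:") or ":log-group:" not in arn:
                raise ValueError(f"not a CloudWatch log group ARN: {arn!r}")
            arn = arn.rstrip(":*")  # normalise "...:log-group:name:*" to the group ARN
            resources += [arn, arn + ":*"]  # group itself plus its log streams
        statements.append({
            "Sid": "ReadConnectedLogGroups",
            "Effect": "Allow",
            "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
            "Resource": resources,
        })

    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample input: two prefixes in one bucket, one whole bucket, one log group.
    policy = build_service_role_policy(
        ["s3://app-src/services/api/", "s3://app-src/infra/", "s3://design-docs"],
        ["arn:aws:logs:us-east-1:123456789012:log-group:/app/api"],
    )
    print(json.dumps(policy, indent=2))
```

Attach the resulting document as the role's permissions policy, then select that role in the Service access dropdown. Because the wizard's integrations and S3 settings are shared across capabilities, any bucket you later add for code review or penetration testing must also be added to this policy, or the agent will not be able to read it.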

  2. Choose Save to complete the configuration.

After setup

After completing the threat modeling configuration:

  • The Threat model card on your Agent Space page shows a Ready status.

  • Users can launch the web application and create threat models from connected source code, uploaded scope docs, Confluence pages, or a combination of these inputs.

Next steps

After enabling threat modeling: