kiro-agent-team 1.0.0

package/.kiro/documentation/docs_cli_privacy-and-security.md

@@ -0,0 +1,83 @@
+# Privacy and security
+Kiro is an AWS application that works as a standalone agentic IDE. Kiro's security framework is built around AWS's security infrastructure and follows practices to protect your development environment and data. Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
+Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+  * Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Kiro, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+  * Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations
+
+
+This documentation helps you understand how to apply the shared responsibility model when using Kiro. It shows you how to configure Kiro to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Kiro resources.
+## URL fetching[](https://kiro.dev/docs/cli/privacy-and-security/#url-fetching)
+In the Kiro chat module, you can paste a specific URL for your device to fetch and use it as context to help Kiro answer your query or solve your task. You are responsible for the URL content that you fetch and ensuring that your use complies with any applicable third-party terms and laws.
+## Autopilot versus supervised mode[](https://kiro.dev/docs/cli/privacy-and-security/#autopilot-versus-supervised-mode)
+In Kiro, Autopilot is enabled by default. You can toggle between Autopilot and Supervised mode at any time. Autopilot mode enables the agent to execute code changes, such as creating, modifying, searching, and deleting files in your codebase and run commands that impact the filesystem.
+### Autopilot mode[](https://kiro.dev/docs/cli/privacy-and-security/#autopilot-mode)
+In Autopilot mode, Kiro works autonomously:
+  * Kiro executes multiple steps without requiring approval for each one
+  * Kiro makes decisions based on its understanding of your requirements
+  * You can toggle autopilot on/off in the chat interface
+  * You can interrupt autopilot at any time to regain manual control
+
+
+### Supervised mode[](https://kiro.dev/docs/cli/privacy-and-security/#supervised-mode)
+In supervised mode, Kiro works interactively with the user, requiring their approval and guidance at each step:
+  * Kiro suggests actions such as file creation, modification and deletion, but waits for user confirmation before proceeding
+  * Kiro asks clarifying questions when needed
+  * You can review and approve each generated document or code change, thus maintaining full control over the development process
+
+
+When operating in either of these modes, you can view individual or all file changes made by the agent by selecting **View all changes** in the **Chat** module. Additionally, you can also select **Revert all changes** or revert to a [checkpoint](https://kiro.dev/docs/chat/checkpoints) to restore your files to their previous state in the filesystem locally.
+## Trusted commands[](https://kiro.dev/docs/cli/privacy-and-security/#trusted-commands)
+By default, Kiro requires approval before running any command. You can create your own trusted commands list by searching for **Kiro Agent: Trusted Commands** in your settings.
+Kiro uses simple string prefix matching to determine if a command should be automatically trusted:
+  * **Exact matching** : Commands must match exactly (e.g., `npm install`)
+  * **Wildcard matching** : Use `*` to trust command variations (e.g., `npm *` trusts all npm commands)
+  * **Universal trust** : Use `*` alone to trust all commands (use with extreme caution)
+
+
+The system treats entire commands as single strings and only checks if they start with trusted patterns. It does not analyze command structure, chains, or special characters, putting full responsibility on you to carefully configure trusted patterns.
+## Best practices[](https://kiro.dev/docs/cli/privacy-and-security/#best-practices)
+Kiro provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.
+### Protecting your resources[](https://kiro.dev/docs/cli/privacy-and-security/#protecting-your-resources)
+When using GitHub or Google authentication with Kiro, be aware that the Kiro agent operates within your local environment and may access:
+  * Local files and repositories
+  * Environment variables
+  * AWS credentials stored in your environment
+  * Other configuration files with sensitive information
+
+
+### Recommendations[](https://kiro.dev/docs/cli/privacy-and-security/#recommendations)
+  1. **Workspace Isolation**
+     * Keep sensitive projects in separate workspaces
+     * Use .gitignore to prevent access to sensitive files
+     * Consider using workspace trust features in your IDE
+  2. **Use a Clean Environment**
+     * Consider creating a dedicated user account or container environment for Kiro
+     * Limit access to only the repositories and resources needed for your current project
+  3. **Manage AWS Credentials Carefully**
+     * Use temporary credentials with appropriate permissions
+     * Consider using AWS named profiles to isolate Kiro's access
+     * For sensitive work, remove AWS credentials from your environment when not needed
+  4. **Repository Access Control**
+     * When using GitHub authentication, review which repositories Kiro can access
+     * Use repository-specific access tokens when possible
+     * Regularly audit access permissions
+
+
+## Remote extensions security[](https://kiro.dev/docs/cli/privacy-and-security/#remote-extensions-security)
+**Warning**
+**Security Note** : Using remote extensions opens a connection between your local machine and the remote machine. Only connect to secure remote machines that you trust and that are owned by a party whom you trust. A compromised remote could use the connection to execute code on your local machine. Third-party extensions including remote extensions are not developed, maintained, or managed by Kiro. We are not responsible for third-party extensions and cannot guarantee their stability, compatibility, or ongoing support.
+Kiro supports Open VSX extensions, including remote SSH extensions (the community-maintained [Open Remote - SSH](https://open-vsx.org/extension/jeanp413/open-remote-ssh) extension on Open VSX is a popular choice), to provide a familiar development experience. For comprehensive information about extension compatibility and support in Kiro, see our [extension compatibility guide](https://kiro.dev/docs/guides/migrating-from-vscode/#extension-compatibility).
+By following these practices, you can enjoy Kiro's capabilities while maintaining appropriate security boundaries for your development environment.
+Page updated: December 12, 2025
+[Concepts](https://kiro.dev/docs/cli/enterprise/concepts/)
+[Data protection](https://kiro.dev/docs/cli/privacy-and-security/data-protection/)
+On this page
+  * [URL fetching](https://kiro.dev/docs/cli/privacy-and-security/#url-fetching)
+  * [Autopilot versus supervised mode](https://kiro.dev/docs/cli/privacy-and-security/#autopilot-versus-supervised-mode)
+  * [Autopilot mode](https://kiro.dev/docs/cli/privacy-and-security/#autopilot-mode)
+  * [Supervised mode](https://kiro.dev/docs/cli/privacy-and-security/#supervised-mode)
+  * [Trusted commands](https://kiro.dev/docs/cli/privacy-and-security/#trusted-commands)
+  * [Best practices](https://kiro.dev/docs/cli/privacy-and-security/#best-practices)
+  * [Protecting your resources](https://kiro.dev/docs/cli/privacy-and-security/#protecting-your-resources)
+  * [Recommendations](https://kiro.dev/docs/cli/privacy-and-security/#recommendations)
+  * [Remote extensions security](https://kiro.dev/docs/cli/privacy-and-security/#remote-extensions-security)

package/.kiro/documentation/docs_cli_privacy-and-security_compliance-validation.md

@@ -0,0 +1,17 @@
+# Compliance validation for Kiro
+To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).
+You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html). If you are signing in to Kiro with GitHub or Google, you will not be able to download third-party audit reports using AWS Artifact.
+Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+  * [Security Compliance & Governance](https://aws.amazon.com/solutions/security/security-compliance-governance/) – These solution implementation guides discuss architectural considerations and provide steps for deploying security and compliance features.
+  * [HIPAA Eligible Services Reference](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/) – Lists HIPAA eligible services. Not all AWS services are HIPAA eligible.
+  * [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+  * [AWS Customer Compliance Guides](https://d1.awsstatic.com/whitepapers/compliance/AWS_Customer_Compliance_Guides.pdf) in the _AWS Config Developer Guide_ – Understand the shared responsibility model through the lens of compliance. The guides summarize the best practices for securing AWS services and map the guidance to security controls across multiple frameworks (including National Institute of Standards and Technology (NIST), Payment Card Industry Security Standards Council (PCI), and International Organization for Standardization (ISO)).
+  * [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) – The AWS Config service assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+  * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS. Security Hub uses security controls to evaluate your AWS resources and to check your compliance against security industry standards and best practices. For a list of supported services and controls, see [Security Hub controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html).
+  * [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) – This AWS service detects potential threats to your AWS accounts, workloads, containers, and data by monitoring your environment for suspicious and malicious activities. GuardDuty can help you address various compliance requirements, like PCI DSS, by meeting intrusion detection requirements mandated by certain compliance frameworks.
+  * [AWS Audit Manager](https://docs.aws.amazon.com/audit-manager/latest/userguide/what-is.html) – This AWS service helps you continuously audit your AWS usage to simplify how you manage risk and compliance with regulations and industry standards.
+
+
+Page updated: November 12, 2025
+[Data protection](https://kiro.dev/docs/cli/privacy-and-security/data-protection/)
+[Infrastructure security](https://kiro.dev/docs/cli/privacy-and-security/infrastructure-security/)

package/.kiro/documentation/docs_cli_privacy-and-security_data-protection.md

@@ -0,0 +1,104 @@
+# Data protection
+The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Kiro. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).
+## Data storage[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#data-storage)
+Kiro stores your questions, its responses, and additional context, such as code, to generate new responses to your requests. For information about how data is encrypted, see [Data encryption](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#data-encryption). For information about how AWS may use some questions that you ask Kiro and its responses to improve our services, see [Kiro service improvement](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#service-improvement).
+### AWS regions where content is stored and processed[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#aws-regions-where-content-is-stored-and-processed)
+If you are a Kiro Free Tier user or a Kiro individual subscriber, your content, such as prompts and responses, will be stored in the US East (N. Virginia) Region.
+If you are a [Kiro enterprise user](https://kiro.dev/docs/cli/enterprise/concepts/#kiro-enterprise-user), your content will be stored in the AWS Region where your Kiro profile was created.
+With cross-region inferencing, your content may be processed in a different Region within the geography where your content is stored. For more information, see [Cross-region processing](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#cross-region-processing).
+## Cross-region processing[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#cross-region-processing)
+The following sections describe how cross-region inference and cross-region calls are used to provide the Kiro service.
+### Cross-region inference[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#cross-region-inference)
+Kiro is powered by Amazon Bedrock, and uses cross-region inference to distribute traffic across different AWS Regions to enhance large language model (LLM) inference performance and reliability. With cross-region inference, you get increased throughput and resilience during high demand periods, as well as improved performance.
+Cross region inference doesn’t affect where your data is stored. For information on where data is stored when you use Kiro, see [AWS Regions where content is stored and processed](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#aws-regions-where-content-is-stored-and-processed).
+### Supported regions for Kiro cross-region inference[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#supported-regions-for-kiro-cross-region-inference)
+For models or capabilities under the experimental tag, see “[Global cross-region inference for experimental features](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#global-cross-region-inference-for-experimental-features)”.
+Supported Kiro geography | Inference regions  
+---|---  
+United States | 
+  * US East (N. Virginia) (`us-east-1`)
+  * US West (Oregon) (`us-west-2`)
+  * US East (Ohio) (`us-east-2`)
+
+  
+Europe | 
+  * Europe (Frankfurt) (`eu-central-1`)
+  * Europe (Ireland) (`eu-west-1`)
+  * Europe (Paris) (`eu-west-3`)
+  * Europe (Stockholm) (`eu-north-1`)
+  * Europe (Milan) (`eu-south-1`)
+  * Europe (Spain) (`eu-south-2`)
+
+  
+### Global cross-region inference for experimental features[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#global-cross-region-inference-for-experimental-features)
+Kiro may introduce new models and capabilities under an experimental tag, which process data differently than in the table above. When a model is launched as experimental, Kiro may use global cross-region inference to improve performance, increase throughput, and take advantage of available capacity across supported commercial AWS Regions worldwide. Global cross-region inference applies only to models and features explicitly designated as experimental.
+For models and capabilities marked as experimental:
+  * Inference requests may be processed in multiple AWS Regions globally, including Regions outside the one associated with your Kiro profile.
+  * The Region where your data is stored is not affected by global cross-region inference.
+  * This global routing is used to optimize resource availability and allow consistent performance for experimental model launches.
+
+
+## Data encryption[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#data-encryption)
+This topic provides information specific to Kiro about encryption in transit and encryption at rest.
+### Encryption in transit[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#encryption-in-transit)
+All communication between customers and Kiro and between Kiro and its downstream dependencies is protected using TLS 1.2 or higher connections.
+### Encryption at rest[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#encryption-at-rest)
+Kiro encrypts your data using AWS owned encryption keys from AWS Key Management Service (AWS KMS). You don’t have to take any action to protect the AWS managed keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the _AWS Key Management Service Developer Guide_.
+When you subscribe with Kiro enterprise, administrators have the option to create customer managed keys to encrypt your data. Customer managed keys are KMS keys in your AWS account that you create, own, and manage to directly control access to your data by controlling access to the KMS key. Only symmetric keys are supported. For information on creating your own KMS key, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the _AWS Key Management Service Developer Guide_.
+To set up a customer managed key to encrypt data as a Kiro enterprise administrator, you need permissions to use AWS KMS. The required KMS permissions are included in the [example IAM policy](https://kiro.dev/docs/cli/privacy-and-security/data-protection/). After creating a customer managed KMS key, you must provide the key in the Kiro console to use it to encrypt data.
+## Service improvement[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#service-improvement)
+To help Kiro provide the most relevant information, we may use certain content from Kiro, such as questions that you ask Kiro, other inputs you provide, and the responses and code that Kiro generates, for service improvement. This page explains what content we use and how to opt out.
+### Kiro content used for service improvement[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#kiro-content-used-for-service-improvement)
+We may use certain content from Kiro Free Tier and Kiro individual subscribers for service improvement. Users that have a paid Kiro subscription and access it through a social login provider (like GitHub or Google) or through AWS Builder ID are considered _individual subscribers_. Content that Kiro may use for service improvement includes, for example, your questions to Kiro, other inputs you provide, and the responses and code that Kiro generates. Kiro may use this content, for example, to provide better responses to common questions, fix Kiro operational issues, for de-bugging, or for model training.
+We do not use content from [Kiro enterprise users](https://kiro.dev/docs/cli/enterprise/concepts/#kiro-enterprise-user) for service improvement.
+**Info**
+If you have an Amazon Q Developer Pro subscription and access Kiro through your AWS account with the Amazon Q Developer Pro subscription, then Kiro will not use your content for service improvement.
+## Opt out of data sharing[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opt-out-of-data-sharing)
+By default, Kiro collects usage data, errors, crash reports, and other metrics as well as content for service improvement from Kiro Free Tier users and Kiro individual subscribers. This section explains how to opt out of sharing your data in Kiro for Kiro Free Tier and Kiro individual subscribers. For information on how Kiro uses this data, see [Kiro service improvement](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#service-improvement).
+[Kiro enterprise users](https://kiro.dev/docs/cli/enterprise/concepts/#kiro-enterprise-user) are automatically opted out of telemetry and content collection by AWS. Telemetry collection settings for [user activity reports](https://kiro.dev/docs/cli/enterprise/monitor-and-track/user-activity/) are controlled by the administrator in the Kiro console and cannot be configured by Kiro enterprise users. For more information, see [Kiro enterprise settings](https://kiro.dev/docs/cli/enterprise/settings).
+### Opting out of sharing data in the IDE[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opting-out-of-sharing-data-in-the-ide)
+To opt out of sharing your client-side telemetry and content in the Kiro IDE, use this procedure:
+  1. Open **Settings** in Kiro.
+  2. Switch to the **User** sub-tab.
+  3. Choose **Application** , and then choose **Telemetry and Content**.
+  4. To opt out of telemetry collection, uncheck the box for **Data Sharing and Prompt Logging: Usage Analytics And Performance Metrics**. To opt out of content collection, uncheck the box for **Data Sharing and Prompt Logging: Content Collection for Service Improvement**.
+
+
+### Opting out of sharing data in the CLI[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opting-out-of-sharing-data-in-the-cli)
+To opt out of sharing your client-side telemetry and content in the Kiro CLI, use this procedure:
+  1. Open **Preferences** in the Kiro CLI application.
+  2. To opt out of telemetry collection, toggle off the **Telemetry** setting. To opt out of content collection, toggle off the **Share Kiro content with AWS** setting.
+
+
+## Types of telemetry collected[](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#types-of-telemetry-collected)
+  * **Usage data** — Information such as the Kiro version, operating system (Windows, Linux, or macOS), and the anonymous machine ID.
+  * **Performance metrics** — The request count, errors, and latency for various features: 
+    * Login
+    * Tab completion
+    * Code generation
+    * Steering
+    * Hooks
+    * Spec generation
+    * Tools
+    * MCP
+
+
+Page updated: November 24, 2025
+[Privacy and security](https://kiro.dev/docs/cli/privacy-and-security/)
+[Compliance validation](https://kiro.dev/docs/cli/privacy-and-security/compliance-validation/)
+On this page
+  * [Data storage](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#data-storage)
+  * [AWS regions where content is stored and processed](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#aws-regions-where-content-is-stored-and-processed)
+  * [Cross-region processing](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#cross-region-processing)
+  * [Cross-region inference](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#cross-region-inference)
+  * [Supported regions for Kiro cross-region inference](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#supported-regions-for-kiro-cross-region-inference)
+  * [Global cross-region inference for experimental features](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#global-cross-region-inference-for-experimental-features)
+  * [Data encryption](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#data-encryption)
+  * [Encryption in transit](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#encryption-in-transit)
+  * [Encryption at rest](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#encryption-at-rest)
+  * [Service improvement](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#service-improvement)
+  * [Kiro content used for service improvement](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#kiro-content-used-for-service-improvement)
+  * [Opt out of data sharing](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opt-out-of-data-sharing)
+  * [Opting out of sharing data in the IDE](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opting-out-of-sharing-data-in-the-ide)
+  * [Opting out of sharing data in the CLI](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#opting-out-of-sharing-data-in-the-cli)
+  * [Types of telemetry collected](https://kiro.dev/docs/cli/privacy-and-security/data-protection/#types-of-telemetry-collected)

package/.kiro/documentation/docs_cli_privacy-and-security_firewalls.md

@@ -0,0 +1,26 @@
+# Configuring a firewall, proxy server, or data perimeter for Kiro
+If you're using a firewall, proxy server, or [data perimeter](https://aws.amazon.com/identity/data-perimeters-on-aws/), make sure to allowlist traffic to the following URLs and Amazon Resource Names (ARNs) so that Kiro works as expected.
+## General urls to allowlist[](https://kiro.dev/docs/cli/privacy-and-security/firewalls/#general-urls-to-allowlist)
+In the following URLs, replace:
+  * `idc-directory-id-or-alias` with your IAM Identity Center instance's directory ID or alias. For more information about IAM Identity Center, see [What is IAM Identity Center?](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the AWS IAM Identity Center User Guide.
+  * `sso-region` with the AWS Region where your IAM Identity Center instance is enabled.
+
+URL | Purpose  
+---|---  
+<idc-directory-id-or-alias>.awsapps.com | Authentication  
+oidc.<sso-region>.amazonaws.com | Authentication  
+*.sso.<sso-region>.amazonaws.com | Authentication  
+*.sso-portal.<sso-region>.amazonaws.com | Authentication  
+*.aws.dev | Authentication  
+*.awsstatic.com | Authentication  
+*.console.aws.a2z.com | Authentication  
+*.sso.amazonaws.com | Authentication  
+<https://aws-toolkit-language-servers.amazonaws.com/>* | Kiro, language processing  
+<https://aws-language-servers.us-east-1.amazonaws.com/>* | Kiro, language processing  
+<https://client-telemetry.us-east-1.amazonaws.com> | Kiro, telemetry  
+cognito-identity.us-east-1.amazonaws.com | Kiro, telemetry  
+Page updated: November 16, 2025
+[Infrastructure security](https://kiro.dev/docs/cli/privacy-and-security/infrastructure-security/)
+[VPC endpoints (AWS PrivateLink)](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/)
+On this page
+  * [General urls to allowlist](https://kiro.dev/docs/cli/privacy-and-security/firewalls/#general-urls-to-allowlist)

package/.kiro/documentation/docs_cli_privacy-and-security_infrastructure-security.md

@@ -0,0 +1,10 @@
+# Infrastructure security in Kiro
+As a managed service, Kiro is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in _Security Pillar AWS Well‐Architected Framework_. You use AWS published API calls to access Kiro through the network. Clients must support the following:
+  * Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+  * Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
+
+
+Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) (AWS STS) to generate temporary security credentials to sign requests.
+Page updated: November 12, 2025
+[Compliance validation](https://kiro.dev/docs/cli/privacy-and-security/compliance-validation/)
+[Firewalls, proxies, and data perimeters](https://kiro.dev/docs/cli/privacy-and-security/firewalls/)

package/.kiro/documentation/docs_cli_privacy-and-security_vpc-endpoints.md

@@ -0,0 +1,41 @@
+# Kiro and interface endpoints (AWS PrivateLink)
+You can establish a private connection between your VPC and Kiro by creating an interface VPC endpoint. Interface endpoints are powered by [AWS PrivateLink](https://aws.amazon.com/privatelink/), a technology that enables you to privately access Kiro APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Kiro APIs. Traffic between your VPC and Kiro does not leave the Amazon network.
+Each interface endpoint is represented by one or more [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in your subnets.
+For more information, see [Interface VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the Amazon VPC User Guide.
+## Considerations for Kiro VPC endpoints[](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#considerations-for-kiro-vpc-endpoints)
+Before you set up an interface VPC endpoint for Kiro, ensure that you review [Interface endpoint properties and limitations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#vpce-interface-limitations) in the Amazon VPC User Guide.
+Kiro supports making calls to all of its API actions from your VPC, in the context of services that are configured to work with Kiro.
+## Prerequisites[](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#prerequisites)
+Before you begin any of the procedures below, ensure that you have the following:
+  * An AWS account with appropriate permissions to create and configure resources.
+  * A VPC already created in your AWS account.
+  * Familiarity with AWS services, especially Amazon VPC and Kiro.
+
+
+## Creating an interface VPC endpoint for Kiro[](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#creating-an-interface-vpc-endpoint-for-kiro)
+You can create a VPC endpoint for Kiro using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint) in the Amazon VPC User Guide.
+Create the following VPC endpoints for Kiro using the following service names:
+  * com.amazonaws.us-east-1.q
+  * com.amazonaws.eu-central-1.q
+  * com.amazonaws.us-east-1.codewhisperer
+
+
+**Info**
+Kiro supports Amazon Q Developer profiles in the US East (N. Virginia) and Europe (Frankfurt) regions. Also, the Amazon CodeWhisperer endpoint (com.amazonaws.us-east-1.codewhisperer) is only supported in the US East (N. Virginia) Region.
+If you enable private DNS for the endpoint, you can make API requests to Kiro using its default DNS name for the Region, for example, `q.us-east-1.amazonaws.com`.
+For more information, see [Accessing a service through an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#access-service-though-endpoint) in the Amazon VPC User Guide.
+## Using an on-premises computer to connect to a Kiro endpoint[](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#using-an-on-premises-computer-to-connect-to-a-kiro-endpoint)
+This section describes the process of using an on-premises computer to connect to Kiro through a AWS PrivateLink endpoint in your AWS VPC.
+  1. [Create a VPN connection between your on-premises device and your VPC](https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-user-what-is.html).
+  2. [Create an interface VPC endpoint for Kiro](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#creating-an-interface-vpc-endpoint-for-kiro).
+  3. [Set up an inbound Amazon Route 53 endpoint](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-vpc-interface-endpoint.html). This will enable you to use the DNS name of your Kiro endpoint from your on-premises device.
+
+
+Page updated: December 10, 2025
+[Firewalls, proxies, and data perimeters](https://kiro.dev/docs/cli/privacy-and-security/firewalls/)
+[CLI commands](https://kiro.dev/docs/cli/reference/cli-commands/)
+On this page
+  * [Considerations for Kiro VPC endpoints](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#considerations-for-kiro-vpc-endpoints)
+  * [Prerequisites](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#prerequisites)
+  * [Creating an interface VPC endpoint for Kiro](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#creating-an-interface-vpc-endpoint-for-kiro)
+  * [Using an on-premises computer to connect to a Kiro endpoint](https://kiro.dev/docs/cli/privacy-and-security/vpc-endpoints/#using-an-on-premises-computer-to-connect-to-a-kiro-endpoint)