added kb s3 bucket check rule

cyphronix · cyphronix · commit 742f13af05d8 · 2025-03-01T12:09:36.000-07:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_kb_s3_bucket/app.py
@@ -0,0 +1,139 @@
+"""Config rule to check knowledge base S3 bucket configuration for Bedrock environments.
+
+Version: 1.0
+
+Config rule for SRA in the repo, https://github.com/aws-samples/aws-security-reference-architecture-examples
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import logging
+import os
+from typing import Any
+
+import boto3
+from botocore.exceptions import ClientError
+
+# Setup Default Logger
+LOGGER = logging.getLogger(__name__)
+log_level = os.environ.get("LOG_LEVEL", logging.INFO)
+LOGGER.setLevel(log_level)
+LOGGER.info(f"boto3 version: {boto3.__version__}")
+
+# Get AWS region from environment variable
+AWS_REGION = os.environ.get("AWS_REGION")
+
+# Initialize AWS clients
+bedrock_agent_client = boto3.client("bedrock-agent", region_name=AWS_REGION)
+s3_client = boto3.client("s3", region_name=AWS_REGION)
+config_client = boto3.client("config", region_name=AWS_REGION)
+
+def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:
+    """Evaluate if Bedrock Knowledge Base S3 bucket has required configurations.
+
+    Args:
+        rule_parameters (dict): Rule parameters from AWS Config rule.
+
+    Returns:
+        tuple[str, str]: Compliance status and annotation
+    """
+    try:
+        # Get all knowledge bases
+        non_compliant_buckets = []
+        paginator = bedrock_agent_client.get_paginator("list_knowledge_bases")
+        
+        for page in paginator.paginate():
+            for kb in page["knowledgeBaseSummaries"]:
+                kb_details = bedrock_agent_client.get_knowledge_base(knowledgeBaseId=kb["knowledgeBaseId"])
+                data_source = bedrock_agent_client.get_data_source(
+                    knowledgeBaseId=kb["knowledgeBaseId"],
+                    dataSourceId=kb_details["dataSource"]["dataSourceId"]
+                )
+                
+                # Extract bucket name from S3 path
+                s3_path = data_source["configuration"]["s3Configuration"]["bucketName"]
+                bucket_name = s3_path.split("/")[0]
+                
+                issues = []
+                
+                # Check retention
+                if rule_parameters.get("check_retention", "true").lower() == "true":
+                    try:
+                        lifecycle = s3_client.get_bucket_lifecycle_configuration(Bucket=bucket_name)
+                        if not any(rule.get("Expiration") for rule in lifecycle.get("Rules", [])):
+                            issues.append("retention")
+                    except ClientError as e:
+                        if e.response["Error"]["Code"] == "NoSuchLifecycleConfiguration":
+                            issues.append("retention")
+
+                # Check encryption
+                if rule_parameters.get("check_encryption", "true").lower() == "true":
+                    try:
+                        encryption = s3_client.get_bucket_encryption(Bucket=bucket_name)
+                        if not encryption.get("ServerSideEncryptionConfiguration"):
+                            issues.append("encryption")
+                    except ClientError:
+                        issues.append("encryption")
+
+                # Check server access logging
+                if rule_parameters.get("check_access_logging", "true").lower() == "true":
+                    logging_config = s3_client.get_bucket_logging(Bucket=bucket_name)
+                    if not logging_config.get("LoggingEnabled"):
+                        issues.append("access logging")
+
+                # Check object lock
+                if rule_parameters.get("check_object_locking", "true").lower() == "true":
+                    try:
+                        lock_config = s3_client.get_bucket_object_lock_configuration(Bucket=bucket_name)
+                        if not lock_config.get("ObjectLockConfiguration"):
+                            issues.append("object locking")
+                    except ClientError:
+                        issues.append("object locking")
+
+                # Check versioning
+                if rule_parameters.get("check_versioning", "true").lower() == "true":
+                    versioning = s3_client.get_bucket_versioning(Bucket=bucket_name)
+                    if versioning.get("Status") != "Enabled":
+                        issues.append("versioning")
+
+                if issues:
+                    non_compliant_buckets.append(f"{bucket_name} (missing: {', '.join(issues)})")
+
+        if non_compliant_buckets:
+            return "NON_COMPLIANT", f"The following KB S3 buckets are non-compliant: {'; '.join(non_compliant_buckets)}"
+        return "COMPLIANT", "All Knowledge Base S3 buckets meet the required configurations"
+
+    except Exception as e:
+        LOGGER.error(f"Error evaluating Knowledge Base S3 bucket configurations: {str(e)}")
+        return "ERROR", f"Error evaluating compliance: {str(e)}"
+
+def lambda_handler(event: dict, context: Any) -> None:
+    """Lambda handler.
+
+    Args:
+        event (dict): Lambda event object
+        context (Any): Lambda context object
+    """
+    LOGGER.info("Evaluating compliance for AWS Config rule")
+    LOGGER.info(f"Event: {json.dumps(event)}")
+
+    invoking_event = json.loads(event["invokingEvent"])
+    rule_parameters = json.loads(event["ruleParameters"]) if "ruleParameters" in event else {}
+
+    compliance_type, annotation = evaluate_compliance(rule_parameters)
+
+    evaluation = {
+        "ComplianceResourceType": "AWS::::Account",
+        "ComplianceResourceId": event["accountId"],
+        "ComplianceType": compliance_type,
+        "Annotation": annotation,
+        "OrderingTimestamp": invoking_event["notificationCreationTime"],
+    }
+
+    LOGGER.info(f"Compliance evaluation result: {compliance_type}")
+    LOGGER.info(f"Annotation: {annotation}")
+
+    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
+
+    LOGGER.info("Compliance evaluation complete.") 
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/app.py
@@ -204,6 +204,10 @@ def load_sra_cloudwatch_dashboard() -> dict:
     + r'\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*(\{\})\}$',
     "SRA-BEDROCK-CHECK-KB-INGESTION-ENCRYPTION": r'^\{"deploy"\s*:\s*"(true|false)",\s*"accounts"\s*:\s*\[((?:"[0-9]+"(?:\s*,\s*)?)*)\],\s*"regions"\s*:\s*'
     + r'\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*(\{\})\}$',
+    "SRA-BEDROCK-CHECK-KB-S3-BUCKET": r'^\{"deploy"\s*:\s*"(true|false)",\s*"accounts"\s*:\s*\[((?:"[0-9]+"(?:\s*,\s*)?)*)\],\s*"regions"\s*:\s*'
+    + r'\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*\{(\s*"check_retention"\s*:\s*"(true|false)")?(\s*,\s*"check_encryption"\s*:\s*'
+    + r'"(true|false)")?(\s*,\s*"check_access_logging"\s*:\s*"(true|false)")?(\s*,\s*"check_object_locking"\s*:\s*"(true|false)")?(\s*,\s*'
+    + r'"check_versioning"\s*:\s*"(true|false)")?\s*\}\}$',
 }
 
 # Instantiate sra class objects
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_config_lambda_iam_permissions.json b/aws_sra_examples/solutions/genai/bedrock_org/lambda/src/sra_config_lambda_iam_permissions.json
@@ -153,5 +153,33 @@
         "Resource": "*"
       }
     ]
+  },
+  "sra-bedrock-check-kb-s3-bucket": {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AllowKnowledgeBaseAccess",
+        "Effect": "Allow",
+        "Action": [
+          "bedrock:ListKnowledgeBases",
+          "bedrock:GetKnowledgeBase",
+          "bedrock:ListDataSources",
+          "bedrock:GetDataSource"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowS3BucketAccess",
+        "Effect": "Allow",
+        "Action": [
+          "s3:GetBucketLifecycleConfiguration",
+          "s3:GetBucketEncryption",
+          "s3:GetBucketLogging",
+          "s3:GetBucketObjectLockConfiguration",
+          "s3:GetBucketVersioning"
+        ],
+        "Resource": "arn:aws:s3:::*"
+      }
+    ]
   }
 }
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml b/aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml
@@ -303,6 +303,20 @@ Parameters:
       Example: {\"deploy\": \"true\", \"accounts\": [\"123456789012\"], \"regions\": [\"us-east-1\"], \"input_params\": {}} or
       {\"deploy\": \"false\", \"accounts\": [], \"regions\": [], \"input_params\": {}}"
 
+  pBedrockKBS3BucketRuleParams:
+    Type: String
+    Default: '{"deploy": "true", "accounts": ["444455556666"], "regions": ["us-west-2"], "input_params": {"check_retention": "true", "check_encryption": "true", "check_access_logging": "true", "check_object_locking": "true", "check_versioning": "true"}}'
+    Description: Bedrock Knowledge Base S3 Bucket Config Rule Parameters
+    AllowedPattern: ^\{"deploy"\s*:\s*"(true|false)",\s*"accounts"\s*:\s*\[((?:"[0-9]+"(?:\s*,\s*)?)*)\],\s*"regions"\s*:\s*\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*\{(\s*"check_retention"\s*:\s*"(true|false)")?(\s*,\s*"check_encryption"\s*:\s*"(true|false)")?(\s*,\s*"check_access_logging"\s*:\s*"(true|false)")?(\s*,\s*"check_object_locking"\s*:\s*"(true|false)")?(\s*,\s*"check_versioning"\s*:\s*"(true|false)")?\s*\}\}$
+    ConstraintDescription: >
+      Must be a valid JSON string containing: 'deploy' (true/false), 'accounts' (array of account numbers),
+      'regions' (array of region names), and 'input_params' object with optional parameters:
+      'check_retention', 'check_encryption', 'check_access_logging', 'check_object_locking', 'check_versioning'.
+      Each parameter in 'input_params' should be either "true" or "false".
+      Arrays can be empty. 
+      Example: {"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"check_retention": "true", "check_encryption": "true", "check_access_logging": "true", "check_object_locking": "true", "check_versioning": "true"}} or
+      {"deploy": "false", "accounts": [], "regions": [], "input_params": {}}
+
 Metadata:
   AWS::CloudFormation::Interface:
     ParameterGroups:
@@ -345,6 +359,7 @@ Metadata:
           - pBedrockGuardrailEncryptionRuleParams
           - pBedrockKBLoggingRuleParams
           - pBedrockKBIngestionEncryptionRuleParams
+          - pBedrockKBS3BucketRuleParams
       - Label:
           default: Bedrock CloudWatch Metric Filters
         Parameters:
@@ -416,6 +431,8 @@ Metadata:
         default: Bedrock Knowledge Base Logging Config Rule Parameters
       pBedrockKBIngestionEncryptionRuleParams:
         default: Bedrock Knowledge Base Data Ingestion Encryption Config Rule Parameters
+      pBedrockKBS3BucketRuleParams:
+        default: Bedrock Knowledge Base S3 Bucket Config Rule Parameters
 
 Resources:
   rBedrockOrgLambdaRole:
@@ -698,6 +715,7 @@ Resources:
       SRA-BEDROCK-CENTRAL-OBSERVABILITY: !Ref pBedrockCentralObservabilityParams
       SRA-BEDROCK-CHECK-KB-LOGGING: !Ref pBedrockKBLoggingRuleParams
       SRA-BEDROCK-CHECK-KB-INGESTION-ENCRYPTION: !Ref pBedrockKBIngestionEncryptionRuleParams
+      SRA-BEDROCK-CHECK-KB-S3-BUCKET: !Ref pBedrockKBS3BucketRuleParams
 
   rBedrockOrgLambdaInvokePermission:
     Type: AWS::Lambda::Permission
