Commit a762331
SRA genai bedrock capability one (aws-samples#277)
* working on sns fanout (for config 1st)
* handle getting params for sns
* updating get accts and regions; updating delete operation
* working to download rule zip locally
* more updates for rule zip
* updates for s3 download
* add tracing for s3 downloads
* updating s3 key
* updating local path
* moving metrics/alarms to sns fanout
* working on metric/filters deployed via sns config
* still need rule_accouts, rule_regions
* must have mgmt account added
* handle blank rule/metric regions/accounts
* working on parameter validation; not functional yet
* finishing param validation function; needs testing
* adding state table
* Refactor Lambda packaging script to target src folder only
* fix template errors
* add sns topic state table record
* add iam+lambda resources to state table
* config state record
* update for config arn
* fix cfn sns resource type error; fix dynamodb resource error
* update component type
* adding tracing for dynamodb module
* fixing role state record
* fixing lambda state record
* kms key state records
* alarms sns topic state record
* metric filter state record
* add kms module tracing
* added state record function
* sink/link state records
* update description for record
* removal of state records
* update config rule search
* added todo comment
* need to use all bedrock accts and regions for delete
* fix remove state table record function
* fix kms key alias Arn format
* change docstring; update return val
* fix delete logic
* more fixes to delete logic
* change state table solution
* making lambda summary message accurate
* making lambda summary message accurate again
* add CFN_RESPONSE_DATA debug tracing
* add more CFN_RESPONSE_DATA debug tracing
* fixed action summary
* error handling for state table record removal
* add removal of dashboard on delete
* add sns fanout action to the count
* add attach policy actions to dry_run data
* simulate topic_arn for dry_run
* must create topic for fanout in dry_run mode
* handle nosuchentity error
* handle sink arn in dry_run mode
* update dry run sns publish message
* add run data logging to sns fanout
* create/upload dry_run data file
* upload sns dry run data to s3
* handle errors on cfn delete when dry_run is true
* removing completed todo comments
* switched from SECURITY_ACCOUNT to ssm_params.SRA_SECURITY_ACCT
* testing dynamodb client typechecking (related to mypy)
* added tracing
* moving DynamoDBServiceResource out of if statement
* update project.toml to support dynamodb in mypy
* add debug tracing
* try adding mypy boto3 dynamodb to requirements
* testing new method for dynamodb typechecking
* fixing extra char in line
* moved dynamodb client and resource to class module
* add more debug for assume role
* remove dynamodb client/resource function arguments
* remove config rule if deploy set to false (testing)
* ensure mgmt acct client for sns config topic
* moved config rule delete operation to functions
* moving metric filters and alarms deletes to separate function (testing)
* update filter to filter_name
* still updating filter to filter_name
* updating delete logic; separating delete filter/alarm from kms/sns topic
* add lambda function record to state table
* add delete operations for lambda function and iam execution role state records
* update execution role arn for state record
* update get execution role function
* updating execution role name for state record
* add/remove cw dashboard state table record
* removed hardcoded aws partition
* check for permissions on lambda first
* infer execution role arn on delete
* fixing ResourceNotFoundException bug (in progress)
* working on function not found bug
* add tracing for lambda bug
* rearranging code for retries
* update kms permissions (malformed)
* updating kms key policy
* update kms policy execution role statement
* update lambda client
* update for lambda data update in state table
* initial work for least privilege lambda execution role (still work to be done)
* add tracing; update permissions
* least privilege lambda execution role
* remove comments and completed todos
* type checking fixes
* kms assume_role not accessed (used in sts module)
* removing unused params from kms module
* search for kms key before creating; remove comments/cleanup
* update to include boto3 config
* permissions update; fix type error for kms policy
* update perms; filter out pending deletion keys
* updating key examination
* updating log message
* fix linting issues
* mypy fixes
* minor update to fix return response bug
* remove scope from create_config_rule
* change config rule found log message
* fix mypy errors
* fixing mypy issues
* fix mypy issues
* fix mypy issues; remove unused code and parameters (commented out for now)
* fix mypy issues
* changing definition
* update imports
* update imports
* add mypy_boto3_dynamodb to requirements
* change output types to Any; remove mypy dynamodb import
* fix mypy issues
* fixing mypy issues; closing other todos
* fix mypy errors
* fixing mypy errors
* fixing mypy errors
* fix mypy errors in ssm param module
* update for mypy errors
* fix mypy errors in app
* fixing more mypy issues with app
* fixing mypy errors in config rules
* fixing mypy errors in config rules
* fixing mypy issues in config rules
* fixing mypy errors for config rules
* fixing mypy errors for config rules
* fixing mypy issues with config rules
* fixing mypy errors in config rules
* fixing mypy errors in config
* fix mypy errors in ami bakery
* updated formatting
* fixing mypy issues again in dynamodb
* fixing flake8 errors; adding docstrings
* fixing flake8 issues
* fix flake8 errors in app
* fixing flake8 errors in app and cloudwatch module
* fix flake8 errors in config module
* reverting some flake8 updates temporarily
* fix flake8 issues in dynamodb module
* fixing flake8 issues in iam module
* fix flake8 issues in kms module
* fixes for flake8 in lambda module
* working on flake8 issues in repo module
* fix mypy and flake8 issues in s3 module
* fixing flake8 issues in sns module
* fixing flake8 issues in ssm params module
* fixing flake8 issues in sts module
* fixing mypy errors
* fix flake8 issues for config rules
* fix flake8 issues in config rules
* fix flake8 issues in config rules
* fix flake8 issues with config rules
* fix flake8 errors in config rules
* fix flake8 issues in config rules
* fix flake8 config issues
* fix flake8 issues with config rules
* fix flake8 issues with config rules
* fix code for new sts class name
* update test params in template
* fix flake8 issues in app
* updating log message
* fix for checkov errors; added DLQ and concurrency
* fix issues for isort linting
* remove/update/eval/defer todos
* fix flake8 errors
* resolving mypy errors
* black lint reformat
* resolving checkov errors
* adding documentation
* update diagram
* updating readme
* update readme
* update readme
* updating diagram
* fix logic issue
* updating default value
* skip filter deploy if log group doesn't exist
* fixing flake8 issues
* fixing dry_run/state_table issue
* skipping checkov error
* updating perms
* spelling error
* fix constraint description
* fix multiple accounts for eval job
* update param validation
* fix regex
* update constraintdescription
* updating regex
* fix ast error; fix deployment to multi-region bug
* add error handling for entityalreadyexists
* update example bucketname in template
* update example bucketnameprefix
* update regex for param validation
* fix mypy error
* fix flake8 issue
* CreateRoleResponseTypeDef and CreatePolicyResponseTypeDef error fix
* working on access denied / encrypted guardrail issue
* handling access denied encrypted guardrail error
* error handling update
* fix NoSuchLifecycleConfiguration issue
* switch to on-demand dynamodb
* update comment
* ensuring the policy template remains a template
* invalidparameterexception arn validation failed handling
* ensure global region used for iam resources
* update permissions for other accts
* updating README
* reorganizing README
* updating readme
* updating readme
* reorganizing readme
* updating readme - links
* update readme - link
* update readme
* update readme section title
* update toc
* get_partition_for_region mypy error
* reverted back to orig
* update readme
* fixing mypy errors
* fix flake8 issues
* fixing black formatter issues
* update config rule annotation wording
* formatting
* update description of zip URL param
* updating URL in readme
* update description
* add solution to main readme
* sorting readme spreadsheet
* update changelog

1 parent d7d71f9 commit a762331
File tree
43 files changed
+8394
-57
lines changed

- aws_sra_examples
- solutions
- ami_bakery/ami_bakery_org/lambda/src
- config/config_org/lambda/src
- genai/bedrock_org
- documentation
- lambda
- rules
- sra_bedrock_check_cloudwatch_endpoints
- sra_bedrock_check_eval_job_bucket
- sra_bedrock_check_guardrail_encryption
- sra_bedrock_check_guardrails
- sra_bedrock_check_iam_user_access
- sra_bedrock_check_invocation_log_cloudwatch
- sra_bedrock_check_invocation_log_s3
- sra_bedrock_check_s3_endpoints
- sra_bedrock_check_vpc_endpoints
- src
- templates
- patch_mgmt/patch_mgmt_org/lambda/src
- security_lake/security_lake_org/lambda/src
- terraform/solutions
- utils/packaging_scripts
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
60 | 79 | | |
61 | 80 | | |
62 | 81 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
140 | 140 | | |
141 | 141 | | |
142 | 142 | | |
| 143 | + | |
143 | 144 | | |
144 | 145 | | |
145 | 146 | | |
| |||
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
90 | 90 | | |
91 | 91 | | |
92 | 92 | | |
93 | | - | |
| 93 | + | |
94 | 94 | | |
95 | 95 | | |
96 | 96 | | |
| |||
104 | 104 | | |
105 | 105 | | |
106 | 106 | | |
107 | | - | |
| 107 | + | |
108 | 108 | | |
109 | 109 | | |
110 | 110 | | |
| |||
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
92 | 92 | | |
93 | 93 | | |
94 | 94 | | |
95 | | - | |
| 95 | + | |
96 | 96 | | |
97 | 97 | | |
98 | 98 | | |
| |||
0 commit comments