Suppress S3 wildcard permissions for SyncKnowledgeBase Lambda default policy

kris-szlapa · kris-szlapa · commit 011c23b88615 · 2025-08-06T12:57:36.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -49,6 +49,25 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  // Suppress S3 wildcard permissions for SyncKnowledgeBase Lambda default policy
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/Functions/SyncKnowledgeBaseFunction/LambdaRole/DefaultPolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "S3 wildcard permissions are required for Lambda to read from knowledge base documents bucket.",
+        appliesTo: [
+          "Action::s3:GetBucket*",
+          "Action::s3:GetObject*",
+          "Action::s3:List*",
+          `Resource::<StorageDocsBucket${stackName}Docs075F648F.Arn>/*`,
+          `Resource::<StorageDocsBucket${stackName}DocsF25F63F1.Arn>/*`
+        ]
+      }
+    ]
+  )
+
   // Suppress API Gateway validation warning for Apis construct
   safeAddNagSuppression(
     stack,
