Extract storage resources from stack and update nag suppressions

Author: kris-szlapa

packages/cdk/nagSuppressions.ts

@@ -91,7 +91,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress S3 warnings on EpsAssistDocsBucket
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/EpsAssistDocsBucket/Resource",
+    "/EpsAssistMeStack/Storage/EpsAssistDocsBucket/Resource",
     [
       {
         id: "AwsSolutions-S1",
@@ -135,7 +135,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress warnings on access logs bucket
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/EpsAssistAccessLogsBucket/Resource",
+    "/EpsAssistMeStack/Storage/EpsAssistAccessLogsBucket/Resource",
     [
       {
         id: "AwsSolutions-S10",
@@ -159,7 +159,7 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress SSL warning on actual access log bucket policy resource
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/EpsAssistAccessLogsBucket/Policy/Resource",
+    "/EpsAssistMeStack/Storage/EpsAssistAccessLogsBucket/Policy/Resource",
     [
       {
         id: "AwsSolutions-S10",
@@ -177,7 +177,7 @@ export const nagSuppressions = (stack: Stack) => {
         id: "AwsSolutions-IAM5",
         reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
         appliesTo: [
-          "Resource::<EpsAssistDocsBucketD6886E55.Arn>/*",
+          "Resource::<StorageEpsAssistDocsBucketD6886E55.Arn>/*",
           "Action::aoss:*",
           "Resource::*",
           "Resource::<OsCollection.Arn>/*",

packages/cdk/resources/Storage.ts

@@ -0,0 +1,63 @@
+import {Construct} from "constructs"
+import {RemovalPolicy} from "aws-cdk-lib"
+import {
+  Bucket,
+  BucketEncryption,
+  BlockPublicAccess,
+  ObjectOwnership
+} from "aws-cdk-lib/aws-s3"
+import {Key} from "aws-cdk-lib/aws-kms"
+import * as iam from "aws-cdk-lib/aws-iam"
+
+export interface StorageProps {
+  bedrockExecutionRole: iam.Role
+}
+
+export class Storage extends Construct {
+  public readonly kbDocsBucket: Bucket
+  public readonly accessLogBucket: Bucket
+  public readonly kbDocsKey: Key
+
+  constructor(scope: Construct, id: string, props: StorageProps) {
+    super(scope, id)
+
+    // Define the S3 bucket for access logs
+    this.accessLogBucket = new Bucket(this, "EpsAssistAccessLogsBucket", {
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+      encryption: BucketEncryption.KMS,
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      enforceSSL: true,
+      versioned: false,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
+    })
+
+    // Create a customer-managed KMS key
+    this.kbDocsKey = new Key(this, "KbDocsKey", {
+      enableKeyRotation: true,
+      description: "KMS key for encrypting knowledge base documents"
+    })
+
+    // Use the KMS key in your S3 bucket
+    this.kbDocsBucket = new Bucket(this, "EpsAssistDocsBucket", {
+      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+      encryption: BucketEncryption.KMS,
+      encryptionKey: this.kbDocsKey,
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      enforceSSL: true,
+      versioned: true,
+      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
+      serverAccessLogsBucket: this.accessLogBucket,
+      serverAccessLogsPrefix: "s3-access-logs/"
+    })
+
+    // Grant Bedrock permission to decrypt
+    this.kbDocsKey.addToResourcePolicy(new iam.PolicyStatement({
+      effect: iam.Effect.ALLOW,
+      principals: [new iam.ArnPrincipal(props.bedrockExecutionRole.roleArn)],
+      actions: ["kms:Decrypt", "kms:DescribeKey"],
+      resources: ["*"]
+    }))
+  }
+}

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -2,16 +2,8 @@ import {
   App,
   Stack,
   StackProps,
-  RemovalPolicy,
   CfnOutput
 } from "aws-cdk-lib"
-import {
-  Bucket,
-  BucketEncryption,
-  BlockPublicAccess,
-  ObjectOwnership
-} from "aws-cdk-lib/aws-s3"
-import {Key} from "aws-cdk-lib/aws-kms"
 import {
   CfnGuardrail,
   CfnGuardrailVersion,
@@ -28,6 +20,7 @@ import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager"
 import {nagSuppressions} from "../nagSuppressions"
 import {Apis} from "../resources/Apis"
 import {Functions} from "../resources/Functions"
+import {Storage} from "../resources/Storage"
 
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
 const COLLECTION_NAME = "eps-assist-vector-db"
@@ -90,51 +83,6 @@ export class EpsAssistMeStack extends Stack {
       tier: ssm.ParameterTier.STANDARD
     })
 
-    // Define the S3 bucket for access logs
-    const accessLogBucket = new Bucket(this, "EpsAssistAccessLogsBucket", {
-      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
-      encryption: BucketEncryption.KMS,
-      removalPolicy: RemovalPolicy.DESTROY,
-      autoDeleteObjects: true,
-      enforceSSL: true,
-      versioned: false,
-      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED
-    })
-
-    // Create a customer-managed KMS key
-    const kbDocsKey = new Key(this, "KbDocsKey", {
-      enableKeyRotation: true,
-      description: "KMS key for encrypting knowledge base documents"
-    })
-
-    // Use the KMS key in your S3 bucket
-    const kbDocsBucket = new Bucket(this, "EpsAssistDocsBucket", {
-      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
-      encryption: BucketEncryption.KMS,
-      encryptionKey: kbDocsKey,
-      removalPolicy: RemovalPolicy.DESTROY,
-      autoDeleteObjects: true,
-      enforceSSL: true,
-      versioned: true,
-      objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED,
-      serverAccessLogsBucket: accessLogBucket,
-      serverAccessLogsPrefix: "s3-access-logs/"
-    })
-
-    // Create an IAM policy for S3 access
-    const s3AccessListPolicy = new PolicyStatement({
-      actions: ["s3:ListBucket"],
-      resources: [kbDocsBucket.bucketArn]
-    })
-    s3AccessListPolicy.addCondition("StringEquals", {"aws:ResourceAccount": account})
-
-    // Create an IAM policy for S3 access
-    const s3AccessGetPolicy = new PolicyStatement({
-      actions: ["s3:GetObject", "s3:Delete*"],
-      resources: [`${kbDocsBucket.bucketArn}/*`]
-    })
-    s3AccessGetPolicy.addCondition("StringEquals", {"aws:ResourceAccount": account})
-
     // Create an IAM policy to invoke Bedrock models and access titan v1 embedding model
     const bedrockExecutionRolePolicy = new PolicyStatement()
     bedrockExecutionRolePolicy.addActions("bedrock:InvokeModel")
@@ -164,17 +112,29 @@ export class EpsAssistMeStack extends Stack {
     })
     bedrockExecutionRole.addToPolicy(bedrockExecutionRolePolicy)
     bedrockExecutionRole.addToPolicy(bedrockOSSPolicyForKnowledgeBase)
-    bedrockExecutionRole.addToPolicy(s3AccessListPolicy)
-    bedrockExecutionRole.addToPolicy(s3AccessGetPolicy)
     bedrockExecutionRole.addToPolicy(bedrockKBDeleteRolePolicy)
 
-    // Grant Bedrock permission to decrypt
-    kbDocsKey.addToResourcePolicy(new iam.PolicyStatement({
-      effect: iam.Effect.ALLOW,
-      principals: [new iam.ArnPrincipal(bedrockExecutionRole.roleArn)],
-      actions: ["kms:Decrypt", "kms:DescribeKey"],
-      resources: ["*"]
-    }))
+    // Create Storage construct
+    const storage = new Storage(this, "Storage", {
+      bedrockExecutionRole
+    })
+
+    // Create an IAM policy for S3 access
+    const s3AccessListPolicy = new PolicyStatement({
+      actions: ["s3:ListBucket"],
+      resources: [storage.kbDocsBucket.bucketArn]
+    })
+    s3AccessListPolicy.addCondition("StringEquals", {"aws:ResourceAccount": account})
+
+    // Create an IAM policy for S3 access
+    const s3AccessGetPolicy = new PolicyStatement({
+      actions: ["s3:GetObject", "s3:Delete*"],
+      resources: [`${storage.kbDocsBucket.bucketArn}/*`]
+    })
+    s3AccessGetPolicy.addCondition("StringEquals", {"aws:ResourceAccount": account})
+
+    bedrockExecutionRole.addToPolicy(s3AccessListPolicy)
+    bedrockExecutionRole.addToPolicy(s3AccessGetPolicy)
 
     // Create bedrock Guardrails for the slack bot
     const guardrail = new CfnGuardrail(this, "EpsGuardrail", {
@@ -400,7 +360,7 @@ export class EpsAssistMeStack extends Stack {
       dataSourceConfiguration: {
         type: "S3",
         s3Configuration: {
-          bucketArn: kbDocsBucket.bucketArn
+          bucketArn: storage.kbDocsBucket.bucketArn
         }
       }
     })