Add exact S3 bucket resource pattern to BedrockExecutionManagedPolicy suppression

kris-szlapa · kris-szlapa · commit 32ad0c292ae3 · 2025-08-04T12:46:05.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -96,6 +96,7 @@ export const nagSuppressions = (stack: Stack) => {
         reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
         appliesTo: [
           "Action::bedrock:Delete*",
+          "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",
           "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
           "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*",
           "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
diff --git a/packages/cdk/resources/IamResources.ts b/packages/cdk/resources/IamResources.ts
@@ -6,7 +6,6 @@ import {
   ManagedPolicy
 } from "aws-cdk-lib/aws-iam"
 import {Bucket} from "aws-cdk-lib/aws-s3"
-import {NagSuppressions} from "cdk-nag"
 
 // Amazon Titan embedding model for vector generation
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
@@ -87,15 +86,6 @@ export class IamResources extends Construct {
       ]
     })
 
-    // Suppress CDK-nag warning for S3 wildcard resource
-    NagSuppressions.addResourceSuppressions(bedrockExecutionManagedPolicy, [
-      {
-        id: "AwsSolutions-IAM5",
-        reason: "Bedrock Knowledge Base requires wildcard access to read all objects in the S3 bucket",
-        appliesTo: [`Resource::${props.kbDocsBucket.bucketArn}/*`]
-      }
-    ])
-
     // Create Bedrock execution role with managed policy
     this.bedrockExecutionRole = new Role(this, "EpsAssistMeBedrockExecutionRole", {
       assumedBy: new ServicePrincipal("bedrock.amazonaws.com"),
