Update NAG suppression for SlackBot managed policy

kris-szlapa · kris-szlapa · commit 521995fe0f1b · 2025-07-29T15:07:30.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -127,16 +127,17 @@ export const nagSuppressions = (stack: Stack) => {
   // Suppress wildcard permissions for SlackBot managed policy
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/IamResources/SlackBotManagedPolicy/Resource",
+    "/EpsAssistMeStack/Functions/SlackBotManagedPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda needs access to all guardrails and functions for content filtering and self-invocation.",
+        reason: "SlackBot Lambda needs access to all guardrails, knowledge bases, and functions for content filtering and self-invocation.",
         appliesTo: [
           "Resource::arn:aws:lambda:eu-west-2:undefined:function:*",
           "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",
           "Resource::arn:aws:bedrock:eu-west-2:undefined:guardrail/*",
           "Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*",
+          "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
           "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*"
         ]
       }

Original file line number	Diff line number	Diff line change
`@@ -127,16 +127,17 @@ export const nagSuppressions = (stack: Stack) => {`
`127`	`127`	`// Suppress wildcard permissions for SlackBot managed policy`
`128`	`128`	`safeAddNagSuppression(`
`129`	`129`	`stack,`
`130`		`- "/EpsAssistMeStack/IamResources/SlackBotManagedPolicy/Resource",`
	`130`	`+ "/EpsAssistMeStack/Functions/SlackBotManagedPolicy/Resource",`
`131`	`131`	`[`
`132`	`132`	`{`
`133`	`133`	`id: "AwsSolutions-IAM5",`
`134`		`- reason: "SlackBot Lambda needs access to all guardrails and functions for content filtering and self-invocation.",`
	`134`	`+ reason: "SlackBot Lambda needs access to all guardrails, knowledge bases, and functions for content filtering and self-invocation.",`
`135`	`135`	`appliesTo: [`
`136`	`136`	`"Resource::arn:aws:lambda:eu-west-2:undefined:function:*",`
`137`	`137`	`"Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",`
`138`	`138`	`"Resource::arn:aws:bedrock:eu-west-2:undefined:guardrail/*",`
`139`	`139`	`"Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*",`
	`140`	`+ "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",`
`140`	`141`	`"Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*"`
`141`	`142`	`]`
`142`	`143`	`}`