
Commit 5c1adc8

committed
Add suppressions for fallback ACCOUNT_ID
1 parent a68b0f5 commit 5c1adc8


1 file changed

+12
-42
lines changed


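--- a/packages/cdk/nagSuppressions.ts
+++ b/packages/cdk/nagSuppressions.ts
@@ -115,8 +115,10 @@ export const nagSuppressions = (stack: Stack) => {
 "Action::bedrock:Delete*",
 "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
 "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*",
+"Resource::arn:aws:bedrock:eu-west-2:123456789012:knowledge-base/*",
 "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
 "Resource::arn:aws:aoss:eu-west-2:591291862413:collection/*",
+"Resource::arn:aws:aoss:eu-west-2:123456789012:collection/*",
 "Resource::*"
 ]
 }
@@ -135,7 +137,9 @@ export const nagSuppressions = (stack: Stack) => {
 "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
 "Resource::arn:aws:aoss:eu-west-2:undefined:index/*",
 "Resource::arn:aws:aoss:eu-west-2:591291862413:collection/*",
-"Resource::arn:aws:aoss:eu-west-2:591291862413:index/*"
+"Resource::arn:aws:aoss:eu-west-2:591291862413:index/*",
+"Resource::arn:aws:aoss:eu-west-2:123456789012:collection/*",
+"Resource::arn:aws:aoss:eu-west-2:123456789012:index/*"
 ]
 }
 ]
@@ -152,10 +156,13 @@ export const nagSuppressions = (stack: Stack) => {
 appliesTo: [
 "Resource::arn:aws:lambda:eu-west-2:undefined:function:*",
 "Resource::arn:aws:lambda:eu-west-2:591291862413:function:*",
+"Resource::arn:aws:lambda:eu-west-2:123456789012:function:*",
 "Resource::arn:aws:bedrock:eu-west-2:undefined:guardrail/*",
 "Resource::arn:aws:bedrock:eu-west-2:591291862413:guardrail/*",
+"Resource::arn:aws:bedrock:eu-west-2:123456789012:guardrail/*",
 "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
-"Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*"
+"Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*",
+"Resource::arn:aws:bedrock:eu-west-2:123456789012:knowledge-base/*"
 ]
 }
 ]
@@ -171,7 +178,9 @@ export const nagSuppressions = (stack: Stack) => {
 reason: "SyncKnowledgeBase Lambda needs access to knowledge bases and data sources for synchronization.",
 appliesTo: [
 "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
-"Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*/data-source/*"
+"Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*/data-source/*",
+"Resource::arn:aws:bedrock:eu-west-2:123456789012:knowledge-base/*",
+"Resource::arn:aws:bedrock:eu-west-2:123456789012:knowledge-base/*/data-source/*"
 ]
 }
 ]
@@ -241,45 +250,6 @@ export const nagSuppressions = (stack: Stack) => {
 }
 ]
 )
-
-// Suppress CFN Guard rule for S3 to Lambda permission
-safeAddNagSuppression(
-stack,
-"/EpsAssistMeStack/S3ToSyncKnowledgeBaseLambdaPermission",
-[
-{
-id: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-reason: "S3 service principal is required for bucket notifications to Lambda"
-}
-]
-)
-
-// Suppress CFN Guard rule for API Gateway Lambda permissions
-safeAddNagSuppressionGroup(
-stack,
-[
-"/EpsAssistMeStack/Apis/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/ApiPermission.EpsAssistMeStackApisEpsAssistApiGateway1E1CF19C.POST..slack.ask-eps",
-"/EpsAssistMeStack/Apis/EpsAssistApiGateway/ApiGateway/Default/slack/ask-eps/POST/ApiPermission.Test.EpsAssistMeStackApisEpsAssistApiGateway1E1CF19C.POST..slack.ask-eps"
-],
-[
-{
-id: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-reason: "API Gateway service principal is required for Lambda invocation"
-}
-]
-)
-
-// Suppress CFN Guard rule for auto-generated S3 bucket notification permission
-safeAddNagSuppression(
-stack,
-"/EpsAssistMeStack/Storage/DocsBucket/epsam-Docs/AllowBucketNotificationsToEpsAssistMeStackFunctionsSyncKnowledgeBaseFunctionepsamSyncKnowledgeBaseFunction94D011F3",
-[
-{
-id: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
-reason: "S3 service principal is required for bucket notifications to Lambda"
-}
-]
-)
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {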
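Review bot: The added `123456789012` entries in the first four hunks make each `appliesTo` list enumerate three account-id variants of the same ARN (`undefined`, `591291862413`, and now the fallback), so the suppression matches whatever account segment the ARN happened to be built with, including the `undefined` case that indicates the account id was not resolved at synth time; suppressing that variant hides a malformed policy resource rather than fixing it. Build the account segment once from the same value the stack uses to construct these ARNs and derive the list with a small helper, e.g. `const arnFor = (service: string, suffix: string) => \`Resource::arn:aws:${service}:eu-west-2:${accountId}:${suffix}\``, and consider failing synth when the account id is unset instead of carrying the `undefined` entries. The fifth hunk removes the three `LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED` suppressions, which the commit title does not mention; a one-line note in the description on why those findings no longer need suppressing would help reviewers confirm it is intentional. The enclosing `nagSuppressions` function starts before the first hunk.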
