Remove appliesTo in Bedrock execution role policy suppressions

kris-szlapa · kris-szlapa · commit 76df7be0652b · 2025-08-26T11:07:14.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -109,15 +109,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
-        appliesTo: [
-          "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",
-          "Resource::<StorageDocsBucketepsampr20Docs075F648F.Arn>/*",
-          "Action::bedrock:Delete*",
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
-          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
-          "Resource::*"
-        ]
+        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection."
       }
     ]
   )

Original file line number	Diff line number	Diff line change
`@@ -109,15 +109,7 @@ export const nagSuppressions = (stack: Stack) => {`
`109`	`109`	`[`
`110`	`110`	`{`
`111`	`111`	`id: "AwsSolutions-IAM5",`
`112`		`- reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",`
`113`		`- appliesTo: [`
`114`		`- "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",`
`115`		`- "Resource::<StorageDocsBucketepsampr20Docs075F648F.Arn>/*",`
`116`		`- "Action::bedrock:Delete*",`
`117`		- `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
`118`		- `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
`119`		`- "Resource::*"`
`120`		`- ]`
	`112`	`+ reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection."`
`121`	`113`	`}`
`122`	`114`	`]`
`123`	`115`	`)`