Use wildcard permissions as recommended by AWS docs for Bedrock prompt management

Author: kris-szlapa

packages/cdk/nagSuppressions.ts

@@ -145,12 +145,10 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda requires wildcard access for Lambda, KMS, and Bedrock resources.",
+        reason: "SlackBot Lambda uses wildcard permissions as recommended by AWS docs for Bedrock prompt management.",
         appliesTo: [
           `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:prompt/*`,
-          `Resource::arn:aws:bedrock:eu-west-2::foundation-model/*`,
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:inference-profile/*`,
+          "Resource::*",
           "Action::kms:GenerateDataKey*",
           "Action::kms:ReEncrypt*"
         ]

packages/cdk/resources/RuntimePolicies.ts

@@ -62,6 +62,7 @@ export class RuntimePolicies extends Construct {
       ]
     })
 
+    // Compehensive Bedrock prompt policy - includes all prompt management permissions
     const slackBotPromptPolicy = new PolicyStatement({
       actions: [
         "bedrock:CreatePrompt",
@@ -80,11 +81,7 @@ export class RuntimePolicies extends Construct {
         "bedrock:UntagResource",
         "bedrock:ListTagsForResource"
       ],
-      resources: [
-        `arn:aws:bedrock:${props.region}:${props.account}:prompt/*`,
-        `arn:aws:bedrock:${props.region}::foundation-model/*`,
-        `arn:aws:bedrock:${props.region}:${props.account}:inference-profile/*`
-      ]
+      resources: ["*"] // Use wildcard as recommended by AWS docs
     })
 
     const slackBotKnowledgeBasePolicy = new PolicyStatement({