Add KMS wildcard permission suppressions for SlackBotManagedPolicy

kris-szlapa · kris-szlapa · commit 96ae0e231d19 · 2025-08-15T09:02:08.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -134,7 +134,9 @@ export const nagSuppressions = (stack: Stack) => {
         appliesTo: [
           `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
           `Resource::arn:aws:bedrock:eu-west-2:${account}:guardrail/*`,
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
+          "Action::kms:GenerateDataKey*",
+          "Action::kms:ReEncrypt*"
         ]
       }
     ]

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,9 @@ export const nagSuppressions = (stack: Stack) => {`
`134`	`134`	`appliesTo: [`
`135`	`135`	`Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
`136`	`136`	`Resource::arn:aws:bedrock:eu-west-2:${account}:guardrail/*`,
`137`		- `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`
	`137`	+ `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
	`138`	`+ "Action::kms:GenerateDataKey*",`
	`139`	`+ "Action::kms:ReEncrypt*"`
`138`	`140`	`]`
`139`	`141`	`}`
`140`	`142`	`]`