Remove invalid suppressions and add correct BucketNotificationsHandler suppressions

kris-szlapa · kris-szlapa · commit aac6b333b1aa · 2025-08-06T10:45:01.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -214,28 +214,29 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
-  // Suppress custom resource IAM permissions for S3 Lambda notification
+  // Suppress AWS managed policy usage in BucketNotificationsHandler
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/S3ToSyncKnowledgeBase/BucketNotification/CustomResourcePolicy/Resource",
+    "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource",
     [
       {
-        id: "AwsSolutions-IAM5",
-        reason: "Custom resource requires wildcard permissions to manage S3 bucket notifications and Lambda permissions.",
+        id: "AwsSolutions-IAM4",
+        reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",
         appliesTo: [
-          "Resource::*"
+          "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
         ]
       }
     ]
   )
 
+  // Suppress wildcard permissions for BucketNotificationsHandler default policy
   safeAddNagSuppression(
     stack,
-    "/EpsAssistMeStack/S3ToSyncKnowledgeBase/LambdaPermission/CustomResourcePolicy/Resource",
+    "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Custom resource requires wildcard permissions to manage Lambda permissions.",
+        reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications.",
         appliesTo: [
           "Resource::*"
         ]

Original file line number	Diff line number	Diff line change
`@@ -214,28 +214,29 @@ export const nagSuppressions = (stack: Stack) => {`
`214`	`214`	`]`
`215`	`215`	`)`
`216`	`216`
`217`		`- // Suppress custom resource IAM permissions for S3 Lambda notification`
	`217`	`+ // Suppress AWS managed policy usage in BucketNotificationsHandler`
`218`	`218`	`safeAddNagSuppression(`
`219`	`219`	`stack,`
`220`		`- "/EpsAssistMeStack/S3ToSyncKnowledgeBase/BucketNotification/CustomResourcePolicy/Resource",`
	`220`	`+ "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource",`
`221`	`221`	`[`
`222`	`222`	`{`
`223`		`- id: "AwsSolutions-IAM5",`
`224`		`- reason: "Custom resource requires wildcard permissions to manage S3 bucket notifications and Lambda permissions.",`
	`223`	`+ id: "AwsSolutions-IAM4",`
	`224`	`+ reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",`
`225`	`225`	`appliesTo: [`
`226`		`- "Resource::*"`
	`226`	`+ "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"`
`227`	`227`	`]`
`228`	`228`	`}`
`229`	`229`	`]`
`230`	`230`	`)`
`231`	`231`
	`232`	`+ // Suppress wildcard permissions for BucketNotificationsHandler default policy`
`232`	`233`	`safeAddNagSuppression(`
`233`	`234`	`stack,`
`234`		`- "/EpsAssistMeStack/S3ToSyncKnowledgeBase/LambdaPermission/CustomResourcePolicy/Resource",`
	`235`	`+ "/EpsAssistMeStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource",`
`235`	`236`	`[`
`236`	`237`	`{`
`237`	`238`	`id: "AwsSolutions-IAM5",`
`238`		`- reason: "Custom resource requires wildcard permissions to manage Lambda permissions.",`
	`239`	`+ reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications.",`
`239`	`240`	`appliesTo: [`
`240`	`241`	`"Resource::*"`
`241`	`242`	`]`