Move CDK-nag suppression to apply to ManagedPolicy construct instead of PolicyStatement

kris-szlapa · kris-szlapa · commit acf74c324b03 · 2025-08-04T12:34:00.000Z
diff --git a/packages/cdk/resources/IamResources.ts b/packages/cdk/resources/IamResources.ts
@@ -67,15 +67,6 @@ export class IamResources extends Construct {
       conditions: {"StringEquals": {"aws:ResourceAccount": props.account}}
     })
 
-    // Suppress CDK-nag warning for S3 wildcard resource
-    NagSuppressions.addResourceSuppressions(s3AccessGetPolicy, [
-      {
-        id: "AwsSolutions-IAM5",
-        reason: "Bedrock Knowledge Base requires wildcard access to read all objects in the S3 bucket",
-        appliesTo: [`Resource::${props.kbDocsBucket.bucketArn}/*`]
-      }
-    ])
-
     // KMS permissions for S3 bucket encryption
     const kmsAccessPolicy = new PolicyStatement({
       actions: ["kms:Decrypt", "kms:DescribeKey"],
@@ -96,6 +87,15 @@ export class IamResources extends Construct {
       ]
     })
 
+    // Suppress CDK-nag warning for S3 wildcard resource
+    NagSuppressions.addResourceSuppressions(bedrockExecutionManagedPolicy, [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Bedrock Knowledge Base requires wildcard access to read all objects in the S3 bucket",
+        appliesTo: [`Resource::${props.kbDocsBucket.bucketArn}/*`]
+      }
+    ])
+
     // Create Bedrock execution role with managed policy
     this.bedrockExecutionRole = new Role(this, "EpsAssistMeBedrockExecutionRole", {
       assumedBy: new ServicePrincipal("bedrock.amazonaws.com"),
