Remove all appliesTo arrays to use blanket NAG suppressions

kris-szlapa · kris-szlapa · commit af44ed9208d1 · 2025-08-26T11:39:21.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -4,18 +4,14 @@ import {NagPackSuppression, NagSuppressions} from "cdk-nag"
 
 export const nagSuppressions = (stack: Stack) => {
   const stackName = stack.node.tryGetContext("stackName") || "epsam"
-  const account = Stack.of(stack).account
   // Suppress granular wildcard on log stream for SlackBot Lambda
   safeAddNagSuppression(
     stack,
     "/EpsAssistMeStack/Functions/SlackBotLambda/LambdaPutLogsManagedPolicy/Resource",
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Wildcard permissions for log stream access are required and scoped appropriately.",
-        appliesTo: [
-          "Resource::<FunctionsSlackBotLambdaLambdaLogGroup3597D783.Arn>:log-stream:*"
-        ]
+        reason: "Wildcard permissions for log stream access are required and scoped appropriately."
       }
     ]
   )
@@ -27,10 +23,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Wildcard permissions are required for log stream access under known paths.",
-        appliesTo: [
-          "Resource::<FunctionsCreateIndexFunctionLambdaLogGroupB45008DF.Arn>:log-stream:*"
-        ]
+        reason: "Wildcard permissions are required for log stream access under known paths."
       }
     ]
   )
@@ -42,10 +35,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Wildcard permissions are required for log stream access under known paths.",
-        appliesTo: [
-          "Resource::<FunctionsSyncKnowledgeBaseFunctionLambdaLogGroupB19BE2BE.Arn>:log-stream:*"
-        ]
+        reason: "Wildcard permissions are required for log stream access under known paths."
       }
     ]
   )
@@ -109,15 +99,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
-        appliesTo: [
-          "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",
-          "Resource::<StorageDocsBucketepsampr27Docs28B71689.Arn>/*",
-          "Action::bedrock:Delete*",
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
-          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
-          "Resource::*"
-        ]
+        reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection."
       }
     ]
   )
@@ -129,11 +111,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes.",
-        appliesTo: [
-          `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
-          `Resource::arn:aws:aoss:eu-west-2:${account}:index/*`
-        ]
+        reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes."
       }
     ]
   )
@@ -145,13 +123,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda uses wildcard permissions as recommended by AWS docs for Bedrock prompt management.",
-        appliesTo: [
-          `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
-          "Resource::*",
-          "Action::kms:GenerateDataKey*",
-          "Action::kms:ReEncrypt*"
-        ]
+        reason: "SlackBot Lambda uses wildcard permissions as recommended by AWS docs for Bedrock prompt management."
       }
     ]
   )
@@ -175,7 +147,7 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-SMG4",
-        reason: "Slack bot token rotation is handled manually as part of the Slack app configuration process."
+        reason: "Slack secrets rotation is handled manually as part of the Slack app configuration process."
       }
     ]
   )
@@ -203,10 +175,7 @@ export const nagSuppressions = (stack: Stack) => {
       [
         {
           id: "AwsSolutions-IAM4",
-          reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",
-          appliesTo: [
-            "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-          ]
+          reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution."
         }
       ]
     )
@@ -217,10 +186,7 @@ export const nagSuppressions = (stack: Stack) => {
       [
         {
           id: "AwsSolutions-IAM5",
-          reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications.",
-          appliesTo: [
-            "Resource::*"
-          ]
+          reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications."
         }
       ]
     )

Original file line number	Diff line number	Diff line change
`@@ -4,18 +4,14 @@ import {NagPackSuppression, NagSuppressions} from "cdk-nag"`
`4`	`4`
`5`	`5`	`export const nagSuppressions = (stack: Stack) => {`
`6`	`6`	`const stackName = stack.node.tryGetContext("stackName") \|\| "epsam"`
`7`		`- const account = Stack.of(stack).account`
`8`	`7`	`// Suppress granular wildcard on log stream for SlackBot Lambda`
`9`	`8`	`safeAddNagSuppression(`
`10`	`9`	`stack,`
`11`	`10`	`"/EpsAssistMeStack/Functions/SlackBotLambda/LambdaPutLogsManagedPolicy/Resource",`
`12`	`11`	`[`
`13`	`12`	`{`
`14`	`13`	`id: "AwsSolutions-IAM5",`
`15`		`- reason: "Wildcard permissions for log stream access are required and scoped appropriately.",`
`16`		`- appliesTo: [`
`17`		`- "Resource::<FunctionsSlackBotLambdaLambdaLogGroup3597D783.Arn>:log-stream:*"`
`18`		`- ]`
	`14`	`+ reason: "Wildcard permissions for log stream access are required and scoped appropriately."`
`19`	`15`	`}`
`20`	`16`	`]`
`21`	`17`	`)`
`@@ -27,10 +23,7 @@ export const nagSuppressions = (stack: Stack) => {`
`27`	`23`	`[`
`28`	`24`	`{`
`29`	`25`	`id: "AwsSolutions-IAM5",`
`30`		`- reason: "Wildcard permissions are required for log stream access under known paths.",`
`31`		`- appliesTo: [`
`32`		`- "Resource::<FunctionsCreateIndexFunctionLambdaLogGroupB45008DF.Arn>:log-stream:*"`
`33`		`- ]`
	`26`	`+ reason: "Wildcard permissions are required for log stream access under known paths."`
`34`	`27`	`}`
`35`	`28`	`]`
`36`	`29`	`)`
`@@ -42,10 +35,7 @@ export const nagSuppressions = (stack: Stack) => {`
`42`	`35`	`[`
`43`	`36`	`{`
`44`	`37`	`id: "AwsSolutions-IAM5",`
`45`		`- reason: "Wildcard permissions are required for log stream access under known paths.",`
`46`		`- appliesTo: [`
`47`		`- "Resource::<FunctionsSyncKnowledgeBaseFunctionLambdaLogGroupB19BE2BE.Arn>:log-stream:*"`
`48`		`- ]`
	`38`	`+ reason: "Wildcard permissions are required for log stream access under known paths."`
`49`	`39`	`}`
`50`	`40`	`]`
`51`	`41`	`)`
`@@ -109,15 +99,7 @@ export const nagSuppressions = (stack: Stack) => {`
`109`	`99`	`[`
`110`	`100`	`{`
`111`	`101`	`id: "AwsSolutions-IAM5",`
`112`		`- reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",`
`113`		`- appliesTo: [`
`114`		`- "Resource::<StorageDocsBucketepsamDocsF25F63F1.Arn>/*",`
`115`		`- "Resource::<StorageDocsBucketepsampr27Docs28B71689.Arn>/*",`
`116`		`- "Action::bedrock:Delete*",`
`117`		- `Resource::arn:aws:bedrock:eu-west-2:${account}:knowledge-base/*`,
`118`		- `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
`119`		`- "Resource::*"`
`120`		`- ]`
	`102`	`+ reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection."`
`121`	`103`	`}`
`122`	`104`	`]`
`123`	`105`	`)`
`@@ -129,11 +111,7 @@ export const nagSuppressions = (stack: Stack) => {`
`129`	`111`	`[`
`130`	`112`	`{`
`131`	`113`	`id: "AwsSolutions-IAM5",`
`132`		`- reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes.",`
`133`		`- appliesTo: [`
`134`		- `Resource::arn:aws:aoss:eu-west-2:${account}:collection/*`,
`135`		- `Resource::arn:aws:aoss:eu-west-2:${account}:index/*`
`136`		`- ]`
	`114`	`+ reason: "Lambda needs access to all OpenSearch collections and indexes to create and manage indexes."`
`137`	`115`	`}`
`138`	`116`	`]`
`139`	`117`	`)`
`@@ -145,13 +123,7 @@ export const nagSuppressions = (stack: Stack) => {`
`145`	`123`	`[`
`146`	`124`	`{`
`147`	`125`	`id: "AwsSolutions-IAM5",`
`148`		`- reason: "SlackBot Lambda uses wildcard permissions as recommended by AWS docs for Bedrock prompt management.",`
`149`		`- appliesTo: [`
`150`		- `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
`151`		`- "Resource::*",`
`152`		`- "Action::kms:GenerateDataKey*",`
`153`		`- "Action::kms:ReEncrypt*"`
`154`		`- ]`
	`126`	`+ reason: "SlackBot Lambda uses wildcard permissions as recommended by AWS docs for Bedrock prompt management."`
`155`	`127`	`}`
`156`	`128`	`]`
`157`	`129`	`)`
`@@ -175,7 +147,7 @@ export const nagSuppressions = (stack: Stack) => {`
`175`	`147`	`[`
`176`	`148`	`{`
`177`	`149`	`id: "AwsSolutions-SMG4",`
`178`		`- reason: "Slack bot token rotation is handled manually as part of the Slack app configuration process."`
	`150`	`+ reason: "Slack secrets rotation is handled manually as part of the Slack app configuration process."`
`179`	`151`	`}`
`180`	`152`	`]`
`181`	`153`	`)`
`@@ -203,10 +175,7 @@ export const nagSuppressions = (stack: Stack) => {`
`203`	`175`	`[`
`204`	`176`	`{`
`205`	`177`	`id: "AwsSolutions-IAM4",`
`206`		`- reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution.",`
`207`		`- appliesTo: [`
`208`		`- "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"`
`209`		`- ]`
	`178`	`+ reason: "Auto-generated CDK role uses AWS managed policy for basic Lambda execution."`
`210`	`179`	`}`
`211`	`180`	`]`
`212`	`181`	`)`
`@@ -217,10 +186,7 @@ export const nagSuppressions = (stack: Stack) => {`
`217`	`186`	`[`
`218`	`187`	`{`
`219`	`188`	`id: "AwsSolutions-IAM5",`
`220`		`- reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications.",`
`221`		`- appliesTo: [`
`222`		`- "Resource::*"`
`223`		`- ]`
	`189`	`+ reason: "Auto-generated CDK role requires wildcard permissions for S3 bucket notifications."`
`224`	`190`	`}`
`225`	`191`	`]`
`226`	`192`	`)`