Add comprehensive Bedrock Prompt Management permissions

kris-szlapa · kris-szlapa · commit c1f4bb4794c1 · 2025-08-22T20:31:31.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -145,11 +145,12 @@ export const nagSuppressions = (stack: Stack) => {
     [
       {
         id: "AwsSolutions-IAM5",
-        reason: "SlackBot Lambda needs wildcard access for Lambda functions (self-invocation), KMS operations, and Bedrock prompts.",
+        reason: "SlackBot Lambda requires wildcard access for Lambda, KMS, and Bedrock resources.",
         appliesTo: [
           `Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
           `Resource::arn:aws:bedrock:eu-west-2:${account}:prompt/*`,
-          `Resource::arn:aws:bedrock:eu-west-2:${account}:prompt/${stackName}-queryReformulation:*`,
+          `Resource::arn:aws:bedrock:eu-west-2::foundation-model/*`,
+          `Resource::arn:aws:bedrock:eu-west-2:${account}:inference-profile/*`,
           "Action::kms:GenerateDataKey*",
           "Action::kms:ReEncrypt*"
         ]
diff --git a/packages/cdk/resources/RuntimePolicies.ts b/packages/cdk/resources/RuntimePolicies.ts
@@ -63,10 +63,27 @@ export class RuntimePolicies extends Construct {
     })
 
     const slackBotPromptPolicy = new PolicyStatement({
-      actions: ["bedrock:GetPrompt"],
+      actions: [
+        "bedrock:CreatePrompt",
+        "bedrock:UpdatePrompt", 
+        "bedrock:GetPrompt",
+        "bedrock:ListPrompts",
+        "bedrock:DeletePrompt",
+        "bedrock:CreatePromptVersion",
+        "bedrock:OptimizePrompt",
+        "bedrock:GetFoundationModel",
+        "bedrock:ListFoundationModels",
+        "bedrock:GetInferenceProfile",
+        "bedrock:ListInferenceProfiles",
+        "bedrock:RenderPrompt",
+        "bedrock:TagResource",
+        "bedrock:UntagResource",
+        "bedrock:ListTagsForResource"
+      ],
       resources: [
-        `arn:aws:bedrock:${props.region}:${props.account}:prompt/${props.promptName}`,
-        `arn:aws:bedrock:${props.region}:${props.account}:prompt/${props.promptName}:*`
+        `arn:aws:bedrock:${props.region}:${props.account}:prompt/*`,
+        `arn:aws:bedrock:${props.region}::foundation-model/*`,
+        `arn:aws:bedrock:${props.region}:${props.account}:inference-profile/*`
       ]
     })
 

Original file line number	Diff line number	Diff line change
`@@ -145,11 +145,12 @@ export const nagSuppressions = (stack: Stack) => {`
`145`	`145`	`[`
`146`	`146`	`{`
`147`	`147`	`id: "AwsSolutions-IAM5",`
`148`		`- reason: "SlackBot Lambda needs wildcard access for Lambda functions (self-invocation), KMS operations, and Bedrock prompts.",`
	`148`	`+ reason: "SlackBot Lambda requires wildcard access for Lambda, KMS, and Bedrock resources.",`
`149`	`149`	`appliesTo: [`
`150`	`150`	`Resource::arn:aws:lambda:eu-west-2:${account}:function:*`,
`151`	`151`	`Resource::arn:aws:bedrock:eu-west-2:${account}:prompt/*`,
`152`		- `Resource::arn:aws:bedrock:eu-west-2:${account}:prompt/${stackName}-queryReformulation:*`,
	`152`	+ `Resource::arn:aws:bedrock:eu-west-2::foundation-model/*`,
	`153`	+ `Resource::arn:aws:bedrock:eu-west-2:${account}:inference-profile/*`,
`153`	`154`	`"Action::kms:GenerateDataKey*",`
`154`	`155`	`"Action::kms:ReEncrypt*"`
`155`	`156`	`]`