Add CDK nag suppression directly to S3 policy statement to handle wildcard resource pattern

kris-szlapa · kris-szlapa · commit c51ecfdc4bb3 · 2025-08-04T12:23:46.000Z
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -96,7 +96,6 @@ export const nagSuppressions = (stack: Stack) => {
         reason: "Bedrock Knowledge Base requires these permissions to access S3 documents and OpenSearch collection.",
         appliesTo: [
           "Action::bedrock:Delete*",
-          "Resource::<StorageDocsBucket*>/*",
           "Resource::arn:aws:bedrock:eu-west-2:undefined:knowledge-base/*",
           "Resource::arn:aws:bedrock:eu-west-2:591291862413:knowledge-base/*",
           "Resource::arn:aws:aoss:eu-west-2:undefined:collection/*",
diff --git a/packages/cdk/resources/IamResources.ts b/packages/cdk/resources/IamResources.ts
@@ -6,6 +6,7 @@ import {
   ManagedPolicy
 } from "aws-cdk-lib/aws-iam"
 import {Bucket} from "aws-cdk-lib/aws-s3"
+import {NagSuppressions} from "cdk-nag"
 
 // Amazon Titan embedding model for vector generation
 const EMBEDDING_MODEL = "amazon.titan-embed-text-v2:0"
@@ -66,6 +67,15 @@ export class IamResources extends Construct {
       conditions: {"StringEquals": {"aws:ResourceAccount": props.account}}
     })
 
+    // Suppress CDK-nag warning for S3 wildcard resource
+    NagSuppressions.addResourceSuppressions(s3AccessGetPolicy, [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Bedrock Knowledge Base requires wildcard access to read all objects in the S3 bucket",
+        appliesTo: [`Resource::${props.kbDocsBucket.bucketArn}/*`]
+      }
+    ])
+
     // KMS permissions for S3 bucket encryption
     const kmsAccessPolicy = new PolicyStatement({
       actions: ["kms:Decrypt", "kms:DescribeKey"],
