feat(aws): add bedrock_prompt_have_multiple_variants security check

Add new security check bedrock_prompt_have_multiple_variants for aws provider.
Includes check implementation, metadata, and unit tests.

Author: danibarranqueroo

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `bedrock_prompt_have_multiple_variants` check for aws provider [(#10905)](https://github.com/prowler-cloud/prowler/pull/10905)
 - `--repo-list-file` CLI flag for GitHub provider to load repositories from a file [(#10501)](https://github.com/prowler-cloud/prowler/pull/10501)
 - SARIF output format for the IaC provider, enabling GitHub Code Scanning integration via `--output-formats sarif` [(#10626)](https://github.com/prowler-cloud/prowler/pull/10626)
 - `repository_default_branch_dismisses_stale_reviews` check for GitHub provider to ensure stale pull request approvals are dismissed when new commits are pushed [(#10569)](https://github.com/prowler-cloud/prowler/pull/10569)

prowler/compliance/aws/iso27001_2022_aws.json

@@ -1240,6 +1240,7 @@
       "Checks": [
         "autoscaling_group_capacity_rebalance_enabled",
         "autoscaling_group_multiple_az",
+        "bedrock_prompt_have_multiple_variants",
         "cloudfront_distributions_multiple_origin_failover_configured",
         "directconnect_connection_redundancy",
         "directconnect_virtual_interface_redundancy",

prowler/compliance/aws/kisa_isms_p_2023_aws.json

@@ -2385,6 +2385,7 @@
         "autoscaling_group_multiple_az",
         "autoscaling_group_multiple_instance_types",
         "awslambda_function_vpc_multi_az",
+        "bedrock_prompt_have_multiple_variants",
         "cloudformation_stacks_termination_protection_enabled",
         "cloudfront_distributions_s3_origin_non_existent_bucket",
         "directconnect_connection_redundancy",

prowler/compliance/aws/kisa_isms_p_2023_korean_aws.json

@@ -2389,6 +2389,7 @@
         "autoscaling_group_multiple_az",
         "autoscaling_group_multiple_instance_types",
         "awslambda_function_vpc_multi_az",
+        "bedrock_prompt_have_multiple_variants",
         "cloudformation_stacks_termination_protection_enabled",
         "cloudfront_distributions_s3_origin_non_existent_bucket",
         "directconnect_connection_redundancy",

prowler/compliance/aws/nist_csf_2.0_aws.json

@@ -1389,6 +1389,7 @@
         "elb_cross_zone_load_balancing_enabled",
         "autoscaling_group_capacity_rebalance_enabled",
         "autoscaling_group_multiple_az",
+        "bedrock_prompt_have_multiple_variants",
         "vpc_vpn_connection_tunnels_up",
         "cloudfront_distributions_multiple_origin_failover_configured",
         "s3_bucket_cross_region_replication"

prowler/providers/aws/services/bedrock/bedrock_prompt_have_multiple_variants/__init__.py

@@ -0,0 +1,40 @@
+{
+  "Provider": "aws",
+  "CheckID": "bedrock_prompt_have_multiple_variants",
+  "CheckTitle": "Bedrock prompt ensures resilience through multiple configured variants for A/B testing",
+  "CheckType": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "ServiceName": "bedrock",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "Other",
+  "ResourceGroup": "ai_ml",
+  "Description": "Bedrock prompts should have **multiple variants** configured to support A/B testing and improve resilience. Each variant can use different models, templates, or inference parameters, enabling prompt optimization and fallback strategies.",
+  "Risk": "A prompt with a **single variant** lacks fallback options and cannot support A/B testing:\n- **Availability**: if the underlying model experiences degradation, no alternative variant is available\n- **Optimization**: inability to compare prompt performance across different configurations\n- **Resilience**: single point of failure in prompt execution pipelines",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-management.html",
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-management-create.html"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "aws bedrock-agent update-prompt --prompt-identifier <prompt_id> --name <prompt_name> --variants '[{\"name\":\"variant-1\",\"modelId\":\"<model_id_1>\",\"templateType\":\"TEXT\",\"templateConfiguration\":{\"text\":{\"text\":\"<template>\"}}},{\"name\":\"variant-2\",\"modelId\":\"<model_id_2>\",\"templateType\":\"TEXT\",\"templateConfiguration\":{\"text\":{\"text\":\"<template>\"}}}]'",
+      "NativeIaC": "",
+      "Other": "1. Open the Amazon Bedrock console\n2. Navigate to Prompt management\n3. Select the prompt\n4. Add a new variant with a different model or configuration\n5. Save the prompt",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure **multiple variants** for each Bedrock prompt to enable A/B testing and improve resilience. Use different models, inference parameters, or prompt templates across variants to optimize performance and ensure fallback options are available.",
+      "Url": "https://hub.prowler.com/check/bedrock_prompt_have_multiple_variants"
+    }
+  },
+  "Categories": [
+    "gen-ai",
+    "resilience"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}

prowler/providers/aws/services/bedrock/bedrock_prompt_have_multiple_variants/bedrock_prompt_have_multiple_variants.metadata.json

@@ -0,0 +1,32 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.bedrock.bedrock_agent_client import (
+    bedrock_agent_client,
+)
+
+
+class bedrock_prompt_have_multiple_variants(Check):
+    """Ensure that Bedrock prompts have multiple variants configured.
+
+    This check evaluates whether each Bedrock prompt has more than one variant
+    configured to enable A/B testing and improved resilience.
+    - PASS: The Bedrock prompt has multiple variants configured.
+    - FAIL: The Bedrock prompt has fewer than 2 variants configured.
+    """
+
+    def execute(self) -> list[Check_Report_AWS]:
+        """Execute the Bedrock prompt multiple variants check.
+
+        Returns:
+            A list of reports containing the result of the check.
+        """
+        findings = []
+        for prompt in bedrock_agent_client.prompts.values():
+            report = Check_Report_AWS(metadata=self.metadata(), resource=prompt)
+            report.status = "FAIL"
+            num_variants = len(prompt.variants)
+            report.status_extended = f"Bedrock Prompt {prompt.name} has only {num_variants} variant{'s' if num_variants != 1 else ''} configured, multiple variants are recommended for A/B testing and resilience."
+            if num_variants > 1:
+                report.status = "PASS"
+                report.status_extended = f"Bedrock Prompt {prompt.name} has {num_variants} variants configured for A/B testing and resilience."
+            findings.append(report)
+        return findings

prowler/providers/aws/services/bedrock/bedrock_prompt_have_multiple_variants/bedrock_prompt_have_multiple_variants.py

@@ -122,11 +122,17 @@ class Guardrail(BaseModel):
 
 
 class BedrockAgent(AWSService):
+    """Bedrock Agent service class for managing agents and prompts."""
+
     def __init__(self, provider):
+        """Initialize the BedrockAgent service."""
         # Call AWSService's __init__
         super().__init__("bedrock-agent", provider)
         self.agents = {}
+        self.prompts = {}
         self.__threading_call__(self._list_agents)
+        self.__threading_call__(self._list_prompts)
+        self.__threading_call__(self._get_prompt, self.prompts.values())
         self.__threading_call__(self._list_tags_for_resource, self.agents.values())
 
     def _list_agents(self, regional_client):
@@ -153,7 +159,43 @@ def _list_agents(self, regional_client):
                 f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
             )
 
+    def _list_prompts(self, regional_client):
+        """List all Bedrock prompts in a region."""
+        logger.info("Bedrock Agent - Listing Prompts...")
+        try:
+            paginator = regional_client.get_paginator("list_prompts")
+            for page in paginator.paginate():
+                for prompt in page.get("promptSummaries", []):
+                    prompt_arn = prompt["arn"]
+                    if not self.audit_resources or (
+                        is_resource_filtered(prompt_arn, self.audit_resources)
+                    ):
+                        self.prompts[prompt_arn] = Prompt(
+                            id=prompt["id"],
+                            name=prompt["name"],
+                            arn=prompt_arn,
+                            region=regional_client.region,
+                        )
+        except Exception as error:
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+    def _get_prompt(self, prompt):
+        """Get detailed prompt information including variants."""
+        logger.info("Bedrock Agent - Getting Prompt...")
+        try:
+            prompt_info = self.regional_clients[prompt.region].get_prompt(
+                promptIdentifier=prompt.id
+            )
+            prompt.variants = prompt_info.get("variants", [])
+        except Exception as error:
+            logger.error(
+                f"{prompt.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
     def _list_tags_for_resource(self, resource):
+        """List tags for a Bedrock Agent resource."""
         logger.info("Bedrock Agent - Listing Tags for Resource...")
         try:
             agent_tags = (
@@ -170,9 +212,22 @@ def _list_tags_for_resource(self, resource):
 
 
 class Agent(BaseModel):
+    """Model for a Bedrock Agent resource."""
+
     id: str
     name: str
     arn: str
     guardrail_id: Optional[str] = None
     region: str
     tags: Optional[list] = []
+
+
+class Prompt(BaseModel):
+    """Model for a Bedrock Prompt resource."""
+
+    id: str
+    name: str
+    arn: str
+    region: str
+    variants: Optional[list] = []
+    tags: Optional[list] = []