SRA genai bedrock capability one #277

Merged 398 commits, Feb 3, 2025
f87dda0
working on sns fanout (for config 1st)
liamschn Nov 4, 2024
4a410bd
handle getting params for sns
liamschn Nov 5, 2024
2a660c7
updating get accts and regions; updating delete operation
liamschn Nov 5, 2024
e4e86ed
working to download rule zip locally
liamschn Nov 5, 2024
7f00ce6
more updates for rule zip
liamschn Nov 5, 2024
4f27d3c
updates for s3 download
liamschn Nov 5, 2024
ef2a0ad
add tracing for s3 downloads
liamschn Nov 5, 2024
7e546b4
updating s3 key
liamschn Nov 5, 2024
c4e6192
updating local path
liamschn Nov 5, 2024
1643e63
moving metrics/alarms to sns fanout
liamschn Nov 5, 2024
d5e03a0
working on metric/filters deployed via sns config
liamschn Nov 6, 2024
5fec504
still need rule_accounts, rule_regions
liamschn Nov 7, 2024
0f798d3
must have mgmt account added
liamschn Nov 7, 2024
21878ad
handle blank rule/metric regions/accounts
liamschn Nov 7, 2024
b7c5249
working on parameter validation; not functional yet
liamschn Nov 8, 2024
a9438cd
finishing param validation function; needs testing
liamschn Nov 9, 2024
16e7315
adding state table
liamschn Nov 11, 2024
e77bf62
Refactor Lambda packaging script to target src folder only
liamschn Nov 15, 2024
05e5307
fix template errors
liamschn Nov 18, 2024
8b30fc1
add sns topic state table record
liamschn Nov 18, 2024
4a66f58
add iam+lambda resources to state table
liamschn Nov 18, 2024
2a8f21b
config state record
liamschn Nov 18, 2024
b153186
update for config arn
liamschn Nov 18, 2024
5827383
fix cfn sns resource type error; fix dynamodb resource error
liamschn Nov 18, 2024
7b48225
update component type
liamschn Nov 18, 2024
457b01e
adding tracing for dynamodb module
liamschn Nov 18, 2024
f439e42
fixing role state record
liamschn Nov 18, 2024
ebac544
fixing lambda state record
liamschn Nov 18, 2024
cbff778
kms key state records
liamschn Nov 18, 2024
003fbf0
alarms sns topic state record
liamschn Nov 18, 2024
cc8578f
metric filter state record
liamschn Nov 20, 2024
256e90f
add kms module tracing
liamschn Nov 20, 2024
74ecfdb
added state record function
liamschn Nov 20, 2024
2c92765
sink/link state records
liamschn Nov 20, 2024
61b3570
update description for record
liamschn Nov 21, 2024
c769ec8
removal of state records
liamschn Nov 21, 2024
aa2d496
update config rule search
liamschn Nov 21, 2024
ad42f90
added todo comment
liamschn Nov 21, 2024
f7ea39d
need to use all bedrock accts and regions for delete
liamschn Nov 21, 2024
3388407
fix remove state table record function
liamschn Nov 21, 2024
52b45a2
fix kms key alias Arn format
liamschn Nov 21, 2024
019007c
change docstring; update return val
liamschn Nov 21, 2024
b429242
fix delete logic
liamschn Nov 21, 2024
0fc4b0b
more fixes to delete logic
liamschn Nov 21, 2024
4e07da5
change state table solution
liamschn Nov 21, 2024
9d66c1d
making lambda summary message accurate
liamschn Nov 22, 2024
54a4a1f
making lambda summary message accurate again
liamschn Nov 22, 2024
edb1185
add CFN_RESPONSE_DATA debug tracing
liamschn Nov 22, 2024
5bd9c80
add more CFN_RESPONSE_DATA debug tracing
liamschn Nov 22, 2024
2671060
fixed action summary
liamschn Nov 22, 2024
e21d21d
error handling for state table record removal
liamschn Nov 22, 2024
3d060fa
add removal of dashboard on delete
liamschn Nov 22, 2024
fa2c7d3
add sns fanout action to the count
liamschn Nov 22, 2024
ef992f8
add attach policy actions to dry_run data
liamschn Nov 22, 2024
c1275f5
simulate topic_arn for dry_run
liamschn Nov 26, 2024
fb64ed0
must create topic for fanout in dry_run mode
liamschn Nov 26, 2024
2dd7862
handle nosuchentity error
liamschn Nov 26, 2024
34d71d3
handle sink arn in dry_run mode
liamschn Nov 26, 2024
c075d56
update dry run sns publish message
liamschn Nov 27, 2024
3801304
add run data logging to sns fanout
liamschn Nov 27, 2024
c2a75c2
create/upload dry_run data file
liamschn Nov 27, 2024
c0eac29
upload sns dry run data to s3
liamschn Nov 27, 2024
a933738
handle errors on cfn delete when dry_run is true
liamschn Nov 27, 2024
38ec59c
removing completed todo comments
liamschn Nov 27, 2024
885282d
switched from SECURITY_ACCOUNT to ssm_params.SRA_SECURITY_ACCT
liamschn Nov 29, 2024
8bd47b6
testing dynamodb client typechecking (related to mypy)
liamschn Nov 29, 2024
ec2febe
added tracing
liamschn Nov 29, 2024
eef986e
moving DynamoDBServiceResource out of if statement
liamschn Nov 29, 2024
9f8a670
update project.toml to support dynamodb in mypy
liamschn Nov 29, 2024
9e692d4
add debug tracing
liamschn Nov 29, 2024
9d29ab0
try adding mypy boto3 dynamodb to requirements
liamschn Nov 29, 2024
0930bf2
testing new method for dynamodb typechecking
liamschn Nov 29, 2024
ef8631d
fixing extra char in line
liamschn Nov 29, 2024
1cbeec1
moved dynamodb client and resource to class module
liamschn Nov 29, 2024
f496172
add more debug for assume role
liamschn Nov 29, 2024
7d6c6c5
remove dynamodb client/resource function arguments
liamschn Nov 30, 2024
f045a22
remove config rule if deploy set to false (testing)
liamschn Dec 2, 2024
0145619
ensure mgmt acct client for sns config topic
liamschn Dec 2, 2024
a91d13e
moved config rule delete operation to functions
liamschn Dec 2, 2024
ed998e0
moving metric filters and alarms deletes to separate function (testing)
liamschn Dec 2, 2024
3de6457
update filter to filter_name
liamschn Dec 2, 2024
c685d28
still updating filter to filter_name
liamschn Dec 2, 2024
eb7465a
updating delete logic; separating delete filter/alarm from kms/sns topic
liamschn Dec 3, 2024
fb14c2d
add lambda function record to state table
liamschn Dec 3, 2024
3b974b5
add delete operations for lambda function and iam execution role stat…
liamschn Dec 3, 2024
2a28291
update execution role arn for state record
liamschn Dec 3, 2024
652e602
update get execution role function
liamschn Dec 3, 2024
6dbc72b
updating execution role name for state record
liamschn Dec 3, 2024
74d2057
add/remove cw dashboard state table record
liamschn Dec 3, 2024
7560580
removed hardcoded aws partition
liamschn Dec 3, 2024
aabdf46
check for permissions on lambda first
liamschn Dec 3, 2024
fe81294
infer execution role arn on delete
liamschn Dec 4, 2024
87fda8b
fixing ResourceNotFoundException bug (in progress)
liamschn Dec 4, 2024
ac24225
working on function not found bug
liamschn Dec 4, 2024
a4a628e
add tracing for lambda bug
liamschn Dec 4, 2024
0e0a486
rearranging code for retries
liamschn Dec 4, 2024
a8a55f0
update kms permissions (malformed)
liamschn Dec 4, 2024
d5ddc07
updating kms key policy
liamschn Dec 4, 2024
97ed3c6
update kms policy execution role statement
liamschn Dec 4, 2024
e333e12
update lambda client
liamschn Dec 4, 2024
cb8f50f
update for lambda data update in state table
liamschn Dec 4, 2024
de15f9c
initial work for least privilege lambda execution role (still work to…
liamschn Dec 5, 2024
3fec5a1
add tracing; update permissions
liamschn Dec 5, 2024
6b01556
least privilege lambda execution role
liamschn Dec 6, 2024
2b166cf
remove comments and completed todos
liamschn Dec 6, 2024
c4d2279
type checking fixes
liamschn Dec 6, 2024
5bb3ff8
kms assume_role not accessed (used in sts module)
liamschn Dec 6, 2024
26aa9ac
removing unused params from kms module
liamschn Dec 6, 2024
04edf02
search for kms key before creating; remove comments/cleanup
liamschn Dec 6, 2024
f95a2db
update to include boto3 config
liamschn Dec 6, 2024
cbb3fdf
permissions update; fix type error for kms policy
liamschn Dec 7, 2024
ed46361
update perms; filter out pending deletion keys
liamschn Dec 7, 2024
702bba6
updating key examination
liamschn Dec 7, 2024
2325ce4
updating log message
liamschn Dec 7, 2024
e72bb1b
fix linting issues
liamschn Dec 7, 2024
d5cbb35
mypy fixes
liamschn Dec 7, 2024
fe03b6f
minor update to fix return response bug
liamschn Dec 7, 2024
1c92eae
remove scope from create_config_rule
liamschn Dec 7, 2024
7b35ee0
change config rule found log message
liamschn Dec 7, 2024
bc75ee8
fix mypy errors
liamschn Dec 8, 2024
a3448f4
fixing mypy issues
liamschn Dec 8, 2024
72ec801
fix mypy issues
liamschn Dec 8, 2024
251cdfa
fix mypy issues; remove unused code and parameters (commented out for…
liamschn Dec 8, 2024
609370b
fix mypy issues
liamschn Dec 8, 2024
bcb3b43
changing definition
liamschn Dec 8, 2024
76bc145
update imports
liamschn Dec 8, 2024
58a2ce7
update imports
liamschn Dec 8, 2024
73ae2ba
add mypy_boto3_dynamodb to requirements
liamschn Dec 8, 2024
5a3cfb5
change output types to Any; remove mypy dynamodb import
liamschn Dec 8, 2024
21326f7
fix mypy issues
liamschn Dec 8, 2024
befada7
fixing mypy issues; closing other todos
liamschn Dec 8, 2024
19db3a7
fix mypy errors
liamschn Dec 8, 2024
d9af600
fixing mypy errors
liamschn Dec 8, 2024
d01f103
fixing mypy errors
liamschn Dec 9, 2024
2182aca
fix mypy errors in ssm param module
liamschn Dec 9, 2024
a6f6df4
update for mypy errors
liamschn Dec 9, 2024
e2afe1e
fix mypy errors in app
liamschn Dec 9, 2024
9aaaf82
fixing more mypy issues with app
liamschn Dec 9, 2024
9e1e42a
fixing mypy errors in config rules
liamschn Dec 9, 2024
532eae0
fixing mypy errors in config rules
liamschn Dec 9, 2024
c15eb31
fixing mypy issues in config rules
liamschn Dec 9, 2024
621552d
fixing mypy errors for config rules
liamschn Dec 9, 2024
c62cea4
fixing mypy errors for config rules
liamschn Dec 9, 2024
1b478b6
fixing mypy issues with config rules
liamschn Dec 9, 2024
9450746
fixing mypy errors in config rules
liamschn Dec 9, 2024
b37a393
fixing mypy errors in config
liamschn Dec 9, 2024
294245e
fix mypy errors in ami bakery
liamschn Dec 9, 2024
eecedd0
updated formatting
liamschn Dec 10, 2024
ec01b9f
fixing mypy issues again in dynamodb
liamschn Dec 10, 2024
49aac97
fixing flake8 errors; adding docstrings
liamschn Dec 10, 2024
903af2d
fixing flake8 issues
liamschn Dec 10, 2024
cd0fb1e
fix flake8 errors in app
liamschn Dec 11, 2024
b31dffd
fixing flake8 errors in app and cloudwatch module
liamschn Dec 11, 2024
df0920f
fix flake8 errors in config module
liamschn Dec 11, 2024
3adce3a
reverting some flake8 updates temporarily
liamschn Dec 11, 2024
c2a18f8
fix flake8 issues in dynamodb module
liamschn Dec 11, 2024
46ccafc
fixing flake8 issues in iam module
liamschn Dec 11, 2024
818bd5a
fix flake8 issues in kms module
liamschn Dec 11, 2024
f83042e
fixes for flake8 in lambda module
liamschn Dec 11, 2024
1eb62f6
working on flake8 issues in repo module
liamschn Dec 11, 2024
5e561f2
fix mypy and flake8 issues in s3 module
liamschn Dec 12, 2024
537d5b4
fixing flake8 issues in sns module
liamschn Dec 12, 2024
4f39f14
fixing flake8 issues in ssm params module
liamschn Dec 12, 2024
8248710
fixing flake8 issues in sts module
liamschn Dec 12, 2024
5848842
fixing mypy errors
liamschn Dec 12, 2024
ec522c0
fix flake8 issues for config rules
liamschn Dec 12, 2024
ec20c30
fix flake8 issues in config rules
liamschn Dec 12, 2024
6896d23
fix flake8 issues in config rules
liamschn Dec 12, 2024
dafd9dd
fix flake8 issues with config rules
liamschn Dec 12, 2024
2ae9582
fix flake8 errors in config rules
liamschn Dec 12, 2024
f7d3dde
fix flake8 issues in config rules
liamschn Dec 12, 2024
eb55bd1
fix flake8 config issues
liamschn Dec 12, 2024
7530e0e
fix flake8 issues with config rules
liamschn Dec 12, 2024
0399c3a
fix flake8 issues with config rules
liamschn Dec 12, 2024
92e9d06
fix code for new sts class name
liamschn Dec 12, 2024
a094cfa
update test params in template
liamschn Dec 12, 2024
f60401c
fix flake8 issues in app
liamschn Dec 12, 2024
09ae608
updating log message
liamschn Dec 12, 2024
18c65f8
fix for checkov errors; added DLQ and concurrency
liamschn Dec 12, 2024
f905c89
fix issues for isort linting
liamschn Dec 12, 2024
aa2d1fa
remove/update/eval/defer todos
liamschn Dec 12, 2024
a578174
Merge branch 'main' into sra-genai
liamschn Dec 12, 2024
2b58f85
fix flake8 errors
liamschn Dec 12, 2024
d355eb6
resolving mypy errors
liamschn Dec 13, 2024
c3aef8c
black lint reformat
liamschn Dec 13, 2024
12d4e5c
resolving checkov errors
liamschn Dec 13, 2024
0156b95
adding documentation
liamschn Dec 13, 2024
a6fcce3
update diagram
liamschn Dec 13, 2024
8ab30b0
updating readme
liamschn Dec 13, 2024
4210e63
update readme
liamschn Dec 13, 2024
75c45b9
update readme
liamschn Dec 13, 2024
52d3bc6
updating diagram
liamschn Dec 13, 2024
0b7fbb9
fix logic issue
liamschn Dec 18, 2024
6c1a61f
updating default value
liamschn Dec 18, 2024
3b35473
skip filter deploy if log group doesn't exist
liamschn Dec 19, 2024
2e48252
fixing flake8 issues
liamschn Dec 19, 2024
a45c887
fixing dry_run/state_table issue
liamschn Dec 19, 2024
7db8cba
skipping checkov error
liamschn Dec 19, 2024
39a6b38
updating perms
liamschn Dec 19, 2024
314c66a
spelling error
liamschn Dec 19, 2024
effa7b7
fix constraint description
liamschn Dec 19, 2024
b5ba4b6
fix multiple accounts for eval job
liamschn Dec 20, 2024
e974430
update param validation
liamschn Dec 20, 2024
e7a0fef
fix regex
liamschn Dec 20, 2024
340b304
update constraintdescription
liamschn Dec 20, 2024
0867807
updating regex
liamschn Dec 20, 2024
1736d42
fix ast error; fix deployment to multi-region bug
liamschn Jan 13, 2025
a483130
add error handling for entityalreadyexists
liamschn Jan 14, 2025
5c85369
update example bucketname in template
liamschn Jan 14, 2025
5f2a857
update example bucketnameprefix
liamschn Jan 14, 2025
19ded41
update regex for param validation
liamschn Jan 15, 2025
1cc00d9
fix mypy error
liamschn Jan 16, 2025
9bbbbaa
fix flake8 issue
liamschn Jan 16, 2025
1396295
CreateRoleResponseTypeDef and CreatePolicyResponseTypeDef error fix
liamschn Jan 25, 2025
86b5324
working on access denied / encrypted guardrail issue
liamschn Jan 25, 2025
8622368
handling access denied encrypted guardrail error
liamschn Jan 25, 2025
2e7ff10
error handling update
liamschn Jan 25, 2025
382cf16
fix NoSuchLifecycleConfiguration issue
liamschn Jan 25, 2025
0df50f1
switch to on-demand dynamodb
liamschn Jan 27, 2025
20e9a0e
update comment
liamschn Jan 27, 2025
a24afae
ensuring the policy template remains a template
liamschn Jan 27, 2025
5a18c93
invalidparameterexception arn validation failed handling
liamschn Jan 28, 2025
f8525ea
ensure global region used for iam resources
liamschn Jan 28, 2025
bc90b19
update permissions for other accts
liamschn Jan 28, 2025
1414f07
updating README
liamschn Jan 29, 2025
daff71a
reorganizing README
liamschn Jan 29, 2025
674a960
updating readme
liamschn Jan 29, 2025
dbfd184
updating readme
liamschn Jan 29, 2025
ad49fde
reorganizing readme
liamschn Jan 29, 2025
73a7b3c
updating readme - links
liamschn Jan 29, 2025
5ae4118
update readme - link
liamschn Jan 29, 2025
1494070
update readme
liamschn Jan 29, 2025
fee6f9a
update readme section title
liamschn Jan 29, 2025
ad5629c
update toc
liamschn Jan 29, 2025
cb2560b
get_partition_for_region mypy error
liamschn Jan 29, 2025
aa1e14e
reverted back to orig
liamschn Jan 29, 2025
6d6f240
Merge branch 'main' into sra-genai
liamschn Jan 29, 2025
2dfa565
Merge branch 'main' into sra-genai
liamschn Jan 29, 2025
2fb9933
update readme
liamschn Jan 30, 2025
79a0c29
fixing mypy errors
liamschn Jan 30, 2025
c66b366
fix flake8 issues
liamschn Jan 30, 2025
a82f99a
fixing black formatter issues
liamschn Jan 30, 2025
8f7ef7e
update config rule annotation wording
liamschn Jan 31, 2025
2c0881d
formatting
liamschn Feb 3, 2025
bdc7e3c
update description of zip URL param
liamschn Feb 3, 2025
eaf927c
updating URL in readme
liamschn Feb 3, 2025
ebf5582
update description
liamschn Feb 3, 2025
5e4cdd3
add solution to main readme
liamschn Feb 3, 2025
2c3e459
sorting readme spreadsheet
liamschn Feb 3, 2025
9acc8ce
update changelog
liamschn Feb 3, 2025
19 changes: 19 additions & 0 deletions CHANGELOG.md
@@ -57,6 +57,25 @@
All notable changes to this project will be documented in this file.

---

## 2025-02-04

### Added<!-- omit in toc -->

- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls. See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n)

## 2025-01-21

### Updated<!-- omit in toc -->

- Updated [Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution to use service-linked role for AWS Config.

## 2025-01-08

### Updated<!-- omit in toc -->

- Updated [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) staging util script to fix lambda layer deploy when using solution_directory.

## 2024-09-18

### Added<!-- omit in toc -->
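Review bot: the new 2025-02-04 entry is circular ("Added Bedrock solution to deploy the sra-bedrock-org solution") and its "See" link points at the repository root rather than at the solution itself, so a reader learns nothing about what was added. Suggest saying what the solution deploys (from the commit messages in this PR: Config rules, CloudWatch metric filters and alarms, and KMS-encrypted SNS topics across the configured Bedrock accounts and regions) and linking straight to aws_sra_examples/solutions/genai/bedrock_org as the other entries do. Also, the entry is dated 2025-02-04 while the PR merged Feb 3, 2025; pick whichever convention the rest of the file uses and keep it consistent.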
1 change: 1 addition & 0 deletions README.md
@@ -140,6 +140,7 @@ Please follow the instructions for SRA Terraform deployments in the [SRA Terrafo
| :---------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | |
| [AMI Bakery](aws_sra_examples/solutions/ami_bakery/ami_bakery_org) | Creates and configures an AMI image management pipeline. | | |
| [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) | Enables and configures security controls for Bedrock GenAI deep-dive capability one. | | |
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | <ul><li>AWS Control Tower</li></ul> |
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
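Review bot: the new Bedrock row leaves the two trailing columns empty, which the neighbouring rows use for the Control Tower-provided default and for solution dependencies. The commit "switched from SECURITY_ACCOUNT to ssm_params.SRA_SECURITY_ACCT" indicates the solution reads the SRA SSM parameters, which are created by the Common Prerequisites solution; if so, list that in the dependencies column the way the Config Organization Aggregator row lists Common Register Delegated Administrator. The description "security controls for Bedrock GenAI deep-dive capability one" is also opaque to anyone outside the SRA team; name the control types (Config rules, metric filters and alarms) instead.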
@@ -90,7 +90,7 @@ def create_codepipeline(
"roleArn": "arn:" + aws_partition + ":iam::" + account_id + ":role/" + codepipeline_role_name,
"artifactStore": {"type": "S3", "location": bucket_name},
"stages": [
{ # type: ignore
{
"name": pipeline_name + "-CodeCommitSource",
"actions": [
{
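Review bot: dropping the `# type: ignore` on the stage dicts is only safe if mypy really type-checks this module against the current boto3 stubs in CI; otherwise the suppressions were hiding a typing error in the stage definitions that will resurface on the next full run. The commit "fix mypy errors in ami bakery" suggests this was verified, but the file header did not survive extraction on this page, so confirm which module this is (the `create_codepipeline` name and the CodeCommit/EC2ImageBuilder stages point at the AMI bakery solution) and that the pipeline's mypy step covers it. The same applies to the second hunk at -104 below. Separately, this is a lint-only change to a solution unrelated to Bedrock; consider moving such changes into their own PR so this one stays scoped to the new solution.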
@@ -104,7 +104,7 @@
}
],
},
{ # type: ignore
{
"name": pipeline_name + "-DeployEC2ImageBuilder",
"actions": [
{
@@ -92,7 +92,7 @@ def set_config_in_org(
configuration_recorder: ConfigurationRecorderTypeDef = {
"name": recorder_name,
"roleARN": role_arn,
"recordingGroup": { # type: ignore
"recordingGroup": {
"allSupported": all_supported,
"includeGlobalResourceTypes": include_global_resource_types,
"resourceTypes": resource_types,
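Review bot: with `configuration_recorder` annotated as `ConfigurationRecorderTypeDef`, the nested `recordingGroup` dict is checked against the stub's TypedDict, so the suppression was redundant and removing it is right. One thing the type check will not catch: in the AWS Config API `allSupported` and an explicit `resourceTypes` list are mutually exclusive (a recording group either records all supported types or the listed ones), and passing both is rejected at call time, not by mypy. Make sure the caller only populates `resource_types` when `all_supported` is False, or document that constraint on the function.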