
Commit a762331

SRA genai bedrock capability one (#277)
* working on sns fanout (for config 1st)
* handle getting params for sns
* updating get accts and regions; updating delete operation
* working to download rule zip locally
* more updates for rule zip
* updates for s3 download
* add tracing for s3 downloads
* updating s3 key
* updating local path
* moving metrics/alarms to sns fanout
* working on metric/filters deployed via sns config
* still need rule_accounts, rule_regions
* must have mgmt account added
* handle blank rule/metric regions/accounts
* working on parameter validation; not functional yet
* finishing param validation function; needs testing
* adding state table
* Refactor Lambda packaging script to target src folder only
* fix template errors
* add sns topic state table record
* add iam+lambda resources to state table
* config state record
* update for config arn
* fix cfn sns resource type error; fix dynamodb resource error
* update component type
* adding tracing for dynamodb module
* fixing role state record
* fixing lambda state record
* kms key state records
* alarms sns topic state record
* metric filter state record
* add kms module tracing
* added state record function
* sink/link state records
* update description for record
* removal of state records
* update config rule search
* added todo comment
* need to use all bedrock accts and regions for delete
* fix remove state table record function
* fix kms key alias Arn format
* change docstring; update return val
* fix delete logic
* more fixes to delete logic
* change state table solution
* making lambda summary message accurate
* making lambda summary message accurate again
* add CFN_RESPONSE_DATA debug tracing
* add more CFN_RESPONSE_DATA debug tracing
* fixed action summary
* error handling for state table record removal
* add removal of dashboard on delete
* add sns fanout action to the count
* add attach policy actions to dry_run data
* simulate topic_arn for dry_run
* must create topic for fanout in dry_run mode
* handle nosuchentity error
* handle sink arn in dry_run mode
* update dry run sns publish message
* add run data logging to sns fanout
* create/upload dry_run data file
* upload sns dry run data to s3
* handle errors on cfn delete when dry_run is true
* removing completed todo comments
* switched from SECURITY_ACCOUNT to ssm_params.SRA_SECURITY_ACCT
* testing dynamodb client typechecking (related to mypy)
* added tracing
* moving DynamoDBServiceResource out of if statement
* update project.toml to support dynamodb in mypy
* add debug tracing
* try adding mypy boto3 dynamodb to requirements
* testing new method for dynamodb typechecking
* fixing extra char in line
* moved dynamodb client and resource to class module
* add more debug for assume role
* remove dynamodb client/resource function arguments
* remove config rule if deploy set to false (testing)
* ensure mgmt acct client for sns config topic
* moved config rule delete operation to functions
* moving metric filters and alarms deletes to separate function (testing)
* update filter to filter_name
* still updating filter to filter_name
* updating delete logic; separating delete filter/alarm from kms/sns topic
* add lambda function record to state table
* add delete operations for lambda function and iam execution role state records
* update execution role arn for state record
* update get execution role function
* updating execution role name for state record
* add/remove cw dashboard state table record
* removed hardcoded aws partition
* check for permissions on lambda first
* infer execution role arn on delete
* fixing ResourceNotFoundException bug (in progress)
* working on function not found bug
* add tracing for lambda bug
* rearranging code for retries
* update kms permissions (malformed)
* updating kms key policy
* update kms policy execution role statement
* update lambda client
* update for lambda data update in state table
* initial work for least privilege lambda execution role (still work to be done)
* add tracing; update permissions
* least privilege lambda execution role
* remove comments and completed todos
* type checking fixes
* kms assume_role not accessed (used in sts module)
* removing unused params from kms module
* search for kms key before creating; remove comments/cleanup
* update to include boto3 config
* permissions update; fix type error for kms policy
* update perms; filter out pending deletion keys
* updating key examination
* updating log message
* fix linting issues
* mypy fixes
* minor update to fix return response bug
* remove scope from create_config_rule
* change config rule found log message
* fix mypy errors
* fixing mypy issues
* fix mypy issues
* fix mypy issues; remove unused code and parameters (commented out for now)
* fix mypy issues
* changing definition
* update imports
* update imports
* add mypy_boto3_dynamodb to requirements
* change output types to Any; remove mypy dynamodb import
* fix mypy issues
* fixing mypy issues; closing other todos
* fix mypy errors
* fixing mypy errors
* fixing mypy errors
* fix mypy errors in ssm param module
* update for mypy errors
* fix mypy errors in app
* fixing more mypy issues with app
* fixing mypy errors in config rules
* fixing mypy errors in config rules
* fixing mypy issues in config rules
* fixing mypy errors for config rules
* fixing mypy errors for config rules
* fixing mypy issues with config rules
* fixing mypy errors in config rules
* fixing mypy errors in config
* fix mypy errors in ami bakery
* updated formatting
* fixing mypy issues again in dynamodb
* fixing flake8 errors; adding docstrings
* fixing flake8 issues
* fix flake8 errors in app
* fixing flake8 errors in app and cloudwatch module
* fix flake8 errors in config module
* reverting some flake8 updates temporarily
* fix flake8 issues in dynamodb module
* fixing flake8 issues in iam module
* fix flake8 issues in kms module
* fixes for flake8 in lambda module
* working on flake8 issues in repo module
* fix mypy and flake8 issues in s3 module
* fixing flake8 issues in sns module
* fixing flake8 issues in ssm params module
* fixing flake8 issues in sts module
* fixing mypy errors
* fix flake8 issues for config rules
* fix flake8 issues in config rules
* fix flake8 issues in config rules
* fix flake8 issues with config rules
* fix flake8 errors in config rules
* fix flake8 issues in config rules
* fix flake8 config issues
* fix flake8 issues with config rules
* fix flake8 issues with config rules
* fix code for new sts class name
* update test params in template
* fix flake8 issues in app
* updating log message
* fix for checkov errors; added DLQ and concurrency
* fix issues for isort linting
* remove/update/eval/defer todos
* fix flake8 errors
* resolving mypy errors
* black lint reformat
* resolving checkov errors
* adding documentation
* update diagram
* updating readme
* update readme
* update readme
* updating diagram
* fix logic issue
* updating default value
* skip filter deploy if log group doesn't exist
* fixing flake8 issues
* fixing dry_run/state_table issue
* skipping checkov error
* updating perms
* spelling error
* fix constraint description
* fix multiple accounts for eval job
* update param validation
* fix regex
* update constraintdescription
* updating regex
* fix ast error; fix deployment to multi-region bug
* add error handling for entityalreadyexists
* update example bucketname in template
* update example bucketnameprefix
* update regex for param validation
* fix mypy error
* fix flake8 issue
* CreateRoleResponseTypeDef and CreatePolicyResponseTypeDef error fix
* working on access denied / encrypted guardrail issue
* handling access denied encrypted guardrail error
* error handling update
* fix NoSuchLifecycleConfiguration issue
* switch to on-demand dynamodb
* update comment
* ensuring the policy template remains a template
* invalidparameterexception arn validation failed handling
* ensure global region used for iam resources
* update permissions for other accts
* updating README
* reorganizing README
* updating readme
* updating readme
* reorganizing readme
* updating readme - links
* update readme - link
* update readme
* update readme section title
* update toc
* get_partition_for_region mypy error
* reverted back to orig
* update readme
* fixing mypy errors
* fix flake8 issues
* fixing black formatter issues
* update config rule annotation wording
* formatting
* update description of zip URL param
* updating URL in readme
* update description
* add solution to main readme
* sorting readme spreadsheet
* update changelog
1 parent d7d71f9 commit a762331

43 files changed

+8394
-57
lines changed

CHANGELOG.md

+19
@@ -57,6 +57,25 @@
5757
All notable changes to this project will be documented in this file.
5858

5959
---
60+
61+
## 2025-02-04
62+
63+
### Added<!-- omit in toc -->
64+
65+
- Added [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) solution to deploy the sra-bedrock-org solution for GenAI deep-dive Bedrock capability one security controls. See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n)
66+
67+
## 2025-01-21
68+
69+
### Updated<!-- omit in toc -->
70+
71+
- Updated [Config Management Account](aws_sra_examples/solutions/config/config_management_account) solution to use service-linked role for AWS Config.
72+
73+
## 2025-01-08
74+
75+
### Updated<!-- omit in toc -->
76+
77+
- Updated [Common Prerequisites](aws_sra_examples/solutions/common/common_prerequisites) staging util script to fix lambda layer deploy when using solution_directory.
78+
6079
## 2024-09-18
6180

6281
### Added<!-- omit in toc -->
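Review bot: the new entry at line 65 ends with "See https://github.com/aws-samples/aws-security-reference-architecture-examples (sra-1u3sd7f8n)", which links to the repository root the reader is already in and appends an opaque token that looks like an internal tracking id; suggest pointing "See" at the solution's own README under aws_sra_examples/solutions/genai/bedrock_org or dropping the clause, matching the other entries that carry only the relative solution link. The 2025-01-21 and 2025-01-08 entries added in this same hunk describe Config Management Account and Common Prerequisites changes unrelated to this commit, so confirm they are backfills of already-merged work and their dates are correct.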

README.md

+1
@@ -140,6 +140,7 @@ Please follow the instructions for SRA Terraform deployments in the [SRA Terrafo
140140
| :---------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
141141
| [Account Alternate Contacts](aws_sra_examples/solutions/account/account_alternate_contacts) | Sets the billing, operations, and security alternate contacts for all accounts within the organization. | | |
142142
| [AMI Bakery](aws_sra_examples/solutions/ami_bakery/ami_bakery_org) | Creates and configures an AMI image management pipeline. | | |
143+
| [Bedrock](aws_sra_examples/solutions/genai/bedrock_org) | Enables and configures security controls for Bedrock GenAI deep-dive capability one. | | |
143144
| [CloudTrail](aws_sra_examples/solutions/cloudtrail/cloudtrail_org) | Organization trail with defaults set to configure data events (e.g. S3 and Lambda) to avoid duplicating the Control Tower configured CloudTrail. Options for configuring management events. | CloudTrail enabled in each account with management events only. | |
144145
| [Config Management Account](aws_sra_examples/solutions/config/config_management_account) | Enables AWS Config in the Management account to allow resource compliance monitoring. | Configures AWS Config in all accounts except for the Management account in each governed region. | <ul><li>AWS Control Tower</li></ul> |
145146
| [Config Organization Aggregator](aws_sra_examples/solutions/config/config_aggregator_org) | **Not required for most Control Tower environments.** Deploy an Organization Config Aggregator to a delegated admin other than the Audit account. | Organization Config Aggregator in the Management account and Account Config Aggregator in the Audit account. | <ul><li>AWS Control Tower</li><li>[Common Register Delegated Administrator](aws_sra_examples/solutions/common/common_register_delegated_administrator)</li></ul> |
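Review bot: the new Bedrock row at line 143 leaves the third and fourth columns (Control Tower behaviour and dependencies) empty, and its description, "security controls for Bedrock GenAI deep-dive capability one", does not say what the solution deploys. The commit message lists Config rules, CloudWatch metric filters and alarms, a CloudWatch dashboard, KMS keys, SNS topics and a DynamoDB state table; a one-line summary of those, plus the solution's dependencies in the last column (or an explicit statement that there are none), would bring the row in line with the CloudTrail and Config rows around it.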

aws_sra_examples/solutions/ami_bakery/ami_bakery_org/lambda/src/codepipeline.py

+2-2
@@ -90,7 +90,7 @@ def create_codepipeline(
9090
"roleArn": "arn:" + aws_partition + ":iam::" + account_id + ":role/" + codepipeline_role_name,
9191
"artifactStore": {"type": "S3", "location": bucket_name},
9292
"stages": [
93-
{ # type: ignore
93+
{
9494
"name": pipeline_name + "-CodeCommitSource",
9595
"actions": [
9696
{
@@ -104,7 +104,7 @@ def create_codepipeline(
104104
}
105105
],
106106
},
107-
{ # type: ignore
107+
{
108108
"name": pipeline_name + "-DeployEC2ImageBuilder",
109109
"actions": [
110110
{
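Review bot: the only change in both hunks (lines 93 and 107) is dropping `# type: ignore` from the stage dictionaries, so these stages are now checked against the CodePipeline TypedDicts instead of being silenced; that is the right direction, but it only stays green if the boto3 stub packages that make the dicts type-check are pinned in the requirements CI uses, otherwise a stub upgrade can reintroduce the error. Since the commit message only says "fix mypy errors in ami bakery", a note on which stub version made the ignores unnecessary would explain why an unrelated solution is touched here.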

aws_sra_examples/solutions/config/config_org/lambda/src/config.py

+1-1
@@ -92,7 +92,7 @@ def set_config_in_org(
9292
configuration_recorder: ConfigurationRecorderTypeDef = {
9393
"name": recorder_name,
9494
"roleARN": role_arn,
95-
"recordingGroup": { # type: ignore
95+
"recordingGroup": {
9696
"allSupported": all_supported,
9797
"includeGlobalResourceTypes": include_global_resource_types,
9898
"resourceTypes": resource_types,
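Review bot: dropping `# type: ignore` at line 95 means `recordingGroup` is now validated against `ConfigurationRecorderTypeDef`, which catches key typos but not the AWS Config API constraint that `allSupported` set to true and a non-empty `resourceTypes` list are mutually exclusive. Since both values arrive as parameters here, consider checking that `resource_types` is empty when `all_supported` is true before the dict is built, so a bad parameter combination fails as a clear validation error rather than as an API error at deploy time.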
