Skip to content

feat: Add security assessment module for AWS Bedrock Agent Registry (preview) #37

Description

@vivekmittal514

Summary

AWS Bedrock Agent Registry is a new service (currently in preview) that provides a centralized registry for Bedrock Agents. As the service becomes generally available, this framework should include a dedicated security assessment module for it.

Proposed Checks (non-exhaustive)

  • Registry access controls and IAM policies
  • Agent versioning and aliasing security configuration
  • Cross-account agent sharing permissions
  • Audit logging enablement for registry operations
  • Encryption configuration for registry metadata

Files Likely Touched

  • New directory: aiml-security-assessment/functions/security/agent_registry_assessments/ (following the pattern of existing assessors like agentcore_assessments/)
  • aiml-security-assessment/template.yaml — add new Lambda function resource and IAM permissions
  • aiml-security-assessment/statemachine/ — add parallel execution step for agent registry assessor
  • docs/SECURITY_CHECKS.md — add new Agent Registry section

Acceptance Criteria

  • New agent_registry_assessments Lambda following the existing module structure in DEVELOPER_GUIDE.md
  • At least 5 security checks covering IAM, logging, and access controls
  • Integrated into Step Functions parallel execution alongside existing assessors
  • Documented in docs/SECURITY_CHECKS.md

Notes

This is a preview-phase service — implementation should track API stability. A draft PR to discuss the check design is welcome before the API is finalized. Follow DEVELOPER_GUIDE.md for the module pattern.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions