Is your feature request related to a problem? Please describe.
The framework currently ships 14 Amazon Bedrock checks (BR-01..14), with scope to assess newer high-value GenAI security controls. As teams adopt newer Bedrock capabilities — cross-account guardrail policies, guardrail tiers/content/PII/contextual-grounding filters, automated reasoning, custom/imported model KMS encryption, batch-inference output encryption, agent action-group IAM, knowledge base encryption, model and RAG evaluation, and CloudWatch alarms — there is no automated check to confirm these are configured securely.
Separately, some existing Bedrock checks report a hard Failed when a resource type or feature simply doesn't exist in a region/account (e.g. no evaluation jobs, region-unsupported APIs, account feature gates). These false failures can add noise.
Describe the solution you'd like
Expand the Bedrock assessment from 25 to 32 checks by adding BR-15..32, and fix the false-failure behavior so "resource/feature absent" is reported as N/A rather than Failed:
New checks:
- BR-15 Cross-account guardrails enforcement (AWS Organizations
BEDROCK_POLICY)
- BR-16 Guardrail tier validation
- BR-17 Custom model customer-managed KMS encryption
- BR-18 Model evaluation implementation
- BR-19 Prompt flow validation
- BR-20 Knowledge base KMS encryption enhancement
- BR-21 Agent action-group IAM least privilege
- BR-22 Model invocation throttling limits (service quotas)
- BR-23 Guardrail content-filter coverage
- BR-24 Automated reasoning policy implementation
- BR-25 RAG evaluation jobs
- BR-26 Guardrail sensitive-information (PII) filters
- BR-27 Guardrail contextual grounding
- BR-28 Agent guardrail association
- BR-29 Agent idle session TTL
- BR-30 Imported model customer-managed KMS encryption
- BR-31 Batch inference output encryption
- BR-32 CloudWatch alarms on AWS/Bedrock metrics
Is your feature request related to a problem? Please describe.
The framework currently ships 14 Amazon Bedrock checks (BR-01..14), with scope to assess newer high-value GenAI security controls. As teams adopt newer Bedrock capabilities — cross-account guardrail policies, guardrail tiers/content/PII/contextual-grounding filters, automated reasoning, custom/imported model KMS encryption, batch-inference output encryption, agent action-group IAM, knowledge base encryption, model and RAG evaluation, and CloudWatch alarms — there is no automated check to confirm these are configured securely.
Separately, some existing Bedrock checks report a hard Failed when a resource type or feature simply doesn't exist in a region/account (e.g. no evaluation jobs, region-unsupported APIs, account feature gates). These false failures can add noise.
Describe the solution you'd like
Expand the Bedrock assessment from 25 to 32 checks by adding BR-15..32, and fix the false-failure behavior so "resource/feature absent" is reported as N/A rather than Failed:
New checks:
BEDROCK_POLICY)