Add multi-region assessment support and Financial Services GenAI risk reporting #41
Merged
Enable security assessments to scan multiple AWS regions in parallel using a Step Functions Map state. Each region gets its own Lambda invocation for Bedrock, SageMaker, and AgentCore assessments, providing linear performance scaling regardless of region count.

Configuration:
- Add TargetRegions CloudFormation parameter to all deployment templates (empty = single region, comma-separated list, or 'all')
- Add ResolveRegions Lambda to resolve target regions for Map state
- Use ItemSelector on Map state to inject region into each iteration

Assessment changes:
- Add Region field to all finding schemas and CSV reports
- Refactor all assessment Lambdas to accept region from event payload and create boto3 clients with explicit region_name
- Add graceful service-unavailability handling (N/A finding when a service is not available in a region)
- Include region in S3 report filenames for per-region CSV outputs

Report changes:
- Add Region column, filter dropdown, and Risk by Region section to HTML report template
- Update consolidate_html_reports.py to pass region data through

Infrastructure:
- Restructure Step Functions state machine with Map state
- Fail CodeBuild when Step Function execution fails (previously only logged a warning)

Documentation:
- Streamline README (603 → 208 lines) by moving cleanup and troubleshooting content to dedicated docs
- Add docs/CLEANUP.md with step-by-step removal instructions
- Add upgrade guide and stack identification to Troubleshooting
- Update Developer Guide with region-aware patterns
- Correct check count from 52 to 51 (13 Bedrock + 25 SageMaker + 13 AgentCore)
…egion scans
Refine multi-region scanning so global/IAM-only checks (e.g. AC-02/AC-03, BR-01/BR-03) run once on the primary region and are tagged with a "Global" region label, avoiding duplicate findings across scanned regions. Regional assessments now probe availability and skip opt-in/disabled regions and APIs unsupported in a region, tagging remaining findings with their region. Add test coverage for the consolidated report, report filenames, SageMaker template permissions, and the per-service multi-region check behavior.
Update .gitignore to exclude .codex/ and .pytest_cache/.
The post-build poll loop used a hardcoded 600s (10 min) wait for the Step Function, which is too short for all-region scans and caused false build failures when the assessment outlived the poll window. Derive the poll timeout from the CodeBuild timeout (passed through as the CODEBUILD_TIMEOUT_MINUTES env var) minus a buffer for build/deploy and report processing, with a floor guard and an SF_POLL_TIMEOUT override.
Clear all 25 ruff findings (F401 unused imports, F811 duplicate import, F541 extraneous f-string prefix) across the Python sources.
Global/IAM findings (Region == "Global") appear in the report tables but were absent from the Region filter dropdowns because "Global" is intentionally excluded from the region count/tiles. Surface a "Global" filter option when such findings exist, and show the dropdown whenever there is more than one distinct filterable value (regions + Global), without inflating the region count.
Probe regional Bedrock list APIs (guardrails, prompts, agents, knowledge bases, flows, custom models) and AgentCore runtimes before emitting findings. When no resources exist in a region, report BR-02, BR-05, and AC-08 as N/A/Informational instead of WARN/Failed, avoiding false positives in regions with no AI/ML footprint.
The CodeBuild env var TARGET_REGIONS allowed spaces after commas (e.g. "us-east-1, us-east-2"). 'sam deploy --parameter-overrides' re-splits its argument on spaces, so only the first chunk ("us-east-1,") reached the stack and every other region was silently dropped — the cause of build aws-samples#14 scanning a single region.
- buildspec.yml: strip all whitespace from TARGET_REGIONS before deploy and validate the result, failing fast on invalid characters.
- Add AllowedPattern/ConstraintDescription to the TargetRegions parameter in all four templates as defense-in-depth at the CloudFormation layer.
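As an added example (not the project's ResolveRegions Lambda or its buildspec), the same normalisation and fail-fast validation of a TargetRegions value in Python: the empty / comma-separated / 'all' resolution from the first commit plus the whitespace truncation described here. The region-name pattern, the injected set of enabled regions, and the function names are assumptions made for this example.

```python
import re

# Constructed pattern for AWS region names (e.g. us-east-1, ap-southeast-2,
# us-gov-west-1); an assumption of this example, not a value from the project.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def simulate_parameter_override(raw):
    """Mimic how 'sam deploy --parameter-overrides TargetRegions=<raw>' gets
    re-split on whitespace: only the first chunk survives. Constructed to
    illustrate the bug; this is not the SAM CLI's own parsing code."""
    return ("TargetRegions=" + raw).split()[0].split("=", 1)[1]


def resolve_target_regions(raw, deployment_region, enabled_regions):
    """Turn the TargetRegions value into the list the Map state fans out over.

    '' -> deployment region only; 'all' -> every enabled region; otherwise a
    comma-separated list. All whitespace is stripped first so a value such as
    'us-east-1, us-east-2' cannot be truncated downstream, and any entry that
    is not a well-formed region name raises ValueError so the build fails fast
    instead of silently narrowing coverage. enabled_regions is injected here
    (a real Lambda would call ec2:DescribeRegions); opt-in regions that are not
    enabled are skipped rather than scanned.
    """
    value = re.sub(r"\s+", "", raw or "")
    if value == "":
        return [deployment_region]
    if value.lower() == "all":
        return sorted(enabled_regions)
    regions = []
    for item in value.split(","):
        if not REGION_RE.match(item):  # also rejects empty entries from ',,'
            raise ValueError("invalid region entry in TargetRegions: %r" % item)
        if item in enabled_regions and item not in regions:  # de-duplicate
            regions.append(item)
    if not regions:
        raise ValueError("no enabled region left in TargetRegions: %r" % raw)
    return regions
```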
Gate model invocation logging (BR-04) and Bedrock CloudTrail coverage (BR-06) on the regional Bedrock footprint, reporting N/A when no resources exist instead of Failed. Return False from detect_bedrock_regional_footprint when any probe succeeds with no resources, so a single accessible empty API is enough to conclude the region is empty. For BR-09, treat Knowledge Base API errors (including AccessDenied) as N/A rather than a High/Failed finding.
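The probe-then-gate behaviour described in the last two commits, as an added example that is not the project's own code: constructed callables stand in for the boto3 list calls, resources found by any probe take precedence over an empty result, and the finding keys and the High risk level used for a failing BR-04 are assumptions of this example rather than the project's schema.

```python
# Added example (not the project's code): probe-then-gate logic with constructed
# callables standing in for boto3 list calls.

def detect_regional_footprint(probes):
    """True as soon as any probe returns resources; False when every probe that
    succeeded came back empty (one accessible empty API is enough); None when
    every probe raised (unsupported/opt-in region or AccessDenied)."""
    saw_empty = False
    for probe in probes.values():  # each probe: zero-arg callable -> list
        try:
            resources = probe()
        except Exception:  # a real Lambda would catch botocore ClientError etc.
            continue
        if resources:
            return True
        saw_empty = True
    return False if saw_empty else None

def gate_on_footprint(check_id, region, footprint, evaluate):
    """Run evaluate() only when the region has a footprint, else emit N/A.
    Finding keys are constructed for this example, not the project's schema."""
    if footprint is True:
        finding = evaluate()
    else:
        reason = ("no AI/ML resources found in region" if footprint is False
                  else "service unavailable or access denied in region")
        finding = {"Status": "N/A", "Risk": "Informational", "Details": reason}
    return {"CheckId": check_id, "Region": region, **finding}

def _failing(exc):
    def probe():
        raise exc
    return probe

# Constructed regions: active, empty-but-accessible, and unsupported.
SCENARIOS = {
    "us-east-1": {"guardrails": lambda: [], "agents": lambda: ["agent-1"]},
    "eu-west-3": {"guardrails": lambda: [],
                  "agents": _failing(PermissionError("AccessDeniedException"))},
    "ap-east-1": {"guardrails": _failing(ConnectionError("EndpointConnectionError")),
                  "agents": _failing(ConnectionError("EndpointConnectionError"))},
}

def assess_br04(region, logging_enabled=False):
    """BR-04 (model invocation logging) gated on the regional footprint."""
    footprint = detect_regional_footprint(SCENARIOS[region])
    return gate_on_footprint("BR-04", region, footprint, lambda: (
        {"Status": "Passed", "Risk": "Informational"} if logging_enabled
        else {"Status": "Failed", "Risk": "High", "Details": "logging disabled"}))
```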
CodeBuild reserves the CODEBUILD_ prefix for its own built-in environment variables and rejects user-defined variables that use it, causing UpdateProject to fail with InvalidInputException and the stack to enter UPDATE_FAILED. Rename the variable to BUILD_TIMEOUT_MINUTES in both CodeBuild project templates and update the consuming buildspec logic.
# Conflicts:
# README.md
# aiml-security-assessment/functions/security/generate_consolidated_report/app.py
# aiml-security-assessment/functions/security/generate_consolidated_report/report_template.py
# aiml-security-assessment/statemachine/assessments.asl.json
# deployment/2-aiml-security-codebuild.yaml
# deployment/aiml-security-single-account.yaml
# docs/SECURITY_CHECKS.md

# Conflicts:
# aiml-security-assessment/functions/security/agentcore_assessments/schema.py
# aiml-security-assessment/functions/security/bedrock_assessments/app.py
# aiml-security-assessment/functions/security/bedrock_assessments/schema.py
# aiml-security-assessment/functions/security/generate_consolidated_report/schema.py
# aiml-security-assessment/functions/security/sagemaker_assessments/schema.py
# aiml-security-assessment/template-multi-account.yaml
# aiml-security-assessment/template.yaml
# tests/conftest.py
# tests/test_bedrock_checks.py
vivekmittal514
approved these changes
Jun 24, 2026
vivekmittal514
left a comment
Thanks Agasthi. Reviewed the PR and did regression test for single and multi account. Looks good.
Description

Key Changes
- TargetRegions support with region resolution and per-region Step Functions fan-out.

Deployment Notes
- EnableFinServAssessment remains opt-in.
- TargetRegions controls the regions scanned; empty/default behavior remains deployment-region scoped unless configured otherwise.

Review Focus
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.