- June 20, 2026 01:53:07 UTC
+ July 09, 2026 22:34:42 UTC3 Accounts
-
Security Checks
117
Evaluated across 3 regions
-
Total Findings
723
Across 3 accounts · 3 regions
-
Actionable Findings
268
High, Medium, and Low severity
-
High Severity
9/61
14.8% passed · Immediate action required
-
Medium Severity
39/190
20.5% passed · Should be addressed
-
Low Severity
9/17
52.9% passed · Best practices
+
Security Checks
161
Evaluated across 5 regions
+
Total Findings
1664
Across 3 accounts · 5 regions
+
Actionable Findings
598
High, Medium, and Low severity
+
High Severity
28/219
12.8% passed · Immediate action required
+
Medium Severity
82/280
29.3% passed · Should be addressed
+
Low Severity
30/99
30.3% passed · Best practices
Priority Recommendations
1
-
AgentCore IAM Full Access Policy
+
AgentCore Resource-Based Policies Missing
AgentCore
1
-
AgentCore IAM Wildcard Permissions
-
AgentCore
+
Agentic AI Gateway Tool Policy Enforcement Missing
+
Agentic AI
-
2
+
1
-
AgentCore Runtime VPC Configuration
-
AgentCore
+
Agentic AI Resource Policy Boundary
+
Agentic AI
1
-
AgentCore Stale Access
-
AgentCore
+
Amazon Bedrock private connectivity not used
+
Bedrock
@@ -279,16 +285,16 @@
Security Assessment Overview
All Security Findings
-
-
-
+
+
+
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
111122223333
+
ap-south-1
AC-01
AgentCore VPC Configuration Check
No AgentCore resources found
@@ -297,9 +303,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-04
AgentCore Observability Check
No AgentCore resources found
@@ -308,9 +314,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-05
AgentCore Encryption Check
No AgentCore resources found
@@ -319,9 +325,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-06
AgentCore Browser Tool Recording Check
No AgentCore Runtimes found to check browser tool configuration
@@ -330,9 +336,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-07
AgentCore Memory Configuration Check
No Memory resources found
@@ -341,9 +347,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-13
AgentCore Gateway Configuration Check
No Gateway resources found
@@ -352,9 +358,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-08
AgentCore VPC Endpoints Check
No AgentCore resources found
@@ -363,9 +369,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-10
AgentCore Resource-Based Policies Check
No AgentCore resources found to check for resource-based policies
@@ -374,9 +380,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-11
AgentCore Policy Engine Encryption Check
No Policy Engines found
@@ -385,9 +391,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
ap-south-1
AC-12
AgentCore Gateway Encryption Check
No Gateways found
@@ -396,1644 +402,2212 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
+
+
111122223333
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
+
111122223333
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
111122223333
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
+
111122223333
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
111122223333
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
111122223333
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
111122223333
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
111122223333
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
111122223333
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
111122223333
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
111122223333
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
111122223333
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
+
+
111122223333
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
+
+
111122223333
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
+
+
111122223333
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
Found 1 Gateway resources
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
111111111111
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
+
+
111122223333
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
+
+
111122223333
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Missing
+
The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.
No action required
-
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
111122223333
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
111122223333
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
+
111122223333
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
111122223333
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
High
+
Failed
-
-
111111111111
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
111122223333
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
111111111111
-
Global
-
AC-02
-
AgentCore IAM Full Access Policy
-
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace with least-privilege policies scoped to specific AgentCore resources and actions
-
-
High
+
+
111122223333
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Low
Failed
-
-
111111111111
+
+
111122223333
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Scope permissions to specific AgentCore resources using resource ARNs
-
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
High
Failed
-
-
111111111111
+
+
111122223333
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (179 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (179 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (179 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
Failed
-
-
111111111111
+
+
111122223333
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
Failed
-
-
111111111111
+
+
111122223333
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
+
BR-02
+
Amazon Bedrock private connectivity not used
+
No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe
+
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+- com.amazonaws.region.bedrock
+- com.amazonaws.region.bedrock-runtime
+- com.amazonaws.region.bedrock-agent
+- com.amazonaws.region.bedrock-agent-runtime
+
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
+
High
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
Medium
-
Failed
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
+
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
+
BR-12
+
Bedrock Invocation Log Encryption
+
S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.
+
1. Enable SSE-KMS with a customer-managed key on the S3 bucket
+2. Update bucket policy to require encrypted uploads
+3. Consider enabling S3 bucket versioning and MFA delete for log integrity
+
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
Medium
-
Failed
+
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Missing
-
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create VPC interface endpoints for AgentCore services:
-1. com.amazonaws.region.bedrock-agentcore
-2. com.amazonaws.region.bedrock-agentcore-control
-3. com.amazonaws.region.bedrock-agentcore-runtime
-This enables private connectivity via AWS PrivateLink
-
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
+
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
1 guardrails have sensitive-information (PII) filters configured
+
No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
1 guardrails have contextual grounding checks enabled
+
No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Medium
+
Passed
+
+
+
111122223333
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
+
+
111122223333
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Medium
+
Failed
+
+
+
111122223333
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
+
+
111122223333
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
+
+
111122223333
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
111122223333
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
111122223333
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
111122223333
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
111122223333
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
111122223333
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
111122223333
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role '111111111111-us-east-1-kb-bedrock-service-role' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role '111111111111-us-east-1-kb-setup-function-role' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' last accessed Bedrock on 2025-12-21
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D' last accessed Bedrock on 2024-06-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ' last accessed Bedrock on 2025-04-27
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_072pr' last accessed Bedrock on 2024-06-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_byjin' last accessed Bedrock on 2024-11-17
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_h9718' last accessed Bedrock on 2024-11-17
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' last accessed Bedrock on 2026-01-01
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_semicon' last accessed Bedrock on 2024-09-01
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_xtwwd' last accessed Bedrock on 2025-10-13
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_y9m7f' last accessed Bedrock on 2025-04-27
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-8vxyjh' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity not used
+
No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc
+
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+- com.amazonaws.region.bedrock
+- com.amazonaws.region.bedrock-runtime
+- com.amazonaws.region.bedrock-agent
+- com.amazonaws.region.bedrock-agent-runtime
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'aws-api-mcp-server-execution-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
+
High
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on 2024-11-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSVAPTAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Medium
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.
+
+
High
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'BedrockCognitoFederatedRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-west-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cfn-contextualChatBot-usi-LambdaExecutionRoleForKno-aHg3J0xel6VU' last accessed Bedrock on 2024-03-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportStackInfra-CustomerSupportLambdaRole-ujGGiNU6KEnI' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.
+
+
High
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'e2ebedrockrag-KbRoleStack-2YO19O2NS6FP-KbRole-OgMxcvrnZrHZ' last accessed Bedrock on 2025-11-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-bedrock-kb-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-lambda-execution-role' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-websocket-lambda-role' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-BDASAMPLEPROJECT-SGJRDJI15S-LambdaExecutionRole-MCRJbTEDuyKt' last accessed Bedrock on 2025-08-24
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
High
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-ChatWithDocumentResolverFunctionRole-ATyH7GeR2ad1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-DOCUMENTBEDROCKKB-CY8-StartIngestionJobFunction-NjNLRuUn8qtp' last accessed Bedrock on 2025-08-24
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
111122223333
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
High
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-EvaluationFunctionRole-LQdnEMAdwWPe' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-PATTERN1STACK-TNHNKPK-ProcessResultsFunctionRol-8z8mNwa6RahP' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Medium
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-PATTERN1STACK-TNHNKPK-SummarizationFunctionRole-MY6sxSMvFNr4' last accessed Bedrock on 2025-10-07
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-PATTERN1STACK-TNHNKPKJY4Q-InvokeBDAFunctionRole-pLHufEKQ0Nu4' last accessed Bedrock on 2025-10-07
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-QueryKnowledgeBaseResolverFunctionRole-p9Mcpfk0BA6z' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' last accessed Bedrock on 2024-07-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-Aurora-Bedrock-Role' last accessed Bedrock on 2025-12-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-LambdaExecutionRole-umo63kVrhIoy' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' last accessed Bedrock on 2025-12-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Meeting-Note-Bot-Role' last accessed Bedrock on 2025-10-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' last accessed Bedrock on 2024-01-04
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-19304-BedrockSecurityAssessment-kgYUbi1MIbbb' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'SAT-PrereqTest-CodeBuildRole-SATv2Stack-PreReqs' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'threat-designer-role' last accessed Bedrock on 2025-07-02
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
User 'BedrockAPIKey-yhc3' last accessed Bedrock on 2026-04-19
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
User 'BedrockClientUser' last accessed Bedrock on 2025-04-06
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-02
Amazon Bedrock private connectivity check
No regional Bedrock resources found to assess private connectivity
@@ -2042,9 +2616,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-04
Bedrock Model Invocation Logging Check
No regional Bedrock resources found to monitor with invocation logging
@@ -2053,9 +2627,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-05
Bedrock Guardrails Check
No regional Bedrock resources found to protect with guardrails
@@ -2064,9 +2638,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-06
Bedrock CloudTrail Logging Check
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
@@ -2075,9 +2649,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -2090,9 +2664,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -2101,20 +2675,20 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -2123,9 +2697,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -2134,9 +2708,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -2145,9 +2719,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
sa-east-1
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -2156,427 +2730,19513 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
+
+
111122223333
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
+
111122223333
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
+
+
111122223333
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
+
+
111122223333
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
+
111122223333
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
+
111122223333
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
+
111122223333
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
High
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
+
+
111122223333
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
High
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
+
+
111122223333
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
+
+
111122223333
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
High
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
+
111122223333
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Passed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
111122223333
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
111122223333
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
111122223333
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
111122223333
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
111122223333
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
111122223333
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
111122223333
+
Global
+
AC-02
+
AgentCore IAM Full Access Policy
+
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Replace with least-privilege policies scoped to specific AgentCore resources and actions
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AC-02
+
AgentCore IAM Wildcard Permissions
+
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Scope permissions to specific AgentCore resources using resource ARNs
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AC-03
+
AgentCore Stale Access
+
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Medium
+
Failed
+
+
+
111122223333
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Review and remove unused AgentCore permissions following least privilege principle
+
Informational
N/A
-
-
111111111111
+
+
111122223333
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
-
Informational
-
N/A
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
-
Informational
-
N/A
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
-
Informational
-
N/A
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
Medium
-
Passed
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
111111111111
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
-
-
111111111111
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
111111111111
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
-
-
111111111111
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
111111111111
-
ap-southeast-2
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
Consider using customer-managed KMS keys for better control and audit capabilities
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
Found 2 Gateway resources
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Missing
+
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Create VPC interface endpoints for AgentCore services:
+1. com.amazonaws.region.bedrock-agentcore
+2. com.amazonaws.region.bedrock-agentcore-control
+3. com.amazonaws.region.bedrock-agentcore-runtime
+This enables private connectivity via AWS PrivateLink
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Missing
+
The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Missing
+
The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
+
Low
+
Failed
+
+
+
111122223333
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Medium
+
Failed
+
+
+
111122223333
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Low
+
Failed
+
+
+
111122223333
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
ap-south-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
ap-south-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
SM-03
+
Missing Encryption Configuration
+
Domain 'PromptEvaluationDomain' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-01
+
AWS Shield Advanced Not Enabled
+
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-01
+
AWS Shield Advanced Not Enabled
+
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-01
+
No Regional WAF Web ACLs Found
+
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-01
+
No Regional WAF Web ACLs Found
+
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-02
+
API Gateway Usage Plans Missing Throttle
+
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
+
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-02
+
API Gateway Usage Plans Missing Throttle
+
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
+
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-03
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-03
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-04
+
No Cost Anomaly Detection Monitors
+
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-04
+
No Cost Anomaly Detection Monitors
+
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-05
+
No Bedrock CloudWatch Alarms Found
+
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-05
+
No Bedrock CloudWatch Alarms Found
+
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-06
+
No AI/ML Service Budgets Configured
+
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-06
+
No AI/ML Service Budgets Configured
+
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-07
+
Agent Action Boundary Check
+
No Bedrock agents found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-07
+
Agent Action Boundary Check
+
No Bedrock agents found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-08
+
AgentCore Runtimes Missing Policy Engine
+
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
+
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-08
+
AgentCore Runtimes Missing Policy Engine
+
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
+
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-10
+
Human-in-the-Loop Check — No Agent Workflows Found
+
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-10
+
Human-in-the-Loop Check — No Agent Workflows Found
+
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-11
+
No Agent Rate Alarms Found
+
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-11
+
No Agent Rate Alarms Found
+
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-12
+
No Bedrock-Scoped SCPs Found
+
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-12
+
No Bedrock-Scoped SCPs Found
+
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-13
+
Model Provenance Tags Present
+
All reviewed models have required provenance tags.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-13
+
Model Provenance Tags Present
+
All reviewed models have required provenance tags.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-14
+
Model Governance Config Rules Present
+
Found 11 model-related Config rule(s).
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-14
+
Model Governance Config Rules Present
+
Found 11 model-related Config rule(s).
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-15
+
No Bedrock Evaluation Jobs Found
+
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-15
+
No Bedrock Evaluation Jobs Found
+
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-16
+
ECR Repositories Without Image Scanning
+
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-16
+
ECR Repositories Without Image Scanning
+
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-20
+
No SageMaker Feature Groups Found
+
No SageMaker Feature Store groups found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-20
+
No SageMaker Feature Groups Found
+
No SageMaker Feature Store groups found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-21
+
Training Data Buckets Without Versioning
+
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
+
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-21
+
Training Data Buckets Without Versioning
+
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
+
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-22
+
Overly Permissive Knowledge Base IAM Roles
+
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Admin' allows '*'
+- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-22
+
Overly Permissive Knowledge Base IAM Roles
+
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Admin' allows '*'
+- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-24
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-24
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-25
+
OpenSearch Serverless Encryption Policies Present
+
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
+
Verify all vector store collections use customer-managed KMS keys.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-25
+
OpenSearch Serverless Encryption Policies Present
+
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
+
Verify all vector store collections use customer-managed KMS keys.
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-26
+
OpenSearch Serverless Collections Not VPC-Restricted
+
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-26
+
OpenSearch Serverless Collections Not VPC-Restricted
+
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-27
+
Contextual Grounding Enabled on Guardrails
+
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-27
+
Contextual Grounding Enabled on Guardrails
+
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-27
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-27
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-28
+
Denied Topics Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-28
+
Denied Topics Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-31
+
Knowledge Base Data Sources Past Review Threshold
+
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-31
+
Knowledge Base Data Sources Past Review Threshold
+
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-33
+
KB Data Source Buckets Without Versioning
+
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
+
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-33
+
KB Data Source Buckets Without Versioning
+
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
+
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-34
+
Legacy Foundation Models Available in Region
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-34
+
Legacy Foundation Models Available in Region
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-35
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-35
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-36
+
Guardrail Content Filters on CLASSIC Tier
+
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-36
+
Guardrail Content Filters on CLASSIC Tier
+
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-37
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-37
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-38
+
No Guardrails With Word Filters
+
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-38
+
No Guardrails With Word Filters
+
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-39
+
No SageMaker Clarify Bias Monitoring
+
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-39
+
No SageMaker Clarify Bias Monitoring
+
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-41
+
No SageMaker Clarify Explainability Monitoring
+
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-41
+
No SageMaker Clarify Explainability Monitoring
+
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-42
+
No SageMaker Model Cards Found
+
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-42
+
No SageMaker Model Cards Found
+
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-43
+
No CloudWatch Logs Data Protection Policies
+
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-43
+
No CloudWatch Logs Data Protection Policies
+
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-44
+
Amazon Macie Enabled
+
Amazon Macie is enabled and scanning S3 buckets.
+
Verify Macie jobs cover training data and KB data source buckets.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-44
+
Amazon Macie Enabled
+
Amazon Macie is enabled and scanning S3 buckets.
+
Verify Macie jobs cover training data and KB data source buckets.
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-45
+
Guardrail PII Filters Configured
+
Guardrails with PII filters: nist-ai-rmf-guardrail.
+
No action required.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-45
+
Guardrail PII Filters Configured
+
Guardrails with PII filters: nist-ai-rmf-guardrail.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-50
+
Relevance Grounding Filters Present
+
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-50
+
Relevance Grounding Filters Present
+
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-51
+
No Guardrails With Prompt Attack Filters
+
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-51
+
No Guardrails With Prompt Attack Filters
+
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-52
+
Bedrock Lambda Functions on Deprecated Runtimes
+
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
+
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
+2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
+3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
+4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-52
+
Bedrock Lambda Functions on Deprecated Runtimes
+
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
+
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
+2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
+3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
+4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-53
+
No WAF Web ACLs — Injection Rules Not Applicable
+
No regional WAF Web ACLs found.
+
Create WAF Web ACLs with injection protection rules (see FS-01).
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-53
+
No WAF Web ACLs — Injection Rules Not Applicable
+
No regional WAF Web ACLs found.
+
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-55
+
No Output Validation Functions Found
+
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-55
+
No Output Validation Functions Found
+
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-59
+
Topic Restrictions Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-59
+
Topic Restrictions Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-60
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-60
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-61
+
No Automated KB Sync Schedules Detected
+
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-61
+
No Automated KB Sync Schedules Detected
+
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-62
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-62
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
FS-63
+
Foundation Model Lifecycle Management
+
No legacy models detected. 10 lifecycle-related Config rule(s) found.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-63
+
Foundation Model Lifecycle Management
+
No legacy models detected. 10 lifecycle-related Config rule(s) found.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-65
+
KB Data Source Buckets Missing S3 Event Notifications
+
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- semiconductor-demo-9999
+- 111122223333-us-east-1-kb-data-bucket
+
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-65
+
KB Data Source Buckets Missing S3 Event Notifications
+
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- semiconductor-demo-9999
+- 111122223333-us-east-1-kb-data-bucket
+
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
+- origami_expeditions
+- neoCyan_Agent
+- customer_support_agent
+- cdk_agent_core
+- awsapimcpserver
+
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
+2. Propagate the end-user's identity token to downstream tool services.
+3. Ensure tool services validate the propagated identity before executing actions.
+4. Do not expose propagated identity tokens to unauthorized third parties.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
+- origami_expeditions
+- neoCyan_Agent
+- customer_support_agent
+- cdk_agent_core
+- awsapimcpserver
+
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
+2. Propagate the end-user's identity token to downstream tool services.
+3. Ensure tool services validate the propagated identity before executing actions.
+4. Do not expose propagated identity tokens to unauthorized third parties.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-67
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
+- resco-aiml-BedrockAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
+- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
+- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
+- resco-aiml-AgentCoreAssessment
+
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-67
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
+- resco-aiml-BedrockAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
+- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
+- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
+- resco-aiml-AgentCoreAssessment
+
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-68
+
API Gateway Request Body Size Limits Not Enforced
+
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
+
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
+2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
+3. Set the max_tokens parameter in Bedrock API calls to cap output length.
+4. Implement client-side token counting before submitting requests.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-68
+
API Gateway Request Body Size Limits Not Enforced
+
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
+
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
+2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
+3. Set the max_tokens parameter in Bedrock API calls to cap output length.
+4. Implement client-side token counting before submitting requests.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-69
+
Prompt Input Validation Functions Present
+
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
+
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-69
+
Prompt Input Validation Functions Present
+
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
+
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
No roles found with AmazonBedrockFullAccess policy
+
No action required
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
No identities found with overly permissive marketplace subscription access
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
AC-02
+
AgentCore IAM Full Access Check
+
No roles with overly permissive AgentCore access found
+
No action required
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
AC-03
+
AgentCore Stale Access
+
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Medium
+
Failed
+
+
+
444455556666
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
444455556666
+
us-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Medium
+
Failed
+
+
+
444455556666
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
SM-02
+
SageMaker IAM Permissions Check
+
No issues found with IAM permissions and no stale access detected
+
No action required
+
+
High
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
ap-south-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-01
+
AWS Shield Advanced Not Enabled
+
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-01
+
No Regional WAF Web ACLs Found
+
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-02
+
No API Gateway Usage Plans Found
+
No usage plans configured. GenAI API endpoints may have no rate limits.
+
Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-03
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-04
+
No Cost Anomaly Detection Monitors
+
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-05
+
No Bedrock CloudWatch Alarms Found
+
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-06
+
No AI/ML Service Budgets Configured
+
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-07
+
Agent Action Boundaries Look Appropriate
+
Reviewed 1 agent(s); no wildcard sensitive actions found.
+
No action required.
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-08
+
No AgentCore Runtimes Found
+
No AgentCore runtimes found; policy engine check not applicable.
+
If using AgentCore, configure the Policy Engine to authorize tool calls.
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-10
+
Human-in-the-Loop Check — No Agent Workflows Found
+
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-11
+
No Agent Rate Alarms Found
+
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-12
+
No Bedrock-Scoped SCPs Found
+
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-14
+
Model Governance Config Rules Present
+
Found 13 model-related Config rule(s).
+
No action required.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-15
+
No Bedrock Evaluation Jobs Found
+
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-16
+
ECR Repositories Without Image Scanning
+
2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.
+
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-20
+
Feature Groups Without Offline Store
+
1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.
+
1. Enable offline store (S3-backed) for all production feature groups.
+2. Enable S3 versioning on the offline store bucket.
+3. Document rollback procedures for poisoned feature data.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-21
+
Training Data Buckets Have Versioning
+
All 2 training bucket(s) have versioning enabled.
+
No action required.
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-22
+
Overly Permissive Knowledge Base IAM Roles
+
823 role(s) with wildcard KB permissions:
+- Role 'Admin' allows '*'
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*'
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-24
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-25
+
OpenSearch Serverless Encryption Policies Present
+
Found 1 encryption policy(ies); 1 use a customer-managed KMS key.
+
Verify all vector store collections use customer-managed KMS keys.
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-26
+
OpenSearch Serverless Collections Not VPC-Restricted
+
Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-27
+
COULD NOT ASSESS: Guardrail Contextual Grounding Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-27
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-28
+
COULD NOT ASSESS: Financial Denied Topics Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-31
+
Knowledge Base Data Sources Past Review Threshold
+
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-33
+
KB Data Source Buckets Have Versioning
+
All reviewed KB data source buckets have versioning enabled.
+
No action required.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-34
+
Legacy Foundation Models Available in Region
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-35
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-36
+
COULD NOT ASSESS: Guardrail Content Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-37
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-38
+
COULD NOT ASSESS: Guardrail Word Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-39
+
No SageMaker Clarify Bias Monitoring
+
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-41
+
No SageMaker Clarify Explainability Monitoring
+
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-42
+
No SageMaker Model Cards Found
+
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-43
+
No CloudWatch Logs Data Protection Policies
+
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-44
+
Amazon Macie Not Enabled
+
Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.
+
1. Enable Amazon Macie in all regions where AI/ML data is stored.
+2. Create Macie classification jobs for training data and KB buckets.
+3. Configure Macie findings to route to Security Hub and SNS.
+4. Remediate PII findings before using data for model training.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-45
+
COULD NOT ASSESS: Guardrail PII Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-46
+
AI/ML Buckets Without Data Classification Tags
+
3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.
+
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-47
+
COULD NOT ASSESS: Guardrail Grounding Threshold Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-48
+
Active Knowledge Bases for RAG Present
+
Found 1 active Knowledge Base(s) for RAG grounding.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-50
+
COULD NOT ASSESS: Guardrail Relevance Grounding Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-51
+
COULD NOT ASSESS: Prompt Injection Input Validation Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-52
+
Bedrock Lambda Functions on Current Runtimes
+
All 10 Bedrock Lambda function(s) use current runtimes.
+
No action required.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-53
+
No WAF Web ACLs — Injection Rules Not Applicable
+
No regional WAF Web ACLs found.
+
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-55
+
No Output Validation Functions Found
+
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-59
+
COULD NOT ASSESS: Guardrail Topic Allowlist Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-60
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-61
+
No Automated KB Sync Schedules Detected
+
Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-62
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-63
+
Foundation Model Lifecycle Management
+
No legacy models detected. 11 lifecycle-related Config rule(s) found.
+
No action required.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
FS-65
+
KB Data Source Buckets Missing S3 Event Notifications
+
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk
+
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-66
+
No AgentCore Runtimes Found
+
No AgentCore runtimes found; identity propagation check not applicable.
+
If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-67
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-mgmt-FinServAssessment
+- aiml-security-aiml-security-mgmt-AgentCoreAssessment
+- aiml-security-aiml-security-mgmt-BedrockAssessment
+
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
FS-68
+
API Gateway Request Body Size Limits — Not Applicable
+
No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.
+
If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-69
+
Prompt Input Validation Functions Present
+
Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.
+
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-west-2
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
AC-02
+
AgentCore IAM Wildcard Permissions
+
The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Scope permissions to specific AgentCore resources using resource ARNs
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
Consider using customer-managed KMS keys for better control and audit capabilities
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
ap-south-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
ap-south-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
Direct Internet Access Enabled
+
SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled
+
Configure the notebook instance to use VPC connectivity and disable direct internet access
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing VPC Encryption
+
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled
+
Enable encryption for inter-container traffic and VPC communication
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
Model group 'aiml-sec-test-model-package-group' has minimal versioning
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-08
+
Model Registry Empty Model Group
+
Model group aiml-sec-test-model-package-group has no registered models
+
Implement proper model versioning and approval workflows
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Enabled
+
Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.
+
Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-10
+
SageMaker Notebook Not in VPC
+
Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.
+
Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Disabled
+
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.
+
Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-14
+
SageMaker Model Platform Repository Access
+
Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-14
+
SageMaker Model Platform Repository Access
+
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-15
+
SageMaker Feature Store Offline Encryption Missing
+
Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.
+
Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
All 1 processing jobs have volume encryption configured
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
SM-18
+
SageMaker Transform Job Encryption Check
+
All 1 transform jobs have volume encryption configured
Checked 1 model package groups. Approval workflows appear to be properly configured.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-west-2
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-02
+
Amazon Bedrock private connectivity
+
Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime
+
No action required
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
+
Medium
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management is being used with 1 prompts
+
No action required. Continue using Prompt Management for consistent and optimized prompts.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.
+
Investigate error and retry assessment
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
1 agents have an associated guardrail
+
No action required. Continue associating guardrails with new agents.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Medium
+
Passed
+
+
+
777788889999
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
+
Risk Distribution
+
Pass Rate by Severity
+
+
HIGH
12.8%
28 of 219 checks passed
+
MEDIUM
29.3%
82 of 280 checks passed
+
LOW
30.3%
30 of 99 checks passed
+
Overall
23.4%
140 of 598 actionable checks
+
+
Risk by Account
+
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
+
Risk by Region
+
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
+
Findings by Assessment Area
+
+
Bedrock
461
50 Failed · 18 Passed
+
SageMaker
423
34 Failed · 61 Passed
+
AgentCore
182
39 Failed · 3 Passed
+
Agentic AI Security
388
47 Failed · 18 Passed
+
Financial Services Risk
210
90 Failed · 40 Passed
+
+
+
+
Amazon Bedrock Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
111122223333
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-02
+
Amazon Bedrock private connectivity not used
+
No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe
+
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+- com.amazonaws.region.bedrock
+- com.amazonaws.region.bedrock-runtime
+- com.amazonaws.region.bedrock-agent
+- com.amazonaws.region.bedrock-agent-runtime
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-12
+
Bedrock Invocation Log Encryption
+
S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.
+
1. Enable SSE-KMS with a customer-managed key on the S3 bucket
+2. Update bucket policy to require encrypted uploads
+3. Consider enabling S3 bucket versioning and MFA delete for log integrity
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
1 guardrails have sensitive-information (PII) filters configured
+
No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
1 guardrails have contextual grounding checks enabled
+
No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
+
Medium
+
Failed
+
+
+
111122223333
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity not used
+
No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc
+
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+- com.amazonaws.region.bedrock
+- com.amazonaws.region.bedrock-runtime
+- com.amazonaws.region.bedrock-agent
+- com.amazonaws.region.bedrock-agent-runtime
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
+
Medium
+
Failed
+
+
+
111122223333
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
111122223333
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
No roles found with AmazonBedrockFullAccess policy
+
No action required
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
No identities found with overly permissive marketplace subscription access
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -2589,9 +22249,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -2600,20 +22260,20 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -2622,9 +22282,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -2633,9 +22293,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -2644,9 +22304,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
sa-east-1
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -2655,9 +22315,196 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
BR-02
Amazon Bedrock private connectivity check
No regional Bedrock resources found to assess private connectivity
@@ -2666,9 +22513,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-04
Bedrock Model Invocation Logging Check
No regional Bedrock resources found to monitor with invocation logging
@@ -2677,9 +22524,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-05
Bedrock Guardrails Check
No regional Bedrock resources found to protect with guardrails
@@ -2688,9 +22535,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-06
Bedrock CloudTrail Logging Check
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
@@ -2699,9 +22546,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -2714,9 +22561,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -2725,20 +22572,20 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -2747,9 +22594,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -2758,9 +22605,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -2769,9 +22616,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
+
+
444455556666
+
us-west-2
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -2780,1402 +22627,1795 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
+
+
444455556666
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
+
444455556666
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Medium
-
Passed
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
444455556666
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
777788889999
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
+
777788889999
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Medium
-
Passed
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
777788889999
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
+
+
777788889999
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
777788889999
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
+
+
777788889999
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
No action required
-
-
Low
-
Passed
-
-
-
111111111111
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
-
-
-
111111111111
-
us-east-1
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
-
Medium
-
Failed
-
-
-
111111111111
-
us-east-1
-
FS-02
-
API Gateway Usage Plans Missing Throttle
-
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
-
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
-
+
+
777788889999
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-03
-
Bedrock Token Quotas At Default
-
All 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.
-
1. Review current Bedrock TPM/TPD quotas in the Service Quotas console.
-2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review.
-3. Implement client-side token counting and pre-flight quota checks.
-4. Use Bedrock cross-region inference profiles to distribute load.
-
-
Medium
+
+
777788889999
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
+
+
777788889999
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
-
-
111111111111
-
us-east-1
-
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
+
+
777788889999
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-08
-
AgentCore Runtimes Missing Policy Engine
-
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
-
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
-
+
+
777788889999
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
+
+
777788889999
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
-
Informational
+
+
777788889999
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
us-east-1
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
+
+
777788889999
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
+
+
777788889999
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
High
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
-
No action required.
-
-
Medium
-
Passed
+
+
777788889999
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
-
-
111111111111
-
us-east-1
-
FS-14
-
Model Governance Config Rules Present
-
Found 11 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
+
+
777788889999
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
-
-
111111111111
-
us-east-1
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
+
+
777788889999
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-16
-
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111111111111-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
+
+
777788889999
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
+
+
777788889999
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-21
-
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111111111111-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111111111111-huo1mvme4t.
-
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
-
-
High
-
Failed
+
+
777788889999
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
722 role(s) with wildcard KB permissions:
-- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Admin' allows '*'
-- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
+
+
777788889999
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
+
+
777788889999
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
+
+
777788889999
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
-
-
111111111111
-
us-east-1
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
+
+
777788889999
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
High
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-27
-
No Guardrails — Contextual Grounding Not Applicable
-
No Bedrock Guardrails configured. Configure guardrails first (see BR-05).
-
Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
-
+
+
777788889999
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-27
-
Automated Reasoning Policies — Access Check
-
Access denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.
-
1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml.
-2. Check for an Organizations SCP / permission boundary denying the action.
-3. Confirm the assessed region supports Automated Reasoning checks.
-4. Re-run the assessment after re-deploying.
-
-
Low
+
+
777788889999
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
N/A
-
-
111111111111
-
us-east-1
-
FS-28
-
No Guardrails — Denied Topics Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with denied topics for regulated financial content.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
+
+
777788889999
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 702 days ago
-- KB '111111111111-us-east-1-kb' source '111111111111-us-east-1-kb-datasource' last synced 180 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
-
+
+
777788889999
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
us-east-1
-
FS-33
-
KB Data Source Buckets Without Versioning
-
KB data source S3 buckets without versioning: 111111111111-us-east-1-kb-data-bucket.
-
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
-
+
+
777788889999
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
777788889999
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
us-east-1
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
111111111111
-
us-east-1
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
111111111111
-
us-east-1
-
FS-36
-
No Guardrails — Content Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with content filters.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
N/A
-
-
111111111111
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
-
Informational
+
+
777788889999
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
N/A
-
-
111111111111
-
us-east-1
-
FS-38
-
No Guardrails — Word Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with word filters.
-
+
+
777788889999
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
-
+
+
777788889999
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached
+
Limit the AmazonBedrockFullAccess policy only to required access
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
-
-
Informational
-
N/A
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
-
-
111111111111
-
us-east-1
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
High
Failed
-
-
111111111111
-
us-east-1
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
+
+
777788889999
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
+
BR-02
+
Amazon Bedrock private connectivity
+
Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime
+
No action required
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
+
Medium
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-44
-
Amazon Macie Enabled
-
Amazon Macie is enabled and scanning S3 buckets.
-
Verify Macie jobs cover training data and KB data source buckets.
-
+
BR-05
+
Bedrock Guardrails Check
+
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
No action required. Continue monitoring and updating guardrails as needed.
+
High
Passed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-45
-
No Guardrails — PII Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with PII/sensitive information filters.
-
-
Informational
-
N/A
+
BR-06
+
Bedrock CloudTrail Logging Check
+
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
-
-
Medium
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management is being used with 1 prompts
+
No action required. Continue using Prompt Management for consistent and optimized prompts.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.
+
Investigate error and retry assessment
+
+
High
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-47
-
No Guardrails — Grounding Threshold Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with contextual grounding checks.
-
+
BR-09
+
Bedrock Knowledge Base Encryption Review
+
Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 3 active Knowledge Base(s) for RAG grounding.
-
No action required.
-
-
Medium
-
Passed
+
BR-10
+
Bedrock Guardrail IAM Enforcement Missing
+
The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role
+
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-50
-
No Guardrails With Relevance Grounding Filters
-
No guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.
-
Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.
-
-
Medium
-
Failed
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-51
-
No Guardrails — Prompt Attack Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with prompt attack filters.
-
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
FS-52
-
Bedrock Lambda Functions on Deprecated Runtimes
-
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
-
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
-2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
-3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
-4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
-
+
+
777788889999
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Check must run in AWS Organizations management account to evaluate organizational policies
+
Run assessment in management account to check cross-account guardrails enforcement
+
Medium
-
Failed
+
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
-
+
BR-16
+
Guardrail Tier Validation Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
-
Informational
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
-
+
BR-18
+
Model Evaluation Implementation Check
+
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Medium
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-56
-
No WAF ACLs — XSS Prevention Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF ACLs with XSS prevention rules.
-
-
Informational
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
-
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Review
+
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-59
-
No Guardrails — Topic Allowlist Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with topic policies to restrict off-topic responses.
-
+
BR-25
+
RAG Evaluation Jobs Check
+
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
+
BR-27
+
Guardrail Contextual Grounding Check
+
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-61
-
COULD NOT ASSESS: Knowledge Base Sync Schedule Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-FinServSecurityAssessment-G8d5dEiMJsZB/aiml-security-aiml-security-111111111111-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:111111111111:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
+
BR-28
+
Agent Guardrail Association Check
+
1 agents have an associated guardrail
+
No action required. Continue associating guardrails with new agents.
+
Low
-
N/A
+
Passed
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
-
Informational
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 10 lifecycle-related Config rule(s) found.
-
No action required.
-
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Passed
+
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- semiconductor-demo-9999
-- 111111111111-us-east-1-kb-data-bucket
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
-- origami_expeditions
-- neoCyan_Agent
-- customer_support_agent
-- cdk_agent_core
-- awsapimcpserver
-
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
-2. Propagate the end-user's identity token to downstream tool services.
-3. Ensure tool services validate the propagated identity before executing actions.
-4. Do not expose propagated identity tokens to unauthorized third parties.
-
-
High
-
Failed
+
+
777788889999
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111111111111-FinServAssessment
-- aiml-security-aiml-security-111111111111-BedrockAssessment
-- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111111111111-AgentCoreAssessment
-- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
-- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
-- resco-aiml-AgentCoreAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
-
High
-
Failed
+
+
777788889999
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits Not Enforced
-
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
-
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
-2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
-3. Set the max_tokens parameter in Bedrock API calls to cap output length.
-4. Implement client-side token counting before submitting requests.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111111111111-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
-
Passed
+
+
777788889999
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
777788889999
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
777788889999
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
+
777788889999
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
+
777788889999
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
777788889999
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
+
+
777788889999
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
777788889999
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
N/A
-
-
333333333333
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
N/A
-
-
333333333333
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
+
777788889999
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
333333333333
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
333333333333
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
333333333333
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
333333333333
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
N/A
-
-
333333333333
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
333333333333
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
+
777788889999
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
333333333333
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
No action required
-
+
Informational
N/A
-
-
-
333333333333
-
eu-west-1
+
+
+
+
Amazon SageMaker Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
111122223333
+
ap-south-1
SM-01
SageMaker Internet Access Check
No SageMaker notebook instances or domains found to check
@@ -4184,9 +24424,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-02
SageMaker SSO Configuration Check
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
@@ -4195,9 +24435,9 @@
Security Assessment Overview
Medium
Passed
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-03
Data Protection Check
No SageMaker resources found to check for data protection
@@ -4206,9 +24446,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-04
GuardDuty Enabled
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
@@ -4217,9 +24457,9 @@
Security Assessment Overview
Medium
Passed
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-05
SageMaker Model Registry Issue
No model package groups found
@@ -4228,9 +24468,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-05
SageMaker Feature Store Issue
No feature groups found
@@ -4239,9 +24479,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-05
SageMaker Pipelines Issue
No ML pipelines found
@@ -4250,9 +24490,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-06
SageMaker Clarify No Clarify Usage
No SageMaker Clarify jobs found
@@ -4261,9 +24501,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-07
SageMaker Model Monitor No Model Monitoring
No Model Monitor schedules found
@@ -4272,9 +24512,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-08
Model Registry Registry Not Used
Model Registry is not being utilized
@@ -4283,9 +24523,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-09
SageMaker Notebook Root Access Check
No notebook instances found
@@ -4294,9 +24534,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-10
SageMaker Notebook VPC Deployment Check
No notebook instances found
@@ -4305,9 +24545,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-11
SageMaker Model Network Isolation Check
No models found
@@ -4316,9 +24556,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-12
SageMaker Endpoint Instance Count Check
No InService endpoints found
@@ -4327,9 +24567,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-13
SageMaker Monitoring Network Isolation Check
No monitoring schedules found
@@ -4338,9 +24578,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-14
SageMaker Model Repository Access Check
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
@@ -4437,9 +24677,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
eu-west-1
+
+
111122223333
+
ap-south-1
SM-23
Model Drift Detection Check
No InService endpoints found to monitor.
@@ -4448,74 +24688,140 @@
Security Assessment Overview
Medium
Passed
-
-
333333333333
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
111122223333
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
+
+
111122223333
+
Global
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
+
Failed
-
-
333333333333
+
+
111122223333
Global
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
+
SageMaker Full Access Policy Used
+
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
High
-
Passed
+
Failed
-
-
333333333333
+
+
111122223333
us-east-1
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
+
Non-VPC Only Network Access
+
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
-
Informational
-
N/A
+
High
+
Failed
-
-
333333333333
+
+
111122223333
us-east-1
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
+
SSO Not Properly Configured
+
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
Medium
-
Passed
+
Failed
-
-
333333333333
+
+
111122223333
us-east-1
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
Missing Encryption Configuration
+
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
No SageMaker notebook instances or domains found to check
-
No action required
+
Non-VPC Only Network Access
+
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
-
Informational
-
N/A
+
High
+
Failed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
+
SSO Not Properly Configured
+
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
Medium
-
Passed
+
Failed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
Missing Encryption Configuration
+
Domain 'PromptEvaluationDomain' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-04
GuardDuty Enabled
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
@@ -4822,9 +25128,9 @@
Security Assessment Overview
Medium
Passed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-05
SageMaker Model Registry Issue
No model package groups found
@@ -4833,9 +25139,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-05
SageMaker Feature Store Issue
No feature groups found
@@ -4844,9 +25150,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-05
SageMaker Pipelines Issue
No ML pipelines found
@@ -4855,9 +25161,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-06
SageMaker Clarify No Clarify Usage
No SageMaker Clarify jobs found
@@ -4866,9 +25172,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-07
SageMaker Model Monitor No Model Monitoring
No Model Monitor schedules found
@@ -4877,9 +25183,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-08
Model Registry Registry Not Used
Model Registry is not being utilized
@@ -4888,9 +25194,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-09
SageMaker Notebook Root Access Check
No notebook instances found
@@ -4899,9 +25205,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-10
SageMaker Notebook VPC Deployment Check
No notebook instances found
@@ -4910,9 +25216,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-11
SageMaker Model Network Isolation Check
No models found
@@ -4921,9 +25227,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-12
SageMaker Endpoint Instance Count Check
No InService endpoints found
@@ -4932,9 +25238,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-13
SageMaker Monitoring Network Isolation Check
No monitoring schedules found
@@ -4943,9 +25249,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-14
SageMaker Model Repository Access Check
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
@@ -5042,9 +25348,9 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-23
Model Drift Detection Check
No InService endpoints found to monitor.
@@ -5053,9 +25359,9 @@
Security Assessment Overview
Medium
Passed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-24
A/B Testing and Shadow Deployment Check
No InService endpoints found.
@@ -5064,9 +25370,9 @@
Security Assessment Overview
Low
Passed
-
-
333333333333
-
ap-southeast-2
+
+
111122223333
+
us-west-2
SM-25
ML Lineage Tracking - Experiments Not Used
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
@@ -5075,1741 +25381,1505 @@
Security Assessment Overview
Informational
N/A
-
-
333333333333
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
+
+
111122223333
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
No action required
-
-
High
-
Passed
-
-
-
333333333333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_7erx6' last accessed Bedrock on 2025-05-13
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSVAPTAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-east-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-west-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
Medium
-
Failed
+
Passed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerApp-EC2-Role' last accessed Bedrock on 2026-03-29
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerScanRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-mgmt-BedrockSecurityAssessmentF-espswsHIf9by' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
111122223333
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
111122223333
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
111122223333
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
111122223333
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
111122223333
+
sa-east-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
111122223333
+
sa-east-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
111122223333
+
sa-east-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
111122223333
+
sa-east-1
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
111122223333
+
sa-east-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
+
+
111122223333
+
sa-east-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
+
+
111122223333
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
333333333333
-
us-east-1
-
FS-02
-
No API Gateway Usage Plans Found
-
No usage plans configured. GenAI API endpoints may have no rate limits.
-
Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
-
+
+
111122223333
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-03
-
Bedrock Token Quotas At Default
-
All 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.
-
1. Review current Bedrock TPM/TPD quotas in the Service Quotas console.
-2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review.
-3. Implement client-side token counting and pre-flight quota checks.
-4. Use Bedrock cross-region inference profiles to distribute load.
-
-
Medium
+
+
111122223333
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
+
+
111122223333
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
Medium
-
Failed
+
Passed
-
-
333333333333
-
us-east-1
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
+
+
111122223333
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
-
Failed
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-08
-
No AgentCore Runtimes Found
-
No AgentCore runtimes found; policy engine check not applicable.
-
If using AgentCore, configure the Policy Engine to authorize tool calls.
-
+
+
111122223333
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
+
+
111122223333
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
-
High
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
-
No action required.
-
-
Medium
-
Passed
+
+
111122223333
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-14
-
Model Governance Config Rules Present
-
Found 13 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
+
+
111122223333
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-16
-
ECR Repositories Without Image Scanning
-
1 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-333333333333-us-east-1.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
+
+
111122223333
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-21
-
No Training Data Buckets Identified
-
No S3 buckets with training/model naming found.
-
Tag training data buckets and enable versioning.
-
+
+
111122223333
+
eu-west-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
710 role(s) with wildcard KB permissions:
-- Role 'Admin' allows '*'
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListPrompts' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetPrompt' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListAgents' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetAgent' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListCustomModels' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
+
+
111122223333
+
eu-west-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
+
+
111122223333
+
eu-west-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 1 encryption policy(ies); 1 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
+
+
111122223333
+
eu-west-1
+
SM-18
+
SageMaker Transform Job Encryption Check
+
No transform jobs found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
No Guardrails — Contextual Grounding Not Applicable
-
No Bedrock Guardrails configured. Configure guardrails first (see BR-05).
-
Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
-
+
+
111122223333
+
eu-west-1
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-27
-
Automated Reasoning Policies — Access Check
-
Access denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.
-
1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml.
-2. Check for an Organizations SCP / permission boundary denying the action.
-3. Confirm the assessed region supports Automated Reasoning checks.
-4. Re-run the assessment after re-deploying.
-
-
Low
+
+
111122223333
+
eu-west-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
+
No action required
+
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-28
-
No Guardrails — Denied Topics Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with denied topics for regulated financial content.
-
+
+
111122223333
+
eu-west-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
-
+
+
111122223333
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
111122223333
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
+
+
444455556666
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 403 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
-
+
+
444455556666
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
-
+
+
444455556666
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-33
-
KB Data Source Buckets Have Versioning
-
All reviewed KB data source buckets have versioning enabled.
-
No action required.
-
+
+
444455556666
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
Passed
-
-
333333333333
-
us-east-1
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-36
-
No Guardrails — Content Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with content filters.
-
+
+
444455556666
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
+
+
444455556666
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-38
-
No Guardrails — Word Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with word filters.
-
+
+
444455556666
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
-
+
+
444455556666
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
-
High
-
Failed
-
-
-
333333333333
-
us-east-1
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
-
Failed
-
-
-
333333333333
-
us-east-1
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
-
High
-
Failed
-
-
-
333333333333
-
us-east-1
-
FS-44
-
Amazon Macie Not Enabled
-
Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.
-
1. Enable Amazon Macie in all regions where AI/ML data is stored.
-2. Create Macie classification jobs for training data and KB buckets.
-3. Configure Macie findings to route to Security Hub and SNS.
-4. Remediate PII findings before using data for model training.
-
-
High
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
FS-45
-
No Guardrails — PII Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with PII/sensitive information filters.
-
+
+
444455556666
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-46
-
No AI/ML Data Buckets Identified
-
No S3 buckets with AI/ML naming found.
-
Tag AI/ML data buckets with data-classification labels.
-
+
+
444455556666
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-47
-
No Guardrails — Grounding Threshold Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with contextual grounding checks.
-
+
+
444455556666
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 1 active Knowledge Base(s) for RAG grounding.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
+
+
444455556666
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-50
-
No Guardrails With Relevance Grounding Filters
-
No guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.
-
Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.
-
-
Medium
-
Failed
-
-
-
333333333333
-
us-east-1
-
FS-51
-
No Guardrails — Prompt Attack Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with prompt attack filters.
-
+
+
444455556666
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-52
-
Bedrock Lambda Functions on Current Runtimes
-
All 16 Bedrock Lambda function(s) use current runtimes.
-
No action required.
-
-
Medium
-
Passed
-
-
-
333333333333
-
us-east-1
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
+
+
444455556666
+
eu-west-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
Configure guardrails with topic policies to restrict off-topic responses.
-
+
+
444455556666
+
eu-west-1
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
+
+
444455556666
+
eu-west-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-61
-
COULD NOT ASSESS: Knowledge Base Sync Schedule Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-FinServSecurityAssessmentFunctio-pwj9by1swQWa/aiml-security-aiml-security-mgmt-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:333333333333:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
333333333333
-
us-east-1
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
+
+
444455556666
+
eu-west-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 11 lifecycle-related Config rule(s) found.
-
No action required.
-
+
+
444455556666
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
Medium
Passed
-
-
333333333333
-
us-east-1
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
-
-
333333333333
-
us-east-1
-
FS-66
-
No AgentCore Runtimes Found
-
No AgentCore runtimes found; identity propagation check not applicable.
-
If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
-
+
+
444455556666
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-mgmt-FinServAssessment
-- resco-aiml-BedrockAssessment
-- resco-aiml-AgentCoreAssessment
-- aiml-security-aiml-security-mgmt-AgentCoreAssessment
-- aiml-security-aiml-security-mgmt-BedrockAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
+
+
444455556666
+
Global
+
SM-02
+
SageMaker IAM Permissions Check
+
No issues found with IAM permissions and no stale access detected
+
No action required
+
High
-
Failed
+
Passed
-
-
333333333333
+
+
444455556666
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits — Not Applicable
-
No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.
-
If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.
-
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
Informational
N/A
-
-
333333333333
+
+
444455556666
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 2 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket, resco-aiml-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
Medium
Passed
-
-
333333333333
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
444455556666
+
us-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
444455556666
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
us-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
us-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
us-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
444455556666
+
us-east-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
444455556666
+
us-east-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
444455556666
+
us-east-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
444455556666
+
us-east-1
+
SM-18
+
SageMaker Transform Job Encryption Check
+
No transform jobs found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
us-east-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
+
No action required
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
us-east-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
333333333333
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
ap-south-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
No action required
-
+
Informational
N/A
-
-
333333333333
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
+
+
444455556666
+
ap-south-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
No action required
-
-
High
+
+
Medium
Passed
-
-
333333333333
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-mgmt-AgentCoreSecurityAssessmen-JrbYHkz9UslU' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
+
+
444455556666
+
ap-south-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
+
+
444455556666
+
ap-south-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
333333333333
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
444455556666
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
+
+
444455556666
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
+
+
444455556666
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
+
+
444455556666
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
444455556666
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
444455556666
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
444455556666
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
+
444455556666
+
ap-south-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
+
444455556666
+
ap-south-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
+
444455556666
+
ap-south-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
444455556666
+
ap-south-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
444455556666
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
444455556666
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
No action required
-
+
+
Low
+
Passed
+
+
+
444455556666
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-01
SageMaker Internet Access Check
No SageMaker notebook instances or domains found to check
@@ -6818,9 +26888,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-02
SageMaker SSO Configuration Check
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
@@ -6829,9 +26899,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-03
Data Protection Check
No SageMaker resources found to check for data protection
@@ -6840,9 +26910,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-04
GuardDuty Enabled
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
@@ -6851,9 +26921,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-05
SageMaker Model Registry Issue
No model package groups found
@@ -6862,9 +26932,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-05
SageMaker Feature Store Issue
No feature groups found
@@ -6873,9 +26943,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-05
SageMaker Pipelines Issue
No ML pipelines found
@@ -6884,9 +26954,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-06
SageMaker Clarify No Clarify Usage
No SageMaker Clarify jobs found
@@ -6895,9 +26965,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-07
SageMaker Model Monitor No Model Monitoring
No Model Monitor schedules found
@@ -6906,9 +26976,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-08
Model Registry Registry Not Used
Model Registry is not being utilized
@@ -6917,9 +26987,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-09
SageMaker Notebook Root Access Check
No notebook instances found
@@ -6928,9 +26998,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-10
SageMaker Notebook VPC Deployment Check
No notebook instances found
@@ -6939,9 +27009,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-11
SageMaker Model Network Isolation Check
No models found
@@ -6950,9 +27020,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-12
SageMaker Endpoint Instance Count Check
No InService endpoints found
@@ -6961,9 +27031,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-13
SageMaker Monitoring Network Isolation Check
No monitoring schedules found
@@ -6972,9 +27042,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
444455556666
+
sa-east-1
SM-14
SageMaker Model Repository Access Check
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
@@ -7379,9 +27438,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
us-east-1
+
+
444455556666
+
us-west-2
SM-23
Model Drift Detection Check
No InService endpoints found to monitor.
@@ -7390,9 +27449,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
us-east-1
+
+
444455556666
+
us-west-2
SM-24
A/B Testing and Shadow Deployment Check
No InService endpoints found.
@@ -7401,9 +27460,9 @@
Security Assessment Overview
Low
Passed
-
-
222222222222
-
us-east-1
+
+
444455556666
+
us-west-2
SM-25
ML Lineage Tracking - Experiments Not Used
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
@@ -7412,167 +27471,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
us-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
222222222222
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-01
SageMaker Internet Access Check
No SageMaker notebook instances or domains found to check
@@ -7581,9 +27482,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-02
SageMaker SSO Configuration Check
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
@@ -7592,9 +27493,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-03
Data Protection Check
No SageMaker resources found to check for data protection
@@ -7603,9 +27504,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-04
GuardDuty Enabled
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
@@ -7614,9 +27515,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-05
SageMaker Model Registry Issue
No model package groups found
@@ -7625,9 +27526,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-05
SageMaker Feature Store Issue
No feature groups found
@@ -7636,9 +27537,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-05
SageMaker Pipelines Issue
No ML pipelines found
@@ -7647,9 +27548,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-06
SageMaker Clarify No Clarify Usage
No SageMaker Clarify jobs found
@@ -7658,9 +27559,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-07
SageMaker Model Monitor No Model Monitoring
No Model Monitor schedules found
@@ -7669,9 +27570,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-08
Model Registry Registry Not Used
Model Registry is not being utilized
@@ -7680,9 +27581,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-09
SageMaker Notebook Root Access Check
No notebook instances found
@@ -7691,9 +27592,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-10
SageMaker Notebook VPC Deployment Check
No notebook instances found
@@ -7702,9 +27603,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-11
SageMaker Model Network Isolation Check
No models found
@@ -7713,9 +27614,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-12
SageMaker Endpoint Instance Count Check
No InService endpoints found
@@ -7724,9 +27625,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-13
SageMaker Monitoring Network Isolation Check
No monitoring schedules found
@@ -7735,9 +27636,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-14
SageMaker Model Repository Access Check
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
@@ -7834,9 +27735,9 @@
Security Assessment Overview
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-23
Model Drift Detection Check
No InService endpoints found to monitor.
@@ -7845,9 +27746,9 @@
Security Assessment Overview
Medium
Passed
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
ap-south-1
SM-24
A/B Testing and Shadow Deployment Check
No InService endpoints found.
@@ -7856,7201 +27757,7615 @@
Security Assessment Overview
Low
Passed
-
-
222222222222
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
222222222222
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
222222222222
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
No identities found with overly permissive marketplace subscription access
-
No action required
-
-
Medium
-
Passed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
-
-
222222222222
+
+
777788889999
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
SM-02
+
SageMaker Full Access Policy Used
+
Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached
+
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
+
High
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-01
+
Direct Internet Access Enabled
+
SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled
+
Configure the notebook instance to use VPC connectivity and disable direct internet access
+
+
High
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-01
+
Non-VPC Only Network Access
+
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access
+
Configure the SageMaker domain to use VPC-only network access type
+
+
High
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on 2025-08-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Medium
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Medium
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Medium
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-east-1
+
SM-02
+
SSO Not Properly Configured
+
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM
+
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Medium
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-23026-BedrockSecurityAssessment-xNwSsmlzindY' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
Failed
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-03
+
Missing Encryption Configuration
+
Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
+
SM-03
+
Missing Encryption Configuration
+
Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
+
SM-03
+
Missing Encryption Configuration
+
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured
+
Configure encryption using AWS KMS customer managed keys for enhanced security
+
+
High
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
+
SM-03
+
Missing VPC Encryption
+
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled
+
Enable encryption for inter-container traffic and VPC communication
+
+
Medium
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
+
SM-05
+
SageMaker Model Registry Issue
+
Model group 'aiml-sec-test-model-package-group' has minimal versioning
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Low
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
+
SM-08
+
Model Registry Empty Model Group
+
Model group aiml-sec-test-model-package-group has no registered models
+
Implement proper model versioning and approval workflows
+
+
Low
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
222222222222
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
+
SM-09
+
SageMaker Notebook Root Access Enabled
+
Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.
+
Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.
+
High
-
Passed
-
-
-
222222222222
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
Failed
-
-
222222222222
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
+
+
777788889999
+
us-east-1
+
SM-10
+
SageMaker Notebook Not in VPC
+
Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.
+
Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.
+
+
High
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
SM-11
+
SageMaker Model Network Isolation Disabled
+
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.
+
Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.
+
+
High
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
+
SM-14
+
SageMaker Model Platform Repository Access
+
Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
+
Medium
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
+
SM-14
+
SageMaker Model Platform Repository Access
+
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
+
Medium
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
+
SM-15
+
SageMaker Feature Store Offline Encryption Missing
+
Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.
+
Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.
+
+
Medium
+
Failed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
SM-17
+
SageMaker Processing Job Encryption Check
+
All 1 processing jobs have volume encryption configured
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
SM-18
+
SageMaker Transform Job Encryption Check
+
All 1 transform jobs have volume encryption configured
No AgentCore Runtimes found to check browser tool configuration
+
+
777788889999
+
us-east-1
+
SM-22
+
Model Approval Workflow Check
+
Checked 1 model package groups. Approval workflows appear to be properly configured.
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
+
+
777788889999
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
+
+
777788889999
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
No action required
-
-
Informational
-
N/A
+
+
Low
+
Passed
-
-
222222222222
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
777788889999
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
No action required
-
-
Informational
-
N/A
+
+
Medium
+
Passed
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
No action required
-
+
Informational
N/A
-
-
-
-
Risk Distribution
-
Pass Rate by Severity
-
-
HIGH
14.8%
9 of 61 checks passed
-
MEDIUM
20.5%
39 of 190 checks passed
-
LOW
52.9%
9 of 17 checks passed
-
Overall
21.3%
57 of 268 actionable checks
-
-
Risk by Account
-
111111111111
146
42 High · 101 Med · 3 Low
222222222222
14
0 High · 14 Med · 0 Low
333333333333
45
10 High · 34 Med · 1 Low
-
Risk by Region
-
ap-southeast-2
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
80
28 High · 48 Med · 4 Low
-
Findings by Service
-
-
Bedrock
209
107 Failed · 3 Passed
-
SageMaker
252
10 Failed · 37 Passed
-
AgentCore
123
37 Failed · 2 Passed
-
Financial Services Risk
139
51 Failed · 15 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role '111111111111-us-east-1-kb-bedrock-service-role' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role '111111111111-us-east-1-kb-setup-function-role' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' last accessed Bedrock on 2025-12-21
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D' last accessed Bedrock on 2024-06-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ' last accessed Bedrock on 2025-04-27
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_072pr' last accessed Bedrock on 2024-06-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_byjin' last accessed Bedrock on 2024-11-17
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_h9718' last accessed Bedrock on 2024-11-17
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' last accessed Bedrock on 2026-01-01
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_semicon' last accessed Bedrock on 2024-09-01
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_xtwwd' last accessed Bedrock on 2025-10-13
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-18
+
SageMaker Transform Job Encryption Check
+
No transform jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_y9m7f' last accessed Bedrock on 2025-04-27
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-8vxyjh' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'aws-api-mcp-server-execution-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on 2024-11-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSVAPTAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-west-2
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'BedrockCognitoFederatedRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-west-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cfn-contextualChatBot-usi-LambdaExecutionRoleForKno-aHg3J0xel6VU' last accessed Bedrock on 2024-03-25
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' last accessed Bedrock on 2025-12-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportStackInfra-CustomerSupportLambdaRole-ujGGiNU6KEnI' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'e2ebedrockrag-KbRoleStack-2YO19O2NS6FP-KbRole-OgMxcvrnZrHZ' last accessed Bedrock on 2025-11-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-bedrock-kb-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-lambda-execution-role' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'fsi-genai-workshop-websocket-lambda-role' last accessed Bedrock on 2025-12-28
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-BDASAMPLEPROJECT-SGJRDJI15S-LambdaExecutionRole-MCRJbTEDuyKt' last accessed Bedrock on 2025-08-24
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-ChatWithDocumentResolverFunctionRole-ATyH7GeR2ad1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-DOCUMENTBEDROCKKB-CY8-StartIngestionJobFunction-NjNLRuUn8qtp' last accessed Bedrock on 2025-08-24
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-18
+
SageMaker Transform Job Encryption Check
+
No transform jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-EvaluationFunctionRole-LQdnEMAdwWPe' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
Role 'IDP-PATTERN1STACK-TNHNKPK-ProcessResultsFunctionRol-8z8mNwa6RahP' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-PATTERN1STACK-TNHNKPK-SummarizationFunctionRole-MY6sxSMvFNr4' last accessed Bedrock on 2025-10-07
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-PATTERN1STACK-TNHNKPKJY4Q-InvokeBDAFunctionRole-pLHufEKQ0Nu4' last accessed Bedrock on 2025-10-07
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDP-QueryKnowledgeBaseResolverFunctionRole-p9Mcpfk0BA6z' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' last accessed Bedrock on 2024-07-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-Aurora-Bedrock-Role' last accessed Bedrock on 2025-12-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-LambdaExecutionRole-umo63kVrhIoy' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' last accessed Bedrock on 2025-12-30
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
777788889999
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
Medium
-
Failed
+
Passed
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Meeting-Note-Bot-Role' last accessed Bedrock on 2025-10-22
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' last accessed Bedrock on 2024-01-04
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
777788889999
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-19304-BedrockSecurityAssessment-kgYUbi1MIbbb' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'SAT-PrereqTest-CodeBuildRole-SATv2Stack-PreReqs' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'threat-designer-role' last accessed Bedrock on 2025-07-02
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
User 'BedrockAPIKey-yhc3' last accessed Bedrock on 2026-04-19
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
User 'BedrockClientUser' last accessed Bedrock on 2025-04-06
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
777788889999
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
777788889999
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
777788889999
+
sa-east-1
+
SM-15
+
SageMaker Feature Store Encryption Check
+
No feature groups with offline stores found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
777788889999
+
sa-east-1
+
SM-16
+
SageMaker Data Quality Job Encryption Check
+
No data quality job definitions found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
777788889999
+
sa-east-1
+
SM-17
+
SageMaker Processing Job Encryption Check
+
No processing jobs found
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
777788889999
+
sa-east-1
+
SM-18
+
SageMaker Transform Job Encryption Check
+
No transform jobs found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
777788889999
+
sa-east-1
+
SM-20
+
SageMaker Compilation Job Encryption Check
+
No compilation jobs found
+
No action required
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
777788889999
+
sa-east-1
+
SM-21
+
SageMaker AutoML Job Network Isolation Check
+
No AutoML jobs found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
777788889999
+
sa-east-1
+
SM-22
+
Model Approval Workflow Check
+
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
777788889999
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
No action required
-
+
+
Medium
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
777788889999
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Informational
N/A
-
-
-
111111111111
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
111122223333
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
111122223333
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
111122223333
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
111122223333
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
111122223333
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
111122223333
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
111122223333
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
111122223333
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
111122223333
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
111122223333
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
111122223333
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
111122223333
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
111122223333
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
111122223333
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
111122223333
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
111122223333
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
Found 1 Gateway resources
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
111122223333
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Missing
+
The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX/aiml-security-aiml-security-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
111122223333
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Missing
+
The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
+
+
Low
+
Failed
+
+
+
111122223333
+
Global
+
AC-02
+
AgentCore IAM Full Access Policy
+
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Replace with least-privilege policies scoped to specific AgentCore resources and actions
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AC-02
+
AgentCore IAM Wildcard Permissions
+
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Scope permissions to specific AgentCore resources using resource ARNs
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AC-03
+
AgentCore Stale Access
+
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Medium
+
Failed
+
+
+
111122223333
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Review and remove unused AgentCore permissions following least privilege principle
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
+
+
111122223333
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-01
+
AgentCore Runtime VPC Configuration
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
111111111111
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
-
-
111111111111
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
111111111111
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime CloudWatch Logs
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs for monitoring and troubleshooting
+
+
Medium
+
Failed
-
-
333333333333
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
+
+
111122223333
+
us-east-1
+
AC-04
+
AgentCore Runtime X-Ray Tracing
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Enable X-Ray tracing for distributed tracing and performance analysis
+
+
Medium
+
Failed
-
-
333333333333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
Consider using customer-managed KMS keys for better control and audit capabilities
+
+
Low
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
Consider using customer-managed KMS keys for better control and audit capabilities
+
+
Low
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_7erx6' last accessed Bedrock on 2025-05-13
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-06
+
AgentCore Runtime Storage Configuration
+
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
+
Configure S3 storage for browser tool session recordings and artifacts
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSVAPTAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-east-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-07
+
AgentCore Memory Encryption
+
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Enable encryption with customer-managed KMS keys
+
Medium
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-333333333333-us-west-2' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
111122223333
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
Found 2 Gateway resources
+
No action required
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Missing
+
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Create VPC interface endpoints for AgentCore services:
+1. com.amazonaws.region.bedrock-agentcore
+2. com.amazonaws.region.bedrock-agentcore-control
+3. com.amazonaws.region.bedrock-agentcore-runtime
+This enables private connectivity via AWS PrivateLink
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Missing
+
The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Missing
+
The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
+
+
Low
Failed
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerApp-EC2-Role' last accessed Bedrock on 2026-03-29
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerScanRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-mgmt-BedrockSecurityAssessmentF-espswsHIf9by' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
111122223333
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
111122223333
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
111122223333
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
111122223333
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
111122223333
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
444455556666
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
444455556666
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
444455556666
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
444455556666
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
444455556666
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
444455556666
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
444455556666
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
444455556666
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b/aiml-security-aiml-security-mgmt-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:333333333333:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
Global
+
AC-02
+
AgentCore IAM Full Access Check
+
No roles with overly permissive AgentCore access found
No action required
-
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
AC-03
+
AgentCore Stale Access
+
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Medium
+
Failed
+
+
+
444455556666
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
444455556666
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
444455556666
+
us-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
444455556666
+
us-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
444455556666
+
us-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
444455556666
+
us-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
us-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
444455556666
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
444455556666
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
444455556666
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
444455556666
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
+
+
444455556666
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
-
High
-
Passed
+
+
Informational
+
N/A
-
-
222222222222
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
No identities found with overly permissive marketplace subscription access
+
+
444455556666
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
-
Medium
-
Passed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on 2025-08-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ProwlerMemberRole' last accessed Bedrock on 2026-03-10
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'resco-aiml-security-23026-BedrockSecurityAssessment-xNwSsmlzindY' last accessed Bedrock on 2026-04-18
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
222222222222
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
Informational
+
N/A
-
-
222222222222
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
444455556666
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
444455556666
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
444455556666
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
444455556666
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
444455556666
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
444455556666
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
444455556666
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
777788889999
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
777788889999
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
777788889999
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
777788889999
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
+
+
777788889999
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
+
+
777788889999
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
777788889999
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
777788889999
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
777788889999
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
777788889999
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::222222222222:assumed-role/aiml-security-23026652352-BedrockSecurityAssessment-UZzmVN1xrMwf/aiml-security-aiml-security-222222222222-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:222222222222:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
777788889999
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
777788889999
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
777788889999
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
777788889999
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
+
+
777788889999
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
+
+
+
777788889999
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
+
777788889999
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
777788889999
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
+
777788889999
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
777788889999
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
777788889999
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
777788889999
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
777788889999
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
777788889999
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
+
777788889999
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
777788889999
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
777788889999
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
777788889999
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
777788889999
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
+
+
777788889999
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
+
+
777788889999
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
+
+
777788889999
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
+
+
777788889999
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
+
+
777788889999
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
777788889999
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
+
+
777788889999
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
+
+
777788889999
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
-
Low
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
Informational
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111111111111
+
+
777788889999
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
AC-02
+
AgentCore IAM Wildcard Permissions
+
The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Scope permissions to specific AgentCore resources using resource ARNs
+
High
Failed
-
-
111111111111
+
+
777788889999
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Informational
+
N/A
-
-
111111111111
+
+
777788889999
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
Consider using customer-managed KMS keys for better control and audit capabilities
+
+
Low
Failed
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
Informational
N/A
-
-
111111111111
+
+
777788889999
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
Informational
N/A
-
-
-
111111111111
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
+
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
111122223333
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
111122223333
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
111122223333
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
111122223333
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Low
+
Failed
+
+
+
111122223333
us-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Medium
+
Passed
+
+
+
111122223333
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Low
Passed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Low
Passed
-
-
111111111111
+
+
111122223333
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Medium
-
Passed
+
Failed
-
-
111111111111
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
+
111122223333
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
+
111122223333
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
111122223333
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
111122223333
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
111122223333
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
111122223333
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
111122223333
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
111122223333
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
111122223333
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
111122223333
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
111122223333
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
111122223333
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Medium
+
Failed
+
+
+
111122223333
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
111122223333
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
+
+
111122223333
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.
No action required
-
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
111122223333
+
us-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement Missing
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.
+
No action required
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection Missing
+
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.
+
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
+
Low
+
Failed
+
+
+
111122223333
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Failed
+
+
+
111122223333
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Medium
+
Failed
+
+
+
111122223333
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Medium
-
Passed
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Medium
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
+
111122223333
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Medium
-
Passed
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Medium
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
High
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
+
+
111122223333
+
us-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
High
+
Failed
-
-
333333333333
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
111122223333
+
us-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
+
111122223333
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Low
+
Failed
+
+
+
111122223333
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
111122223333
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
111122223333
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
111122223333
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
111122223333
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
+
+
111122223333
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
333333333333
+
+
111122223333
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
333333333333
+
+
111122223333
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
333333333333
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
333333333333
+
+
111122223333
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
333333333333
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
333333333333
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
333333333333
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
333333333333
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
111122223333
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
111122223333
+
eu-west-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
111122223333
+
eu-west-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
111122223333
+
eu-west-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
111122223333
+
eu-west-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
111122223333
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
+
111122223333
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
111122223333
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
111122223333
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
111122223333
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
111122223333
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
+
+
111122223333
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
111122223333
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
444455556666
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
444455556666
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
444455556666
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
444455556666
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
444455556666
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
444455556666
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
444455556666
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
444455556666
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
444455556666
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
444455556666
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
+
+
+
444455556666
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
444455556666
+
us-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
444455556666
+
us-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
us-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
444455556666
+
us-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
-
-
333333333333
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
444455556666
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
+
+
444455556666
+
us-west-2
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
+
444455556666
+
us-west-2
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
222222222222
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
444455556666
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
+
444455556666
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
-
Medium
-
Passed
-
-
-
222222222222
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
444455556666
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
444455556666
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
444455556666
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
444455556666
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
444455556666
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
444455556666
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
444455556666
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
444455556666
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
+
+
444455556666
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
222222222222
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
222222222222
+
+
444455556666
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
222222222222
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
222222222222
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
+
444455556666
+
eu-west-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
-
-
222222222222
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
+
444455556666
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
-
-
222222222222
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
444455556666
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
444455556666
+
eu-west-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
444455556666
+
eu-west-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
444455556666
+
eu-west-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
444455556666
+
eu-west-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
444455556666
+
eu-west-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
444455556666
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Medium
+
Failed
+
+
+
444455556666
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
+
+
444455556666
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
444455556666
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
Informational
N/A
-
-
222222222222
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
+
+
444455556666
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
222222222222
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
+
+
444455556666
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
-
Low
-
Passed
+
+
Informational
+
N/A
-
-
222222222222
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
444455556666
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
+
444455556666
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
+
444455556666
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
+
444455556666
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
444455556666
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
444455556666
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
444455556666
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
444455556666
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
444455556666
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
444455556666
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
444455556666
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
444455556666
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
222222222222
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
444455556666
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
-
-
222222222222
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
444455556666
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
+
444455556666
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
+
+
777788889999
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
777788889999
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
Global
-
AC-02
-
AgentCore IAM Full Access Policy
-
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace with least-privilege policies scoped to specific AgentCore resources and actions
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Scope permissions to specific AgentCore resources using resource ARNs
-
-
High
-
Failed
-
-
-
111111111111
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (179 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (179 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (179 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111111111111
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
+
777788889999
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
+
777788889999
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
+
777788889999
+
eu-west-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
777788889999
+
eu-west-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Missing
-
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create VPC interface endpoints for AgentCore services:
-1. com.amazonaws.region.bedrock-agentcore
-2. com.amazonaws.region.bedrock-agentcore-control
-3. com.amazonaws.region.bedrock-agentcore-runtime
-This enables private connectivity via AWS PrivateLink
-
-
High
-
Failed
+
+
777788889999
+
eu-west-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
777788889999
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
777788889999
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
777788889999
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
+
+
777788889999
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
777788889999
+
us-west-2
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
us-west-2
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
+
777788889999
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
+
+
777788889999
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
-
High
-
Passed
-
-
-
333333333333
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-mgmt-AgentCoreSecurityAssessmen-JrbYHkz9UslU' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
333333333333
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
+
+
Informational
+
N/A
-
-
333333333333
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
+
777788889999
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
777788889999
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
333333333333
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
777788889999
+
us-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
+
+
777788889999
+
us-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
+
777788889999
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
222222222222
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
+
+
777788889999
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
-
High
-
Passed
+
+
Informational
+
N/A
-
-
222222222222
+
+
777788889999
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (62 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
Failed
-
-
222222222222
+
+
777788889999
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Informational
+
N/A
-
-
222222222222
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
+
+
777788889999
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Medium
+
Passed
+
+
+
777788889999
+
Global
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
222222222222
+
+
777788889999
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Low
+
Passed
+
+
+
777788889999
+
us-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
222222222222
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
777788889999
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
+
Low
+
Failed
+
+
+
111122223333
us-east-1
FS-01
No Regional WAF Web ACLs Found
@@ -15076,8 +35405,21 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-01
+
No Regional WAF Web ACLs Found
+
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-02
API Gateway Usage Plans Missing Throttle
@@ -15087,22 +35429,41 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-02
+
API Gateway Usage Plans Missing Throttle
+
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
+
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-03
-
Bedrock Token Quotas At Default
-
All 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.
-
1. Review current Bedrock TPM/TPD quotas in the Service Quotas console.
-2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review.
-3. Implement client-side token counting and pre-flight quota checks.
-4. Use Bedrock cross-region inference profiles to distribute load.
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
Medium
-
N/A
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-03
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
+
+
Medium
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
FS-04
No Cost Anomaly Detection Monitors
@@ -15114,9 +35475,36 @@
Medium
Failed
-
-
111111111111
-
us-east-1
+
+
111122223333
+
us-west-2
+
FS-04
+
No Cost Anomaly Detection Monitors
+
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-05
+
No Bedrock CloudWatch Alarms Found
+
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
FS-05
No Bedrock CloudWatch Alarms Found
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
@@ -15128,8 +35516,8 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-06
No AI/ML Service Budgets Configured
@@ -15141,8 +35529,21 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-06
+
No AI/ML Service Budgets Configured
+
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-07
Agent Action Boundary Check
@@ -15152,8 +35553,19 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-07
+
Agent Action Boundary Check
+
No Bedrock agents found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-08
AgentCore Runtimes Missing Policy Engine
@@ -15163,12 +35575,37 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-08
+
AgentCore Runtimes Missing Policy Engine
+
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
+
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
1. Set reserved concurrency on agent Lambda functions.
2. Implement maximum iteration counts in agent orchestration logic.
3. Use Step Functions with MaxConcurrency and timeout states.
@@ -15177,8 +35614,8 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-10
Human-in-the-Loop Check — No Agent Workflows Found
@@ -15188,8 +35625,19 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-10
+
Human-in-the-Loop Check — No Agent Workflows Found
+
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-11
No Agent Rate Alarms Found
@@ -15202,8 +35650,22 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-11
+
No Agent Rate Alarms Found
+
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-12
No Bedrock-Scoped SCPs Found
@@ -15215,8 +35677,21 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-12
+
No Bedrock-Scoped SCPs Found
+
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
+
High
+
Failed
+
+
+
111122223333
us-east-1
FS-13
Model Provenance Tags Present
@@ -15226,8 +35701,19 @@
Medium
Passed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-13
+
Model Provenance Tags Present
+
All reviewed models have required provenance tags.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
us-east-1
FS-14
Model Governance Config Rules Present
@@ -15237,8 +35723,19 @@
Medium
Passed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-14
+
Model Governance Config Rules Present
+
Found 11 model-related Config rule(s).
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
us-east-1
FS-15
No Bedrock Evaluation Jobs Found
@@ -15250,19 +35747,43 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-15
+
No Bedrock Evaluation Jobs Found
+
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-16
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111111111111-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-16
+
ECR Repositories Without Image Scanning
+
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-20
No SageMaker Feature Groups Found
@@ -15272,25 +35793,68 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-20
+
No SageMaker Feature Groups Found
+
No SageMaker Feature Store groups found.
+
No action required.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-21
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111111111111-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111111111111-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111111111111-huo1mvme4t.
+
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
+
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-21
+
Training Data Buckets Without Versioning
+
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-22
Overly Permissive Knowledge Base IAM Roles
-
722 role(s) with wildcard KB permissions:
-- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111111111111-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Admin' allows '*'
+- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-22
+
Overly Permissive Knowledge Base IAM Roles
+
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
- Role 'Admin' allows '*'
- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
@@ -15298,14 +35862,14 @@
Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-24
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
@@ -15317,8 +35881,21 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-24
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-25
OpenSearch Serverless Encryption Policies Present
@@ -15328,8 +35905,19 @@
High
Passed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-25
+
OpenSearch Serverless Encryption Policies Present
+
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
+
Verify all vector store collections use customer-managed KMS keys.
+
+
High
+
Passed
+
+
+
111122223333
us-east-1
FS-26
OpenSearch Serverless Collections Not VPC-Restricted
@@ -15339,45 +35927,108 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-26
+
OpenSearch Serverless Collections Not VPC-Restricted
+
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
+
High
+
Failed
+
+
+
111122223333
us-east-1
FS-27
-
No Guardrails — Contextual Grounding Not Applicable
-
No Bedrock Guardrails configured. Configure guardrails first (see BR-05).
-
Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
+
Contextual Grounding Enabled on Guardrails
+
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
-
Informational
-
N/A
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-27
+
Contextual Grounding Enabled on Guardrails
+
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
+
+
High
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
FS-27
-
Automated Reasoning Policies — Access Check
-
Access denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.
-
1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml.
-2. Check for an Organizations SCP / permission boundary denying the action.
-3. Confirm the assessed region supports Automated Reasoning checks.
-4. Re-run the assessment after re-deploying.
-
-
Low
-
N/A
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-27
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-28
-
No Guardrails — Denied Topics Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with denied topics for regulated financial content.
+
Denied Topics Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-28
+
Denied Topics Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-31
Knowledge Base Data Sources Past Review Threshold
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 702 days ago
-- KB '111111111111-us-east-1-kb' source '111111111111-us-east-1-kb-datasource' last synced 180 days ago
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-31
+
Knowledge Base Data Sources Past Review Threshold
+
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
@@ -15419,8 +36100,8 @@
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-33
KB Data Source Buckets Without Versioning
-
KB data source S3 buckets without versioning: 111111111111-us-east-1-kb-data-bucket.
+
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
+
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-33
+
KB Data Source Buckets Without Versioning
+
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
Medium
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-34
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-west-2
+
FS-34
+
Legacy Foundation Models Available in Region
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
2. Migrate active usage to current model versions.
3. Document training-data cutoff dates for all models in use.
@@ -15458,8 +36178,8 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
FS-35
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
@@ -15472,20 +36192,59 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-35
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-36
-
No Guardrails — Content Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with content filters.
+
Guardrail Content Filters on CLASSIC Tier
+
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-36
+
Guardrail Content Filters on CLASSIC Tier
+
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-37
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
+
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
us-west-2
FS-37
ADVISORY: User Feedback Mechanism — Manual Review Required
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
@@ -15497,19 +36256,36 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
FS-38
-
No Guardrails — Word Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with word filters.
+
No Guardrails With Word Filters
+
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
-
Informational
-
N/A
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-38
+
No Guardrails With Word Filters
+
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
+
+
Medium
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-39
No SageMaker Clarify Bias Monitoring
@@ -15522,8 +36298,22 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-39
+
No SageMaker Clarify Bias Monitoring
+
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-41
No SageMaker Clarify Explainability Monitoring
@@ -15550,8 +36354,22 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-41
+
No SageMaker Clarify Explainability Monitoring
+
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
+
High
+
Failed
+
+
+
111122223333
us-east-1
FS-42
No SageMaker Model Cards Found
@@ -15564,8 +36382,22 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-42
+
No SageMaker Model Cards Found
+
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-43
No CloudWatch Logs Data Protection Policies
@@ -15578,8 +36410,22 @@
High
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-43
+
No CloudWatch Logs Data Protection Policies
+
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
+
High
+
Failed
+
+
+
111122223333
us-east-1
FS-44
Amazon Macie Enabled
@@ -15589,41 +36435,85 @@
High
Passed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-44
+
Amazon Macie Enabled
+
Amazon Macie is enabled and scanning S3 buckets.
+
Verify Macie jobs cover training data and KB data source buckets.
+
+
High
+
Passed
+
+
+
111122223333
us-east-1
FS-45
-
No Guardrails — PII Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with PII/sensitive information filters.
+
Guardrail PII Filters Configured
+
Guardrails with PII filters: nist-ai-rmf-guardrail.
+
No action required.
-
Informational
-
N/A
+
High
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-45
+
Guardrail PII Filters Configured
+
Guardrails with PII filters: nist-ai-rmf-guardrail.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-50
-
No Guardrails With Relevance Grounding Filters
-
No guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.
-
Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.
+
Relevance Grounding Filters Present
+
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
No action required.
Medium
-
Failed
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-50
+
Relevance Grounding Filters Present
+
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
No action required.
+
+
Medium
+
Passed
-
-
111111111111
+
+
111122223333
us-east-1
FS-51
-
No Guardrails — Prompt Attack Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with prompt attack filters.
-
-
Informational
-
N/A
+
No Guardrails With Prompt Attack Filters
+
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-51
+
No Guardrails With Prompt Attack Filters
+
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
+
High
+
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-52
Bedrock Lambda Functions on Deprecated Runtimes
@@ -15682,8 +36626,22 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-52
+
Bedrock Lambda Functions on Deprecated Runtimes
+
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
+
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
+2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
+3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
+4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-53
No WAF Web ACLs — Injection Rules Not Applicable
@@ -15693,8 +36651,19 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-53
+
No WAF Web ACLs — Injection Rules Not Applicable
+
No regional WAF Web ACLs found.
+
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-55
No Output Validation Functions Found
@@ -15722,8 +36706,22 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-55
+
No Output Validation Functions Found
+
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
+
+
Informational
+
N/A
+
+
+
111122223333
us-east-1
FS-59
-
No Guardrails — Topic Allowlist Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with topic policies to restrict off-topic responses.
+
Topic Restrictions Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-59
+
Topic Restrictions Configured on CLASSIC Tier
+
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
Medium
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-60
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
us-west-2
FS-60
ADVISORY: Contextual Grounding for Off-Topic Prevention
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
@@ -15785,23 +36846,50 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
FS-61
-
COULD NOT ASSESS: Knowledge Base Sync Schedule Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::111111111111:assumed-role/aiml-security-19304724716-FinServSecurityAssessment-G8d5dEiMJsZB/aiml-security-aiml-security-111111111111-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:111111111111:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
No Automated KB Sync Schedules Detected
+
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-61
+
No Automated KB Sync Schedules Detected
+
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-62
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
+
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
111122223333
+
us-west-2
FS-62
ADVISORY: Data Currency Disclaimer — Manual Review Required
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
@@ -15812,8 +36900,8 @@
Informational
N/A
-
-
111111111111
+
+
111122223333
us-east-1
FS-63
Foundation Model Lifecycle Management
@@ -15823,14 +36911,40 @@
Medium
Passed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-63
+
Foundation Model Lifecycle Management
+
No legacy models detected. 10 lifecycle-related Config rule(s) found.
+
No action required.
+
+
Medium
+
Passed
+
+
+
111122223333
us-east-1
FS-65
KB Data Source Buckets Missing S3 Event Notifications
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
- semiconductor-demo-9999
-- 111111111111-us-east-1-kb-data-bucket
+- 111122223333-us-east-1-kb-data-bucket
+
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-65
+
KB Data Source Buckets Missing S3 Event Notifications
+
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- semiconductor-demo-9999
+- 111122223333-us-east-1-kb-data-bucket
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
3. Integrate alerts into your security incident response workflow.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
+- origami_expeditions
+- neoCyan_Agent
+- customer_support_agent
+- cdk_agent_core
+- awsapimcpserver
+
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
+2. Propagate the end-user's identity token to downstream tool services.
+3. Ensure tool services validate the propagated identity before executing actions.
+4. Do not expose propagated identity tokens to unauthorized third parties.
+
+
High
+
Failed
+
+
+
111122223333
us-east-1
FS-67
Agent Action-Group Lambdas May Lack Transaction Thresholds
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111111111111-FinServAssessment
-- aiml-security-aiml-security-111111111111-BedrockAssessment
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
+- resco-aiml-BedrockAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
+- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
+- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
+- resco-aiml-AgentCoreAssessment
+
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
FS-67
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111111111111-AgentCoreAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
- resco-aiml-AgentCoreAssessment
@@ -15878,8 +37032,8 @@
High
Failed
-
-
111111111111
+
+
111122223333
us-east-1
FS-68
API Gateway Request Body Size Limits Not Enforced
@@ -15892,19 +37046,99 @@
Medium
Failed
-
-
111111111111
+
+
111122223333
+
us-west-2
+
FS-68
+
API Gateway Request Body Size Limits Not Enforced
+
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
+
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
+2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
+3. Set the max_tokens parameter in Bedrock API calls to cap output length.
+4. Implement client-side token counting before submitting requests.
+
+
Medium
+
Failed
+
+
+
111122223333
us-east-1
FS-69
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111111111111-CleanupBucket.
+
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
+
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
+
Medium
+
Passed
+
+
+
111122223333
+
us-west-2
+
FS-69
+
Prompt Input Validation Functions Present
+
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
Medium
Passed
-
-
111111111111
+
+
111122223333
+
eu-west-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
111122223333
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
111122223333
+
sa-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
eu-west-1
FS-00
FinServ Regional Scope Not Applicable
@@ -15914,19 +37148,30 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
444455556666
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
444455556666
+
sa-east-1
FS-00
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
No action required unless GenAI workloads are expected in this region.
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-01
AWS Shield Advanced Not Enabled
@@ -15939,8 +37184,8 @@
Low
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-01
No Regional WAF Web ACLs Found
@@ -15952,8 +37197,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-02
No API Gateway Usage Plans Found
@@ -15963,22 +37208,19 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-03
-
Bedrock Token Quotas At Default
-
All 232 Bedrock token-based quota(s) are at their AWS default values — no quota increase has been applied. Running at default is a legitimate posture, but it should be a reviewed decision aligned with expected peak load rather than an oversight.
-
1. Review current Bedrock TPM/TPD quotas in the Service Quotas console.
-2. Request increases aligned with expected peak load, or document a deliberate decision to remain at default after review.
-3. Implement client-side token counting and pre-flight quota checks.
-4. Use Bedrock cross-region inference profiles to distribute load.
+
Bedrock Token Quotas Customized
+
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
No action required. Periodically re-review quotas against expected peak load.
Medium
-
N/A
+
Passed
-
-
333333333333
+
+
777788889999
us-east-1
FS-04
No Cost Anomaly Detection Monitors
@@ -15990,8 +37232,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-05
No Bedrock CloudWatch Alarms Found
@@ -16004,8 +37246,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-06
No AI/ML Service Budgets Configured
@@ -16017,19 +37259,19 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
+
Agent Action Boundaries Look Appropriate
+
Reviewed 1 agent(s); no wildcard sensitive actions found.
1. Set reserved concurrency on agent Lambda functions.
2. Implement maximum iteration counts in agent orchestration logic.
3. Use Step Functions with MaxConcurrency and timeout states.
@@ -16053,8 +37295,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-10
Human-in-the-Loop Check — No Agent Workflows Found
@@ -16064,8 +37306,8 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-11
No Agent Rate Alarms Found
@@ -16078,8 +37320,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-12
No Bedrock-Scoped SCPs Found
@@ -16091,19 +37333,21 @@
High
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.
Medium
-
Passed
+
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-14
Model Governance Config Rules Present
@@ -16113,8 +37357,8 @@
Medium
Passed
-
-
333333333333
+
+
777788889999
us-east-1
FS-15
No Bedrock Evaluation Jobs Found
@@ -16126,62 +37370,64 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-16
ECR Repositories Without Image Scanning
-
1 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-333333333333-us-east-1.
+
2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
High
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
-
Informational
-
N/A
+
Feature Groups Without Offline Store
+
1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.
+
1. Enable offline store (S3-backed) for all production feature groups.
+2. Enable S3 versioning on the offline store bucket.
+3. Document rollback procedures for poisoned feature data.
+
+
Medium
+
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-21
-
No Training Data Buckets Identified
-
No S3 buckets with training/model naming found.
-
Tag training data buckets and enable versioning.
+
Training Data Buckets Have Versioning
+
All 2 training bucket(s) have versioning enabled.
+
No action required.
-
Informational
-
N/A
+
High
+
Passed
-
-
333333333333
+
+
777788889999
us-east-1
FS-22
Overly Permissive Knowledge Base IAM Roles
-
710 role(s) with wildcard KB permissions:
+
823 role(s) with wildcard KB permissions:
- Role 'Admin' allows '*'
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListModelInvocations' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListPrompts' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetPrompt' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListAgents' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:GetAgent' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-3SFVOekaDS6b' allows 'bedrock:ListCustomModels' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock-agent:* with specific actions: bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*'
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
High
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-24
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
@@ -16193,8 +37439,8 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-25
OpenSearch Serverless Encryption Policies Present
@@ -16204,8 +37450,8 @@
High
Passed
-
-
333333333333
+
+
777788889999
us-east-1
FS-26
OpenSearch Serverless Collections Not VPC-Restricted
@@ -16215,44 +37461,51 @@
High
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-27
-
No Guardrails — Contextual Grounding Not Applicable
-
No Bedrock Guardrails configured. Configure guardrails first (see BR-05).
-
Configure Bedrock Guardrails with contextual grounding checks (grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases).
-
-
Informational
+
COULD NOT ASSESS: Guardrail Contextual Grounding Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-27
-
Automated Reasoning Policies — Access Check
-
Access denied or service unavailable when listing Automated Reasoning policies. The IAM action name (bedrock:ListAutomatedReasoningPolicies) is correct, so the most likely causes are, in order: (1) the assessment MEMBER ROLE in this account was deployed before this action was added and has not been re-deployed; (2) an AWS Organizations SCP or permission boundary denies this newer Bedrock action; (3) the region does not support ARC. ARC is available in AWS GovCloud (US) and a growing set of commercial regions (e.g., us-east-1, us-east-2, us-west-2, eu-central-1, eu-west-1, eu-west-3) — verify the current list in the AWS documentation.
-
1. RE-DEPLOY the member-role CloudFormation stack so the role picks up bedrock:ListAutomatedReasoningPolicies (templates may be current while the *deployed* role is stale). See deployment/1-aiml-security-member-roles.yaml and aiml-security-single-account.yaml.
-2. Check for an Organizations SCP / permission boundary denying the action.
-3. Confirm the assessed region supports Automated Reasoning checks.
-4. Re-run the assessment after re-deploying.
-
-
Low
-
N/A
+
No Automated Reasoning Policies Found
+
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
+
Medium
+
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-28
-
No Guardrails — Denied Topics Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with denied topics for regulated financial content.
-
-
Informational
+
COULD NOT ASSESS: Financial Denied Topics Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 403 days ago
+- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago
Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
@@ -16294,8 +37547,8 @@
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, amazon.titan-image-generator-v2:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
2. Migrate active usage to current model versions.
3. Document training-data cutoff dates for all models in use.
@@ -16333,8 +37586,8 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-35
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
@@ -16347,19 +37600,22 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-36
-
No Guardrails — Content Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with content filters.
-
-
Informational
+
COULD NOT ASSESS: Guardrail Content Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-37
ADVISORY: User Feedback Mechanism — Manual Review Required
@@ -16372,19 +37628,22 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-38
-
No Guardrails — Word Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with word filters.
-
-
Informational
+
COULD NOT ASSESS: Guardrail Word Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
Configure guardrails with PII/sensitive information filters.
-
-
Informational
+
COULD NOT ASSESS: Guardrail PII Filters Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-46
-
No AI/ML Data Buckets Identified
-
No S3 buckets with AI/ML naming found.
-
Tag AI/ML data buckets with data-classification labels.
+
AI/ML Buckets Without Data Classification Tags
+
3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.
+
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
-
Informational
-
N/A
+
Medium
+
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-47
-
No Guardrails — Grounding Threshold Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with contextual grounding checks.
-
-
Informational
+
COULD NOT ASSESS: Guardrail Grounding Threshold Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
No guardrails have RELEVANCE contextual grounding filters. Without relevance filters, responses that are off-topic or unrelated to the user query will not be blocked, increasing hallucination risk in RAG-based FinServ applications.
-
Enable the RELEVANCE contextual grounding filter in Bedrock Guardrails with a threshold of ≥0.7 to block responses that are not relevant to the user query. Also enable the GROUNDING filter (≥0.7) to block responses not supported by the retrieved source context.
-
-
Medium
-
Failed
+
COULD NOT ASSESS: Guardrail Relevance Grounding Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
+
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-51
-
No Guardrails — Prompt Attack Filters Not Applicable
-
No Bedrock Guardrails configured.
-
Configure guardrails with prompt attack filters.
-
-
Informational
+
COULD NOT ASSESS: Prompt Injection Input Validation Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-52
Bedrock Lambda Functions on Current Runtimes
-
All 16 Bedrock Lambda function(s) use current runtimes.
+
All 10 Bedrock Lambda function(s) use current runtimes.
Configure guardrails with topic policies to restrict off-topic responses.
-
-
Informational
+
COULD NOT ASSESS: Guardrail Topic Allowlist Check
+
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
+
Low
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-60
ADVISORY: Contextual Grounding for Off-Topic Prevention
@@ -16660,22 +37934,22 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-61
-
COULD NOT ASSESS: Knowledge Base Sync Schedule Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the ListSchedules operation: User: arn:aws:sts::333333333333:assumed-role/aiml-security-mgmt-FinServSecurityAssessmentFunctio-pwj9by1swQWa/aiml-security-aiml-security-mgmt-FinServAssessment is not authorized to perform: scheduler:ListSchedules on resource: arn:aws:scheduler:us-east-1:333333333333:schedule/*/* because no identity-based policy allows the scheduler:ListSchedules action). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
+
No Automated KB Sync Schedules Detected
+
Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
+
Medium
+
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-62
ADVISORY: Data Currency Disclaimer — Manual Review Required
@@ -16687,8 +37961,8 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-63
Foundation Model Lifecycle Management
@@ -16698,8 +37972,8 @@
Medium
Passed
-
-
333333333333
+
+
777788889999
us-east-1
FS-65
KB Data Source Buckets Missing S3 Event Notifications
@@ -16712,8 +37986,8 @@
Medium
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-66
No AgentCore Runtimes Found
@@ -16723,15 +37997,13 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-67
Agent Action-Group Lambdas May Lack Transaction Thresholds
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
- aiml-security-aiml-security-mgmt-FinServAssessment
-- resco-aiml-BedrockAssessment
-- resco-aiml-AgentCoreAssessment
- aiml-security-aiml-security-mgmt-AgentCoreAssessment
- aiml-security-aiml-security-mgmt-BedrockAssessment
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
@@ -16742,8 +38014,8 @@
High
Failed
-
-
333333333333
+
+
777788889999
us-east-1
FS-68
API Gateway Request Body Size Limits — Not Applicable
@@ -16753,67 +38025,56 @@
Informational
N/A
-
-
333333333333
+
+
777788889999
us-east-1
FS-69
Prompt Input Validation Functions Present
-
Found 2 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket, resco-aiml-CleanupBucket.
+
Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
Medium
Passed
-
-
333333333333
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
333333333333
-
ap-southeast-2
+
+
777788889999
+
us-west-2
FS-00
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
No action required unless GenAI workloads are expected in this region.
Informational
N/A
-
-
222222222222
-
us-east-1
+
+
777788889999
+
eu-west-1
FS-00
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
No action required unless GenAI workloads are expected in this region.
Informational
N/A
-
-
222222222222
-
eu-west-1
+
+
777788889999
+
ap-south-1
FS-00
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
No action required unless GenAI workloads are expected in this region.
Informational
N/A
-
-
222222222222
-
ap-southeast-2
+
+
777788889999
+
sa-east-1
FS-00
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
No action required unless GenAI workloads are expected in this region.
Informational
@@ -16824,7 +38085,7 @@
Severity Levels & Status Values
High
Direct security risk
Failed
Remediation needed
Medium
Defense-in-depth gap
Passed
Meets requirements
Low
Best practice
N/A
Not applicable
Informational
No action required
Remediation Guidance
High
7 days
Address immediately; block deployment if unresolved
Medium
30 days
Schedule in next sprint; may require change window
Low
90 days
Include in backlog; address during regular maintenance
Assessment Notes
Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.
No regional Bedrock resources found to assess private connectivity
@@ -285,9 +297,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-04
Bedrock Model Invocation Logging Check
No regional Bedrock resources found to monitor with invocation logging
@@ -296,9 +308,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-05
Bedrock Guardrails Check
No regional Bedrock resources found to protect with guardrails
@@ -307,9 +319,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-06
Bedrock CloudTrail Logging Check
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
@@ -318,9 +330,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -333,9 +345,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -344,20 +356,20 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -366,9 +378,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -377,9 +389,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -388,9 +400,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -399,366 +411,339 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
111111111111
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
+
123456789012
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
-
Informational
-
N/A
-
-
-
111111111111
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
+
123456789012
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
Informational
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
+
+
123456789012
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
+
+
123456789012
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
+
+
123456789012
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
123456789012
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
123456789012
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
123456789012
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
123456789012
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ScoutSuiteRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-02
Amazon Bedrock private connectivity check
No regional Bedrock resources found to assess private connectivity
@@ -767,9 +752,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-04
Bedrock Model Invocation Logging Check
No regional Bedrock resources found to monitor with invocation logging
@@ -778,9 +763,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-05
Bedrock Guardrails Check
No regional Bedrock resources found to protect with guardrails
@@ -789,9 +774,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-06
Bedrock CloudTrail Logging Check
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
@@ -800,9 +785,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -815,9 +800,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -826,20 +811,20 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -848,9 +833,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -859,9 +844,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -870,9 +855,9 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
us-east-1
+
+
123456789012
+
eu-west-1
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -881,1338 +866,1316 @@
Security Assessment Overview
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
+
+
123456789012
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
123456789012
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
+
123456789012
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Medium
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
123456789012
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
-
Informational
+
+
123456789012
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
+
+
123456789012
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
123456789012
+
eu-west-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
123456789012
+
eu-west-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
123456789012
+
eu-west-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
123456789012
+
eu-west-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
123456789012
+
eu-west-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111111111111
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
123456789012
+
eu-west-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
123456789012
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
123456789012
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
+
123456789012
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
123456789012
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
123456789012
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
123456789012
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
+
+
123456789012
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
+
+
123456789012
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
-
Informational
+
+
123456789012
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
+
+
123456789012
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
+
+
123456789012
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
+
+
123456789012
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Medium
-
Passed
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Low
-
Passed
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
+
+
123456789012
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
111111111111
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
High
-
Passed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
+
+
123456789012
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
111111111111
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
+
+
123456789012
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Passed
+
N/A
-
-
111111111111
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
+
+
123456789012
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
No action required
-
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
+
123456789012
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
123456789012
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
123456789012
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
123456789012
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
123456789012
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
123456789012
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
123456789012
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
No roles found with AmazonBedrockFullAccess policy
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
No action required
-
-
Medium
-
Passed
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
123456789012
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.
+
+
High
+
Failed
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
+
123456789012
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
+
+
123456789012
+
us-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111111111111
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111111111111
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
N/A
-
-
111111111111
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
123456789012
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
+
+
123456789012
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
123456789012
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
123456789012
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
High
-
Passed
-
-
-
111111111111
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
Failed
-
-
111111111111
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
111111111111
-
ap-southeast-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
-
Risk Distribution
-
Pass Rate by Severity
-
-
HIGH
50.0%
3 of 6 checks passed
-
MEDIUM
32.1%
9 of 28 checks passed
-
LOW
100.0%
3 of 3 checks passed
-
Overall
40.5%
15 of 37 actionable checks
-
-
-
Risk by Region
-
ap-southeast-2
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
-
Findings by Service
-
-
Bedrock
54
20 Failed · 1 Passed
-
SageMaker
82
0 Failed · 13 Passed
-
AgentCore
33
2 Failed · 1 Passed
-
Financial Services Risk
3
0 Failed · 0 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-02
Amazon Bedrock private connectivity check
No regional Bedrock resources found to assess private connectivity
@@ -2221,9 +2184,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-04
Bedrock Model Invocation Logging Check
No regional Bedrock resources found to monitor with invocation logging
@@ -2232,9 +2195,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-05
Bedrock Guardrails Check
No regional Bedrock resources found to protect with guardrails
@@ -2243,9 +2206,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-06
Bedrock CloudTrail Logging Check
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
@@ -2254,9 +2217,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-07
Bedrock Prompt Management Check
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
@@ -2269,9 +2232,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-08
Bedrock Agent IAM Roles Check
No Bedrock agents found in the account
@@ -2280,20 +2243,20 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-09
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
+
No Knowledge Bases found in the account
+
No action required
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-10
Bedrock Guardrail IAM Enforcement Check
No guardrails configured - IAM enforcement check not applicable
@@ -2302,9 +2265,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-11
Bedrock Custom Model Encryption Check
No custom/fine-tuned models found in the account
@@ -2313,9 +2276,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-12
Bedrock Invocation Log Encryption Check
Model invocation logging to S3 is not configured
@@ -2324,9 +2287,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
us-west-2
BR-13
Bedrock Flows Guardrails Check
No Bedrock Flows found in the account
@@ -2335,502 +2298,339 @@
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
+
+
123456789012
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
+
+
123456789012
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
No action required
-
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
N/A
-
-
111111111111
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
N/A
-
-
111111111111
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
N/A
-
-
111111111111
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
+
+
123456789012
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
N/A
-
-
111111111111
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
123456789012
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
High
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
+
+
123456789012
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
-
-
111111111111
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
123456789012
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
High
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AIMLSecurityMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AwsSecurityAudit' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'AWSServiceRoleForSupport' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSecAuditRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'InternalAuditInternal' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
-
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
+
+
123456789012
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Medium
-
Failed
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'ScoutSuiteRole' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
BR-14
-
Stale Bedrock Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on never
-
You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.
-
-
Medium
-
Failed
+
+
123456789012
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
+
123456789012
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action
-
Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.
-
+
+
123456789012
+
us-west-2
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
123456789012
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
123456789012
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
+
+
+
123456789012
+
ap-south-1
SM-01
SageMaker Internet Access Check
No SageMaker notebook instances or domains found to check
@@ -2839,9 +2639,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
SM-02
SageMaker SSO Configuration Check
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
@@ -2850,9 +2650,9 @@
Medium
Passed
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
SM-03
Data Protection Check
No SageMaker resources found to check for data protection
@@ -2861,9 +2661,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
SM-04
GuardDuty Enabled
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
@@ -2872,9 +2672,9 @@
Medium
Passed
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
SM-05
SageMaker Model Registry Issue
No model package groups found
@@ -2883,9 +2683,9 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
+
+
123456789012
+
ap-south-1
SM-05
SageMaker Feature Store Issue
No feature groups found
@@ -2894,1219 +2694,7806 @@
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
123456789012
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
SM-02
+
SageMaker IAM Permissions Check
+
No issues found with IAM permissions and no stale access detected
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AC-02
+
AgentCore IAM Full Access Check
+
No roles with overly permissive AgentCore access found
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
123456789012
+
us-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
FS-00
+
FinServ Regional Scope Not Applicable
+
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
+
No action required unless GenAI workloads are expected in this region.
+
+
Informational
+
N/A
+
+
+
+
Risk Distribution
+
Pass Rate by Severity
+
+
HIGH
9.8%
4 of 41 checks passed
+
MEDIUM
36.6%
15 of 41 checks passed
+
LOW
27.8%
5 of 18 checks passed
+
Overall
24.0%
24 of 100 actionable checks
+
+
+
Risk by Region
+
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
+
Findings by Assessment Area
+
+
Bedrock
145
4 Failed · 1 Passed
+
SageMaker
136
0 Failed · 21 Passed
+
AgentCore
53
1 Failed · 1 Passed
+
Agentic AI Security
123
1 Failed · 1 Passed
+
Financial Services Risk
5
0 Failed · 0 Passed
+
+
+
+
Amazon Bedrock Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
123456789012
+
ap-south-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
123456789012
+
ap-south-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
123456789012
+
eu-west-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
+
Low
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
123456789012
+
sa-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
BR-01
+
AmazonBedrockFullAccess role check
+
No roles found with AmazonBedrockFullAccess policy
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
Marketplace Subscription Access Check
+
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
+
High
+
Failed
+
+
+
123456789012
+
us-east-1
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
BR-15
+
Cross-Account Guardrails Enforcement Check
+
Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.
+
+
High
+
Failed
+
+
+
123456789012
+
us-east-1
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-east-1
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-02
+
Amazon Bedrock private connectivity check
+
No regional Bedrock resources found to assess private connectivity
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-04
+
Bedrock Model Invocation Logging Check
+
No regional Bedrock resources found to monitor with invocation logging
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-05
+
Bedrock Guardrails Check
+
No regional Bedrock resources found to protect with guardrails
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-06
+
Bedrock CloudTrail Logging Check
+
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-07
+
Bedrock Prompt Management Check
+
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-08
+
Bedrock Agent IAM Roles Check
+
No Bedrock agents found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-09
+
Bedrock Knowledge Base Encryption Check
+
No Knowledge Bases found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-10
+
Bedrock Guardrail IAM Enforcement Check
+
No guardrails configured - IAM enforcement check not applicable
+
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-11
+
Bedrock Custom Model Encryption Check
+
No custom/fine-tuned models found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-12
+
Bedrock Invocation Log Encryption Check
+
Model invocation logging to S3 is not configured
+
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-13
+
Bedrock Flows Guardrails Check
+
No Bedrock Flows found in the account
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-16
+
Guardrail Tier Validation Check
+
No Bedrock guardrails configured in this region
+
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-17
+
Custom Model Customer-Managed KMS Encryption Check
+
No custom (fine-tuned) Bedrock models found in this region
+
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-18
+
Model Evaluation Implementation Check
+
No regional Bedrock resources found to assess with model evaluation jobs
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-19
+
Prompt Flow Validation Check
+
No Bedrock prompt flows configured in this region
+
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-20
+
Knowledge Base Customer-Managed KMS Encryption Check
+
No Bedrock knowledge bases found in this region
+
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-21
+
Agent Action Group IAM Least Privilege Check
+
No Bedrock agents configured in this region
+
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-22
+
Model Invocation Throttling Limits Check
+
No regional Bedrock resources found to assess model invocation throttling quotas
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-23
+
Guardrail Content Filter Coverage Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-24
+
Automated Reasoning Policy Implementation Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-25
+
RAG Evaluation Jobs Check
+
No Bedrock knowledge bases found in this region
+
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
+
Low
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-26
+
Guardrail Sensitive Information Filter Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-27
+
Guardrail Contextual Grounding Check
+
No Bedrock guardrails configured in this region
+
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-28
+
Agent Guardrail Association Check
+
No Bedrock agents configured in this region
+
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-29
+
Agent Idle Session TTL Check
+
No Bedrock agents configured in this region
+
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
+
Low
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-30
+
Imported Model Customer-Managed KMS Encryption Check
+
No imported custom Bedrock models found in this region
+
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
+
High
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-31
+
Batch Inference Output Encryption Check
+
No Bedrock batch inference (model invocation) jobs found in this region
+
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
+
Medium
+
N/A
+
+
+
123456789012
+
us-west-2
+
BR-32
+
Bedrock CloudWatch Alarm Check
+
No regional Bedrock resources found to monitor with CloudWatch alarms
+
No action required
+
+
Informational
+
N/A
+
+
+
+
Amazon SageMaker Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
123456789012
+
ap-south-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
ap-south-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
eu-west-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
sa-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
SM-02
+
SageMaker IAM Permissions Check
+
No issues found with IAM permissions and no stale access detected
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-01
+
SageMaker Internet Access Check
+
No SageMaker notebook instances or domains found to check
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-02
+
SageMaker SSO Configuration Check
+
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-03
+
Data Protection Check
+
No SageMaker resources found to check for data protection
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-04
+
GuardDuty Enabled
+
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Model Registry Issue
+
No model package groups found
+
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Feature Store Issue
+
No feature groups found
+
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-05
+
SageMaker Pipelines Issue
+
No ML pipelines found
+
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-06
+
SageMaker Clarify No Clarify Usage
+
No SageMaker Clarify jobs found
+
Implement SageMaker Clarify for model explainability and bias detection
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-07
+
SageMaker Model Monitor No Model Monitoring
+
No Model Monitor schedules found
+
Configure comprehensive model monitoring schedules
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-08
+
Model Registry Registry Not Used
+
Model Registry is not being utilized
+
Implement proper model versioning and approval workflows
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-09
+
SageMaker Notebook Root Access Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-10
+
SageMaker Notebook VPC Deployment Check
+
No notebook instances found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-11
+
SageMaker Model Network Isolation Check
+
No models found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-12
+
SageMaker Endpoint Instance Count Check
+
No InService endpoints found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-13
+
SageMaker Monitoring Network Isolation Check
+
No monitoring schedules found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-14
+
SageMaker Model Repository Access Check
+
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
+
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
SM-23
+
Model Drift Detection Check
+
No InService endpoints found to monitor.
+
No action required
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-24
+
A/B Testing and Shadow Deployment Check
+
No InService endpoints found.
+
No action required
+
+
Low
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-25
+
ML Lineage Tracking - Experiments Not Used
+
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
+
Informational
+
N/A
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+
+
+
+
+
+
+
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
123456789012
+
ap-south-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
ap-south-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AC-02
+
AgentCore IAM Full Access Check
+
No roles with overly permissive AgentCore access found
+
No action required
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
AC-03
+
AgentCore Unused Permissions
+
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Review and remove unused AgentCore permissions following least privilege principle
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AC-09
+
AgentCore Service-Linked Role Missing
+
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
+
Medium
+
Failed
+
+
+
123456789012
+
us-east-1
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-01
+
AgentCore VPC Configuration Check
+
No AgentCore resources found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-04
+
AgentCore Observability Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
123456789012
+
us-west-2
+
AC-05
+
AgentCore Encryption Check
+
No AgentCore resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
123456789012
+
us-west-2
+
AC-06
+
AgentCore Browser Tool Recording Check
+
No AgentCore Runtimes found to check browser tool configuration
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
123456789012
+
us-west-2
+
AC-07
+
AgentCore Memory Configuration Check
+
No Memory resources found
+
No action required
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
+
+
123456789012
+
us-west-2
+
AC-13
+
AgentCore Gateway Configuration Check
+
No Gateway resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
+
+
123456789012
+
us-west-2
+
AC-08
+
AgentCore VPC Endpoints Check
+
No AgentCore resources found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
+
+
123456789012
+
us-west-2
+
AC-10
+
AgentCore Resource-Based Policies Check
+
No AgentCore resources found to check for resource-based policies
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
+
+
123456789012
+
us-west-2
+
AC-11
+
AgentCore Policy Engine Encryption Check
+
No Policy Engines found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
+
+
123456789012
+
us-west-2
+
AC-12
+
AgentCore Gateway Encryption Check
+
No Gateways found
No action required
-
+
+
Informational
+
N/A
+
+
+
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
123456789012
+
ap-south-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
123456789012
+
ap-south-1
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
+
123456789012
+
ap-south-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
123456789012
+
ap-south-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
ap-southeast-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
123456789012
+
ap-south-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
+
Informational
+
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
123456789012
+
sa-east-1
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
123456789012
+
sa-east-1
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
+
123456789012
+
us-east-1
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
+
Informational
+
N/A
-
-
111111111111
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
123456789012
+
us-east-1
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
+
AG-09
+
Agentic AI Guardrail Enforcement Boundary
+
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
High
-
Passed
+
Failed
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
+
Informational
+
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
AG-03
+
Agentic AI Sensitive Information Protection
+
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-07
+
Agentic AI Model Invocation Logging
+
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-08
+
Agentic AI API Audit Trail
+
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-10
+
Agentic AI Adversarial Evaluation Coverage
+
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-11
+
Agentic AI Prompt Flow Validation
+
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-06
+
Agentic AI Tool Execution Least Privilege
+
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-12
+
Agentic AI Invocation Abuse Controls
+
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-02
+
Agentic AI Harmful Content Guardrail Coverage
+
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-04
+
Agentic AI Automated Reasoning Guardrails
+
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Configure automated reasoning policies on guardrails where formal response validation is required.
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-05
+
Agentic AI Grounding Controls
+
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
+
123456789012
+
us-west-2
+
AG-01
+
Agentic AI Agent Guardrail Association
+
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
123456789012
+
us-west-2
+
AG-13
+
Agentic AI Session Boundary
+
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Informational
N/A
-
-
111111111111
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
+
123456789012
+
us-west-2
+
AG-14
+
Agentic AI Operational Abuse Alarms
+
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
+
Informational
+
N/A
-
-
111111111111
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
+
+
123456789012
+
ap-south-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
-
Low
-
Passed
-
-
-
111111111111
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
Informational
N/A
-
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111111111111
-
ap-southeast-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
+
+
123456789012
+
ap-south-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
+
123456789012
+
ap-south-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
+
123456789012
+
ap-south-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
111111111111
-
ap-southeast-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
123456789012
+
ap-south-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
eu-west-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
+
+
123456789012
+
sa-east-1
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
-
High
-
Passed
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
+
+
123456789012
+
sa-east-1
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
-
-
111111111111
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
+
+
123456789012
+
sa-east-1
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
+
No action required
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
-
-
111111111111
+
+
123456789012
+
sa-east-1
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
sa-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
+
AG-24
+
Agentic AI Gateway Inbound Authorization
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
+
AG-25
+
Agentic AI Gateway Tool Policy Enforcement
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
+
AG-26
+
Agentic AI Gateway Error Detail Exposure
+
No AgentCore Gateways found
No action required
-
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
+
AG-27
+
Agentic AI Gateway WAF Protection
+
No AgentCore Gateways found
No action required
-
+
+
Informational
+
N/A
+
+
+
123456789012
+
Global
+
AG-16
+
Agentic AI AgentCore Least Privilege
+
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
AG-17
+
Agentic AI Stale AgentCore Access
+
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
AG-15
+
Agentic AI Runtime Network Boundary
+
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Informational
N/A
-
-
111111111111
+
+
123456789012
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-east-1
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-18
+
Agentic AI AgentCore Observability
+
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-19
+
Agentic AI Memory Data Protection
+
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-20
+
Agentic AI Private AgentCore Connectivity
+
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-21
+
Agentic AI Resource Policy Boundary
+
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-22
+
Agentic AI Policy Engine Data Protection
+
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AG-23
+
Agentic AI Gateway Data Protection
+
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.