diff --git a/README.md b/README.md index 232fe8c..77308e2 100644 --- a/README.md +++ b/README.md @@ -190,7 +190,7 @@ Both deployment modes support scanning multiple AWS regions in parallel via the Scanning uses a Step Functions Map state, so multiple regions execute in parallel with no additional time cost. Services unavailable in a region produce an informational N/A finding. -The HTML report includes a Region column, filter dropdown, and "Risk by Region" summary. +The HTML report includes a Region column, filter dropdown, and "Risk by Region / Scope" summary. > **Upgrading an existing deployment?** See [Troubleshooting](docs/TROUBLESHOOTING.md#9-upgrading-an-existing-deployment-to-multi-region) — it's a simple stack parameter update with no teardown. diff --git a/aiml-security-assessment/functions/security/agentcore_assessments/app.py b/aiml-security-assessment/functions/security/agentcore_assessments/app.py index 71a16da..eb0be10 100644 --- a/aiml-security-assessment/functions/security/agentcore_assessments/app.py +++ b/aiml-security-assessment/functions/security/agentcore_assessments/app.py @@ -51,6 +51,35 @@ "https://docs.aws.amazon.com/wellarchitected/latest/agentic-ai-lens/" "agentic-ai-lens.html" ) +AGENTCORE_STARTER_TOOLKIT_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" +) +AGENTCORE_VPC_REFERENCE_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" + "user-guide/security/agentcore-vpc.html" +) +AGENTCORE_OBSERVABILITY_REFERENCE_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" + "user-guide/observability/quickstart.html" +) +AGENTCORE_BROWSER_REFERENCE_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" + "user-guide/builtin-tools/quickstart-browser.html" +) +AGENTCORE_MEMORY_REFERENCE_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" + "user-guide/memory/quickstart.html" +) +AGENTCORE_GATEWAY_REFERENCE_URL = ( + "https://aws.github.io/bedrock-agentcore-starter-toolkit/" + "user-guide/gateway/quickstart.html" +) +AGENTCORE_DATA_ENCRYPTION_REFERENCE_URL = ( + "https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/data-encryption.html" +) +ECR_ENCRYPTION_REFERENCE_URL = ( + "https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html" +) AGENTCORE_GATEWAY_API_REFERENCE_URL = ( "https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/" "API_GetGateway.html" @@ -464,7 +493,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore VPC Configuration Check", finding_details="AgentCore client not available in this region", resolution="Deploy in a region where Amazon Bedrock AgentCore is available", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/", + reference=AGENTCORE_STARTER_TOOLKIT_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -504,7 +533,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime VPC Configuration", finding_details=f"Runtime '{runtime_name}' ({runtime_id}) is not configured with VPC. This exposes the runtime to public internet.", resolution="Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/security/agentcore-vpc.md", + reference=AGENTCORE_VPC_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, ) @@ -543,7 +572,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime Public Subnet", finding_details=f"Runtime '{runtime_name}' is in public subnet {subnet_id} with direct internet access", resolution="Move runtime to private subnets without direct internet gateway routes", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/security/agentcore-vpc.md", + reference=AGENTCORE_VPC_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -580,7 +609,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore VPC Configuration Check", finding_details="All AgentCore resources have proper VPC configuration", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/security/agentcore-vpc.md", + reference=AGENTCORE_VPC_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.PASSED, ) @@ -592,7 +621,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore VPC Configuration Check", finding_details="No AgentCore resources found", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/security/agentcore-vpc.md", + reference=AGENTCORE_VPC_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -606,7 +635,7 @@ def check_agentcore_vpc_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore VPC Configuration Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/", + reference=AGENTCORE_STARTER_TOOLKIT_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, ) @@ -1181,7 +1210,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Observability Check", finding_details="AgentCore client not available in this region", resolution="Deploy in a region where Amazon Bedrock AgentCore is available", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1224,7 +1253,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime CloudWatch Logs", finding_details=f"Runtime '{runtime_name}' ({runtime_id}) does not have CloudWatch Logs configured", resolution="Enable CloudWatch Logs for monitoring and troubleshooting", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1248,7 +1277,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime Log Group Missing", finding_details=f"Runtime '{runtime_name}' has CloudWatch Logs configured but log group '{log_group_name}' does not exist", resolution="Create the log group or update runtime configuration", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1265,7 +1294,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime X-Ray Tracing", finding_details=f"Runtime '{runtime_name}' ({runtime_id}) does not have X-Ray tracing enabled", resolution="Enable X-Ray tracing for distributed tracing and performance analysis", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1288,7 +1317,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Observability Check", finding_details="All AgentCore resources have proper observability configuration", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.PASSED, ) @@ -1300,7 +1329,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Observability Check", finding_details="No AgentCore resources found", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1314,7 +1343,7 @@ def check_agentcore_observability() -> List[Dict[str, Any]]: finding_name="AgentCore Observability Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/observability/", + reference=AGENTCORE_OBSERVABILITY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1374,7 +1403,7 @@ def check_agentcore_encryption() -> List[Dict[str, Any]]: finding_name="AgentCore ECR Repository Encryption", finding_details=f"ECR repository '{repo_name}' does not have encryption enabled", resolution="Enable encryption with customer-managed KMS keys for better control", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security-encryption.html", + reference=ECR_ENCRYPTION_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, ) @@ -1386,7 +1415,7 @@ def check_agentcore_encryption() -> List[Dict[str, Any]]: finding_name="AgentCore ECR Repository AWS-Managed Keys", finding_details=f"ECR repository '{repo_name}' uses AWS-managed keys instead of customer-managed KMS keys", resolution="Consider using customer-managed KMS keys for better control and audit capabilities", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security-encryption.html", + reference=ECR_ENCRYPTION_REFERENCE_URL, severity=SeverityEnum.LOW, status=StatusEnum.FAILED, ) @@ -1407,7 +1436,7 @@ def check_agentcore_encryption() -> List[Dict[str, Any]]: finding_name="AgentCore Encryption Check", finding_details="All AgentCore resources have proper encryption configuration", resolution="No action required", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/key-management.html", + reference=AGENTCORE_DATA_ENCRYPTION_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.PASSED, ) @@ -1419,7 +1448,7 @@ def check_agentcore_encryption() -> List[Dict[str, Any]]: finding_name="AgentCore Encryption Check", finding_details="No AgentCore resources found", resolution="No action required", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/key-management.html", + reference=AGENTCORE_DATA_ENCRYPTION_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1433,7 +1462,7 @@ def check_agentcore_encryption() -> List[Dict[str, Any]]: finding_name="AgentCore Encryption Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/key-management.html", + reference=AGENTCORE_DATA_ENCRYPTION_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, ) @@ -1461,7 +1490,7 @@ def check_browser_tool_recording() -> List[Dict[str, Any]]: finding_name="AgentCore Browser Tool Recording Check", finding_details="AgentCore client not available in this region", resolution="Deploy in a region where Amazon Bedrock AgentCore is available", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/browser/", + reference=AGENTCORE_BROWSER_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1485,7 +1514,7 @@ def check_browser_tool_recording() -> List[Dict[str, Any]]: finding_name="AgentCore Browser Tool Recording Check", finding_details="No AgentCore Runtimes found to check browser tool configuration", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/browser/", + reference=AGENTCORE_BROWSER_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1514,7 +1543,7 @@ def check_browser_tool_recording() -> List[Dict[str, Any]]: finding_name="AgentCore Runtime Storage Configuration", finding_details=f"Runtime '{runtime_name}' ({runtime_id}) does not have storage configuration for browser tools", resolution="Configure S3 storage for browser tool session recordings and artifacts", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/browser/", + reference=AGENTCORE_BROWSER_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1532,7 +1561,7 @@ def check_browser_tool_recording() -> List[Dict[str, Any]]: finding_name="AgentCore Browser Tool Recording Check", finding_details=f"All {len(runtimes)} Runtimes have proper storage configuration", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/browser/", + reference=AGENTCORE_BROWSER_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.PASSED, ) @@ -1546,7 +1575,7 @@ def check_browser_tool_recording() -> List[Dict[str, Any]]: finding_name="AgentCore Browser Tool Recording Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/browser/", + reference=AGENTCORE_BROWSER_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1575,7 +1604,7 @@ def check_agentcore_memory_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Memory Configuration Check", finding_details="AgentCore client not available in this region", resolution="Deploy in a region where Amazon Bedrock AgentCore is available", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/memory/", + reference=AGENTCORE_MEMORY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1595,7 +1624,7 @@ def check_agentcore_memory_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Memory Configuration Check", finding_details="No Memory resources found", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/memory/", + reference=AGENTCORE_MEMORY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -1627,7 +1656,7 @@ def check_agentcore_memory_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Memory Encryption", finding_details=f"Memory '{memory_name}' ({memory_id}) does not have customer-managed encryption configured", resolution="Enable encryption with customer-managed KMS keys", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/memory/", + reference=AGENTCORE_MEMORY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -1645,7 +1674,7 @@ def check_agentcore_memory_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Memory Configuration Check", finding_details=f"All {len(memories)} Memory resources have proper configuration", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/memory/", + reference=AGENTCORE_MEMORY_REFERENCE_URL, severity=SeverityEnum.HIGH, status=StatusEnum.PASSED, ) @@ -1659,7 +1688,7 @@ def check_agentcore_memory_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Memory Configuration Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/memory/", + reference=AGENTCORE_MEMORY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -2493,7 +2522,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details="AgentCore client not available in this region", resolution="Deploy in a region where Amazon Bedrock AgentCore is available", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -2515,7 +2544,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details="No Gateway resources found", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -2540,7 +2569,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details=f"Found {len(gateways)} Gateway resources", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.PASSED, ) @@ -2555,7 +2584,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details="Gateway API not yet available in bedrock-agentcore-control", resolution="N/A - Gateway management may be done through other means", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -2569,7 +2598,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details="No Gateway resources found", resolution="No action required", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, ) @@ -2585,7 +2614,7 @@ def check_agentcore_gateway_configuration() -> List[Dict[str, Any]]: finding_name="AgentCore Gateway Configuration Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/", + reference=AGENTCORE_GATEWAY_REFERENCE_URL, severity=SeverityEnum.MEDIUM, status=StatusEnum.FAILED, ) @@ -2949,7 +2978,7 @@ def lambda_handler(event, context): finding_name=f"AgentCore {check_name} Check Error", finding_details=f"Error during {check_name} check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/", + reference=AGENTCORE_STARTER_TOOLKIT_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, region=GLOBAL_REGION_LABEL, @@ -3016,7 +3045,7 @@ def lambda_handler(event, context): finding_name="AgentCore Service Availability", finding_details=f"Amazon Bedrock AgentCore is not available in region {region}. No checks performed.", resolution="No action required. AgentCore is not deployed in this region.", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/", + reference=AGENTCORE_STARTER_TOOLKIT_URL, severity=SeverityEnum.INFORMATIONAL, status=StatusEnum.NA, region=region, @@ -3093,7 +3122,7 @@ def lambda_handler(event, context): finding_name=f"AgentCore {check_name} Check Error", finding_details=f"Error during {check_name} check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://aws.github.io/bedrock-agentcore-starter-toolkit/", + reference=AGENTCORE_STARTER_TOOLKIT_URL, severity=SeverityEnum.HIGH, status=StatusEnum.FAILED, region=region, diff --git a/aiml-security-assessment/functions/security/bedrock_assessments/app.py b/aiml-security-assessment/functions/security/bedrock_assessments/app.py index 993ed1e..0e9b4bf 100644 --- a/aiml-security-assessment/functions/security/bedrock_assessments/app.py +++ b/aiml-security-assessment/functions/security/bedrock_assessments/app.py @@ -878,7 +878,7 @@ def check_bedrock_full_access_roles( finding_name="AmazonBedrockFullAccess role check", finding_details=f"Role '{role['name']}' has AmazonBedrockFullAccess policy attached", resolution="Limit the AmazonBedrockFullAccess policy only to required access", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples-agent.html#iam-agents-ex-all\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples-br-studio.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-awsmanpol.html\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html", severity="High", status="Failed", region=region, @@ -892,7 +892,7 @@ def check_bedrock_full_access_roles( finding_name="AmazonBedrockFullAccess role check", finding_details="No roles found with AmazonBedrockFullAccess policy", resolution="No action required", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples-agent.html#iam-agents-ex-all\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples-br-studio.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-awsmanpol.html\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html", severity="High", status="Passed", region=region, @@ -4172,7 +4172,7 @@ def check_bedrock_agent_action_group_iam( finding_name="Agent Action Group IAM Least Privilege Check", finding_details="No Bedrock agents configured in this region", resolution="When creating agents with action groups, ensure Lambda execution roles follow least privilege principles", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-security.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html", severity="High", status="N/A", region=region, @@ -4340,7 +4340,7 @@ def check_bedrock_agent_action_group_iam( finding_name="Agent Action Group IAM Least Privilege Check", finding_details=f"Lambda function '{lambda_info['function_name']}' used by agent '{lambda_info['agent_name']}' action group '{lambda_info['action_group']}' has role '{lambda_info['role_name']}' with {lambda_info['issue']}. This violates least privilege principles.", resolution="Update the Lambda execution role to use scoped permissions. Remove AdministratorAccess and FullAccess policies. Grant only the specific AWS service permissions needed for the action group's operations. Use Resource-based policies to scope permissions to specific resources.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-security.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html", severity="High", status="Failed", region=region, @@ -4354,7 +4354,7 @@ def check_bedrock_agent_action_group_iam( finding_name="Agent Action Group IAM Least Privilege Check", finding_details=f"{len(compliant_lambdas)} Lambda functions are using scoped IAM roles", resolution="No action required. Continue using least privilege IAM roles for action group Lambda functions.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-security.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html", severity="Medium", status="Passed", region=region, @@ -4413,7 +4413,7 @@ def check_bedrock_agent_action_group_iam( finding_name="Agent Action Group IAM Least Privilege Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-security.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html", severity="High", status="Failed", region=region, @@ -4901,7 +4901,7 @@ def check_bedrock_automated_reasoning_policy(region: str = "") -> Dict[str, Any] finding_name="Automated Reasoning Policy Implementation Check", finding_details="No Bedrock guardrails configured in this region", resolution="Create guardrails with Automated Reasoning policies for formal verification of model responses", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-automated-reasoning.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/deploy-automated-reasoning-policy.html", severity="Medium", status="N/A", region=region, @@ -4961,7 +4961,7 @@ def check_bedrock_automated_reasoning_policy(region: str = "") -> Dict[str, Any] finding_name="Automated Reasoning Policy Implementation Check", finding_details=f"Guardrail '{gr['name']}' (ID: {gr['id']}) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.", resolution="Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-automated-reasoning.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/deploy-automated-reasoning-policy.html", severity="Medium", status="Failed", region=region, @@ -4975,7 +4975,7 @@ def check_bedrock_automated_reasoning_policy(region: str = "") -> Dict[str, Any] finding_name="Automated Reasoning Policy Implementation Check", finding_details=f"{len(with_ar_policy)} guardrails have Automated Reasoning policies configured for formal verification", resolution="No action required. Continue using Automated Reasoning for high-assurance verification.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-automated-reasoning.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/deploy-automated-reasoning-policy.html", severity="Low", status="Passed", region=region, @@ -4998,7 +4998,7 @@ def check_bedrock_automated_reasoning_policy(region: str = "") -> Dict[str, Any] e, "Automated Reasoning API", region ), resolution="Automated Reasoning may not be available in all regions. Check AWS documentation for regional availability.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-automated-reasoning.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/deploy-automated-reasoning-policy.html", severity="Low", status="N/A", region=region, @@ -5039,7 +5039,7 @@ def check_bedrock_automated_reasoning_policy(region: str = "") -> Dict[str, Any] finding_name="Automated Reasoning Policy Implementation Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-automated-reasoning.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/deploy-automated-reasoning-policy.html", severity="Medium", status="Failed", region=region, @@ -5084,7 +5084,7 @@ def check_bedrock_rag_evaluation_jobs(region: str = "") -> Dict[str, Any]: finding_name="RAG Evaluation Jobs Check", finding_details="No Bedrock knowledge bases found in this region", resolution="When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-rag.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-kb.html", severity="Low", status="N/A", region=region, @@ -5166,7 +5166,7 @@ def _job_references_kb(name: str, kb_id: str) -> bool: finding_name="RAG Evaluation Jobs Check", finding_details=f"Knowledge base '{kb['name']}' (ID: {kb['knowledgeBaseId']}) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.", resolution="Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-rag.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-kb.html", severity="Low", status="Failed", region=region, @@ -5180,7 +5180,7 @@ def _job_references_kb(name: str, kb_id: str) -> bool: finding_name="RAG Evaluation Jobs Check", finding_details=f"Found {len(recent_evaluations)} recent RAG evaluation jobs. Regular RAG evaluations help maintain response quality and prevent hallucinations.", resolution="Continue regular RAG evaluations. Review evaluation results and adjust retrieval strategies or knowledge base content as needed.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-rag.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-kb.html", severity="Low", status="Passed", region=region, @@ -5207,7 +5207,7 @@ def _job_references_kb(name: str, kb_id: str) -> bool: e, "RAG evaluation API", region ), resolution="Amazon Bedrock Knowledge Bases or RAG evaluation are not available in this region. No action required.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-rag.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-kb.html", severity="Low", status="N/A", region=region, @@ -5247,7 +5247,7 @@ def _job_references_kb(name: str, kb_id: str) -> bool: finding_name="RAG Evaluation Jobs Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-rag.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-kb.html", severity="Low", status="Failed", region=region, @@ -5654,7 +5654,7 @@ def check_bedrock_agent_guardrail_association(region: str = "") -> Dict[str, Any finding_name="Agent Guardrail Association Check", finding_details="No Bedrock agents configured in this region", resolution="When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", severity="High", status="N/A", region=region, @@ -5690,7 +5690,7 @@ def check_bedrock_agent_guardrail_association(region: str = "") -> Dict[str, Any finding_name="Agent Guardrail Association Check", finding_details=f"Bedrock agent '{agent['name']}' (ID: {agent['id']}) does not have a guardrail associated. Agent interactions are not subject to content filtering, PII protection, or denied-topic controls.", resolution="Associate a Bedrock guardrail with the agent by setting guardrailConfiguration (guardrailIdentifier and guardrailVersion) on the agent. Prepare the agent after updating so the change takes effect.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", severity="High", status="Failed", region=region, @@ -5704,7 +5704,7 @@ def check_bedrock_agent_guardrail_association(region: str = "") -> Dict[str, Any finding_name="Agent Guardrail Association Check", finding_details=f"{len(agents_with_guardrail)} agents have an associated guardrail", resolution="No action required. Continue associating guardrails with new agents.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", severity="Low", status="Passed", region=region, @@ -5724,7 +5724,7 @@ def check_bedrock_agent_guardrail_association(region: str = "") -> Dict[str, Any e, "Bedrock Agents API", region ), resolution="Bedrock Agents may not be available in all regions", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", severity="Low", status="N/A", region=region, @@ -5765,7 +5765,7 @@ def check_bedrock_agent_guardrail_association(region: str = "") -> Dict[str, Any finding_name="Agent Guardrail Association Check", finding_details=f"Error during check: {str(e)}", resolution="Investigate error and retry assessment", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", severity="High", status="Failed", region=region, @@ -6406,7 +6406,7 @@ def check_bedrock_cloudwatch_alarms(region: str = "") -> Dict[str, Any]: e, "CloudWatch alarm check", region ), resolution="Grant cloudwatch:DescribeAlarms permission to the assessment role", - reference="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-access-control-overview-cw.html", + reference="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/security_iam_id-based-policy-examples.html", severity="Medium", status="Failed", region=region, diff --git a/aiml-security-assessment/functions/security/finserv_assessments/app.py b/aiml-security-assessment/functions/security/finserv_assessments/app.py index abfcd39..01a09a0 100644 --- a/aiml-security-assessment/functions/security/finserv_assessments/app.py +++ b/aiml-security-assessment/functions/security/finserv_assessments/app.py @@ -437,7 +437,8 @@ def require(inventory: "ResourceInventory | None", field_name: str): # --------------------------------------------------------------------------- -# SEVERITY METHODOLOGY (see docs/severity-methodology.md + severity-register.md) +# SEVERITY METHODOLOGY (see docs/SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md +# + docs/SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md) # # Severity = property of the CONTROL (the risk it mitigates), assigned once via a # Likelihood (L) x Impact (I) matrix mapped to the AWS Security Hub ASFF label set, @@ -485,7 +486,7 @@ def _label_from_matrix(impact: int, likelihood: int) -> str: # Authoritative per-finding severity register (keyed by finding-name). -# Source of truth derived from docs/severity-register.md. The test suite +# Source of truth derived from docs/SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md. The test suite # (test_severity_register.py) asserts every emitted severity matches this map. # Entries: finding_name -> (severity, disposition). I/L rationale lives in the doc. SEVERITY_REGISTER: Dict[str, str] = { @@ -716,7 +717,7 @@ def _could_not_assess_row(check_id: str, check_name: str, err: Any) -> Dict[str, """ Synthesize one visible finding row for a check that errored out and produced no rows. Uses Status="N/A", Severity="Low" (the COULD_NOT_ASSESS disposition — - see severity-methodology.md §3.4) so the gap surfaces in the report as an + see SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md §3.4) so the gap surfaces in the report as an unknown/assessment-gap without inflating the Failed count or implying a confirmed control failure. """ @@ -1250,7 +1251,7 @@ def check_cloudwatch_token_alarms() -> Dict[str, Any]: "- AWS/Bedrock TokensProcessed (threshold based on quota)\n" "- Custom application-level token counters via EMF" ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-cw.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-runtime-metrics.html", severity="Medium", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-05"], @@ -1266,7 +1267,7 @@ def check_cloudwatch_token_alarms() -> Dict[str, Any]: f"{len(throttle_alarms)} covering throttling." ), resolution="Ensure alarms have SNS actions and are in OK state.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-cw.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-runtime-metrics.html", severity="Medium", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-05"], @@ -1495,7 +1496,7 @@ def check_agentcore_policy_engine() -> Dict[str, Any]: finding_name="AgentCore Policy Engine — Access Check", finding_details="Unable to enumerate AgentCore runtimes (access denied or service unavailable in region).", resolution="Ensure assessment role has bedrock-agentcore:ListAgentRuntimes permission.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="Low", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-08"], @@ -1511,7 +1512,7 @@ def check_agentcore_policy_engine() -> Dict[str, Any]: finding_name="No AgentCore Runtimes Found", finding_details="No AgentCore runtimes found; policy engine check not applicable.", resolution="If using AgentCore, configure the Policy Engine to authorize tool calls.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-08"], @@ -1538,7 +1539,7 @@ def check_agentcore_policy_engine() -> Dict[str, Any]: "Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime " "to enforce fine-grained tool-call authorization." ), - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="High", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-08"], @@ -1551,7 +1552,7 @@ def check_agentcore_policy_engine() -> Dict[str, Any]: finding_name="AgentCore Policy Engine Configured", finding_details=f"All {len(runtimes)} runtime(s) have authorizer configurations.", resolution="No action required.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="High", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-08"], @@ -1757,7 +1758,7 @@ def check_agent_rate_alarms() -> Dict[str, Any]: "- Lambda invocation errors for agent functions\n" "- Step Functions execution failures and timeouts" ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-cw.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-agents-cw-metrics.html", severity="Medium", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-11"], @@ -1770,7 +1771,7 @@ def check_agent_rate_alarms() -> Dict[str, Any]: finding_name="Agent Rate Alarms Present", finding_details=f"Found {len(agent_alarms)} agent-related CloudWatch alarm(s).", resolution="No action required.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-cw.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-agents-cw-metrics.html", severity="Medium", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-11"], @@ -2026,7 +2027,7 @@ def check_bedrock_model_evaluation_adversarial() -> Dict[str, Any]: "2. Use FMEval library for automated robustness testing.\n" "3. Schedule periodic re-evaluation after model updates." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html", severity="Medium", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-15"], @@ -2039,7 +2040,7 @@ def check_bedrock_model_evaluation_adversarial() -> Dict[str, Any]: finding_name="Bedrock Evaluation Jobs Present", finding_details=f"Found {len(evals)} evaluation job(s). Verify adversarial datasets are included.", resolution="Ensure evaluation datasets include adversarial/red-team test cases.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html", severity="Medium", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-15"], @@ -2678,7 +2679,7 @@ def check_guardrail_contextual_grounding(inventory) -> Dict[str, Any]: "Configure Bedrock Guardrails with contextual grounding checks " "(grounding threshold ≥0.7 and relevance threshold ≥0.7 for FinServ use cases)." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-27"], @@ -2713,7 +2714,7 @@ def check_guardrail_contextual_grounding(inventory) -> Dict[str, Any]: "Also consider enabling Automated Reasoning checks (bedrock:ListAutomatedReasoningPolicies) " "for policy-based formal verification of factual claims — see FS-27 ARC check." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="High", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-27"], @@ -2729,7 +2730,7 @@ def check_guardrail_contextual_grounding(inventory) -> Dict[str, Any]: "No action required for contextual grounding. " "Also consider enabling Automated Reasoning checks for formal policy verification." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="High", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-27"], @@ -3045,7 +3046,7 @@ def check_bedrock_evaluation_compliance_datasets() -> Dict[str, Any]: "- UDAP/UDAAP unfair/deceptive practice scenarios\n" "- AML/KYC edge cases" ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-30"], @@ -3435,7 +3436,7 @@ def check_fmeval_harmful_content() -> Dict[str, Any]: "- Hate speech classification\n" "- Violence/self-harm content" ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-35"], @@ -3752,7 +3753,7 @@ def check_bedrock_evaluation_bias_datasets() -> Dict[str, Any]: "- Equal opportunity scenarios\n" "- Counterfactual fairness tests" ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-40"], @@ -4185,7 +4186,7 @@ def check_guardrail_grounding_threshold(inventory) -> Dict[str, Any]: finding_name="No Guardrails — Grounding Threshold Not Applicable", finding_details="No Bedrock Guardrails configured.", resolution="Configure guardrails with contextual grounding checks.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-47"], @@ -4412,7 +4413,7 @@ def check_guardrail_relevance_grounding(inventory) -> Dict[str, Any]: "the user query. Also enable the GROUNDING filter (≥0.7) to block " "responses not supported by the retrieved source context." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="Medium", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-50"], @@ -4428,7 +4429,7 @@ def check_guardrail_relevance_grounding(inventory) -> Dict[str, Any]: f"{', '.join(guardrails_with_relevance)}." ), resolution="No action required.", - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="Medium", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-50"], @@ -4811,7 +4812,7 @@ def check_penetration_testing_evidence() -> Dict[str, Any]: # CATEGORY 13: IMPROPER OUTPUT HANDLING (FS-55 to FS-58) # CATEGORY 14: OFF-TOPIC & INAPPROPRIATE OUTPUT (FS-59 to FS-60) # CATEGORY 15: OUT-OF-DATE TRAINING DATA (FS-61 to FS-63) -# COMPLIANCE_PLACEHOLDER: [SR 11-7, FFIEC CAT, NYDFS 500, OWASP LLM02] +# COMPLIANCE_PLACEHOLDER: [SR 11-7, FFIEC CAT, NYDFS 500, OWASP LLM05] # =========================================================================== @@ -4819,7 +4820,7 @@ def check_output_validation_lambda(inventory) -> Dict[str, Any]: """ FS-55 — Check for Lambda functions implementing output validation/sanitization in GenAI application pipelines. - COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM02] + COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM05] """ findings = _empty_findings("Output Validation Lambda Check") try: @@ -4850,7 +4851,7 @@ def check_output_validation_lambda(inventory) -> Dict[str, Any]: "3. Sanitize outputs before rendering in web UIs (XSS prevention).\n" "4. Encode outputs appropriately for the target context (HTML, SQL, JSON)." ), - reference="https://genai.owasp.org/llm-top-10/", + reference="https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/", severity="Medium", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-55"], @@ -4863,7 +4864,7 @@ def check_output_validation_lambda(inventory) -> Dict[str, Any]: finding_name="Output Validation Functions Present", finding_details=f"Found {len(validation_functions)} output validation/sanitization function(s).", resolution="No action required.", - reference="https://genai.owasp.org/llm-top-10/", + reference="https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/", severity="Medium", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-55"], @@ -4877,7 +4878,7 @@ def check_output_validation_lambda(inventory) -> Dict[str, Any]: def check_xss_prevention_waf(inventory) -> Dict[str, Any]: """ FS-56 — Verify WAF rules include XSS prevention for GenAI web application outputs. - COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, PCI-DSS 6.4.1, OWASP LLM02] + COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, PCI-DSS 6.4.1, OWASP LLM05] """ findings = _empty_findings("XSS Prevention WAF Check") try: @@ -4971,7 +4972,7 @@ def check_output_encoding_advisory() -> Dict[str, Any]: """ FS-57 — Advisory check: verify application encodes GenAI outputs appropriately for the rendering context. - COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM02] + COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM05] """ findings = _empty_findings("Output Encoding Advisory") findings["csv_data"].append( @@ -4988,7 +4989,7 @@ def check_output_encoding_advisory() -> Dict[str, Any]: "3. JSON-encode outputs before embedding in JavaScript contexts.\n" "4. Validate output length and format before passing to downstream APIs." ), - reference="https://genai.owasp.org/llm-top-10/", + reference="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-57"], @@ -5001,7 +5002,7 @@ def check_output_schema_validation(inventory) -> Dict[str, Any]: """ FS-58 — Check for structured output validation using Bedrock response schemas or application-level JSON schema validation. - COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM02] + COMPLIANCE_PLACEHOLDER: [NYDFS 500.06, FFIEC CAT, OWASP LLM05] """ findings = _empty_findings("Output Schema Validation Check") try: @@ -5170,7 +5171,7 @@ def check_contextual_grounding_for_offtopic() -> Dict[str, Any]: "2. Use Bedrock Guardrails relevance grounding filter.\n" "3. Test with off-topic prompts in QA to verify rejection behavior." ), - reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-grounding.html", + reference="https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-contextual-grounding-check.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-60"], @@ -5601,7 +5602,7 @@ def check_agentcore_end_user_identity_propagation() -> Dict[str, Any]: finding_name="AgentCore Identity Propagation — Access Check", finding_details="Unable to enumerate AgentCore runtimes (access denied or service unavailable in region).", resolution="Ensure assessment role has bedrock-agentcore:ListAgentRuntimes permission.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="Low", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-66"], @@ -5620,7 +5621,7 @@ def check_agentcore_end_user_identity_propagation() -> Dict[str, Any]: "If using AgentCore, configure token propagation so end-user identities " "are forwarded to tool services." ), - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-66"], @@ -5653,7 +5654,7 @@ def check_agentcore_end_user_identity_propagation() -> Dict[str, Any]: "3. Ensure tool services validate the propagated identity before executing actions.\n" "4. Do not expose propagated identity tokens to unauthorized third parties." ), - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="High", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-66"], @@ -5666,7 +5667,7 @@ def check_agentcore_end_user_identity_propagation() -> Dict[str, Any]: finding_name="AgentCore End-User Identity Propagation Configured", finding_details=f"All {len(runtimes)} runtime(s) have authorizer configurations supporting identity propagation.", resolution="No action required.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-authorization.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-oauth.html", severity="High", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-66"], @@ -5722,7 +5723,7 @@ def check_agent_financial_transaction_thresholds(inventory) -> Dict[str, Any]: "a policy constraint on tool calls.\n" "3. Reject or escalate to human review any transaction exceeding defined limits." ), - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-engine.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_GatewayPolicyEngineConfiguration.html", severity="Informational", status="N/A", compliance_frameworks=COMPLIANCE_MAP["FS-67"], @@ -5765,7 +5766,7 @@ def check_agent_financial_transaction_thresholds(inventory) -> Dict[str, Any]: "3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.\n" "4. Route transactions exceeding thresholds to a human-in-the-loop approval step." ), - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-engine.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_GatewayPolicyEngineConfiguration.html", severity="High", status="Failed", compliance_frameworks=COMPLIANCE_MAP["FS-67"], @@ -5781,7 +5782,7 @@ def check_agent_financial_transaction_thresholds(inventory) -> Dict[str, Any]: "threshold/limit environment variables present." ), resolution="Verify threshold values are appropriate for your financial risk tolerance.", - reference="https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-engine.html", + reference="https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_GatewayPolicyEngineConfiguration.html", severity="High", status="Passed", compliance_frameworks=COMPLIANCE_MAP["FS-67"], diff --git a/aiml-security-assessment/functions/security/finserv_tests/test_severity_register.py b/aiml-security-assessment/functions/security/finserv_tests/test_severity_register.py index f8ef822..f818b5b 100644 --- a/aiml-security-assessment/functions/security/finserv_tests/test_severity_register.py +++ b/aiml-security-assessment/functions/security/finserv_tests/test_severity_register.py @@ -1,5 +1,6 @@ """ -Drift-guard for the FinServ severity methodology (REQ-6 / severity-register.md). +Drift-guard for the FinServ severity methodology +(REQ-6 / SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md). Asserts that: 1. The Likelihood x Impact matrix helper matches the documented table (methodology §3.3). diff --git a/aiml-security-assessment/functions/security/generate_consolidated_report/report_template.py b/aiml-security-assessment/functions/security/generate_consolidated_report/report_template.py index a6688e7..bb6bbe0 100644 --- a/aiml-security-assessment/functions/security/generate_consolidated_report/report_template.py +++ b/aiml-security-assessment/functions/security/generate_consolidated_report/report_template.py @@ -98,10 +98,17 @@ def generate_table_rows(findings: List[Dict], include_data_attrs: bool = True) - {account_id} {region} {check_id} - {finding_name} - {details} - {resolution} - {ref_html} + +
{finding_name}
+
+ Details and remediation +
+
Details

{details}

+
Resolution

{resolution}

+
Reference

{ref_html}

+
+
+ {severity_display} {status_display} """ @@ -110,10 +117,39 @@ def generate_table_rows(findings: List[Dict], include_data_attrs: bool = True) - return ( "\n".join(rows) if rows - else 'No findings to display' + else 'No findings to display' ) +def generate_assessment_summary( + service_key: str, + total: int, + failed: int, + passed: int, + na_count: int, + scope_text: str = "", +) -> str: + """Generate a compact assessment-area summary that filters the main table.""" + scope_html = ( + f'

{scope_text}

' + if scope_text + else "" + ) + return f"""
+ {scope_html} +
+
Failed
{failed}
Open findings
+
Passed
{passed}
Controls met
+
N/A
{na_count}
Not applicable
+
Total
{total}
Rows in report
+
+
+ + +
+
""" + + def get_html_template() -> str: """ Returns the HTML template string with placeholders. @@ -236,15 +272,15 @@ def get_html_template() -> str: .alert-category {{ font-size: 12px; color: var(--text-2); margin-top: 2px; }} .table-wrap {{ overflow-x: auto; max-height: 900px; overflow-y: auto; }} table {{ width: 100%; border-collapse: collapse; font-size: 13px; table-layout: fixed; min-width: 1000px; }} - table th:nth-child(1) {{ width: 10%; }} - table th:nth-child(2) {{ width: 9%; }} - table th:nth-child(3) {{ width: 6%; }} - table th:nth-child(4) {{ width: 12%; }} - table th:nth-child(5) {{ width: 18%; }} - table th:nth-child(6) {{ width: 18%; }} - table th:nth-child(7) {{ width: 6%; }} - table th:nth-child(8) {{ width: 9%; }} - table th:nth-child(9) {{ width: 9%; }} + #findingsTable th:nth-child(1) {{ width: 13%; }} + #findingsTable th:nth-child(2) {{ width: 11%; }} + #findingsTable th:nth-child(3) {{ width: 8%; }} + #findingsTable th:nth-child(4) {{ width: 46%; }} + #findingsTable th:nth-child(5) {{ width: 11%; }} + #findingsTable th:nth-child(6) {{ width: 11%; }} + #findingsTable.single-account-report {{ min-width: 780px; }} + #findingsTable.single-account-report th:nth-child(1), + #findingsTable.single-account-report td:nth-child(1) {{ display: none; }} th {{ text-align: left; padding: 14px 16px; font-weight: 700; font-size: 11px; text-transform: uppercase; letter-spacing: 0.5px; color: var(--text); background: var(--surface-2); border-bottom: 3px solid var(--accent); white-space: nowrap; position: sticky; top: 0; }} th.sortable {{ cursor: pointer; user-select: none; transition: background 0.15s; }} th.sortable:hover {{ background: var(--border); }} @@ -282,6 +318,14 @@ def get_html_template() -> str: .reference-btn svg {{ width: 14px; height: 14px; }} .finding-details {{ color: var(--text-2); font-size: 12px; line-height: 1.6; word-break: break-word; overflow-wrap: break-word; hyphens: auto; }} .resolution-text {{ color: var(--text-2); font-size: 12px; line-height: 1.6; word-break: break-word; overflow-wrap: break-word; hyphens: auto; }} + .finding-summary {{ text-align: left; }} + .finding-more {{ margin-top: 8px; color: var(--text-2); font-size: 12px; }} + .finding-more summary {{ cursor: pointer; color: var(--accent); font-weight: 600; }} + .finding-more-body {{ display: grid; gap: 10px; margin-top: 10px; padding: 12px; background: var(--surface-2); border-radius: 6px; text-align: left; }} + .finding-more-body strong {{ color: var(--text); font-size: 11px; text-transform: uppercase; letter-spacing: 0.3px; }} + .finding-more-body p {{ margin-top: 2px; }} + .assessment-summary-grid {{ display: grid; grid-template-columns: repeat(4, minmax(140px, 1fr)); gap: 16px; margin-bottom: 16px; }} + .assessment-actions {{ display: flex; flex-wrap: wrap; gap: 10px; }} @media (max-width: 1024px) {{ .layout {{ grid-template-columns: 1fr; }} .sidebar {{ display: none; }} .metrics {{ grid-template-columns: repeat(2, 1fr); }} }} @media (max-width: 640px) {{ .metrics {{ grid-template-columns: 1fr; }} .main {{ padding: 20px; }} }} .page-footer {{ padding: 16px 40px; border-top: 1px solid var(--border); font-size: 10px; line-height: 1.6; color: var(--text-3); text-align: center; background: var(--surface); }} @@ -358,7 +402,7 @@ def get_html_template() -> str:
Security Checks
{security_checks}
{security_checks_sub}
Total Findings
{total_findings}
{findings_sub}
-
Actionable Findings
{actionable_findings}
High, Medium, and Low severity
+
Actionable Findings
{actionable_findings}
Failed High, Medium, and Low findings
High Severity
{high_passed}/{high_count}
{high_pass_rate}% passed · Immediate action required
Medium Severity
{medium_passed}/{medium_count}
{medium_pass_rate}% passed · Should be addressed
Low Severity
{low_passed}/{low_count}
{low_pass_rate}% passed · Best practices
@@ -379,19 +423,6 @@ def get_html_template() -> str:
-
-
All Security Findings
-
-
- {account_filter} - {region_filter} -
-
-
- -
-
{all_rows}
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
-
Risk Distribution

Pass Rate by Severity

@@ -399,7 +430,7 @@ def get_html_template() -> str:
HIGH
{high_pass_rate}%
{high_passed} of {high_count} checks passed
MEDIUM
{medium_pass_rate}%
{medium_passed} of {medium_count} checks passed
LOW
{low_pass_rate}%
{low_passed} of {low_count} checks passed
-
Overall
{pass_rate}%
{passed_count} of {actionable_findings} actionable checks
+
Overall
{pass_rate}%
{passed_count} of {scored_findings} scored checks passed
{account_risk_section} {region_risk_section} @@ -412,48 +443,35 @@ def get_html_template() -> str: {finserv_service_card}
-
-
Amazon Bedrock Findings
+
+
All Security Findings
-
- {bedrock_account_filter} - {bedrock_region_filter} -
-
- +
+ {account_filter} + {region_filter} +
+
+
+
-
{bedrock_rows}
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
+
{all_rows}
Account IDRegionCheck IDFindingSeverityStatus
+
+
+
Amazon Bedrock Findings
+ {bedrock_summary}
Amazon SageMaker Findings
-
-
- {sagemaker_account_filter} - {sagemaker_region_filter} -
-
- -
-
{sagemaker_rows}
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
+ {sagemaker_summary}
Amazon Bedrock AgentCore Findings
-
-
- {agentcore_account_filter} - {agentcore_region_filter} -
-
- -
-
{agentcore_rows}
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
+ {agentcore_summary}
{agentic_section} {finserv_section}
Assessment Methodology
-

Severity Levels & Status Values

HighDirect security riskFailedRemediation needed
MediumDefense-in-depth gapPassedMeets requirements
LowBest practiceN/ANot applicable
InformationalNo action required
-

Remediation Guidance

High7 daysAddress immediately; block deployment if unresolved
Medium30 daysSchedule in next sprint; may require change window
Low90 daysInclude in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore

Based on AWS Well-Architected Framework (Generative AI Lens) and service-specific security documentation.

@@ -512,7 +530,7 @@ def get_html_template() -> str: if (document.getElementById('regionFilter')) document.getElementById('regionFilter').value = ''; document.getElementById('serviceFilter').value = ''; document.getElementById('severityFilter').value = ''; - document.getElementById('statusFilter').value = ''; + document.getElementById('statusFilter').value = 'failed'; applyFilters(); }}); document.getElementById('searchInput').addEventListener('input', applyFilters); @@ -521,6 +539,18 @@ def get_html_template() -> str: document.getElementById('serviceFilter').addEventListener('change', applyFilters); document.getElementById('severityFilter').addEventListener('change', applyFilters); document.getElementById('statusFilter').addEventListener('change', applyFilters); + function filterFindings(service, status = 'failed') {{ + document.getElementById('serviceFilter').value = service || ''; + document.getElementById('statusFilter').value = status; + applyFilters(); + document.getElementById('findings').scrollIntoView({{ behavior: 'smooth' }}); + }} + document.querySelectorAll('[data-filter-service]').forEach(button => {{ + button.addEventListener('click', function() {{ + const status = this.hasAttribute('data-filter-status') ? this.dataset.filterStatus : 'failed'; + filterFindings(this.dataset.filterService, status); + }}); + }}); window.addEventListener('scroll', () => {{ const sections = document.querySelectorAll('.section'); let current = ''; @@ -586,58 +616,6 @@ def get_html_template() -> str: rows.forEach(row => tbody.appendChild(row)); }}); }}); - // Service-specific filter functions - function createServiceFilter(tableId, searchId, accountId, regionId, severityId, statusId, resetId) {{ - const table = document.getElementById(tableId); - if (!table) return; - const searchInput = document.getElementById(searchId); - const accountFilter = document.getElementById(accountId); - const regionFilter = document.getElementById(regionId); - const severityFilter = document.getElementById(severityId); - const statusFilter = document.getElementById(statusId); - const resetBtn = document.getElementById(resetId); - function applyServiceFilters() {{ - const searchText = searchInput?.value.toLowerCase() || ''; - const accountValue = accountFilter?.value.toLowerCase() || ''; - const regionValue = regionFilter?.value.toLowerCase() || ''; - const severityValue = severityFilter?.value.toLowerCase() || ''; - const statusValue = statusFilter?.value.toLowerCase() || ''; - const rows = table.querySelectorAll('tbody tr'); - rows.forEach(row => {{ - const rowText = row.textContent.toLowerCase(); - const rowAccount = row.dataset.account || ''; - const rowRegion = row.dataset.region || ''; - const rowSeverity = row.dataset.severity || ''; - const rowStatus = row.dataset.status || ''; - let show = true; - if (searchText && !rowText.includes(searchText)) show = false; - if (accountValue && rowAccount !== accountValue) show = false; - if (regionValue && rowRegion.toLowerCase() !== regionValue) show = false; - if (severityValue && rowSeverity !== severityValue) show = false; - if (statusValue && rowStatus !== statusValue) show = false; - row.style.display = show ? '' : 'none'; - }}); - }} - searchInput?.addEventListener('input', applyServiceFilters); - accountFilter?.addEventListener('change', applyServiceFilters); - regionFilter?.addEventListener('change', applyServiceFilters); - severityFilter?.addEventListener('change', applyServiceFilters); - statusFilter?.addEventListener('change', applyServiceFilters); - resetBtn?.addEventListener('click', function() {{ - if (searchInput) searchInput.value = ''; - if (accountFilter) accountFilter.value = ''; - if (regionFilter) regionFilter.value = ''; - if (severityFilter) severityFilter.value = ''; - if (statusFilter) statusFilter.value = ''; - applyServiceFilters(); - }}); - }} - createServiceFilter('bedrockTable', 'bedrockSearchInput', 'bedrockAccountFilter', 'bedrockRegionFilter', 'bedrockSeverityFilter', 'bedrockStatusFilter', 'bedrockResetFilters'); - createServiceFilter('sagemakerTable', 'sagemakerSearchInput', 'sagemakerAccountFilter', 'sagemakerRegionFilter', 'sagemakerSeverityFilter', 'sagemakerStatusFilter', 'sagemakerResetFilters'); - createServiceFilter('agentcoreTable', 'agentcoreSearchInput', 'agentcoreAccountFilter', 'agentcoreRegionFilter', 'agentcoreSeverityFilter', 'agentcoreStatusFilter', 'agentcoreResetFilters'); - createServiceFilter('agenticTable', 'agenticSearchInput', 'agenticAccountFilter', 'agenticRegionFilter', 'agenticSeverityFilter', 'agenticStatusFilter', 'agenticResetFilters'); - createServiceFilter('finservTable', 'finservSearchInput', 'finservAccountFilter', 'finservRegionFilter', 'finservSeverityFilter', 'finservStatusFilter', 'finservResetFilters'); - // Apply initial filters for main table applyFilters(); @@ -692,9 +670,13 @@ def generate_html_report( for f in all_findings if f.get("severity", f.get("Severity", "")).lower() == "low" ) - actionable_findings = ( - high_count + medium_count + low_count - ) # Only High/Medium/Low severity + scored_findings = high_count + medium_count + low_count + actionable_findings = sum( + 1 + for f in all_findings + if f.get("severity", f.get("Severity", "")).lower() in {"high", "medium", "low"} + and f.get("status", f.get("Status", "")).lower() == "failed" + ) # Severity-specific pass rates high_passed = sum( @@ -717,9 +699,7 @@ def generate_html_report( ) passed_count = high_passed + medium_passed + low_passed pass_rate = ( - round((passed_count / actionable_findings * 100), 1) - if actionable_findings > 0 - else 0 + round((passed_count / scored_findings * 100), 1) if scored_findings > 0 else 0 ) high_pass_rate = round((high_passed / high_count * 100), 1) if high_count > 0 else 0 medium_pass_rate = ( @@ -800,26 +780,11 @@ def generate_html_report( # Generate table rows all_rows = generate_table_rows(all_findings, include_data_attrs=True) - bedrock_rows = generate_table_rows( - service_findings.get("bedrock", []), include_data_attrs=True - ) - sagemaker_rows = generate_table_rows( - service_findings.get("sagemaker", []), include_data_attrs=True - ) - agentcore_rows = generate_table_rows( - service_findings.get("agentcore", []), include_data_attrs=True - ) - agentic_rows = generate_table_rows( - service_findings.get("agentic", []), include_data_attrs=True - ) - finserv_rows = generate_table_rows( - service_findings.get("finserv", []), include_data_attrs=True - ) # Build region filter HTML (shared across modes, only shown when multiple regions). # "Global" tags IAM-only findings and is intentionally excluded from `regions` - # (it must not inflate the region count / tiles), but those findings still appear - # in the tables, so surface a "Global" filter option when any are present. + # (it must not inflate the scanned region count), but those findings still appear + # in the tables and in a separate risk scope card when any are present. has_global = any( (f.get("region") or f.get("Region")) == "Global" for f in all_findings ) @@ -833,16 +798,43 @@ def generate_html_report( if has_global: region_options += '' region_filter = f'
' - bedrock_region_filter = f'
' - sagemaker_region_filter = f'
' - agentcore_region_filter = f'
' - agentic_region_filter = f'
' else: region_filter = "" - bedrock_region_filter = "" - sagemaker_region_filter = "" - agentcore_region_filter = "" - agentic_region_filter = "" + + def failed_severity_counts(findings: List[Dict]) -> tuple[int, int, int]: + high = sum( + 1 + for finding in findings + if finding.get("severity", finding.get("Severity", "")).lower() == "high" + and finding.get("status", finding.get("Status", "")).lower() == "failed" + ) + medium = sum( + 1 + for finding in findings + if finding.get("severity", finding.get("Severity", "")).lower() == "medium" + and finding.get("status", finding.get("Status", "")).lower() == "failed" + ) + low = sum( + 1 + for finding in findings + if finding.get("severity", finding.get("Severity", "")).lower() == "low" + and finding.get("status", finding.get("Status", "")).lower() == "failed" + ) + return high, medium, low + + def risk_metric_card(label: str, high: int, medium: int, low: int) -> str: + total_failed = high + medium + low + if high > 0: + risk_class = "danger" + border_color = "var(--danger)" + elif medium > 0: + risk_class = "warning" + border_color = "var(--warning)" + else: + risk_class = "" + border_color = "var(--success)" + + return f"""
{label}
{total_failed}
{high} High · {medium} Med · {low} Low
""" # Mode-specific content num_accounts = len(account_ids) if account_ids else 1 @@ -865,11 +857,6 @@ def generate_html_report( ] ) account_filter = f'
' - bedrock_account_filter = f'
' - sagemaker_account_filter = f'
' - agentcore_account_filter = f'
' - agentic_account_filter = f'
' - finserv_account_filter = f'
' # Calculate per-account risk metrics account_metrics_html = "" @@ -879,38 +866,10 @@ def generate_html_report( for f in all_findings if f.get("account_id", f.get("Account_ID", "")) == acc_id ] - acc_high = sum( - 1 - for f in acc_findings - if f.get("severity", f.get("Severity", "")).lower() == "high" - and f.get("status", f.get("Status", "")).lower() == "failed" - ) - acc_medium = sum( - 1 - for f in acc_findings - if f.get("severity", f.get("Severity", "")).lower() == "medium" - and f.get("status", f.get("Status", "")).lower() == "failed" + acc_high, acc_medium, acc_low = failed_severity_counts(acc_findings) + account_metrics_html += risk_metric_card( + acc_id, acc_high, acc_medium, acc_low ) - acc_low = sum( - 1 - for f in acc_findings - if f.get("severity", f.get("Severity", "")).lower() == "low" - and f.get("status", f.get("Status", "")).lower() == "failed" - ) - acc_total_failed = acc_high + acc_medium + acc_low - - # Determine risk level color - if acc_high > 0: - risk_class = "danger" - border_color = "var(--danger)" - elif acc_medium > 0: - risk_class = "warning" - border_color = "var(--warning)" - else: - risk_class = "" - border_color = "var(--success)" - - account_metrics_html += f"""
{acc_id}
{acc_total_failed}
{acc_high} High · {acc_medium} Med · {acc_low} Low
""" account_risk_section = f"""

Risk by Account

{account_metrics_html}
""" @@ -929,53 +888,32 @@ def generate_html_report( findings_sub = "Across 1 account" security_checks_sub = "Evaluated per account" account_filter = "" - bedrock_account_filter = "" - sagemaker_account_filter = "" - agentcore_account_filter = "" - agentic_account_filter = "" - finserv_account_filter = "" account_risk_section = "" - # Build region risk section (shown when multiple regions) - if regions and len(regions) > 1: + # Build region / scope risk section (shown when multiple regions or global risks exist). + if (regions and len(regions) > 1) or has_global: region_metrics_html = "" - for reg in sorted(regions): + for reg in sorted(regions or []): reg_findings = [ f for f in all_findings if f.get("region", f.get("Region", "")) == reg ] - reg_high = sum( - 1 - for f in reg_findings - if f.get("severity", f.get("Severity", "")).lower() == "high" - and f.get("status", f.get("Status", "")).lower() == "failed" - ) - reg_medium = sum( - 1 - for f in reg_findings - if f.get("severity", f.get("Severity", "")).lower() == "medium" - and f.get("status", f.get("Status", "")).lower() == "failed" + reg_high, reg_medium, reg_low = failed_severity_counts(reg_findings) + region_metrics_html += risk_metric_card(reg, reg_high, reg_medium, reg_low) + + if has_global: + global_findings = [ + f + for f in all_findings + if f.get("region", f.get("Region", "")) == "Global" + ] + global_high, global_medium, global_low = failed_severity_counts( + global_findings ) - reg_low = sum( - 1 - for f in reg_findings - if f.get("severity", f.get("Severity", "")).lower() == "low" - and f.get("status", f.get("Status", "")).lower() == "failed" + region_metrics_html += risk_metric_card( + "Global", global_high, global_medium, global_low ) - reg_total_failed = reg_high + reg_medium + reg_low - - if reg_high > 0: - risk_class = "danger" - border_color = "var(--danger)" - elif reg_medium > 0: - risk_class = "warning" - border_color = "var(--warning)" - else: - risk_class = "" - border_color = "var(--success)" - - region_metrics_html += f"""
{reg}
{reg_total_failed}
{reg_high} High · {reg_medium} Med · {reg_low} Low
""" - region_risk_section = f"""

Risk by Region

+ region_risk_section = f"""

Risk by Region / Scope

{region_metrics_html}
""" else: region_risk_section = "" @@ -989,23 +927,6 @@ def generate_html_report( agentic_failed = service_stats.get("agentic", {}).get("failed", 0) agentic_passed = service_stats.get("agentic", {}).get("passed", 0) if agentic_total > 0: - agentic_regions = sorted( - { - f.get("region", f.get("Region", "")) - for f in service_findings.get("agentic", []) - if f.get("region", f.get("Region", "")) - } - ) - agentic_region_options = "".join( - [f'' for r in agentic_regions] - ) - agentic_region_filter = ( - '
' - '
' - if agentic_regions - else agentic_region_filter - ) agentic_nav = ( '' + AGENTIC_ICON @@ -1029,20 +950,15 @@ def generate_html_report( '
' + AGENTIC_ICON + "Agentic AI Security Findings
" - '
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. ' - "Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
" - '
' - '
' - + agentic_account_filter - + agentic_region_filter - + '
' - '
' - '' - "
" - '
' - + agentic_rows - + "
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
" - "
" + + generate_assessment_summary( + "agentic", + agentic_total, + agentic_failed, + agentic_passed, + service_stats.get("agentic", {}).get("na", 0), + "Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.", + ) + + "" ) agentic_scope_block = ( '
' @@ -1074,23 +990,6 @@ def generate_html_report( finserv_failed = service_stats.get("finserv", {}).get("failed", 0) finserv_passed = service_stats.get("finserv", {}).get("passed", 0) if finserv_total > 0: - finserv_regions = sorted( - { - f.get("region", f.get("Region", "")) - for f in service_findings.get("finserv", []) - if f.get("region", f.get("Region", "")) - } - ) - finserv_region_options = "".join( - [f'' for r in finserv_regions] - ) - finserv_region_filter = ( - '
' - '
' - if finserv_regions - else "" - ) finserv_nav = ( '
' + FINSERV_ICON @@ -1125,21 +1024,16 @@ def generate_html_report( '
' + FINSERV_ICON + "Financial Services GenAI Risk Findings
" - '
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on ' - f'the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. ' - "Severities follow a documented Likelihood × Impact methodology (see docs).
" - '
' - '
' - + finserv_account_filter - + finserv_region_filter - + '
' - '
' - '' - "
" - '
' - + finserv_rows - + "
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
" - "" + + generate_assessment_summary( + "finserv", + finserv_total, + finserv_failed, + finserv_passed, + service_stats.get("finserv", {}).get("na", 0), + "Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on " + f'the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology.', + ) + + "" ) else: finserv_nav = "" @@ -1150,6 +1044,44 @@ def generate_html_report( finserv_scope_source = "" finserv_section = "" + def service_total(service_name: str) -> int: + stats = service_stats.get(service_name, {}) + return stats.get("passed", 0) + stats.get("failed", 0) + stats.get("na", 0) + + bedrock_total = service_total("bedrock") + bedrock_failed = service_stats.get("bedrock", {}).get("failed", 0) + bedrock_passed = service_stats.get("bedrock", {}).get("passed", 0) + bedrock_na = service_stats.get("bedrock", {}).get("na", 0) + sagemaker_total = service_total("sagemaker") + sagemaker_failed = service_stats.get("sagemaker", {}).get("failed", 0) + sagemaker_passed = service_stats.get("sagemaker", {}).get("passed", 0) + sagemaker_na = service_stats.get("sagemaker", {}).get("na", 0) + agentcore_total = service_total("agentcore") + agentcore_failed = service_stats.get("agentcore", {}).get("failed", 0) + agentcore_passed = service_stats.get("agentcore", {}).get("passed", 0) + agentcore_na = service_stats.get("agentcore", {}).get("na", 0) + bedrock_summary = generate_assessment_summary( + "bedrock", + bedrock_total, + bedrock_failed, + bedrock_passed, + bedrock_na, + ) + sagemaker_summary = generate_assessment_summary( + "sagemaker", + sagemaker_total, + sagemaker_failed, + sagemaker_passed, + sagemaker_na, + ) + agentcore_summary = generate_assessment_summary( + "agentcore", + agentcore_total, + agentcore_failed, + agentcore_passed, + agentcore_na, + ) + # Fill template html_template = get_html_template() @@ -1167,6 +1099,7 @@ def generate_html_report( total_findings=total_findings, findings_sub=findings_sub, actionable_findings=actionable_findings, + scored_findings=scored_findings, total_rows=total_findings, high_count=high_count, medium_count=medium_count, @@ -1179,40 +1112,24 @@ def generate_html_report( high_pass_rate=high_pass_rate, medium_pass_rate=medium_pass_rate, low_pass_rate=low_pass_rate, - bedrock_total=service_stats.get("bedrock", {}).get("passed", 0) - + service_stats.get("bedrock", {}).get("failed", 0) - + service_stats.get("bedrock", {}).get("na", 0), - bedrock_failed=service_stats.get("bedrock", {}).get("failed", 0), - bedrock_passed=service_stats.get("bedrock", {}).get("passed", 0), - sagemaker_total=service_stats.get("sagemaker", {}).get("passed", 0) - + service_stats.get("sagemaker", {}).get("failed", 0) - + service_stats.get("sagemaker", {}).get("na", 0), - sagemaker_failed=service_stats.get("sagemaker", {}).get("failed", 0), - sagemaker_passed=service_stats.get("sagemaker", {}).get("passed", 0), - agentcore_total=service_stats.get("agentcore", {}).get("passed", 0) - + service_stats.get("agentcore", {}).get("failed", 0) - + service_stats.get("agentcore", {}).get("na", 0), - agentcore_failed=service_stats.get("agentcore", {}).get("failed", 0), - agentcore_passed=service_stats.get("agentcore", {}).get("passed", 0), - agentic_total=service_stats.get("agentic", {}).get("passed", 0) - + service_stats.get("agentic", {}).get("failed", 0) - + service_stats.get("agentic", {}).get("na", 0), - agentic_failed=service_stats.get("agentic", {}).get("failed", 0), - agentic_passed=service_stats.get("agentic", {}).get("passed", 0), + bedrock_total=bedrock_total, + bedrock_failed=bedrock_failed, + bedrock_passed=bedrock_passed, + sagemaker_total=sagemaker_total, + sagemaker_failed=sagemaker_failed, + sagemaker_passed=sagemaker_passed, + agentcore_total=agentcore_total, + agentcore_failed=agentcore_failed, + agentcore_passed=agentcore_passed, + agentic_total=agentic_total, + agentic_failed=agentic_failed, + agentic_passed=agentic_passed, alerts=alerts_html, all_rows=all_rows, - bedrock_rows=bedrock_rows, - sagemaker_rows=sagemaker_rows, - agentcore_rows=agentcore_rows, - agentic_rows=agentic_rows, - bedrock_account_filter=bedrock_account_filter, - sagemaker_account_filter=sagemaker_account_filter, - agentcore_account_filter=agentcore_account_filter, - agentic_account_filter=agentic_account_filter, - bedrock_region_filter=bedrock_region_filter, - sagemaker_region_filter=sagemaker_region_filter, - agentcore_region_filter=agentcore_region_filter, - agentic_region_filter=agentic_region_filter, + bedrock_summary=bedrock_summary, + sagemaker_summary=sagemaker_summary, + agentcore_summary=agentcore_summary, + findings_table_class="single-account-report" if mode != "multi" else "", agentic_nav=agentic_nav, lens_nav=lens_nav, agentic_filter_option=agentic_filter_option, diff --git a/aiml-security-assessment/functions/security/generate_consolidated_report/test_generate_report.py b/aiml-security-assessment/functions/security/generate_consolidated_report/test_generate_report.py index 4f1c5be..f5cdb7d 100644 --- a/aiml-security-assessment/functions/security/generate_consolidated_report/test_generate_report.py +++ b/aiml-security-assessment/functions/security/generate_consolidated_report/test_generate_report.py @@ -178,6 +178,16 @@ def test_generate_viewable_report(self): self.assertIn("Methodology", content) self.assertIn("Severity Legend", content) self.assertIn("sortable", content) + self.assertIn("Failed High, Medium, and Low findings", content) + self.assertIn('', content) + self.assertIn('class="single-account-report"', content) + self.assertIn("Details and remediation", content) + self.assertLess(content.index('id="risk"'), content.index('id="findings"')) + self.assertIn( + "const status = this.hasAttribute('data-filter-status')", + content, + ) + self.assertNotIn("this.dataset.filterStatus || 'failed'", content) def test_generate_multi_account_report(self): """Test multi-account report generation using shared template directly""" @@ -348,13 +358,13 @@ def test_finserv_renders_when_present(self): } html = generate_html_report(data) self.assertIn('id="finserv"', html) - self.assertIn('id="finservTable"', html) + self.assertIn('id="findingsTable"', html) + self.assertNotIn('id="finservTable"', html) self.assertIn('', html) - self.assertIn('', html) + self.assertIn('data-filter-service="finserv"', html) + self.assertIn("View failed findings", html) self.assertIn('data-scope-service="finserv"', html) self.assertIn('class="scope-industry"', html) self.assertIn('class="scope-chip industry-chip"', html) @@ -407,7 +417,7 @@ def test_agentic_security_renders_when_present(self): "Finding": "Bedrock Agent Guardrail Association", "Finding_Details": "Agent has a guardrail.", "Resolution": "No action required.", - "Reference": "https://docs.aws.amazon.com/bedrock/latest/userguide/agents-guardrails.html", + "Reference": "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use.html", "Severity": "High", "Status": "Passed", "Region": "us-east-1", @@ -429,12 +439,14 @@ def test_agentic_security_renders_when_present(self): html = generate_html_report(data) self.assertIn('id="agentic"', html) - self.assertIn('id="agenticTable"', html) + self.assertIn('id="findingsTable"', html) + self.assertNotIn('id="agenticTable"', html) self.assertIn('', html) self.assertIn("

By Lens

", html) self.assertIn('class="nav-section lens-nav"', html) self.assertIn("AG-01", html) self.assertIn('data-service="agentic"', html) + self.assertIn('data-filter-service="agentic"', html) self.assertIn("Agentic AI Security Findings", html) self.assertIn( "wellarchitected/latest/agentic-ai-lens/agentic-ai-lens.html", html @@ -466,6 +478,74 @@ def test_agentic_security_omitted_when_absent(self): "wellarchitected/latest/agentic-ai-lens/agentic-ai-lens.html", html ) + def test_region_risk_includes_global_scope_card(self): + """Global failed findings render in risk by region / scope without inflating regions.""" + all_findings = [ + { + "account_id": "123456789012", + "check_id": "BR-01", + "finding": "Regional Bedrock Check", + "details": "No regional issue.", + "resolution": "No action required.", + "reference": "https://example.com", + "severity": "High", + "status": "Passed", + "region": "us-east-1", + "_service": "bedrock", + }, + { + "account_id": "123456789012", + "check_id": "BR-03", + "finding": "Marketplace Subscription Access Check", + "details": "Overly permissive marketplace subscription access.", + "resolution": "Restrict subscription access.", + "reference": "https://example.com", + "severity": "High", + "status": "Failed", + "region": "Global", + "_service": "bedrock", + }, + { + "account_id": "123456789012", + "check_id": "AC-09", + "finding": "AgentCore Service-Linked Role Missing", + "details": "Service-linked role is missing.", + "resolution": "Allow service-linked role creation.", + "reference": "https://example.com", + "severity": "Medium", + "status": "Failed", + "region": "Global", + "_service": "agentcore", + }, + ] + + html = generate_report_direct( + all_findings=all_findings, + service_findings={ + "bedrock": all_findings[:2], + "agentcore": [all_findings[2]], + }, + service_stats={ + "bedrock": {"passed": 1, "failed": 1, "na": 0}, + "agentcore": {"passed": 0, "failed": 1, "na": 0}, + }, + mode="single", + account_id="123456789012", + regions=["eu-west-1", "us-east-1", "us-west-2"], + ) + + self.assertIn("Risk by Region / Scope", html) + self.assertIn('>eu-west-1
0
', html) + self.assertIn('>us-east-1
0
', html) + self.assertIn('>us-west-2
0
', html) + self.assertIn('>Global
2
', html) + self.assertIn( + '1 High · ' + '1 Med · ' + '0 Low', + html, + ) + def tearDown(self): """Clean up test files after running tests""" pass diff --git a/aiml-security-assessment/functions/security/sagemaker_assessments/app.py b/aiml-security-assessment/functions/security/sagemaker_assessments/app.py index 2946b20..d6f1eb0 100644 --- a/aiml-security-assessment/functions/security/sagemaker_assessments/app.py +++ b/aiml-security-assessment/functions/security/sagemaker_assessments/app.py @@ -1852,7 +1852,7 @@ def check_sagemaker_monitoring_network_isolation(region: str = "") -> Dict[str, finding_name="SageMaker Monitoring Network Isolation Disabled", finding_details=f"Monitoring schedule '{schedule['name']}' does not have network isolation enabled. Monitoring jobs can make outbound network calls.", resolution="Enable network isolation in the monitoring job definition NetworkConfig to prevent outbound network access.", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-network-isolation.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MonitoringNetworkConfig.html", severity="Medium", status="Failed", region=region, @@ -1867,7 +1867,7 @@ def check_sagemaker_monitoring_network_isolation(region: str = "") -> Dict[str, finding_name="SageMaker Monitoring Network Isolation Check", finding_details=f"All {len(schedules_with_isolation)} monitoring schedules have network isolation enabled", resolution="No action required", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-network-isolation.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MonitoringNetworkConfig.html", severity="Medium", status="Passed", region=region, @@ -1881,7 +1881,7 @@ def check_sagemaker_monitoring_network_isolation(region: str = "") -> Dict[str, finding_name="SageMaker Monitoring Network Isolation Check", finding_details="No monitoring schedules found", resolution="No action required", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor-network-isolation.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MonitoringNetworkConfig.html", severity="Informational", status="N/A", region=region, @@ -2902,7 +2902,7 @@ def check_sagemaker_automl_network_isolation(region: str = "") -> Dict[str, Any] finding_name="SageMaker AutoML Job Network Isolation Disabled", finding_details=f"AutoML job '{job['name']}' does not have inter-container traffic encryption enabled. Data transmitted between containers during training is not encrypted.", resolution="Enable EnableInterContainerTrafficEncryption in AutoMLJobConfig.SecurityConfig when creating AutoML jobs.", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-security.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AutoMLSecurityConfig.html", severity="Medium", status="Failed", region=region, @@ -2916,7 +2916,7 @@ def check_sagemaker_automl_network_isolation(region: str = "") -> Dict[str, Any] finding_name="SageMaker AutoML Job Network Isolation Summary", finding_details=f"Found {len(jobs_without_isolation)} total AutoML jobs without network isolation (showing first 15)", resolution="Review all AutoML jobs and enable inter-container traffic encryption", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-security.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AutoMLSecurityConfig.html", severity="Medium", status="Failed", region=region, @@ -2931,7 +2931,7 @@ def check_sagemaker_automl_network_isolation(region: str = "") -> Dict[str, Any] finding_name="SageMaker AutoML Job Network Isolation Check", finding_details=f"All {len(jobs_with_isolation)} AutoML jobs have inter-container encryption enabled", resolution="No action required", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-security.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AutoMLSecurityConfig.html", severity="Medium", status="Passed", region=region, @@ -2945,7 +2945,7 @@ def check_sagemaker_automl_network_isolation(region: str = "") -> Dict[str, Any] finding_name="SageMaker AutoML Job Network Isolation Check", finding_details="No AutoML jobs found", resolution="No action required", - reference="https://docs.aws.amazon.com/sagemaker/latest/dg/autopilot-security.html", + reference="https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_AutoMLSecurityConfig.html", severity="Informational", status="N/A", region=region, diff --git a/docs/DEVELOPER_GUIDE.md b/docs/DEVELOPER_GUIDE.md index 3195cdd..26f0c80 100644 --- a/docs/DEVELOPER_GUIDE.md +++ b/docs/DEVELOPER_GUIDE.md @@ -97,7 +97,7 @@ The AI/ML Security Assessment Framework is a serverless, multi-account security sample-aiml-security-assessment/ ├── aiml-security-assessment/ │ ├── functions/security/ -│ │ ├── bedrock_assessments/ # Bedrock security checks (14) +│ │ ├── bedrock_assessments/ # Bedrock security checks (32) │ │ ├── sagemaker_assessments/ # SageMaker security checks (25) │ │ ├── agentcore_assessments/ # AgentCore security checks (13) │ │ ├── finserv_assessments/ # Optional Financial Services GenAI risk checks (64) @@ -116,8 +116,12 @@ sample-aiml-security-assessment/ ├── deployment/ # AWS CloudFormation templates ├── docs/ # Documentation │ ├── DEVELOPER_GUIDE.md # This guide -│ ├── SECURITY_CHECKS.md # Security checks reference +│ ├── SECURITY_CHECKS.md # Security checks reference (core + Agentic) +│ ├── SECURITY_CHECKS_FINSERV.md # FinServ GenAI risk checks reference +│ ├── SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md # FinServ severity model +│ ├── SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md # FinServ per-finding severities │ ├── TROUBLESHOOTING.md # Troubleshooting guide +│ ├── CLEANUP.md # Resource removal guide │ ├── diagrams/ # Architecture diagrams │ └── icons/ # AWS service icons ├── sample-reports/ # Sample assessment reports diff --git a/docs/SECURITY_CHECKS.md b/docs/SECURITY_CHECKS.md index 2b85c52..23393fd 100644 --- a/docs/SECURITY_CHECKS.md +++ b/docs/SECURITY_CHECKS.md @@ -87,7 +87,7 @@ Each security check has a unique identifier with a service prefix: ### SM-04: Amazon GuardDuty Integration -- **Severity:** Medium +- **Severity:** High - **Description:** Verifies Amazon GuardDuty runtime threat detection is enabled. ### SM-05: MLOps Features @@ -124,7 +124,7 @@ Each security check has a unique identifier with a service prefix: ### SM-11: Model Network Isolation -- **Severity:** Medium +- **Severity:** High - **AWS Security Hub Control:** SageMaker.4 - **Description:** Checks inference containers have network isolation. @@ -417,7 +417,7 @@ Each security check has a unique identifier with a service prefix: ### AC-07: Memory Encryption -- **Severity:** High +- **Severity:** Medium - **Description:** Checks agent memory encryption with AWS KMS. ### AC-08: Amazon VPC Endpoints diff --git a/docs/SECURITY_CHECKS_FINSERV.md b/docs/SECURITY_CHECKS_FINSERV.md index 7ee559a..13c609d 100644 --- a/docs/SECURITY_CHECKS_FINSERV.md +++ b/docs/SECURITY_CHECKS_FINSERV.md @@ -198,14 +198,14 @@ Each FS check maps to one or more FinServ regulatory frameworks (preliminary map | Framework | Description | Relevant Checks | |-----------|-------------|-----------------| -| SR 11-7 | Federal Reserve Model Risk Management Guidance | FS-07, FS-10, FS-12 to FS-16, FS-20, FS-21, FS-27 to FS-33, FS-34, FS-39 to FS-42, FS-66, FS-67 | -| FFIEC CAT | Cybersecurity Assessment Tool | All FS checks | -| NYDFS 500 | NY Cybersecurity Regulation | FS-22, FS-43 to FS-46, FS-51 to FS-54, FS-66 | -| PCI-DSS | Payment Card Industry Data Security Standard | FS-22, FS-25, FS-26, FS-43 to FS-46, FS-53, FS-56, FS-67, FS-68 | -| DORA | EU Digital Operational Resilience Act | FS-01 to FS-06, FS-08, FS-11, FS-54, FS-65, FS-68 | -| MAS TRM 9 | Monetary Authority of Singapore Technology Risk Management | FS-07 to FS-11, FS-15, FS-27 to FS-30, FS-32, FS-37, FS-39 to FS-42, FS-66, FS-67 | -| ISO 27001 | Information Security Management | FS-13, FS-14, FS-16, FS-21, FS-33, FS-46, FS-52, FS-63, FS-65 | -| ECOA/Fair Housing | Equal Credit Opportunity Act (US) | FS-39 to FS-42 (advisory — applicability depends on whether the model is used for ECOA-covered credit decisions; confirm with your compliance team) | +| SR 11-7 | Federal Reserve Model Risk Management Guidance | FS-03, FS-04, FS-06 to FS-10, FS-12 to FS-15, FS-20, FS-21, FS-27 to FS-42, FS-47 to FS-50, FS-59 to FS-63, FS-66, FS-67 | +| FFIEC CAT | Cybersecurity Assessment Tool | All FS checks except FS-08, FS-56, FS-66 | +| NYDFS 500 | NY Cybersecurity Regulation | FS-22, FS-24 to FS-26, FS-28 to FS-30, FS-43 to FS-46, FS-51 to FS-54, FS-56, FS-57, FS-66, FS-69 | +| PCI-DSS | Payment Card Industry Data Security Standard | FS-02, FS-22, FS-24 to FS-26, FS-43 to FS-46, FS-53, FS-56, FS-66 to FS-68 | +| DORA | EU Digital Operational Resilience Act | FS-01, FS-02, FS-05, FS-11, FS-16, FS-65, FS-68 | +| MAS TRM 9 | Monetary Authority of Singapore Technology Risk Management | FS-08, FS-10, FS-15, FS-27 to FS-29, FS-32, FS-37, FS-49, FS-62, FS-66, FS-67 | +| ISO 27001 | Information Security Management | FS-12 to FS-14, FS-16, FS-21, FS-33, FS-46, FS-52, FS-63, FS-65 | +| ECOA/Fair Housing | Equal Credit Opportunity Act (US) | FS-39, FS-40 (advisory — applicability depends on whether the model is used for ECOA-covered credit decisions; confirm with your compliance team) | | OWASP LLM Top 10 | OWASP LLM Application Security | FS-51 to FS-58, FS-68, FS-69 | > **FS-34 note:** FS-34 (TPRM for FM Providers) is listed above under SR 11-7. Although the @@ -1016,7 +1016,7 @@ Each FS check maps to one or more FinServ regulatory frameworks (preliminary map | Description | Checks for Lambda functions implementing output validation/sanitization before AI responses reach downstream consumers. | | Detection | Calls `lambda:ListFunctions` and searches for functions with naming patterns indicating output validation (e.g., "output-valid", "sanitiz", "post-process", "response-filter"). Flags if no such functions exist. | | Remediation | 1. Implement a post-processing Lambda that validates AI model output before it reaches the end user or downstream system. 2. Validate output against expected schema (JSON schema validation for structured responses). 3. Strip or escape any executable content (HTML tags, JavaScript, SQL fragments). 4. Log rejected outputs for security monitoring. | -| Reference | [AWS Well-Architected Security Pillar — Application Security](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/application-security.html), [Bedrock Prompt Injection Security](https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-injection.html), [Well-Architected FSI Lens — FSISEC14 Monitor AI system outputs for security issues](https://docs.aws.amazon.com/wellarchitected/latest/financial-services-industry-lens/fsisec14.html) | +| Reference | [OWASP LLM05:2025 Improper Output Handling](https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/), [AWS Well-Architected Security Pillar — Application Security](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/application-security.html), [Bedrock Prompt Injection Security](https://docs.aws.amazon.com/bedrock/latest/userguide/prompt-injection.html), [Well-Architected FSI Lens — FSISEC14 Monitor AI system outputs for security issues](https://docs.aws.amazon.com/wellarchitected/latest/financial-services-industry-lens/fsisec14.html) | #### FS-56 — XSS Prevention WAF diff --git a/docs/SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md b/docs/SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md index 6787733..f9929c7 100644 --- a/docs/SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md +++ b/docs/SECURITY_CHECKS_FINSERV_SEVERITY_METHODOLOGY.md @@ -123,7 +123,7 @@ a default band. Per-control I×L may refine within ±1 with a documented reason. | **Non-verifiable advisory** | app-layer; no API | **Informational** | FS-24, FS-29, FS-32, FS-37, FS-49, FS-54, FS-57, FS-58, FS-60, FS-62 | The authoritative per-finding assignments are in -[`severity-register.md`](./severity-register.md). +[`SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md`](./SECURITY_CHECKS_FINSERV_SEVERITY_REGISTER.md). diff --git a/sample-reports/dashboard-overview-dark.png b/sample-reports/dashboard-overview-dark.png index a94cd0a..d1f7462 100644 Binary files a/sample-reports/dashboard-overview-dark.png and b/sample-reports/dashboard-overview-dark.png differ diff --git a/sample-reports/dashboard-overview-light.png b/sample-reports/dashboard-overview-light.png index af805da..bcca132 100644 Binary files a/sample-reports/dashboard-overview-light.png and b/sample-reports/dashboard-overview-light.png differ diff --git a/sample-reports/findings-table.png b/sample-reports/findings-table.png index 948e9ee..af8181b 100644 Binary files a/sample-reports/findings-table.png and b/sample-reports/findings-table.png differ diff --git a/sample-reports/multi-account-summary.png b/sample-reports/multi-account-summary.png index 78bbe13..a8c837a 100644 Binary files a/sample-reports/multi-account-summary.png and b/sample-reports/multi-account-summary.png differ diff --git a/sample-reports/security_assessment_multi_account.html b/sample-reports/security_assessment_multi_account.html index de48422..36b64d0 100644 --- a/sample-reports/security_assessment_multi_account.html +++ b/sample-reports/security_assessment_multi_account.html @@ -114,15 +114,15 @@ .alert-category { font-size: 12px; color: var(--text-2); margin-top: 2px; } .table-wrap { overflow-x: auto; max-height: 900px; overflow-y: auto; } table { width: 100%; border-collapse: collapse; font-size: 13px; table-layout: fixed; min-width: 1000px; } - table th:nth-child(1) { width: 10%; } - table th:nth-child(2) { width: 9%; } - table th:nth-child(3) { width: 6%; } - table th:nth-child(4) { width: 12%; } - table th:nth-child(5) { width: 18%; } - table th:nth-child(6) { width: 18%; } - table th:nth-child(7) { width: 6%; } - table th:nth-child(8) { width: 9%; } - table th:nth-child(9) { width: 9%; } + #findingsTable th:nth-child(1) { width: 13%; } + #findingsTable th:nth-child(2) { width: 11%; } + #findingsTable th:nth-child(3) { width: 8%; } + #findingsTable th:nth-child(4) { width: 46%; } + #findingsTable th:nth-child(5) { width: 11%; } + #findingsTable th:nth-child(6) { width: 11%; } + #findingsTable.single-account-report { min-width: 780px; } + #findingsTable.single-account-report th:nth-child(1), + #findingsTable.single-account-report td:nth-child(1) { display: none; } th { text-align: left; padding: 14px 16px; font-weight: 700; font-size: 11px; text-transform: uppercase; letter-spacing: 0.5px; color: var(--text); background: var(--surface-2); border-bottom: 3px solid var(--accent); white-space: nowrap; position: sticky; top: 0; } th.sortable { cursor: pointer; user-select: none; transition: background 0.15s; } th.sortable:hover { background: var(--border); } @@ -160,6 +160,14 @@ .reference-btn svg { width: 14px; height: 14px; } .finding-details { color: var(--text-2); font-size: 12px; line-height: 1.6; word-break: break-word; overflow-wrap: break-word; hyphens: auto; } .resolution-text { color: var(--text-2); font-size: 12px; line-height: 1.6; word-break: break-word; overflow-wrap: break-word; hyphens: auto; } + .finding-summary { text-align: left; } + .finding-more { margin-top: 8px; color: var(--text-2); font-size: 12px; } + .finding-more summary { cursor: pointer; color: var(--accent); font-weight: 600; } + .finding-more-body { display: grid; gap: 10px; margin-top: 10px; padding: 12px; background: var(--surface-2); border-radius: 6px; text-align: left; } + .finding-more-body strong { color: var(--text); font-size: 11px; text-transform: uppercase; letter-spacing: 0.3px; } + .finding-more-body p { margin-top: 2px; } + .assessment-summary-grid { display: grid; grid-template-columns: repeat(4, minmax(140px, 1fr)); gap: 16px; margin-bottom: 16px; } + .assessment-actions { display: flex; flex-wrap: wrap; gap: 10px; } @media (max-width: 1024px) { .layout { grid-template-columns: 1fr; } .sidebar { display: none; } .metrics { grid-template-columns: repeat(2, 1fr); } } @media (max-width: 640px) { .metrics { grid-template-columns: 1fr; } .main { padding: 20px; } } .page-footer { padding: 16px 40px; border-top: 1px solid var(--border); font-size: 10px; line-height: 1.6; color: var(--text-3); text-align: center; background: var(--surface); } @@ -187,7 +195,7 @@

Navigation

Security Findings - 1664 + 1124 @@ -203,23 +211,23 @@

By Service

Bedrock - 461 + 293 SageMaker - 423 + 261 AgentCore - 182 + 122 - - + + @@ -229,35 +237,29 @@

By Service

-
Security Checks
161
Evaluated across 5 regions
-
Total Findings
1664
Across 3 accounts · 5 regions
-
Actionable Findings
598
High, Medium, and Low severity
-
High Severity
28/219
12.8% passed · Immediate action required
-
Medium Severity
82/280
29.3% passed · Should be addressed
-
Low Severity
30/99
30.3% passed · Best practices
+
Security Checks
161
Evaluated across 3 regions
+
Total Findings
1124
Across 3 accounts · 3 regions
+
Actionable Findings
260
Failed High, Medium, and Low findings
+
High Severity
28/183
15.3% passed · Immediate action required
+
Medium Severity
64/232
27.6% passed · Should be addressed
+
Low Severity
24/75
32.0% passed · Best practices

Priority Recommendations

-
1
-
-
AgentCore Resource-Based Policies Missing
-
AgentCore
-
-
-
1
+
3
-
Agentic AI Gateway Tool Policy Enforcement Missing
-
Agentic AI
+
AmazonBedrockFullAccess role check
+
Bedrock
1
-
Agentic AI Resource Policy Boundary
-
Agentic AI
+
Marketplace Subscription Access Check
+
Bedrock
1
@@ -281,494 +283,433 @@

Security Assessment Overview

+
+
Risk Distribution
+

Pass Rate by Severity

+
+
HIGH
15.3%
28 of 183 checks passed
+
MEDIUM
27.6%
64 of 232 checks passed
+
LOW
32.0%
24 of 75 checks passed
+
Overall
23.7%
116 of 490 scored checks passed
+
+

Risk by Account

+
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
+

Risk by Region / Scope

+
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
Global
39
32 High · 7 Med · 0 Low
+

Findings by Assessment Area

+
+
Bedrock
293
50 Failed · 18 Passed
+
SageMaker
261
34 Failed · 37 Passed
+
AgentCore
122
39 Failed · 3 Passed
+
Agentic AI Security
244
47 Failed · 18 Passed
+
Financial Services Risk
204
90 Failed · 40 Passed
+
+
All Security Findings
-
+
-
+
-
+
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
- + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - + @@ -776,11 +717,18 @@

Security Assessment Overview

- - - - + @@ -788,11 +736,18 @@

Security Assessment Overview

- - - - + @@ -800,10 +755,17 @@

Security Assessment Overview

- - - - + @@ -811,10 +773,17 @@

Security Assessment Overview

- - - - + @@ -822,10 +791,17 @@

Security Assessment Overview

- - - - + @@ -833,10 +809,17 @@

Security Assessment Overview

- - - - + @@ -844,10 +827,17 @@

Security Assessment Overview

- - - - + @@ -855,10 +845,17 @@

Security Assessment Overview

- - - - + @@ -866,10 +863,17 @@

Security Assessment Overview

- - - - + @@ -877,10 +881,17 @@

Security Assessment Overview

- - - - + @@ -888,10 +899,17 @@

Security Assessment Overview

- - - - + @@ -899,10 +917,17 @@

Security Assessment Overview

- - - - + @@ -910,10 +935,17 @@

Security Assessment Overview

- - - - + @@ -921,14 +953,21 @@

Security Assessment Overview

- - - - +- com.amazonaws.region.bedrock-agent-runtime

+
Reference

+ + + @@ -936,10 +975,17 @@

Security Assessment Overview

- - - - + @@ -947,10 +993,17 @@

Security Assessment Overview

- - - - + @@ -958,10 +1011,17 @@

Security Assessment Overview

- - - - + @@ -969,14 +1029,21 @@

Security Assessment Overview

- - - - +4. Maintain consistent prompt templates

+
Reference

+ + + @@ -984,10 +1051,17 @@

Security Assessment Overview

- - - - + @@ -995,13 +1069,20 @@

Security Assessment Overview

- - - - +4. Consider using CMK for transient data during ingestion

+
Reference

+ + + @@ -1009,13 +1090,20 @@

Security Assessment Overview

- - - - +4. Consider using CMK for transient data during ingestion

+
Reference

+ + + @@ -1023,13 +1111,20 @@

Security Assessment Overview

- - - - +4. Consider using CMK for transient data during ingestion

+
Reference

+ + + @@ -1037,13 +1132,20 @@

Security Assessment Overview

- - - - +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}

+
Reference

+ + + @@ -1051,10 +1153,17 @@

Security Assessment Overview

- - - - + @@ -1062,12 +1171,19 @@

Security Assessment Overview

- - - - +3. Consider enabling S3 bucket versioning and MFA delete for log integrity

+
Reference

+ + + @@ -1075,10 +1191,17 @@

Security Assessment Overview

- - - - + @@ -1086,10 +1209,17 @@

Security Assessment Overview

- - - - + @@ -1097,10 +1227,17 @@

Security Assessment Overview

- - - - + @@ -1108,10 +1245,17 @@

Security Assessment Overview

- - - - + @@ -1119,10 +1263,17 @@

Security Assessment Overview

- - - - + @@ -1130,10 +1281,17 @@

Security Assessment Overview

- - - - + @@ -1141,13 +1299,20 @@

Security Assessment Overview

- - - - +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+ + + @@ -1155,13 +1320,20 @@

Security Assessment Overview

- - - - +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+ + + @@ -1169,13 +1341,20 @@

Security Assessment Overview

- - - - +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+ + + @@ -1183,10 +1362,17 @@

Security Assessment Overview

- - - - + @@ -1194,10 +1380,17 @@

Security Assessment Overview

- - - - + @@ -1205,10 +1398,17 @@

Security Assessment Overview

- - - - + @@ -1216,10 +1416,17 @@

Security Assessment Overview

- - - - + @@ -1227,10 +1434,17 @@

Security Assessment Overview

- - - - + @@ -1238,10 +1452,17 @@

Security Assessment Overview

- - - - + @@ -1249,10 +1470,17 @@

Security Assessment Overview

- - - - + @@ -1260,10 +1488,17 @@

Security Assessment Overview

- - - - + @@ -1271,10 +1506,17 @@

Security Assessment Overview

- - - - + @@ -1282,10 +1524,17 @@

Security Assessment Overview

- - - - + @@ -1293,10 +1542,17 @@

Security Assessment Overview

- - - - + @@ -1304,10 +1560,17 @@

Security Assessment Overview

- - - - + @@ -1315,10 +1578,17 @@

Security Assessment Overview

- - - - + @@ -1326,10 +1596,17 @@

Security Assessment Overview

- - - - + @@ -1337,10 +1614,17 @@

Security Assessment Overview

- - - - + @@ -1348,10 +1632,17 @@

Security Assessment Overview

- - - - + @@ -1359,10 +1650,17 @@

Security Assessment Overview

- - - - + @@ -1370,10 +1668,17 @@

Security Assessment Overview

- - - - + @@ -1381,10 +1686,17 @@

Security Assessment Overview

- - - - + @@ -1392,10 +1704,17 @@

Security Assessment Overview

- - - - + @@ -1403,10 +1722,17 @@

Security Assessment Overview

- - - - + @@ -1414,10 +1740,17 @@

Security Assessment Overview

- - - - + @@ -1425,10 +1758,17 @@

Security Assessment Overview

- - - - + @@ -1436,10 +1776,17 @@

Security Assessment Overview

- - - - + @@ -1447,10 +1794,17 @@

Security Assessment Overview

- - - - + @@ -1458,10 +1812,17 @@

Security Assessment Overview

- - - - + @@ -1469,10 +1830,17 @@

Security Assessment Overview

- - - - + @@ -1480,3265 +1848,5301 @@

Security Assessment Overview

- - - - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + + + + + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + + + + + + + + + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + + + + + + + + + - + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - - + + + + - + + + + + + + + + - - - - - + + + + + + + + + + - + - - - - - + + - + + + + + + + + + - - - - - + + + + + + + + + + - + - - - - - + + - + - + - - - - - - + + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - - - - - - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + + + + + + + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - - - - - - - - - - - - + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - + - + - - - - - - + + + - + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - + - - - - - - - + + + + - + - - - - - + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - - + + + + - + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - + - + - - - - - + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + - + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - - - - - - - - - - - - + - - - - - + + - - - - - - - - - - - - + - - - - + @@ -4746,10 +7150,17 @@

Security Assessment Overview

- - - - + @@ -4757,10 +7168,17 @@

Security Assessment Overview

- - - - + @@ -4768,10 +7186,17 @@

Security Assessment Overview

- - - - + @@ -4779,10 +7204,17 @@

Security Assessment Overview

- - - - + @@ -4790,10 +7222,17 @@

Security Assessment Overview

- - - - + @@ -4801,10 +7240,17 @@

Security Assessment Overview

- - - - + @@ -4812,10 +7258,17 @@

Security Assessment Overview

- - - - + @@ -4823,10 +7276,17 @@

Security Assessment Overview

- - - - + @@ -4834,10 +7294,17 @@

Security Assessment Overview

- - - - + @@ -4845,10 +7312,17 @@

Security Assessment Overview

- - - - + @@ -4856,10 +7330,17 @@

Security Assessment Overview

- - - - + @@ -4867,10 +7348,17 @@

Security Assessment Overview

- - - - + @@ -4878,10 +7366,17 @@

Security Assessment Overview

- - - - + @@ -4889,10 +7384,17 @@

Security Assessment Overview

- - - - + @@ -4900,10 +7402,17 @@

Security Assessment Overview

- - - - + @@ -4911,10 +7420,17 @@

Security Assessment Overview

- - - - + @@ -4922,10 +7438,17 @@

Security Assessment Overview

- - - - + @@ -4933,10 +7456,17 @@

Security Assessment Overview

- - - - + @@ -4944,10 +7474,17 @@

Security Assessment Overview

- - - - + @@ -4955,10 +7492,17 @@

Security Assessment Overview

- - - - + @@ -4966,10 +7510,17 @@

Security Assessment Overview

- - - - + @@ -4977,10 +7528,17 @@

Security Assessment Overview

- - - - + @@ -4988,10 +7546,17 @@

Security Assessment Overview

- - - - + @@ -4999,10 +7564,17 @@

Security Assessment Overview

- - - - + @@ -5010,10 +7582,17 @@

Security Assessment Overview

- - - - + @@ -5021,29290 +7600,8763 @@

Security Assessment Overview

- - - - + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - + - - - - - + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + + + + + + + + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - + + - - - - - - - - - - - - - - - - - - + + + + - - + + - - - - - - - - - - - - - - - - - - + + + + - - + + - - - - - - - - - - - - - - - - - - + + + + - - + + - - - - - - - - - - - - - - - - + + - - + + - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingSeverityStatus
111122223333ap-south-1eu-west-1 AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action required +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1eu-west-1 AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
111122223333us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-13AgentCore Gateway Configuration CheckFound 1 Gateway resourcesNo action requiredMediumPassed
111122223333us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: -1. Implement defense-in-depth access control -2. Enable cross-account access control -3. Restrict access based on source VPC or IP -4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333us-west-2AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control -2. AWS-managed keys are single-tenant and region-specific -3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333us-west-2AG-24Agentic AI Gateway Inbound AuthorizationGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) uses authorizerType CUSTOM_JWT.No action requiredHighPassed
111122223333us-west-2AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-west-2AG-26Agentic AI Gateway Error Detail ExposureGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.No action requiredMediumPassed
111122223333us-west-2AG-27Agentic AI Gateway WAF Protection MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
111122223333us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
111122223333us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
111122223333us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
111122223333us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
111122223333us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
111122223333 Global BR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required access +
AmazonBedrockFullAccess role check
+
+ Details and remediation +
+
Details

Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached

+
Resolution

Limit the AmazonBedrockFullAccess policy only to required access

+
Reference

+
+
+
High Failed
111122223333 Global BR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required access +
AmazonBedrockFullAccess role check
+
+ Details and remediation +
+
Details

Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached

+
Resolution

Limit the AmazonBedrockFullAccess policy only to required access

+
Reference

+
+
+
High Failed
111122223333 Global BR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required access +
AmazonBedrockFullAccess role check
+
+ Details and remediation +
+
Details

Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached

+
Resolution

Limit the AmazonBedrockFullAccess policy only to required access

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 Global BR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check. +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333 us-east-1 BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7feCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: + +
Amazon Bedrock private connectivity not used
+
+ Details and remediation +
+
Details

No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe

+
Resolution

Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: - com.amazonaws.region.bedrock - com.amazonaws.region.bedrock-runtime - com.amazonaws.region.bedrock-agent -- com.amazonaws.region.bedrock-agent-runtime

Medium Failed
111122223333 us-east-1 BR-04Bedrock Model Invocation Logging CheckModel invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsNo action required +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333 us-east-1 BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed. +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

Amazon Bedrock Guardrails are properly configured with 1 guardrails

+
Resolution

No action required. Continue monitoring and updating guardrails as needed.

+
Reference

+
+
+
High Passed
111122223333 us-east-1 BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity. +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

No action required. Continue monitoring CloudTrail logs for Bedrock activity.

+
Reference

+
+
+
Medium Passed
111122223333 us-east-1 BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: + +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization -4. Maintain consistent prompt templates

Informational N/A
111122223333 us-east-1 BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action required +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level + +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level 2. For S3 data sources: Verify CMK-encrypted S3 buckets 3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level + +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level 2. For S3 data sources: Verify CMK-encrypted S3 buckets 3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level + +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level 2. For S3 data sources: Verify CMK-encrypted S3 buckets 3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: + +
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation +
+
Details

The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...

+
Resolution

Add IAM policy conditions to enforce guardrail usage: 1. Use 'bedrock:GuardrailIdentifier' condition key 2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}

High Failed
111122223333 us-east-1 BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action required +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 BR-12Bedrock Invocation Log EncryptionS3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.1. Enable SSE-KMS with a customer-managed key on the S3 bucket + +
Bedrock Invocation Log Encryption
+
+ Details and remediation +
+
Details

S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.

+
Resolution

1. Enable SSE-KMS with a customer-managed key on the S3 bucket 2. Update bucket policy to require encrypted uploads -3. Consider enabling S3 bucket versioning and MFA delete for log integrity

Medium Failed
111122223333 us-east-1 BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action required +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 Global BR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcement +
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation +
+
Details

Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Run assessment in management account to check cross-account guardrails enforcement

+
Reference

+
+
+
Medium N/A
111122223333 us-east-1 BR-16Guardrail Tier Validation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading. +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.

+
Resolution

Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333 us-east-1 BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment. +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
111122223333 us-east-1 BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key + +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key 2. For Amazon RDS/Aurora: verify KMS encryption on the database 3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key + +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key 2. For Amazon RDS/Aurora: verify KMS encryption on the database 3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key + +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key 2. For Amazon RDS/Aurora: verify KMS encryption on the database 3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestion

Informational N/A
111122223333 us-east-1 BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principles +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
High N/A
111122223333 us-east-1 BR-22Model Invocation Throttling Limits Check11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change. +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Continue monitoring quota utilization. Review and adjust quotas as application requirements change.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 BR-23Guardrail Content Filter Coverage Check1 guardrails have complete content filter coverage (hate, insults, sexual, violence)No action required. Continue monitoring filter effectiveness and adjust thresholds as needed. +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

1 guardrails have complete content filter coverage (hate, insults, sexual, violence)

+
Resolution

No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 BR-24Automated Reasoning Policy Implementation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required. +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.

+
Resolution

Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality. +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
Low Failed
111122223333 us-east-1 BR-25RAG Evaluation Jobs CheckKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality. +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
Low Failed
111122223333 us-east-1 BR-25RAG Evaluation Jobs CheckKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality. +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
Low Failed
111122223333 us-east-1 BR-26Guardrail Sensitive Information Filter Check1 guardrails have sensitive-information (PII) filters configuredNo action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data. +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

1 guardrails have sensitive-information (PII) filters configured

+
Resolution

No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 BR-27Guardrail Contextual Grounding Check1 guardrails have contextual grounding checks enabledNo action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives. +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

1 guardrails have contextual grounding checks enabled

+
Resolution

No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
111122223333 us-east-1 BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
111122223333 us-east-1 BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333 us-east-1 BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
111122223333 us-east-1 BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification. +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Medium Passed
111122223333 us-east-1 AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Medium Passed
111122223333 Global AG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. +
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases. +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads. +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required. +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1 AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configuredConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabledEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
Low Passed
111122223333 us-east-1 AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1 AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Medium Failed
111122223333ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/Aus-east-1FS-01 +
AWS Shield Advanced Not Enabled
+
+ Details and remediation +
+
Details

AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.

+
Resolution

1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.

+
Reference

+
+
+
LowFailed
111122223333ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/Aus-west-2FS-01 +
AWS Shield Advanced Not Enabled
+
+ Details and remediation +
+
Details

AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.

+
Resolution

1. Subscribe to AWS Shield Advanced for DDoS protection. +2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. +3. Enable Shield Response Team (SRT) access and configure proactive engagement. +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.

+
Reference

+
+
+
LowFailed
111122223333ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/Aus-east-1FS-01 +
No Regional WAF Web ACLs Found
+
+ Details and remediation +
+
Details

No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.

+
Resolution

1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/Aus-west-2FS-01 +
No Regional WAF Web ACLs Found
+
+ Details and remediation +
+
Details

No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.

+
Resolution

1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). +2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. +3. Add AWS Managed Rules for known bad inputs.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/Aus-east-1FS-02 +
API Gateway Usage Plans Missing Throttle
+
+ Details and remediation +
+
Details

Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.

+
Resolution

Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/Aus-west-2FS-02 +
API Gateway Usage Plans Missing Throttle
+
+ Details and remediation +
+
Details

Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.

+
Resolution

Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/Aus-east-1FS-03 +
Bedrock Token Quotas Customized
+
+ Details and remediation +
+
Details

Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.

+
Resolution

No action required. Periodically re-review quotas against expected peak load.

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/Aus-west-2FS-03 +
Bedrock Token Quotas Customized
+
+ Details and remediation +
+
Details

Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.

+
Resolution

No action required. Periodically re-review quotas against expected peak load.

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/Aus-east-1FS-04 +
No Cost Anomaly Detection Monitors
+
+ Details and remediation +
+
Details

No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.

+
Resolution

1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/Aus-west-2FS-04 +
No Cost Anomaly Detection Monitors
+
+ Details and remediation +
+
Details

No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.

+
Resolution

1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. +2. Configure alert subscriptions (SNS/email) for anomalies above threshold. +3. Set daily spend budgets with AWS Budgets as a secondary control.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/Aus-east-1FS-05 +
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMF

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionus-west-2FS-05 +
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms for: +- AWS/Bedrock InvocationThrottles (threshold > 0) +- AWS/Bedrock TokensProcessed (threshold based on quota) +- Custom application-level token counters via EMF

+
Reference

+
+
+
MediumN/AFailed
111122223333ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/Aus-east-1FS-06 +
No AI/ML Service Budgets Configured
+
+ Details and remediation +
+
Details

No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.

+
Resolution

1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/Aus-west-2FS-06 +
No AI/ML Service Budgets Configured
+
+ Details and remediation +
+
Details

No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.

+
Resolution

1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. +2. Add SNS notifications to on-call channels. +3. Consider budget actions to apply IAM deny policies when thresholds are breached.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumus-east-1FS-07 +
Agent Action Boundary Check
+
+ Details and remediation +
+
Details

No Bedrock agents found.

+
Resolution

No action required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighus-west-2FS-07 +
Agent Action Boundary Check
+
+ Details and remediation +
+
Details

No Bedrock agents found.

+
Resolution

No action required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesus-east-1FS-08 +
AgentCore Runtimes Missing Policy Engine
+
+ Details and remediation +
+
Details

Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.

+
Resolution

Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.

+
Reference

+
+
+
HighN/AFailed
111122223333ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/Aus-west-2FS-08 +
AgentCore Runtimes Missing Policy Engine
+
+ Details and remediation +
+
Details

Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.

+
Resolution

Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/Aus-east-1FS-09 +
Agent Lambda Functions Without Concurrency Limits
+
+ Details and remediation +
+
Details

Agent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.

+
Resolution

1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesus-west-2FS-09 +
Agent Lambda Functions Without Concurrency Limits
+
+ Details and remediation +
+
Details

Agent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.

+
Resolution

1. Set reserved concurrency on agent Lambda functions. +2. Implement maximum iteration counts in agent orchestration logic. +3. Use Step Functions with MaxConcurrency and timeout states. +4. Add circuit-breaker patterns to agent tool invocations.

+
Reference

+
+
+
MediumN/AFailed
111122223333ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowus-east-1FS-10 +
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation +
+
Details

No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.

+
Resolution

Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighus-west-2FS-10 +
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation +
+
Details

No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.

+
Resolution

Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsus-east-1FS-11 +
No Agent Rate Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeouts

+
Reference

+
+
+
MediumN/AFailed
111122223333ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/Aus-west-2FS-11 +
No Agent Rate Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms on: +- Bedrock agent invocation counts (threshold based on expected max) +- Lambda invocation errors for agent functions +- Step Functions execution failures and timeouts

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/Aus-east-1FS-12 +
No Bedrock-Scoped SCPs Found
+
+ Details and remediation +
+
Details

No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.

+
Resolution

1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/Aus-west-2FS-12 +
No Bedrock-Scoped SCPs Found
+
+ Details and remediation +
+
Details

No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.

+
Resolution

1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. +2. Use bedrock:ModelId condition key to allowlist approved models. +3. Maintain a model inventory and update the SCP when models are approved/retired.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputus-east-1FS-13 +
Model Provenance Tags Present
+
+ Details and remediation +
+
Details

All reviewed models have required provenance tags.

+
Resolution

No action required.

+
Reference

+
+
+
MediumN/APassed
111122223333ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/Aus-west-2FS-13 +
Model Provenance Tags Present
+
+ Details and remediation +
+
Details

All reviewed models have required provenance tags.

+
Resolution

No action required.

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/Aus-east-1FS-14 +
Model Governance Config Rules Present
+
+ Details and remediation +
+
Details

Found 11 model-related Config rule(s).

+
Resolution

No action required.

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/Aus-west-2FS-14 +
Model Governance Config Rules Present
+
+ Details and remediation +
+
Details

Found 11 model-related Config rule(s).

+
Resolution

No action required.

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/Aus-east-1FS-15 +
No Bedrock Evaluation Jobs Found
+
+ Details and remediation +
+
Details

No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.

+
Resolution

1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/Aus-west-2FS-15 +
No Bedrock Evaluation Jobs Found
+
+ Details and remediation +
+
Details

No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.

+
Resolution

1. Run Bedrock Model Evaluation with adversarial/red-team datasets. +2. Use FMEval library for automated robustness testing. +3. Schedule periodic re-evaluation after model updates.

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/Aus-east-1FS-16 +
ECR Repositories Without Image Scanning
+
+ Details and remediation +
+
Details

4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.

+
Resolution

Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/Aus-west-2FS-16 +
ECR Repositories Without Image Scanning
+
+ Details and remediation +
+
Details

4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.

+
Resolution

Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.us-east-1FS-20 +
No SageMaker Feature Groups Found
+
+ Details and remediation +
+
Details

No SageMaker Feature Store groups found.

+
Resolution

No action required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-west-2FS-20 +
No SageMaker Feature Groups Found
+
+ Details and remediation +
+
Details

No SageMaker Feature Store groups found.

+
Resolution

No action required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/Aus-east-1FS-21 +
Training Data Buckets Without Versioning
+
+ Details and remediation +
+
Details

13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.

+
Resolution

Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/Aus-west-2FS-21 +
Training Data Buckets Without Versioning
+
+ Details and remediation +
+
Details

13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.

+
Resolution

Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.

+
Reference

+
+
+
HighFailed
111122223333us-east-1FS-22 +
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation +
+
Details

827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Admin' allows '*' +- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)

+
Resolution

Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/Aus-west-2FS-22 +
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation +
+
Details

827 role(s) with wildcard KB permissions: +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Admin' allows '*' +- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)

+
Resolution

Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.us-east-1FS-24 +
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation +
+
Details

Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.

+
Resolution

1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.us-west-2FS-24 +
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation +
+
Details

Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.

+
Resolution

1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.

+
Reference

+
+
+
Informational N/A
111122223333us-east-1FS-25 +
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation +
+
Details

Found 5 encryption policy(ies); 5 use a customer-managed KMS key.

+
Resolution

Verify all vector store collections use customer-managed KMS keys.

+
Reference

+
+
+
HighPassed
111122223333 us-west-2BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fcCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: -- com.amazonaws.region.bedrock -- com.amazonaws.region.bedrock-runtime -- com.amazonaws.region.bedrock-agent -- com.amazonaws.region.bedrock-agent-runtimeMediumFS-25 +
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation +
+
Details

Found 5 encryption policy(ies); 5 use a customer-managed KMS key.

+
Resolution

Verify all vector store collections use customer-managed KMS keys.

+
Reference

+
+
+
HighPassed
111122223333us-east-1FS-26 +
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation +
+
Details

Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.

+
Resolution

Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.

+
Reference

+
+
+
High Failed
111122223333 us-west-2BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFS-26 +
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation +
+
Details

Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.

+
Resolution

Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.

+
Reference

+
+
+
High Failed
111122223333us-west-2BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.us-east-1FS-27 +
Contextual Grounding Enabled on Guardrails
+
+ Details and remediation +
+
Details

Guardrails with contextual grounding: nist-ai-rmf-guardrail.

+
Resolution

No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.

+
Reference

+
+
+
High Passed
111122223333 us-west-2BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumFS-27 +
Contextual Grounding Enabled on Guardrails
+
+ Details and remediation +
+
Details

Guardrails with contextual grounding: nist-ai-rmf-guardrail.

+
Resolution

No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.

+
Reference

+
+
+
High Passed
111122223333us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/Aus-east-1FS-27 +
No Automated Reasoning Policies Found
+
+ Details and remediation +
+
Details

No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.

+
Resolution

1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).

+
Reference

+
+
+
MediumFailed
111122223333 us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/AFS-27 +
No Automated Reasoning Policies Found
+
+ Details and remediation +
+
Details

No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.

+
Resolution

1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). +2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). +3. Set confidenceThreshold on the policy to control strictness. +4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).

+
Reference

+
+
+
MediumFailed
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/Aus-east-1FS-28 +
Denied Topics Configured on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.

+
Resolution

Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).

+
Reference

+
+
+
HighPassed
111122223333 us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/AFS-28 +
Denied Topics Configured on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.

+
Resolution

Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).

+
Reference

+
+
+
HighPassed
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionus-east-1FS-29 +
ADVISORY: Compliance Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.

+
Resolution

1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionFS-29 +
ADVISORY: Compliance Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.

+
Resolution

1. Implement post-processing to append required disclaimers to GenAI outputs. +2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. +3. Document disclaimer requirements in the AI use case register. +4. Test disclaimer presence in QA/UAT before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionus-east-1FS-30 +
ADVISORY: Compliance Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge cases

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionFS-30 +
ADVISORY: Compliance Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with compliance-specific datasets: +- Fair lending test cases (ECOA, Fair Housing Act) +- UDAP/UDAAP unfair/deceptive practice scenarios +- AML/KYC edge cases

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: -1. Use 'bedrock:GuardrailIdentifier' condition key -2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}Highus-east-1FS-31 +
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation +
+
Details

2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 200 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.

+
Resolution

1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/AFS-31 +
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation +
+
Details

2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago +- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 200 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.

+
Resolution

1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. +2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. +3. Set CloudWatch alarms on sync job failures.

+
Reference

+
+
+
MediumFailed
111122223333us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionus-east-1FS-32 +
ADVISORY: Source Attribution — Manual Review Required
+
+ Details and remediation +
+
Details

Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.

+
Resolution

1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredFS-32 +
ADVISORY: Source Attribution — Manual Review Required
+
+ Details and remediation +
+
Details

Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.

+
Resolution

1. Use Bedrock RetrieveAndGenerate with citations enabled. +2. Include source document references in response post-processing. +3. Test citation accuracy in QA before production deployment. +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-16Guardrail Tier Validation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.us-east-1FS-33 +
KB Data Source Buckets Without Versioning
+
+ Details and remediation +
+
Details

KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.

+
Resolution

Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.

+
Reference

+
+
+
Medium Failed
111122223333us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333 us-west-2BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.FS-33 +
KB Data Source Buckets Without Versioning
+
+ Details and remediation +
+
Details

KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.

+
Resolution

Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.

+
Reference

+
+
+
Medium Failed
111122223333us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumus-east-1FS-34 +
Legacy Foundation Models Available in Region
+
+ Details and remediation +
+
Details

Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.

+
Resolution

1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionFS-34 +
Legacy Foundation Models Available in Region
+
+ Details and remediation +
+
Details

Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.

+
Resolution

1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). +2. Migrate active usage to current model versions. +3. Document training-data cutoff dates for all models in use. +4. Add data-currency disclaimers to outputs from models with old cutoffs.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionus-east-1FS-35 +
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm content

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionFS-35 +
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation or FMEval with harmful content datasets: +- Toxicity detection +- Hate speech classification +- Violence/self-harm content

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/Aus-east-1FS-36 +
Guardrail Content Filters on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).

+
Resolution

Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.

+
Reference

+
+
+
HighPassed
111122223333 us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/AFS-36 +
Guardrail Content Filters on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).

+
Resolution

Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.

+
Reference

+
+
+
HighPassed
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionus-east-1FS-37 +
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation +
+
Details

User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighFS-37 +
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation +
+
Details

User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. +2. Route flagged outputs to human reviewers via SQS/SNS. +3. Log feedback to DynamoDB/S3 for model improvement. +4. Define SLAs for reviewing flagged content.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2BR-22Model Invocation Throttling Limits Check7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-west-2BR-23Guardrail Content Filter Coverage CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.HighFailed
111122223333us-west-2BR-24Automated Reasoning Policy Implementation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.us-east-1FS-38 +
No Guardrails With Word Filters
+
+ Details and remediation +
+
Details

Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.

+
Resolution

Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory language

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFS-38 +
No Guardrails With Word Filters
+
+ Details and remediation +
+
Details

Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.

+
Resolution

Add word filters to guardrails: +- Enable AWS managed profanity list +- Add custom denylist for prohibited financial terms +- Add allowlist for required regulatory language

+
Reference

+
+
+
Medium Failed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Lowus-east-1FS-39 +
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.

+
Resolution

1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.

+
Reference

+
+
+
High Failed
111122223333 us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFS-39 +
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.

+
Resolution

1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. +2. Define protected attributes (age, gender, race proxies). +3. Set bias metric thresholds and alert on violations. +4. Document bias testing results for regulatory examination.

+
Reference

+
+
+
High Failed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailedus-east-1FS-40 +
ADVISORY: Bias Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness tests

+
Reference

+
+
+
InformationalN/A
111122223333 us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailedFS-40 +
ADVISORY: Bias Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with bias test datasets: +- Demographic parity test cases +- Equal opportunity scenarios +- Counterfactual fairness tests

+
Reference

+
+
+
InformationalN/A
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.Lowus-east-1FS-41 +
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).

+
Resolution

1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.

+
Reference

+
+
+
High Failed
111122223333 us-west-2BR-26Guardrail Sensitive Information Filter CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.FS-41 +
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).

+
Resolution

1. Configure SageMaker Clarify explainability for credit/lending models. +2. Generate SHAP values for feature importance. +3. Map top features to human-readable adverse action reason codes. +4. Store explanations for regulatory examination.

+
Reference

+
+
+
High Failed
111122223333us-west-2BR-27Guardrail Contextual Grounding CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.us-east-1FS-42 +
No SageMaker Model Cards Found
+
+ Details and remediation +
+
Details

No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.

+
Resolution

1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsFS-42 +
No SageMaker Model Cards Found
+
+ Details and remediation +
+
Details

No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.

+
Resolution

1. Create SageMaker Model Cards for all production models. +2. Document: intended use, out-of-scope uses, training data, bias evaluations. +3. Include regulatory compliance attestations. +4. Review and update cards at each model version release.

+
Reference

+
+
+
MediumFailed
111122223333us-east-1FS-43 +
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation +
+
Details

No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.

+
Resolution

1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.

+
Reference

+
+
+
HighN/AFailed
111122223333 us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/AFS-43 +
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation +
+
Details

No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.

+
Resolution

1. Create CloudWatch Logs data protection policies to mask PII. +2. Enable masking for: SSN, credit card numbers, bank account numbers, email. +3. Apply policies to Bedrock invocation log groups. +4. Test masking with synthetic PII before production deployment.

+
Reference

+
+
+
HighFailed
111122223333us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysus-east-1FS-44 +
Amazon Macie Enabled
+
+ Details and remediation +
+
Details

Amazon Macie is enabled and scanning S3 buckets.

+
Resolution

Verify Macie jobs cover training data and KB data source buckets.

+
Reference

+
+
+
HighN/APassed
111122223333 us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/AFS-44 +
Amazon Macie Enabled
+
+ Details and remediation +
+
Details

Amazon Macie is enabled and scanning S3 buckets.

+
Resolution

Verify Macie jobs cover training data and KB data source buckets.

+
Reference

+
+
+
HighPassed
111122223333us-east-1FS-45 +
Guardrail PII Filters Configured
+
+ Details and remediation +
+
Details

Guardrails with PII filters: nist-ai-rmf-guardrail.

+
Resolution

No action required.

+
Reference

+
+
+
HighPassed
111122223333 us-west-2BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.FS-45 +
Guardrail PII Filters Configured
+
+ Details and remediation +
+
Details

Guardrails with PII filters: nist-ai-rmf-guardrail.

+
Resolution

No action required.

+
Reference

+
+
+
HighPassed
111122223333us-east-1FS-46 +
AI/ML Buckets Without Data Classification Tags
+
+ Details and remediation +
+
Details

18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.

+
Resolution

Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.FS-46 +
AI/ML Buckets Without Data Classification Tags
+
+ Details and remediation +
+
Details

18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.

+
Resolution

Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.

+
Reference

+
+
+
Medium Failed
111122223333us-east-1FS-47 +
Guardrail Grounding Thresholds Appropriate
+
+ Details and remediation +
+
Details

All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.

+
Resolution

No action required.

+
Reference

+
+
+
HighPassed
111122223333 us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.FS-47 +
Guardrail Grounding Thresholds Appropriate
+
+ Details and remediation +
+
Details

All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.

+
Resolution

No action required.

+
Reference

+
+
+
HighPassed
111122223333us-east-1FS-48 +
Active Knowledge Bases for RAG Present
+
+ Details and remediation +
+
Details

Found 3 active Knowledge Base(s) for RAG grounding.

+
Resolution

No action required.

+
Reference

+
+
+
Medium Passed
111122223333 us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.FS-48 +
Active Knowledge Bases for RAG Present
+
+ Details and remediation +
+
Details

Found 3 active Knowledge Base(s) for RAG grounding.

+
Resolution

No action required.

+
Reference

+
+
+
MediumFailedPassed
111122223333us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.us-east-1FS-49 +
ADVISORY: Hallucination Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.FS-49 +
ADVISORY: Hallucination Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' +2. Implement post-processing to append disclaimers. +3. Test disclaimer presence in QA before production.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.Lowus-east-1FS-50 +
Relevance Grounding Filters Present
+
+ Details and remediation +
+
Details

Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.

+
Resolution

No action required.

+
Reference

+
+
+
Medium Passed
111122223333 us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.HighFailedFS-50 +
Relevance Grounding Filters Present
+
+ Details and remediation +
+
Details

Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.

+
Resolution

No action required.

+
Reference

+
+
+
MediumPassed
111122223333us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required.Mediumus-east-1FS-51 +
No Guardrails With Prompt Attack Filters
+
+ Details and remediation +
+
Details

Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.

+
Resolution

1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.

+
Reference

+
+
+
High Failed
111122223333 us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.FS-51 +
No Guardrails With Prompt Attack Filters
+
+ Details and remediation +
+
Details

Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.

+
Resolution

1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. +2. Set input filter strength to HIGH. +3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. +4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. +5. Implement application-level input sanitization as defense-in-depth.

+
Reference

+
+
+
High Failed
111122223333us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.us-east-1FS-52 +
Bedrock Lambda Functions on Deprecated Runtimes
+
+ Details and remediation +
+
Details

Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.

+
Resolution

1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. +2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). +3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). +4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/AFS-52 +
Bedrock Lambda Functions on Deprecated Runtimes
+
+ Details and remediation +
+
Details

Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.

+
Resolution

1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. +2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). +3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). +4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.

+
Reference

+
+
+
MediumFailed
111122223333us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.us-east-1FS-53 +
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF Web ACLs with injection protection rules (see FS-01).

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
111122223333sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredFS-53 +
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF Web ACLs with injection protection rules (see FS-01).

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredus-east-1FS-54 +
ADVISORY: Penetration Testing — Manual Review Required
+
+ Details and remediation +
+
Details

Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.

+
Resolution

1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredus-west-2FS-54 +
ADVISORY: Penetration Testing — Manual Review Required
+
+ Details and remediation +
+
Details

Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.

+
Resolution

1. Conduct penetration testing of GenAI applications at least annually and before major releases. +2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. +3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. +4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/Aus-east-1FS-55 +
No Output Validation Functions Found
+
+ Details and remediation +
+
Details

No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.

+
Resolution

1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/Aus-west-2FS-55 +
No Output Validation Functions Found
+
+ Details and remediation +
+
Details

No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.

+
Resolution

1. Implement output validation Lambda functions in GenAI pipelines. +2. Validate output schema, length, and content before downstream use. +3. Sanitize outputs before rendering in web UIs (XSS prevention). +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredus-east-1FS-56 +
No WAF ACLs — XSS Prevention Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF ACLs with XSS prevention rules.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredus-west-2FS-56 +
No WAF ACLs — XSS Prevention Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF ACLs with XSS prevention rules.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesus-east-1FS-57 +
ADVISORY: Output Encoding — Manual Review Required
+
+ Details and remediation +
+
Details

Output encoding practices cannot be verified via AWS APIs. Manual code review required.

+
Resolution

1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredus-west-2FS-57 +
ADVISORY: Output Encoding — Manual Review Required
+
+ Details and remediation +
+
Details

Output encoding practices cannot be verified via AWS APIs. Manual code review required.

+
Resolution

1. HTML-encode GenAI outputs before rendering in web UIs. +2. Use parameterized queries when GenAI output is used in database operations. +3. JSON-encode outputs before embedding in JavaScript contexts. +4. Validate output length and format before passing to downstream APIs.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionus-east-1FS-58 +
ADVISORY: Output Schema Validation — Manual Review Required
+
+ Details and remediation +
+
Details

Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.

+
Resolution

1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredus-west-2FS-58 +
ADVISORY: Output Schema Validation — Manual Review Required
+
+ Details and remediation +
+
Details

Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.

+
Resolution

1. Use Bedrock structured output (response schemas) where supported. +2. Implement JSON schema validation on Lambda output processors. +3. Reject malformed outputs and return safe error responses. +4. Log schema validation failures to CloudWatch for monitoring.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionus-east-1FS-59 +
Topic Restrictions Configured on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.

+
Resolution

For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).

+
Reference

+
+
+
MediumN/APassed
111122223333sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/Aus-west-2FS-59 +
Topic Restrictions Configured on CLASSIC Tier
+
+ Details and remediation +
+
Details

Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.

+
Resolution

For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).

+
Reference

+
+
+
MediumPassed
111122223333sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredus-east-1FS-60 +
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation +
+
Details

Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.

+
Resolution

1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumus-west-2FS-60 +
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation +
+
Details

Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.

+
Resolution

1. Include explicit scope instructions in system prompts. +2. Use Bedrock Guardrails relevance grounding filter. +3. Test with off-topic prompts in QA to verify rejection behavior.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/Aus-east-1FS-61 +
No Automated KB Sync Schedules Detected
+
+ Details and remediation +
+
Details

Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.

+
Resolution

1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/Aus-west-2FS-61 +
No Automated KB Sync Schedules Detected
+
+ Details and remediation +
+
Details

Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.

+
Resolution

1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. +2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. +3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredus-east-1FS-62 +
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Data currency disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighus-west-2FS-62 +
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Data currency disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' +2. Expose KB last sync timestamp in application responses. +3. Alert users when KB data is older than defined threshold.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesus-east-1FS-63 +
Foundation Model Lifecycle Management
+
+ Details and remediation +
+
Details

No legacy models detected. 10 lifecycle-related Config rule(s) found.

+
Resolution

No action required.

+
Reference

+
+
+
MediumN/APassed
111122223333sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/Aus-west-2FS-63 +
Foundation Model Lifecycle Management
+
+ Details and remediation +
+
Details

No legacy models detected. 10 lifecycle-related Config rule(s) found.

+
Resolution

No action required.

+
Reference

+
+
+
MediumPassed
111122223333sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/Aus-east-1FS-65 +
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation +
+
Details

The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- semiconductor-demo-9999 +- 111122223333-us-east-1-kb-data-bucket

+
Resolution

1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsus-west-2FS-65 +
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation +
+
Details

The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- semiconductor-demo-9999 +- 111122223333-us-east-1-kb-data-bucket

+
Resolution

1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. +2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. +3. Integrate alerts into your security incident response workflow.

+
Reference

+
+
+
MediumN/AFailed
111122223333sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsus-east-1FS-66 +
AgentCore Runtimes Missing End-User Identity Propagation
+
+ Details and remediation +
+
Details

The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: +- origami_expeditions +- neoCyan_Agent +- customer_support_agent +- cdk_agent_core +- awsapimcpserver

+
Resolution

1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. +2. Propagate the end-user's identity token to downstream tool services. +3. Ensure tool services validate the propagated identity before executing actions. +4. Do not expose propagated identity tokens to unauthorized third parties.

+
Reference

+
+
+
HighN/AFailed
111122223333sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/Aus-west-2FS-66 +
AgentCore Runtimes Missing End-User Identity Propagation
+
+ Details and remediation +
+
Details

The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: +- origami_expeditions +- neoCyan_Agent +- customer_support_agent +- cdk_agent_core +- awsapimcpserver

+
Resolution

1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. +2. Propagate the end-user's identity token to downstream tool services. +3. Ensure tool services validate the propagated identity before executing actions. +4. Do not expose propagated identity tokens to unauthorized third parties.

+
Reference

+
+
+
HighFailed
111122223333sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/Aus-east-1FS-67 +
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation +
+
Details

The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment +- resco-aiml-BedrockAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment +- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk +- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII +- resco-aiml-AgentCoreAssessment

+
Resolution

1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.

+
Reference

+
+
+
HighFailed
111122223333sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputus-west-2FS-67 +
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation +
+
Details

The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-111122223333-FinServAssessment +- aiml-security-aiml-security-111122223333-BedrockAssessment +- resco-aiml-BedrockAssessment +- aiml-security-aiml-security-111122223333-AgentCoreAssessment +- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk +- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII +- resco-aiml-AgentCoreAssessment

+
Resolution

1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.

+
Reference

+
+
+
HighFailed
111122223333us-east-1FS-68 +
API Gateway Request Body Size Limits Not Enforced
+
+ Details and remediation +
+
Details

Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.

+
Resolution

1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. +2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. +3. Set the max_tokens parameter in Bedrock API calls to cap output length. +4. Implement client-side token counting before submitting requests.

+
Reference

+
+
+
MediumN/AFailed
111122223333sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/Aus-west-2FS-68 +
API Gateway Request Body Size Limits Not Enforced
+
+ Details and remediation +
+
Details

Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.

+
Resolution

1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. +2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. +3. Set the max_tokens parameter in Bedrock API calls to cap output length. +4. Implement client-side token counting before submitting requests.

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/Aus-east-1FS-69 +
Prompt Input Validation Functions Present
+
+ Details and remediation +
+
Details

Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.

+
Resolution

Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.

+
Reference

+
+
+
MediumPassed
111122223333sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.us-west-2FS-69 +
Prompt Input Validation Functions Present
+
+ Details and remediation +
+
Details

Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.

+
Resolution

Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.

+
Reference

+
+
+
MediumPassed
111122223333eu-west-1FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.eu-west-1BR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.eu-west-1BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.eu-west-1BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.eu-west-1BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.eu-west-1BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.eu-west-1BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.eu-west-1BR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.eu-west-1BR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.eu-west-1BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.eu-west-1BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.eu-west-1BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHighFailedeu-west-1BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
MediumN/A
111122223333GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNseu-west-1BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
HighFailed
111122223333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailedN/A
111122223333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Review and remove unused AgentCore permissions following least privilege principleeu-west-1BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.eu-west-1BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
MediumFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailedN/A
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)eu-west-1BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
HighFailedN/A
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)eu-west-1BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
HighFailedN/A
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailedeu-west-1BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)eu-west-1BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
HighFailedN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingeu-west-1BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
MediumFailedN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailedeu-west-1BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
LowN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailedeu-west-1BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
HighN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysiseu-west-1BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
MediumFailedN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailedeu-west-1BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
HighN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailedeu-west-1BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
LowN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailedeu-west-1BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.

+
Resolution

Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.

+
Reference

+
+
+
LowN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysiseu-west-1BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
MediumFailedN/A
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailedeu-west-1BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailedeu-west-1AG-07 +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailedeu-west-1AG-08 +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailedeu-west-1AG-10 +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedeu-west-1AG-11 +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedeu-west-1AG-06 +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedeu-west-1AG-12 +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedeu-west-1AG-02 +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailedeu-west-1AG-04 +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailedeu-west-1AG-03 +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailedeu-west-1AG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailedeu-west-1AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-13AgentCore Gateway Configuration CheckFound 2 Gateway resourcesNo action requiredMediumPassedeu-west-1AG-13 +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: -1. com.amazonaws.region.bedrock-agentcore -2. com.amazonaws.region.bedrock-agentcore-control -3. com.amazonaws.region.bedrock-agentcore-runtime -This enables private connectivity via AWS PrivateLinkeu-west-1AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
InformationalN/A
111122223333GlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
High Failed
111122223333us-east-1AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: -1. Implement defense-in-depth access control -2. Enable cross-account access control -3. Restrict access based on source VPC or IP -4. Implement hierarchical authorization for Agent RuntimesGlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
High Failed
111122223333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/AGlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
HighFailed
111122223333us-east-1AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control -2. AWS-managed keys are single-tenant and region-specific -3. Consider CMK for enhanced audit capabilities and key rotation controlLowGlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
High Failed
111122223333us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) uses authorizerType CUSTOM_JWT.No action requiredGlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
HighPassedFailed
111122223333us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.GlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
High Failed
111122223333us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.No action requiredMediumPassedGlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
HighFailed
111122223333 us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowSM-01 +
Non-VPC Only Network Access
+
+ Details and remediation +
+
Details

SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access

+
Resolution

Configure the SageMaker domain to use VPC-only network access type

+
Reference

+
+
+
High Failed
111122223333 us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) uses authorizerType CUSTOM_JWT.No action requiredHighPassedSM-02 +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.SM-03 +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
High Failed
111122223333 us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.No action requiredSM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333 us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailedSM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
InformationalN/A
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailedus-east-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
InformationalN/A
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailedus-east-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
InformationalN/A
111122223333GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Remove or restrict stale AgentCore permissions for principals that no longer need access.us-east-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
111122223333 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedSM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedSM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedSM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedSM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedSM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedSM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailedSM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
InformationalN/A
111122223333 us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumFailedPassed
111122223333 us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailedSM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
111122223333 us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create required VPC endpoints for AgentCore services and validate endpoint availability.SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
InformationalN/A
111122223333GlobalAC-02 +
AgentCore IAM Full Access Policy
+
+ Details and remediation +
+
Details

The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161

+
Resolution

Replace with least-privilege policies scoped to specific AgentCore resources and actions

+
Reference

+
+
+
High Failed
111122223333us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.GlobalAC-02 +
AgentCore IAM Wildcard Permissions
+
+ Details and remediation +
+
Details

The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role

+
Resolution

Scope permissions to specific AgentCore resources using resource ARNs

+
Reference

+
+
+
High Failed
111122223333us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.GlobalAC-03 +
AgentCore Stale Access
+
+ Details and remediation +
+
Details

The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (200 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (200 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (200 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
MediumFailed
111122223333GlobalAC-03 +
AgentCore Unused Permissions
+
+ Details and remediation +
+
Details

The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
Informational N/A
111122223333us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowGlobalAC-09 +
AgentCore Service-Linked Role Missing
+
+ Details and remediation +
+
Details

Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.

+
Resolution

The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.

+
Reference

+
+
+
Medium Failed
111122223333sa-east-1us-east-1 AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A +
AgentCore Runtime VPC Configuration
+
+ Details and remediation +
+
Details

Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)

+
Reference

+
+
+
HighFailed
111122223333sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/Aus-east-1AC-01 +
AgentCore Runtime VPC Configuration
+
+ Details and remediation +
+
Details

Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)

+
Reference

+
+
+
HighFailed
111122223333sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/Aus-east-1AC-01 +
AgentCore Runtime VPC Configuration
+
+ Details and remediation +
+
Details

Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)

+
Reference

+
+
+
HighFailed
111122223333sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/Aus-east-1AC-01 +
AgentCore Runtime VPC Configuration
+
+ Details and remediation +
+
Details

Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)

+
Reference

+
+
+
HighFailed
111122223333sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/Aus-east-1AC-01 +
AgentCore Runtime VPC Configuration
+
+ Details and remediation +
+
Details

Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)

+
Reference

+
+
+
HighFailed
111122223333sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation +
+
Details

Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs for monitoring and troubleshooting

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation +
+
Details

Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled

+
Resolution

Enable X-Ray tracing for distributed tracing and performance analysis

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation +
+
Details

Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs for monitoring and troubleshooting

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation +
+
Details

Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled

+
Resolution

Enable X-Ray tracing for distributed tracing and performance analysis

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation +
+
Details

Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs for monitoring and troubleshooting

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation +
+
Details

Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled

+
Resolution

Enable X-Ray tracing for distributed tracing and performance analysis

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation +
+
Details

Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs for monitoring and troubleshooting

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1AC-04 +
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation +
+
Details

Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled

+
Resolution

Enable X-Ray tracing for distributed tracing and performance analysis

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/Aus-east-1AC-04 +
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation +
+
Details

Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs for monitoring and troubleshooting

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/Aus-east-1AC-04 +
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation +
+
Details

Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled

+
Resolution

Enable X-Ray tracing for distributed tracing and performance analysis

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/Aus-east-1AC-05 +
AgentCore ECR Repository AWS-Managed Keys
+
+ Details and remediation +
+
Details

ECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keys

+
Resolution

Consider using customer-managed KMS keys for better control and audit capabilities

+
Reference

+
+
+
LowFailed
111122223333sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/Aus-east-1AC-05 +
AgentCore ECR Repository AWS-Managed Keys
+
+ Details and remediation +
+
Details

ECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keys

+
Resolution

Consider using customer-managed KMS keys for better control and audit capabilities

+
Reference

+
+
+
LowFailed
111122223333sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/Aus-east-1AC-06 +
AgentCore Runtime Storage Configuration
+
+ Details and remediation +
+
Details

Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools

+
Resolution

Configure S3 storage for browser tool session recordings and artifacts

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/Aus-east-1AC-06 +
AgentCore Runtime Storage Configuration
+
+ Details and remediation +
+
Details

Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools

+
Resolution

Configure S3 storage for browser tool session recordings and artifacts

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/Aus-east-1AC-06 +
AgentCore Runtime Storage Configuration
+
+ Details and remediation +
+
Details

Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools

+
Resolution

Configure S3 storage for browser tool session recordings and artifacts

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/Aus-east-1AC-06 +
AgentCore Runtime Storage Configuration
+
+ Details and remediation +
+
Details

Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools

+
Resolution

Configure S3 storage for browser tool session recordings and artifacts

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredus-east-1AC-06 +
AgentCore Runtime Storage Configuration
+
+ Details and remediation +
+
Details

Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools

+
Resolution

Configure S3 storage for browser tool session recordings and artifacts

+
Reference

+
+
+
MediumPassedFailed
111122223333ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/Aus-east-1AC-07 +
AgentCore Memory Encryption
+
+ Details and remediation +
+
Details

Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured

+
Resolution

Enable encryption with customer-managed KMS keys

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredus-east-1AC-07 +
AgentCore Memory Encryption
+
+ Details and remediation +
+
Details

Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured

+
Resolution

Enable encryption with customer-managed KMS keys

+
Reference

+
+
+
MediumPassedFailed
111122223333ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/Aus-east-1AC-07 +
AgentCore Memory Encryption
+
+ Details and remediation +
+
Details

Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured

+
Resolution

Enable encryption with customer-managed KMS keys

+
Reference

+
+
+
MediumFailed
111122223333ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/Aus-east-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

Found 2 Gateway resources

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/Aus-east-1AC-08 +
AgentCore VPC Endpoints Missing
+
+ Details and remediation +
+
Details

No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.

+
Resolution

Create VPC interface endpoints for AgentCore services: +1. com.amazonaws.region.bedrock-agentcore +2. com.amazonaws.region.bedrock-agentcore-control +3. com.amazonaws.region.bedrock-agentcore-runtime +This enables private connectivity via AWS PrivateLink

+
Reference

+
+
+
HighFailed
111122223333ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/Aus-east-1AC-10 +
AgentCore Resource-Based Policies Missing
+
+ Details and remediation +
+
Details

The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.

+
Resolution

Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent Runtimes

+
Reference

+
+
+
HighFailed
111122223333ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesus-east-1AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/Aus-east-1AC-12 +
AgentCore Gateway Encryption Missing
+
+ Details and remediation +
+
Details

The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.

+
Resolution

1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation control

+
Reference

+
+
+
LowFailed
111122223333ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/Aus-east-1AG-24 +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) uses authorizerType CUSTOM_JWT.

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
111122223333ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/Aus-east-1AG-25 +
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation +
+
Details

Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.

+
Resolution

Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/Aus-east-1AG-26 +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/Aus-east-1AG-27 +
Agentic AI Gateway WAF Protection Missing
+
+ Details and remediation +
+
Details

Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.

+
Resolution

Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.

+
Reference

+
+
+
LowFailed
111122223333ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/Aus-east-1AG-24 +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) uses authorizerType CUSTOM_JWT.

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
111122223333ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/Aus-east-1AG-25 +
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation +
+
Details

Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.

+
Resolution

Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.

+
Reference

+
+
+
HighFailed
111122223333ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredus-east-1AG-26 +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredus-east-1AG-27 +
Agentic AI Gateway WAF Protection Missing
+
+ Details and remediation +
+
Details

Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.

+
Resolution

Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.

+
Reference

+
+
+
LowPassed
111122223333ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/AFailed
111122223333 GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeAG-16 +
Agentic AI AgentCore Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161

+
Resolution

Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.

+
Reference

+
+
+
High Failed
111122223333 GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeAG-16 +
Agentic AI AgentCore Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role

+
Resolution

Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.

+
Reference

+
+
+
High Failed
111122223333 GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighAG-17 +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (200 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (200 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (200 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
Medium Failed
111122223333 GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeAG-17 +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
High Failed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeus-east-1AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
High Failed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeus-east-1AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
High Failed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeus-east-1AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
High Failed
111122223333 us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeAG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
High Failed
111122223333 us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.AG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1SM-03Missing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Medium Failed
111122223333 us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumPassedFailed
111122223333 us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/AAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/AAG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/AAG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/AAG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
MediumFailed
111122223333 us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/AAG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
HighFailed
111122223333 us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/AAG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
HighFailed
111122223333 us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
111122223333us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333 us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredAG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
LowPassed
111122223333us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/AFailed
111122223333 us-west-2 SM-01Non-VPC Only Network AccessSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access type +
Non-VPC Only Network Access
+
+ Details and remediation +
+
Details

SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access

+
Resolution

Configure the SageMaker domain to use VPC-only network access type

+
Reference

+
+
+
High Failed
111122223333 us-west-2 SM-02SSO Not Properly ConfiguredSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured. +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
Medium Failed
111122223333 us-west-2 SM-03Missing Encryption ConfigurationDomain 'PromptEvaluationDomain' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced security +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Domain 'PromptEvaluationDomain' - No KMS key configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
High Failed
111122223333 us-west-2 SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action required +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333 us-west-2 SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and production +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detection +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedules +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflows +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action required +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action required +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-11SageMaker Model Network Isolation CheckNo models foundNo action required +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action required +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action required +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action required +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action required +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action required +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action required +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action required +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action required +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action required +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action required +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment. +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333 us-west-2 SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action required +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333 us-west-2 SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action required +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
Low Passed
111122223333 us-west-2 SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredSM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/ASM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333 eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredSM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/ASM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333 eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesSM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredSM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredSM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesSM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredSM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionSM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredSM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumSM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighSM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredSM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumSM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighSM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighSM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredSM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighSM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumSM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowSM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumSM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredSM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333 eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/ASM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333 eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/ASM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
111122223333 eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.us-west-2AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.us-west-2AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.us-west-2AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-west-2AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.us-west-2AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/Aus-west-2AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

Found 1 Gateway resources

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.us-west-2AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/Aus-west-2AC-10 +
AgentCore Resource-Based Policies Missing
+
+ Details and remediation +
+
Details

The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.

+
Resolution

Attach resource-based policies to AgentCore resources to: +1. Implement defense-in-depth access control +2. Enable cross-account access control +3. Restrict access based on source VPC or IP +4. Implement hierarchical authorization for Agent Runtimes

+
Reference

+
+
+
HighFailed
111122223333eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.us-west-2AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/Aus-west-2AC-12 +
AgentCore Gateway Encryption Missing
+
+ Details and remediation +
+
Details

The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.

+
Resolution

1. Create gateways with customer-managed KMS keys for additional control +2. AWS-managed keys are single-tenant and region-specific +3. Consider CMK for enhanced audit capabilities and key rotation control

+
Reference

+
+
+
LowFailed
111122223333sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumus-west-2AG-24 +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) uses authorizerType CUSTOM_JWT.

+
Resolution

No action required

+
Reference

+
+
+
High Passed
111122223333sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/Aus-west-2AG-25 +
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation +
+
Details

Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.

+
Resolution

Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.

+
Reference

+
+
+
HighFailed
111122223333sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredus-west-2AG-26 +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/Aus-west-2AG-27 +
Agentic AI Gateway WAF Protection Missing
+
+ Details and remediation +
+
Details

Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.

+
Resolution

Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.

+
Reference

+
+
+
LowFailed
111122223333sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentus-west-2AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionus-west-2AG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesus-west-2AG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsus-west-2AG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/Aus-west-2AG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
HighFailed
111122223333sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredus-west-2AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/Aus-west-2AG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
LowFailed
111122223333sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/Aus-west-2BR-02 +
Amazon Bedrock private connectivity not used
+
+ Details and remediation +
+
Details

No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc

+
Resolution

Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: +- com.amazonaws.region.bedrock +- com.amazonaws.region.bedrock-runtime +- com.amazonaws.region.bedrock-agent +- com.amazonaws.region.bedrock-agent-runtime

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/Aus-west-2BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

Model invocation logging is not enabled. This limits your ability to track and audit model usage.

+
Resolution

Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.

+
Reference

+
+
+
MediumFailed
111122223333sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/Aus-west-2BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

Amazon Bedrock Guardrails are properly configured with 1 guardrails

+
Resolution

No action required. Continue monitoring and updating guardrails as needed.

+
Reference

+
+
+
HighPassed
111122223333sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/Aus-west-2BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

No action required. Continue monitoring CloudTrail logs for Bedrock activity.

+
Reference

+
+
+
MediumPassed
111122223333sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredus-west-2BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredus-west-2BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredus-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredus-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredus-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredus-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.us-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.us-west-2BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/Aus-west-2BR-10 +
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation +
+
Details

The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...

+
Resolution

Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}

+
Reference

+
+
+
HighFailed
111122223333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredus-west-2BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredus-west-2BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredus-west-2BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/Aus-west-2BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.

+
Resolution

Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalus-west-2BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/Aus-west-2BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalus-west-2BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
111122223333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredus-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.Informationalus-west-2BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
High N/A
111122223333eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/Aus-west-2BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Continue monitoring quota utilization. Review and adjust quotas as application requirements change.

+
Reference

+
+
+
LowPassed
111122223333eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/Aus-west-2BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: VIOLENCE, SEXUAL, HATE, INSULTS. Complete content filter coverage is essential for comprehensive content safety.

+
Resolution

Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.

+
Reference

+
+
+
HighFailed
111122223333eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/Aus-west-2BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.

+
Resolution

Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.Informationalus-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
LowFailed
111122223333us-west-2BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.

+
Resolution

Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.

+
Reference

+
+
+
HighFailed
111122223333us-west-2BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.

+
Resolution

Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.

+
Reference

+
+
+
MediumFailed
111122223333us-west-2BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
111122223333eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.Informationalus-west-2BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
111122223333eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.Informationalus-west-2BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalus-west-2BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
111122223333eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredus-west-2BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.

+
Reference

+
+
+
MediumPassedFailed
111122223333eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/Aus-west-2AG-07 +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredus-west-2AG-08 +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Medium Passed
111122223333eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/Aus-west-2AG-10 +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionus-west-2AG-11 +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentus-west-2AG-06 +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/Aus-west-2AG-12 +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
LowPassed
111122223333eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/Aus-west-2AG-02 +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: VIOLENCE, SEXUAL, HATE, INSULTS. Complete content filter coverage is essential for comprehensive content safety.

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
HighFailed
111122223333eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/Aus-west-2AG-04 +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
MediumFailed
111122223333eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/Aus-west-2AG-03 +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
HighFailed
111122223333eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredus-west-2AG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
MediumFailed
111122223333us-west-2AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredus-west-2AG-13 +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
MediumFailed
444455556666 eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredAC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredAC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredAC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredAC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredAC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredAC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredAC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredAC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredAC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredAC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.AG-24 +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassedAG-25 +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassedAG-26 +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.AG-27 +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
444455556666eu-west-1AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
InformationalN/A
111122223333us-west-2FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
444455556666eu-west-1AG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.MediumFailed
444455556666eu-west-1AG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
InformationalN/A
111122223333us-west-2FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.MediumFailed
444455556666eu-west-1AG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
444455556666eu-west-1AG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
InformationalN/A
111122223333us-west-2FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
444455556666eu-west-1AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
444455556666eu-west-1AG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
111122223333us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailedBR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
111122223333us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFMediumFailedBR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFMediumFailed
111122223333us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailedBR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
111122223333us-east-1FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
111122223333us-east-1FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed
111122223333us-west-2FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed
111122223333us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-west-2FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333us-west-2FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailed
111122223333us-west-2FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailed
111122223333us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333us-west-2FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333us-east-1FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333us-west-2FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333us-east-1FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333us-west-2FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333us-west-2FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333us-east-1FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-west-2FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-east-1FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-west-2FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-east-1FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
111122223333us-west-2FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.HighFailed
111122223333us-east-1FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Admin' allows '*' -- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-west-2FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Admin' allows '*' -- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-west-2FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333us-west-2FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
111122223333us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333us-west-2FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333us-east-1FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111122223333us-west-2FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111122223333us-east-1FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). -2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). -3. Set confidenceThreshold on the policy to control strictness. -4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333us-west-2FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). -2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). -3. Set confidenceThreshold on the policy to control strictness. -4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333us-east-1FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-west-2FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
111122223333us-west-2FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
111122223333us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge casesInformationalN/A
111122223333us-west-2FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge casesInformationalN/A
111122223333us-east-1FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago -- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-west-2FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago -- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333us-west-2FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333us-east-1FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-west-2FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-west-2FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentInformationalN/A
111122223333us-west-2FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentInformationalN/A
111122223333us-east-1FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-west-2FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.InformationalN/A
111122223333us-west-2FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.InformationalN/A
111122223333us-east-1FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: -- Enable AWS managed profanity list -- Add custom denylist for prohibited financial terms -- Add allowlist for required regulatory languageMediumFailed
111122223333us-west-2FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: -- Enable AWS managed profanity list -- Add custom denylist for prohibited financial terms -- Add allowlist for required regulatory languageMediumFailed
111122223333us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailed
111122223333us-west-2FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailed
111122223333us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalN/A
111122223333us-west-2FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalN/A
111122223333us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.HighFailed
111122223333us-west-2FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.HighFailed
111122223333us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.MediumFailed
111122223333us-west-2FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.MediumFailed
111122223333us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.HighFailed
111122223333us-west-2FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.HighFailed
111122223333us-east-1FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333us-west-2FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333us-east-1FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111122223333us-west-2FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111122223333us-east-1FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333us-west-2FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333us-east-1FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-west-2FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-east-1FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333us-west-2FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.InformationalN/A
111122223333us-west-2FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.InformationalN/A
111122223333us-east-1FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111122223333us-west-2FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111122223333us-east-1FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. -2. Set input filter strength to HIGH. -3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. -4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. -5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-west-2FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. -2. Set input filter strength to HIGH. -3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. -4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. -5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-east-1FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. -2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). -3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). -4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333us-west-2FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. -2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). -3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). -4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333us-west-2FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333us-west-2FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
111122223333us-west-2FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
111122223333us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-west-2FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.InformationalN/A
111122223333us-west-2FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.InformationalN/A
111122223333us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333us-west-2FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333us-east-1FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-west-2FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
111122223333us-west-2FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
111122223333us-east-1FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. -2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. -3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-west-2FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. -2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. -3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.InformationalN/A
111122223333us-west-2FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.InformationalN/A
111122223333us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333us-west-2FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- semiconductor-demo-9999 -- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-west-2FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- semiconductor-demo-9999 -- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-east-1FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: -- origami_expeditions -- neoCyan_Agent -- customer_support_agent -- cdk_agent_core -- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. -2. Propagate the end-user's identity token to downstream tool services. -3. Ensure tool services validate the propagated identity before executing actions. -4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
111122223333us-west-2FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: -- origami_expeditions -- neoCyan_Agent -- customer_support_agent -- cdk_agent_core -- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. -2. Propagate the end-user's identity token to downstream tool services. -3. Ensure tool services validate the propagated identity before executing actions. -4. Do not expose propagated identity tokens to unauthorized third parties.HighFailed
111122223333us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111122223333-FinServAssessment -- aiml-security-aiml-security-111122223333-BedrockAssessment -- resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111122223333-AgentCoreAssessment -- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk -- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII -- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
111122223333us-west-2FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111122223333-FinServAssessment -- aiml-security-aiml-security-111122223333-BedrockAssessment -- resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111122223333-AgentCoreAssessment -- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk -- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII -- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
111122223333us-east-1FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. -2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. -3. Set the max_tokens parameter in Bedrock API calls to cap output length. -4. Implement client-side token counting before submitting requests.MediumFailed
111122223333us-west-2FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. -2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. -3. Set the max_tokens parameter in Bedrock API calls to cap output length. -4. Implement client-side token counting before submitting requests.MediumFailed
111122223333us-east-1FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
111122223333us-west-2FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
111122223333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
444455556666GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription accessNo action requiredMediumPassed
444455556666us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
444455556666us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.InformationalN/A
444455556666us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
444455556666GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
444455556666GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
444455556666GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
444455556666us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighPassed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.MediumFailed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
444455556666us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
444455556666eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
444455556666eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
444455556666eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
444455556666eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
444455556666us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
444455556666sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
444455556666us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
444455556666us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
444455556666us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
444455556666us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
444455556666us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
444455556666us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
444455556666us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
444455556666us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
444455556666us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
444455556666us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
444455556666us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
777788889999us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.MediumFailed
777788889999us-east-1FS-02No API Gateway Usage Plans FoundNo usage plans configured. GenAI API endpoints may have no rate limits.Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.InformationalN/A
777788889999us-east-1FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
777788889999us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
777788889999us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFMediumFailed
777788889999us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
777788889999us-east-1FS-07Agent Action Boundaries Look AppropriateReviewed 1 agent(s); no wildcard sensitive actions found.No action required.HighPassed
777788889999us-east-1FS-08No AgentCore Runtimes FoundNo AgentCore runtimes found; policy engine check not applicable.If using AgentCore, configure the Policy Engine to authorize tool calls.InformationalN/A
777788889999us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-sec-test-resources-SageMakerJobCustomResource-ZA5QCAi0pN3d, AIMLSecurityAssessment-CodeBuildStartBuildLambda-VYOqtzWoNo3m, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, aiml-security-aiml-security-mgmt-IAMPermissionCaching, aiml-security-aiml-security-mgmt-AgentCoreAssessment, aiml-security-aiml-security-mgmt-BedrockAssessment, aiml-security-aiml-security-mgmt-ResolveRegions. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
777788889999us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
777788889999us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailed
777788889999us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
777788889999us-east-1FS-13Models Missing Provenance Tags2 model(s) missing required provenance tags: -- SageMaker model 'SageMakerModelWithIsolation-JASFpUHjajdk' missing tags: {'version', 'approval-date', 'source'} -- SageMaker model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' missing tags: {'version', 'approval-date', 'source'}Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.MediumFailed
777788889999us-east-1FS-14Model Governance Config Rules PresentFound 13 model-related Config rule(s).No action required.MediumPassed
777788889999us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.MediumFailed
777788889999us-east-1FS-16ECR Repositories Without Image Scanning2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
777788889999us-east-1FS-20Feature Groups Without Offline Store1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.1. Enable offline store (S3-backed) for all production feature groups. -2. Enable S3 versioning on the offline store bucket. -3. Document rollback procedures for poisoned feature data.MediumFailed
777788889999us-east-1FS-21Training Data Buckets Have VersioningAll 2 training bucket(s) have versioning enabled.No action required.HighPassed
777788889999us-east-1FS-22Overly Permissive Knowledge Base IAM Roles823 role(s) with wildcard KB permissions: -- Role 'Admin' allows '*' -- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*' -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
777788889999us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
777788889999us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 1 encryption policy(ies); 1 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed
777788889999us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
777788889999us-east-1FS-27COULD NOT ASSESS: Guardrail Contextual Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). -2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). -3. Set confidenceThreshold on the policy to control strictness. -4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
777788889999us-east-1FS-28COULD NOT ASSESS: Financial Denied Topics CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.InformationalN/A
777788889999us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge casesInformationalN/A
777788889999us-east-1FS-31Knowledge Base Data Sources Past Review Threshold1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.MediumFailed
777788889999us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
777788889999us-east-1FS-33KB Data Source Buckets Have VersioningAll reviewed KB data source buckets have versioning enabled.No action required.MediumPassed
777788889999us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
777788889999us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentInformationalN/A
777788889999us-east-1FS-36COULD NOT ASSESS: Guardrail Content Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.InformationalN/A
777788889999us-east-1FS-38COULD NOT ASSESS: Guardrail Word Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailed
777788889999us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalN/A
777788889999us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.HighFailed
777788889999us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.MediumFailed
777788889999us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.HighFailed
777788889999us-east-1FS-44Amazon Macie Not EnabledAmazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.1. Enable Amazon Macie in all regions where AI/ML data is stored. -2. Create Macie classification jobs for training data and KB buckets. -3. Configure Macie findings to route to Security Hub and SNS. -4. Remediate PII findings before using data for model training.HighFailed
777788889999us-east-1FS-45COULD NOT ASSESS: Guardrail PII Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-46AI/ML Buckets Without Data Classification Tags3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
777788889999us-east-1FS-47COULD NOT ASSESS: Guardrail Grounding Threshold CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-48Active Knowledge Bases for RAG PresentFound 1 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
777788889999us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.InformationalN/A
777788889999us-east-1FS-50COULD NOT ASSESS: Guardrail Relevance Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-51COULD NOT ASSESS: Prompt Injection Input Validation CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-52Bedrock Lambda Functions on Current RuntimesAll 10 Bedrock Lambda function(s) use current runtimes.No action required.MediumPassed
777788889999us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
777788889999us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
777788889999us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
777788889999us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
777788889999us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.InformationalN/A
777788889999us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
777788889999us-east-1FS-59COULD NOT ASSESS: Guardrail Topic Allowlist CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowN/A
777788889999us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.InformationalN/A
777788889999us-east-1FS-61No Automated KB Sync Schedules DetectedFound 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. -2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. -3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
777788889999us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.InformationalN/A
777788889999us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 11 lifecycle-related Config rule(s) found.No action required.MediumPassed
777788889999us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
777788889999us-east-1FS-66No AgentCore Runtimes FoundNo AgentCore runtimes found; identity propagation check not applicable.If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.InformationalN/A
777788889999us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-mgmt-FinServAssessment -- aiml-security-aiml-security-mgmt-AgentCoreAssessment -- aiml-security-aiml-security-mgmt-BedrockAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
777788889999us-east-1FS-68API Gateway Request Body Size Limits — Not ApplicableNo API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.InformationalN/A
777788889999us-east-1FS-69Prompt Input Validation Functions PresentFound 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
777788889999us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
777788889999us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVScope permissions to specific AgentCore resources using resource ARNsHighFailed
777788889999GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
777788889999GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
777788889999us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'aiml-sec-test-agentcore-no-encryption' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
777788889999us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/A
777788889999GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
777788889999GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.InformationalN/A
777788889999us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/A
777788889999us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/A
777788889999us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/A
777788889999us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/A
777788889999us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
777788889999us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
777788889999ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999GlobalSM-02SageMaker Full Access Policy UsedRole 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
777788889999us-east-1SM-01Direct Internet Access EnabledSageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabledConfigure the notebook instance to use VPC connectivity and disable direct internet accessHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationNotebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing VPC EncryptionTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabledEnable encryption for inter-container traffic and VPC communicationMediumFailed
777788889999us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-east-1SM-05SageMaker Model Registry IssueModel group 'aiml-sec-test-model-package-group' has minimal versioningImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentLowFailed
777788889999us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-east-1SM-08Model Registry Empty Model GroupModel group aiml-sec-test-model-package-group has no registered modelsImplement proper model versioning and approval workflowsLowFailed
777788889999us-east-1SM-09SageMaker Notebook Root Access EnabledNotebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.HighFailed
777788889999us-east-1SM-10SageMaker Notebook Not in VPCNotebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.HighFailed
777788889999us-east-1SM-11SageMaker Model Network Isolation DisabledModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.HighFailed
777788889999us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-15SageMaker Feature Store Offline Encryption MissingFeature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.MediumFailed
777788889999us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-east-1SM-17SageMaker Processing Job Encryption CheckAll 1 processing jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-18SageMaker Transform Job Encryption CheckAll 1 transform jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-22Model Approval Workflow CheckChecked 1 model package groups. Approval workflows appear to be properly configured.No action requiredMediumPassed
777788889999us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999GlobalBR-01AmazonBedrockFullAccess role checkRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999us-east-1BR-02Amazon Bedrock private connectivityBedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtimeNo action requiredHighPassed
777788889999us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFailed
777788889999us-east-1BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
777788889999us-east-1BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
777788889999us-east-1BR-07Bedrock Prompt Management CheckPrompt Management is being used with 1 promptsNo action required. Continue using Prompt Management for consistent and optimized prompts.LowPassed
777788889999us-east-1BR-08Bedrock Agent IAM Roles CheckError during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.Investigate error and retry assessmentHighFailed
777788889999us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
777788889999us-east-1BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-RoleAdd IAM policy conditions to enforce guardrail usage: -1. Use 'bedrock:GuardrailIdentifier' condition key -2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
777788889999us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
777788889999us-east-1BR-16Guardrail Tier Validation CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
777788889999us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
777788889999us-east-1BR-22Model Invocation Throttling Limits Check9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
777788889999us-east-1BR-23Guardrail Content Filter Coverage CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
777788889999us-east-1BR-26Guardrail Sensitive Information Filter CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-27Guardrail Contextual Grounding CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-28Agent Guardrail Association Check1 agents have an associated guardrailNo action required. Continue associating guardrails with new agents.LowPassed
777788889999us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
777788889999us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailed
777788889999us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
777788889999GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.InformationalN/A
777788889999us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
777788889999us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassed
777788889999us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrailAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.LowPassed
777788889999us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
777788889999us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/A
777788889999us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
777788889999us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/A
777788889999us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/A
777788889999us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/A
777788889999us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/A
777788889999us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.InformationalN/A
777788889999us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.InformationalN/A
777788889999us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.InformationalN/A
777788889999us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/A
777788889999us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/A
777788889999us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/A
777788889999us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/A
-
-
-
Risk Distribution
-

Pass Rate by Severity

-
-
HIGH
12.8%
28 of 219 checks passed
-
MEDIUM
29.3%
82 of 280 checks passed
-
LOW
30.3%
30 of 99 checks passed
-
Overall
23.4%
140 of 598 actionable checks
-
-

Risk by Account

-
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
-

Risk by Region

-
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
-

Findings by Assessment Area

-
-
Bedrock
461
50 Failed · 18 Passed
-
SageMaker
423
34 Failed · 61 Passed
-
AgentCore
182
39 Failed · 3 Passed
-
Agentic AI Security
388
47 Failed · 18 Passed
-
Financial Services Risk
210
90 Failed · 40 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-01AmazonBedrockFullAccess role checkRole 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckRole 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333GlobalBR-03Marketplace Subscription Access CheckUser 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
111122223333us-east-1BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7feCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: -- com.amazonaws.region.bedrock -- com.amazonaws.region.bedrock-runtime -- com.amazonaws.region.bedrock-agent -- com.amazonaws.region.bedrock-agent-runtimeMediumFailed
111122223333us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsNo action requiredMediumPassed
111122223333us-east-1BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111122223333us-east-1BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
111122223333us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
111122223333us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-east-1BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: -1. Use 'bedrock:GuardrailIdentifier' condition key -2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
111122223333us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-east-1BR-12Bedrock Invocation Log EncryptionS3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.1. Enable SSE-KMS with a customer-managed key on the S3 bucket -2. Update bucket policy to require encrypted uploads -3. Consider enabling S3 bucket versioning and MFA delete for log integrityMediumFailed
111122223333us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
111122223333us-east-1BR-16Guardrail Tier Validation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.MediumFailed
111122223333us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
111122223333us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333us-east-1BR-22Model Invocation Throttling Limits Check11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-east-1BR-23Guardrail Content Filter Coverage Check1 guardrails have complete content filter coverage (hate, insults, sexual, violence)No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.LowPassed
111122223333us-east-1BR-24Automated Reasoning Policy Implementation CheckGuardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.MediumFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-east-1BR-26Guardrail Sensitive Information Filter Check1 guardrails have sensitive-information (PII) filters configuredNo action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.LowPassed
111122223333us-east-1BR-27Guardrail Contextual Grounding Check1 guardrails have contextual grounding checks enabledNo action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.LowPassed
111122223333us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
111122223333ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
111122223333ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111122223333us-west-2BR-02Amazon Bedrock private connectivity not usedNo Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fcCreate a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: -- com.amazonaws.region.bedrock -- com.amazonaws.region.bedrock-runtime -- com.amazonaws.region.bedrock-agent -- com.amazonaws.region.bedrock-agent-runtimeMediumFailed
111122223333us-west-2BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFailed
111122223333us-west-2BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
111122223333us-west-2BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
111122223333us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
111122223333us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
111122223333us-west-2BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...Add IAM policy conditions to enforce guardrail usage: -1. Use 'bedrock:GuardrailIdentifier' condition key -2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
111122223333us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333us-west-2BR-16Guardrail Tier Validation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.MediumFailed
111122223333us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
111122223333us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
111122223333us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333us-west-2BR-22Model Invocation Throttling Limits Check7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
111122223333us-west-2BR-23Guardrail Content Filter Coverage CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.HighFailed
111122223333us-west-2BR-24Automated Reasoning Policy Implementation CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.MediumFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-25RAG Evaluation Jobs CheckKnowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
111122223333us-west-2BR-26Guardrail Sensitive Information Filter CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.HighFailed
111122223333us-west-2BR-27Guardrail Contextual Grounding CheckGuardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.MediumFailed
111122223333us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333us-west-2BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
111122223333sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
111122223333sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
111122223333eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
111122223333eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
111122223333eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
111122223333eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
111122223333eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
111122223333eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
111122223333eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
111122223333eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
111122223333eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
111122223333eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
111122223333eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
111122223333eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
111122223333eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
111122223333eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
111122223333eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
111122223333eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
111122223333eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
111122223333eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
111122223333eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
111122223333eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
111122223333eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
111122223333eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
111122223333eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
111122223333eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
111122223333eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
444455556666GlobalBR-03Marketplace Subscription Access CheckNo identities found with overly permissive marketplace subscription accessNo action requiredMediumPassed
444455556666us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
444455556666us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
444455556666sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
444455556666us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
444455556666us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
444455556666us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
444455556666us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
444455556666us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
444455556666us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
444455556666us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
444455556666us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
444455556666us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
444455556666us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
444455556666us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
444455556666us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
444455556666us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
444455556666us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
444455556666us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
444455556666us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
444455556666us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
444455556666us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
444455556666us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
444455556666us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
444455556666us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
444455556666us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
444455556666us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
444455556666us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
777788889999ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
777788889999GlobalBR-01AmazonBedrockFullAccess role checkRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attachedLimit the AmazonBedrockFullAccess policy only to required accessHighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999GlobalBR-03Marketplace Subscription Access CheckRole 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
777788889999us-east-1BR-02Amazon Bedrock private connectivityBedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtimeNo action requiredHighPassed
777788889999us-east-1BR-04Bedrock Model Invocation Logging CheckModel invocation logging is not enabled. This limits your ability to track and audit model usage.Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.MediumFailed
777788889999us-east-1BR-05Bedrock Guardrails CheckAmazon Bedrock Guardrails are properly configured with 1 guardrailsNo action required. Continue monitoring and updating guardrails as needed.HighPassed
777788889999us-east-1BR-06Bedrock CloudTrail Logging CheckCloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETENo action required. Continue monitoring CloudTrail logs for Bedrock activity.MediumPassed
777788889999us-east-1BR-07Bedrock Prompt Management CheckPrompt Management is being used with 1 promptsNo action required. Continue using Prompt Management for consistent and optimized prompts.LowPassed
777788889999us-east-1BR-08Bedrock Agent IAM Roles CheckError during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.Investigate error and retry assessmentHighFailed
777788889999us-east-1BR-09Bedrock Knowledge Base Encryption ReviewKnowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.1. For OpenSearch Serverless: Verify encryption with CMK at collection level -2. For S3 data sources: Verify CMK-encrypted S3 buckets -3. For RDS: Verify KMS encryption on the database -4. Consider using CMK for transient data during ingestionInformationalN/A
777788889999us-east-1BR-10Bedrock Guardrail IAM Enforcement MissingThe following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-RoleAdd IAM policy conditions to enforce guardrail usage: -1. Use 'bedrock:GuardrailIdentifier' condition key -2. Specify required guardrail ARN or ID -3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}HighFailed
777788889999us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999GlobalBR-15Cross-Account Guardrails Enforcement CheckCheck must run in AWS Organizations management account to evaluate organizational policiesRun assessment in management account to check cross-account guardrails enforcementMediumN/A
777788889999us-east-1BR-16Guardrail Tier Validation CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-18Model Evaluation Implementation CheckNo Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.MediumFailed
777788889999us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption ReviewKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key -2. For Amazon RDS/Aurora: verify KMS encryption on the database -3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration -4. Verify the customer-managed KMS key used for transient data during ingestionInformationalN/A
777788889999us-east-1BR-22Model Invocation Throttling Limits Check9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Continue monitoring quota utilization. Review and adjust quotas as application requirements change.LowPassed
777788889999us-east-1BR-23Guardrail Content Filter Coverage CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-25RAG Evaluation Jobs CheckKnowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.LowFailed
777788889999us-east-1BR-26Guardrail Sensitive Information Filter CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-27Guardrail Contextual Grounding CheckGuardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.InformationalN/A
777788889999us-east-1BR-28Agent Guardrail Association Check1 agents have an associated guardrailNo action required. Continue associating guardrails with new agents.LowPassed
777788889999us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-east-1BR-32Bedrock CloudWatch Alarm CheckNo CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.MediumFailed
777788889999us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
777788889999us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
777788889999us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
777788889999us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
777788889999us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
777788889999us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
777788889999us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
777788889999us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
777788889999us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
777788889999us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
777788889999us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
777788889999us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
777788889999us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
777788889999us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
777788889999us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
777788889999us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
777788889999us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
777788889999us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
777788889999us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
777788889999us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
777788889999us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
777788889999us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
777788889999us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
777788889999us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333GlobalSM-02SageMaker Full Access Policy UsedRole 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
111122223333us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
111122223333us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
111122223333us-east-1SM-03Missing Encryption ConfigurationDomain 'QuickSetupDomain-20250525T153160' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
111122223333us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333us-west-2SM-01Non-VPC Only Network AccessSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
111122223333us-west-2SM-02SSO Not Properly ConfiguredSageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
111122223333us-west-2SM-03Missing Encryption ConfigurationDomain 'PromptEvaluationDomain' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
111122223333us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
111122223333eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
111122223333eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
111122223333eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
111122223333eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
111122223333eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
111122223333eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
111122223333eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
111122223333eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
111122223333eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
111122223333eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
111122223333eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
111122223333eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
111122223333eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
111122223333eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
111122223333eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
111122223333eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
111122223333eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
111122223333eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
111122223333eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
111122223333eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
111122223333eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
111122223333eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
444455556666us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
444455556666us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
444455556666us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
444455556666us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
444455556666us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
444455556666us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
444455556666us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
444455556666us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
444455556666us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
444455556666us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
444455556666us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
444455556666us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
444455556666us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
444455556666us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
444455556666us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
444455556666us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
444455556666us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
444455556666us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
444455556666us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
444455556666us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
444455556666us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
444455556666us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
444455556666us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999GlobalSM-02SageMaker Full Access Policy UsedRole 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attachedReplace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilegeHighFailed
777788889999us-east-1SM-01Direct Internet Access EnabledSageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabledConfigure the notebook instance to use VPC connectivity and disable direct internet accessHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-01Non-VPC Only Network AccessSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only accessConfigure the SageMaker domain to use VPC-only network access typeHighFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-02SSO Not Properly ConfiguredSageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAMEnable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.MediumFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationNotebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationDomain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing Encryption ConfigurationTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configuredConfigure encryption using AWS KMS customer managed keys for enhanced securityHighFailed
777788889999us-east-1SM-03Missing VPC EncryptionTraining Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabledEnable encryption for inter-container traffic and VPC communicationMediumFailed
777788889999us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-east-1SM-05SageMaker Model Registry IssueModel group 'aiml-sec-test-model-package-group' has minimal versioningImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentLowFailed
777788889999us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-east-1SM-08Model Registry Empty Model GroupModel group aiml-sec-test-model-package-group has no registered modelsImplement proper model versioning and approval workflowsLowFailed
777788889999us-east-1SM-09SageMaker Notebook Root Access EnabledNotebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.HighFailed
777788889999us-east-1SM-10SageMaker Notebook Not in VPCNotebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.HighFailed
777788889999us-east-1SM-11SageMaker Model Network Isolation DisabledModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.HighFailed
777788889999us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-14SageMaker Model Platform Repository AccessModel 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.MediumFailed
777788889999us-east-1SM-15SageMaker Feature Store Offline Encryption MissingFeature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.MediumFailed
777788889999us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-east-1SM-17SageMaker Processing Job Encryption CheckAll 1 processing jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-18SageMaker Transform Job Encryption CheckAll 1 transform jobs have volume encryption configuredNo action requiredMediumPassed
777788889999us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-east-1SM-22Model Approval Workflow CheckChecked 1 model package groups. Approval workflows appear to be properly configured.No action requiredMediumPassed
777788889999us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
777788889999sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
777788889999sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
777788889999sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
777788889999sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
777788889999sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
777788889999sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
777788889999sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
777788889999sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
777788889999sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
777788889999sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
777788889999sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
777788889999sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
777788889999sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
777788889999sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
777788889999sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
777788889999sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
777788889999sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
777788889999sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
777788889999sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
777788889999sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
777788889999sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
777788889999sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - - + + + - - + + - - - - - - + + + - - - - - - - - + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + + + + + + + + + + + + + + + + + - - - - - + + - - + + - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
111122223333ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
111122223333us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-13AgentCore Gateway Configuration CheckFound 1 Gateway resourcesNo action requiredMediumPassed
111122223333us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333us-west-2AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: -1. Implement defense-in-depth access control -2. Enable cross-account access control -3. Restrict access based on source VPC or IP -4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333us-west-2AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control -2. AWS-managed keys are single-tenant and region-specific -3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333GlobalAC-02AgentCore IAM Full Access PolicyThe following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace with least-privilege policies scoped to specific AgentCore resources and actionsHighFailed
111122223333GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleScope permissions to specific AgentCore resources using resource ARNsHighFailed
111122223333GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
111122223333GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
111122223333GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-01AgentCore Runtime VPC ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)HighFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-04AgentCore Runtime CloudWatch LogsRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs for monitoring and troubleshootingMediumFailed
111122223333us-east-1AC-04AgentCore Runtime X-Ray TracingRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable X-Ray tracing for distributed tracing and performance analysisMediumFailed
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-customer_support_agent' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
111122223333us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'bedrock-agentcore-origami_expeditions' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-06AgentCore Runtime Storage ConfigurationRuntime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser toolsConfigure S3 storage for browser tool session recordings and artifactsMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-07AgentCore Memory EncryptionMemory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredEnable encryption with customer-managed KMS keysMediumFailed
111122223333us-east-1AC-13AgentCore Gateway Configuration CheckFound 2 Gateway resourcesNo action requiredMediumPassed
111122223333us-east-1AC-08AgentCore VPC Endpoints MissingNo AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create VPC interface endpoints for AgentCore services: -1. com.amazonaws.region.bedrock-agentcore -2. com.amazonaws.region.bedrock-agentcore-control -3. com.amazonaws.region.bedrock-agentcore-runtime -This enables private connectivity via AWS PrivateLinkHighFailed
111122223333us-east-1AC-10AgentCore Resource-Based Policies MissingThe following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to: -1. Implement defense-in-depth access control -2. Enable cross-account access control -3. Restrict access based on source VPC or IP -4. Implement hierarchical authorization for Agent RuntimesHighFailed
111122223333us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333us-east-1AC-12AgentCore Gateway Encryption MissingThe following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.1. Create gateways with customer-managed KMS keys for additional control -2. AWS-managed keys are single-tenant and region-specific -3. Consider CMK for enhanced audit capabilities and key rotation controlLowFailed
111122223333sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
111122223333sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
111122223333eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
111122223333eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
111122223333eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
111122223333eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
111122223333eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
444455556666GlobalAC-03AgentCore Stale AccessThe following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Review and remove unused AgentCore permissions following least privilege principleMediumFailed
444455556666GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
444455556666GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
444455556666us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
444455556666eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
444455556666eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
444455556666eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
444455556666eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
444455556666eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
777788889999ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
777788889999ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
777788889999ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
777788889999us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
777788889999 us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredBR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredBR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredBR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredBR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredBR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredBR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalBR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
Medium N/A
777788889999
444455556666 us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalBR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
777788889999sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
444455556666us-west-2BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
High N/A
777788889999sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformational
444455556666us-west-2BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
High N/A
777788889999sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
444455556666us-west-2BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformational
444455556666us-west-2BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
High N/A
777788889999sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformational
444455556666us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
Low N/A
777788889999sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformational
444455556666us-west-2BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
High N/A
777788889999sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformational
444455556666us-west-2BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
Medium N/A
777788889999eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
777788889999eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
777788889999eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformational
444455556666us-west-2BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
777788889999eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformational
444455556666us-west-2BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
777788889999eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
444455556666us-west-2BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
444455556666us-west-2AG-07 +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-08 +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
444455556666us-west-2AG-10 +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action required
444455556666us-west-2AG-11 +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action required
444455556666us-west-2AG-06 +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
777788889999GlobalAC-02AgentCore IAM Wildcard PermissionsThe following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVScope permissions to specific AgentCore resources using resource ARNsHighFailed
777788889999GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principle
444455556666us-west-2AG-12 +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Informational N/A
777788889999GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.MediumFailed
777788889999us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-02 +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-04 +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-05AgentCore ECR Repository AWS-Managed KeysECR repository 'aiml-sec-test-agentcore-no-encryption' uses AWS-managed keys instead of customer-managed KMS keysConsider using customer-managed KMS keys for better control and audit capabilitiesLowFailed
777788889999us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action required
444455556666us-west-2AG-03 +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action required
444455556666us-west-2AG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action required
444455556666us-west-2AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action required
444455556666us-west-2AG-13 +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action required
444455556666us-west-2AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Informational N/A
777788889999
444455556666GlobalBR-01 +
AmazonBedrockFullAccess role check
+
+ Details and remediation +
+
Details

No roles found with AmazonBedrockFullAccess policy

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
444455556666GlobalBR-03 +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

No identities found with overly permissive marketplace subscription access

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
444455556666 us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredBR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999
444455556666 us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
-
-
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
- - - - - - - + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + - - - - - - - - + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - + + + + - - + + - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - + + - - - - - - + + + - - + + - - - - - - + + + - - + + - - - - - + + - + - - + + - - - - - - - + + + + - - + + - - - - - + + - + - - + + - - - - - - - + + + + - - + + - - - - - + + - + - - + + - - - - - - + + + - - + + - - - - - - + + + - - + + - - - - - - - + + + + - - - + + + - - - - + - - - + + + - - - - + - - - + + + + + + + + + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - - + + + - - - - + - - + + - - - - - - - + + + + - - + + - - - - - + + - - + + - - - - - + + + + + + + + + + - + - - + + - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - - - - - + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - - - - - - - - - - - - + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - + + + - - + + - - - - - - + + + - - + + - - - - - - + + + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - + - + - - + + - - - - + - - + + - - - - + - - + + - - - - - - + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - + + - - - - - - - + + + + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + - + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + - + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - + - + - + - - - - - - - - - - - - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - - - - - - - - - - - - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - - - - - - - - - - - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - + - - + + - - - - - - - - - - - - - - - + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - + + - - - - - + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - + + + @@ -34312,10 +16364,17 @@

Agentic AI Model Invocation Logging -

- - + @@ -34323,10 +16382,17 @@

Agentic AI API Audit Trail -

- - + @@ -34334,10 +16400,17 @@

Agentic AI Adversarial Evaluation Coverage -

- - + @@ -34345,10 +16418,17 @@

Agentic AI Prompt Flow Validation -

- - + @@ -34356,10 +16436,17 @@

Agentic AI Tool Execution Least Privilege -

- - + @@ -34367,10 +16454,17 @@

Agentic AI Invocation Abuse Controls -

- - + @@ -34378,10 +16472,17 @@

Agentic AI Harmful Content Guardrail Coverage -

- - + @@ -34389,10 +16490,17 @@

Agentic AI Automated Reasoning Guardrails -

- - + @@ -34400,3690 +16508,4661 @@

Agentic AI Sensitive Information Protection -

- - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + + + + + + + + + + + + + + + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredBR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required
444455556666us-east-1BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required
444455556666us-east-1BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required
444455556666us-east-1BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
444455556666us-east-1BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
444455556666us-east-1BR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
444455556666us-east-1BR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.
444455556666us-east-1BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
444455556666us-east-1BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.
444455556666us-east-1BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.Informational
444455556666GlobalBR-15 +
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation +
+
Details

Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Run assessment in management account to check cross-account guardrails enforcement

+
Reference

+
+
+
Medium N/A
111122223333us-west-2AG-24Agentic AI Gateway Inbound AuthorizationGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) uses authorizerType CUSTOM_JWT.No action requiredHighPassed
111122223333us-west-2AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed
111122223333us-west-2AG-26Agentic AI Gateway Error Detail ExposureGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.No action required
444455556666us-east-1BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
MediumPassed
111122223333us-west-2AG-27Agentic AI Gateway WAF Protection MissingGateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.Informational N/A
111122223333us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.Informational
444455556666us-east-1BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
444455556666us-east-1BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.Informational
444455556666us-east-1BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
111122223333us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
444455556666us-east-1BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
HighFailed
111122223333us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.Informational N/A
111122223333us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
111122223333
444455556666 us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch LogsEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumPassedBR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
HighN/A
111122223333
444455556666 us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.MediumPassed
111122223333GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
111122223333
444455556666 us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalBR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
High N/A
111122223333
444455556666 us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalBR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
Medium N/A
111122223333
444455556666 us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
LowPassedN/A
111122223333
444455556666 us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.LowPassedBR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
HighN/A
111122223333
444455556666 us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required.BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
MediumFailedN/A
111122223333
444455556666 us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configuredConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.LowPassedBR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
HighN/A
111122223333
444455556666 us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabledEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
LowPassedN/A
111122223333
444455556666 us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalBR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
111122223333
444455556666 us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalBR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
111122223333
444455556666 us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailedBR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333ap-south-1
444455556666us-east-1 AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666GlobalAG-09 +
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.

+
Reference

+
+
+
InformationalN/A
444455556666us-east-1 AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
111122223333ap-south-1
444455556666us-east-1 AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailedSM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
111122223333
444455556666 us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumFailedPassed
111122223333
444455556666 us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
InformationalN/A
444455556666us-west-2SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassedSM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.HighFailedSM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.Configure automated reasoning policies on guardrails where formal response validation is required.MediumFailedSM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.HighFailedSM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.MediumFailedSM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailed
111122223333sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
444455556666us-west-2SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.
444455556666us-west-2SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
444455556666us-west-2SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
444455556666us-west-2SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
444455556666us-west-2SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
444455556666us-west-2SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
444455556666us-west-2SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
444455556666GlobalAC-02 +
AgentCore IAM Full Access Check
+
+ Details and remediation +
+
Details

No roles with overly permissive AgentCore access found

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
444455556666GlobalAC-03 +
AgentCore Stale Access
+
+ Details and remediation +
+
Details

The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
MediumFailed
444455556666GlobalAC-03 +
AgentCore Unused Permissions
+
+ Details and remediation +
+
Details

The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.
444455556666GlobalAC-09 +
AgentCore Service-Linked Role Missing
+
+ Details and remediation +
+
Details

Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.

+
Resolution

The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.

+
Reference

+
+
+
MediumFailed
444455556666us-east-1AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
444455556666us-east-1AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
444455556666us-east-1AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
444455556666us-east-1AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
444455556666us-east-1AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
444455556666us-east-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-east-1AG-24Agentic AI Gateway Inbound AuthorizationGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) uses authorizerType CUSTOM_JWT.No action requiredHighPassedAC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailedAC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-26Agentic AI Gateway Error Detail ExposureGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.No action requiredMediumPassedAC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-27Agentic AI Gateway WAF Protection MissingGateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailedAC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1 AG-24Agentic AI Gateway Inbound AuthorizationGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) uses authorizerType CUSTOM_JWT.No action requiredHighPassed +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1 AG-25Agentic AI Gateway Tool Policy Enforcement MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.HighFailed +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1 AG-26Agentic AI Gateway Error Detail ExposureGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.No action requiredMediumPassed +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1 AG-27Agentic AI Gateway WAF Protection MissingGateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.LowFailed
111122223333GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 Global AG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-roleReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions. +
Agentic AI AgentCore Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found

+
Resolution

Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.

+
Reference

+
+
+
HighFailedPassed
111122223333
444455556666 Global AG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access. +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
Medium Failed
111122223333
444455556666 Global AG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'Remove or restrict stale AgentCore permissions for principals that no longer need access. +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 us-east-1 AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailed +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedAG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedAG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedAG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.HighFailedAG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedAG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
111122223333
444455556666 us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailedAG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
444455556666eu-west-1SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumFailedPassed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
444455556666eu-west-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumFailedPassed
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
444455556666eu-west-1SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configuredEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabledEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.MediumFailed
444455556666eu-west-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
444455556666eu-west-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
444455556666eu-west-1SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configuredConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.MediumFailed
444455556666eu-west-1SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.Create required VPC endpoints for AgentCore services and validate endpoint availability.HighFailed
444455556666eu-west-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.HighFailed
444455556666eu-west-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.
444455556666eu-west-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.LowFailed
444455556666eu-west-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
111122223333sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required
444455556666eu-west-1SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required
444455556666eu-west-1SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required
444455556666eu-west-1SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required
444455556666eu-west-1SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
444455556666eu-west-1SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
444455556666eu-west-1SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
444455556666GlobalSM-02 +
SageMaker IAM Permissions Check
+
+ Details and remediation +
+
Details

No issues found with IAM permissions and no stale access detected

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
444455556666us-east-1SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
444455556666us-east-1SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
444455556666us-east-1SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
444455556666us-east-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
444455556666us-east-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.
444455556666us-east-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
444455556666us-east-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.
444455556666us-east-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
111122223333sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
444455556666us-east-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
444455556666us-east-1SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
444455556666us-east-1SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.
444455556666us-east-1SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
444455556666us-east-1SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
444455556666us-east-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
444455556666us-east-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
444455556666us-east-1SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.
444455556666us-east-1SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
444455556666us-east-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
444455556666us-east-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
444455556666us-east-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
444455556666us-east-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
444455556666us-east-1SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required
444455556666us-east-1SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required
444455556666us-east-1SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/A
444455556666us-east-1SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
111122223333eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required
444455556666us-east-1SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
444455556666us-east-1SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
444455556666us-east-1FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
111122223333eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
444455556666us-west-2FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.BR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
111122223333
444455556666 eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredeu-west-1BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredeu-west-1BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredeu-west-1BR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredeu-west-1BR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.eu-west-1BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.eu-west-1BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.eu-west-1BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.Informationaleu-west-1BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
Medium N/A
444455556666ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.Informationaleu-west-1BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.eu-west-1BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.Informationaleu-west-1BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
444455556666ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.Informationaleu-west-1BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.Informationaleu-west-1BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.eu-west-1BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.Informationaleu-west-1BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.Informationaleu-west-1BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
Medium N/A
444455556666ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.Informationaleu-west-1BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
Low N/A
444455556666ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.Informationaleu-west-1BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.Informationaleu-west-1BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
Medium N/A
444455556666ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.Informationaleu-west-1BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
444455556666ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.Informationaleu-west-1BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
444455556666ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.Informationaleu-west-1BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.

+
Resolution

Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.

+
Reference

+
+
+
Low N/A
444455556666ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.Informationaleu-west-1BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
444455556666ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.eu-west-1BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/A
444455556666GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported. +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows. +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating. +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements. +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
444455556666us-east-1eu-west-1 AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available. +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredAC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredAC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredAC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredAC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666 us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1 AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1us-west-2 AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.InformationalN/A
444455556666sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.us-west-2AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.us-west-2AG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
777788889999GlobalAC-02 +
AgentCore IAM Wildcard Permissions
+
+ Details and remediation +
+
Details

The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV

+
Resolution

Scope permissions to specific AgentCore resources using resource ARNs

+
Reference

+
+
+
HighFailed
777788889999GlobalAC-03 +
AgentCore Unused Permissions
+
+ Details and remediation +
+
Details

The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
777788889999GlobalAC-09 +
AgentCore Service-Linked Role Missing
+
+ Details and remediation +
+
Details

Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.

+
Resolution

The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.

+
Reference

+
+
+
MediumFailed
777788889999us-east-1AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
777788889999us-east-1AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
777788889999us-east-1AC-05 +
AgentCore ECR Repository AWS-Managed Keys
+
+ Details and remediation +
+
Details

ECR repository 'aiml-sec-test-agentcore-no-encryption' uses AWS-managed keys instead of customer-managed KMS keys

+
Resolution

Consider using customer-managed KMS keys for better control and audit capabilities

+
Reference

+
+
+
LowFailed
777788889999us-east-1AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.
777788889999us-east-1AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
777788889999us-east-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
777788889999us-east-1AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
777788889999us-east-1AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
777788889999us-east-1AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
777788889999us-east-1AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 Global AG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions. +
Agentic AI AgentCore Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV

+
Resolution

Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.

+
Reference

+
+
+
HighPassed
444455556666GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)Remove or restrict stale AgentCore permissions for principals that no longer need access.Medium Failed
444455556666
777788889999 Global AG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access. +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-east-1 AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.
777788889999eu-west-1AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
777788889999eu-west-1AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.
777788889999eu-west-1AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
777788889999eu-west-1AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 eu-west-1 AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.InformationalN/A
444455556666sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
777788889999us-west-2AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.
777788889999us-west-2AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
777788889999us-west-2AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
777788889999us-west-2AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
777788889999us-west-2AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
777788889999us-west-2AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.
777788889999us-west-2AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
777788889999us-west-2AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
777788889999us-west-2AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
777788889999us-west-2AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
777788889999us-west-2AG-24 +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
777788889999us-west-2AG-25 +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.AG-26 +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.AG-27 +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.AG-15 +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.AG-18 +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.AG-19 +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.AG-20 +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.AG-21 +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.AG-22 +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666
777788889999 us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.AG-23 +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
444455556666us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
777788889999eu-west-1BR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
777788889999eu-west-1BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
777788889999eu-west-1BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
777788889999eu-west-1BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredeu-west-1BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredeu-west-1BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredeu-west-1BR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredeu-west-1BR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.eu-west-1BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.eu-west-1BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.eu-west-1BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.Informationaleu-west-1BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
Medium N/A
777788889999ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.Informationaleu-west-1BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
777788889999ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.eu-west-1BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.Informationaleu-west-1BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.Informationaleu-west-1BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
High N/A
777788889999sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.Informationaleu-west-1BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
High N/A
777788889999sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.eu-west-1BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.Informationaleu-west-1BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
High N/A
777788889999sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.Informationaleu-west-1BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.Informationaleu-west-1BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
Low N/A
777788889999sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.Informationaleu-west-1BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
High N/A
777788889999sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.Informationaleu-west-1BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.Informationaleu-west-1BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
777788889999sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.Informationaleu-west-1BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
777788889999sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.Informationaleu-west-1BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.

+
Resolution

Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.

+
Reference

+
+
+
Low N/A
777788889999sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.Informationaleu-west-1BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
Medium N/A
777788889999sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.eu-west-1BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements. +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured. +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases. +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions. +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required. +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns. +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads. +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required. +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns. +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AG-13 +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Informational N/A
777788889999GlobalSM-02 +
SageMaker Full Access Policy Used
+
+ Details and remediation +
+
Details

Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached

+
Resolution

Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege

+
Reference

+
+
+
HighFailed
777788889999us-east-1SM-01 +
Direct Internet Access Enabled
+
+ Details and remediation +
+
Details

SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled

+
Resolution

Configure the notebook instance to use VPC connectivity and disable direct internet access

+
Reference

+
+
+
HighFailed
777788889999us-east-1SM-01 +
Non-VPC Only Network Access
+
+ Details and remediation +
+
Details

SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access

+
Resolution

Configure the SageMaker domain to use VPC-only network access type

+
Reference

+
+
+
HighFailed
777788889999us-east-1SM-01 +
Non-VPC Only Network Access
+
+ Details and remediation +
+
Details

SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access

+
Resolution

Configure the SageMaker domain to use VPC-only network access type

+
Reference

+
+
+
HighFailed
777788889999us-east-1SM-02 +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
MediumFailed
777788889999eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/Aus-east-1SM-02 +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
MediumFailed
777788889999eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/Aus-east-1SM-02 +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
MediumFailed
777788889999eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/Aus-east-1SM-02 +
SSO Not Properly Configured
+
+ Details and remediation +
+
Details

SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM

+
Resolution

Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.

+
Reference

+
+
+
MediumFailed
777788889999eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/Aus-east-1SM-03 +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.InformationalN/Aus-east-1SM-03 +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.InformationalN/Aus-east-1SM-03 +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/Aus-east-1SM-03 +
Missing Encryption Configuration
+
+ Details and remediation +
+
Details

Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured

+
Resolution

Configure encryption using AWS KMS customer managed keys for enhanced security

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/Aus-east-1SM-03 +
Missing VPC Encryption
+
+ Details and remediation +
+
Details

Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled

+
Resolution

Enable encryption for inter-container traffic and VPC communication

+
Reference

+
+
+
MediumFailed
777788889999ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/Aus-east-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.InformationalN/Aus-east-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

Model group 'aiml-sec-test-model-package-group' has minimal versioning

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
LowFailed
777788889999ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.us-east-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-east-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.us-east-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.InformationalN/Aus-east-1SM-08 +
Model Registry Empty Model Group
+
+ Details and remediation +
+
Details

Model group aiml-sec-test-model-package-group has no registered models

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
LowFailed
777788889999ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.InformationalN/Aus-east-1SM-09 +
SageMaker Notebook Root Access Enabled
+
+ Details and remediation +
+
Details

Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.

+
Resolution

Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.InformationalN/Aus-east-1SM-10 +
SageMaker Notebook Not in VPC
+
+ Details and remediation +
+
Details

Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.

+
Resolution

Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.

+
Reference

+
+
+
HighFailed
777788889999ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.InformationalN/Aus-east-1SM-11 +
SageMaker Model Network Isolation Disabled
+
+ Details and remediation +
+
Details

Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.

+
Resolution

Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.

+
Reference

+
+
+
HighFailed
777788889999us-west-2AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredus-east-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredus-east-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1SM-14 +
SageMaker Model Platform Repository Access
+
+ Details and remediation +
+
Details

Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.

+
Resolution

Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.

+
Reference

+
+
+
MediumFailed
777788889999us-west-2AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1SM-14 +
SageMaker Model Platform Repository Access
+
+ Details and remediation +
+
Details

Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.

+
Resolution

Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.

+
Reference

+
+
+
MediumFailed
777788889999us-west-2AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.InformationalN/Aus-east-1SM-15 +
SageMaker Feature Store Offline Encryption Missing
+
+ Details and remediation +
+
Details

Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.

+
Resolution

Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.

+
Reference

+
+
+
MediumFailed
777788889999us-west-2AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.us-east-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/Aus-east-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

All 1 processing jobs have volume encryption configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999us-west-2AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/Aus-east-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

All 1 transform jobs have volume encryption configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999us-west-2AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.us-east-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.us-east-1SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.us-east-1SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

Checked 1 model package groups. Approval workflows appear to be properly configured.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredInformationalN/Aus-east-1SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
777788889999sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredus-east-1SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.us-west-2SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/Aus-west-2SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.us-west-2SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.InformationalN/Aus-west-2SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.us-west-2SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.us-west-2SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.us-west-2SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredus-west-2SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredus-west-2SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredus-west-2SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredus-west-2SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.us-west-2SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.us-west-2SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.us-west-2SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.us-west-2SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.us-west-2SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.us-west-2SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.us-west-2SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredus-west-2SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredus-west-2SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredus-west-2SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredus-west-2SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999GlobalAG-16Agentic AI AgentCore Least PrivilegeAgentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOVReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.HighFailed
777788889999GlobalAG-17Agentic AI Stale AgentCore AccessAgentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access.us-west-2SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.us-west-2SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.InformationalN/Aus-west-2SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999us-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.InformationalN/Aus-west-2SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
777788889999us-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.us-west-2SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.eu-west-1SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.InformationalN/Aeu-west-1SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999us-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.eu-west-1SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.MediumFailed
777788889999us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETEEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.eu-west-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
Medium Passed
777788889999GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policiesUse IAM and organization controls to require approved guardrails for model and agent invocations where supported.eu-west-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.MediumFailed
777788889999us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.eu-west-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.LowPassedeu-west-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.eu-west-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.eu-west-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.eu-west-1SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
777788889999us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrailAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.LowPassedeu-west-1SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.MediumFailedeu-west-1SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.eu-west-1SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.eu-west-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.eu-west-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.eu-west-1SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.eu-west-1SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.eu-west-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.eu-west-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.eu-west-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.eu-west-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.eu-west-1SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.eu-west-1SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.eu-west-1SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
777788889999us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.eu-west-1SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
777788889999eu-west-1SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
777788889999eu-west-1SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
-
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
- - - - - - - - - - - - + + + - - - - +4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +3. Add AWS Managed Rules for known bad inputs.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - + + + - - - - +3. Set daily spend budgets with AWS Budgets as a secondary control.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +- Custom application-level token counters via EMF

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +3. Consider budget actions to apply IAM deny policies when thresholds are breached.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - - - + + + - - - - - - + + + - - + + - - - - - - - - - - - - - - - +4. Add circuit-breaker patterns to agent tool invocations.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - +- Step Functions execution failures and timeouts

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +3. Maintain a model inventory and update the SCP when models are approved/retired.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - +3. Schedule periodic re-evaluation after model updates.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - + + + - - - - + - + - - + + - - - - - - - - - - - - - - - +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*' +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) +- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)

+
Resolution

Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + - - - + + + - - - - + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - +5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - + + + - - - - +4. Test disclaimer presence in QA/UAT before production deployment.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +- AML/KYC edge cases

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +3. Set CloudWatch alarms on sync job failures.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Consider Bedrock Guardrails grounding checks to validate response accuracy.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - + - - + + - - - - - - - - - - - - - - - +4. Add data-currency disclaimers to outputs from models with old cutoffs.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +- Violence/self-harm content

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - + + + - - - - +4. Define SLAs for reviewing flagged content.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - +4. Document bias testing results for regulatory examination.

+
Reference

+ + + - - - - - - - - - - - - - - + + + - - - - +- Counterfactual fairness tests

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Store explanations for regulatory examination.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Review and update cards at each model version release.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Test masking with synthetic PII before production deployment.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - +3. Test disclaimer presence in QA before production.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - - - + + + - - + + - - - - - - - - - - - - - - - + - + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - +5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Encode outputs appropriately for the target context (HTML, SQL, JSON).

+
Reference

+ + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + - - - + + + - - - - +4. Validate output length and format before passing to downstream APIs.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Log schema validation failures to CloudWatch for monitoring.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - + + + - - - - +3. Test with off-topic prompts in QA to verify rejection behavior.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - +3. Alert users when KB data is older than defined threshold.

+
Reference

+ + + - - + + - - - - - - - - - - - - - - - + - - + + - - - - - - - - - - - - - - - +3. Integrate alerts into your security incident response workflow.

+
Reference

+ + + - - + + - - - - + + + + + + + + + - - + + + + + + + + + + + + + + + + + + - - - - - + + + + + + + + + + + + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - - - - - - - - - + + + + + + - - - - - - - - + + + + + + + + + + + + + - - + + - - - - - + + + + + + + + + + - - - - - - - - - + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - + + + + - - - - - - - - + + + + + - - - - - - - - - - + + + + + + + - - - - - - - - + + + + + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - + + - + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - + - - - - - + + - + - - - - - - + + + - + - - - - - + + - + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - + + - + - + - - - - - + + + + + + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - + + + + + + + + + + + - + - + - - - - - - + + + - + - + - - - - - - + + + - + - + - - - - - - - + + + + - + + + + + + + + + - - - - - - + + + - + - + - - - - - - + + + - + - - - - - - + + + + + + + + + + + - + - + - - - - - - - + + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - + - + - - - - - - + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - - + + + + - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - + + + - - - - - - - - - - - - + - - - - - - + + + - - - - - - - - - - - - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
111122223333us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailed
111122223333us-west-2
777788889999us-east-1 FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. + +
AWS Shield Advanced Not Enabled
+
+ Details and remediation +
+
Details

AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.

+
Resolution

1. Subscribe to AWS Shield Advanced for DDoS protection. 2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. 3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.

Low Failed
111122223333
777788889999 us-east-1 FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.MediumFailed
111122223333us-west-2FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). + +
No Regional WAF Web ACLs Found
+
+ Details and remediation +
+
Details

No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.

+
Resolution

1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). 2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.

Medium Failed
111122223333
777788889999 us-east-1 FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed
111122223333us-west-2FS-02API Gateway Usage Plans Missing ThrottleUsage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.MediumFailed +
No API Gateway Usage Plans Found
+
+ Details and remediation +
+
Details

No usage plans configured. GenAI API endpoints may have no rate limits.

+
Resolution

Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.

+
Reference

+
+
+
InformationalN/A
111122223333
777788889999 us-east-1 FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassed
111122223333us-west-2FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load. +
Bedrock Token Quotas Customized
+
+ Details and remediation +
+
Details

Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.

+
Resolution

No action required. Periodically re-review quotas against expected peak load.

+
Reference

+
+
+
Medium Passed
111122223333us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.MediumFailed
111122223333us-west-2
777788889999us-east-1 FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. + +
No Cost Anomaly Detection Monitors
+
+ Details and remediation +
+
Details

No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.

+
Resolution

1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. 2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.

Medium Failed
111122223333
777788889999 us-east-1 FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFMediumFailed
111122223333us-west-2FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: + +
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms for: - AWS/Bedrock InvocationThrottles (threshold > 0) - AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMF

Medium Failed
111122223333
777788889999 us-east-1 FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailed
111122223333us-west-2FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. + +
No AI/ML Service Budgets Configured
+
+ Details and remediation +
+
Details

No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.

+
Resolution

1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. 2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.

Medium Failed
111122223333
777788889999 us-east-1 FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.InformationalN/A
111122223333us-west-2FS-07Agent Action Boundary CheckNo Bedrock agents found.No action required.InformationalN/A
111122223333us-east-1FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization. +
Agent Action Boundaries Look Appropriate
+
+ Details and remediation +
+
Details

Reviewed 1 agent(s); no wildcard sensitive actions found.

+
Resolution

No action required.

+
Reference

+
+
+
HighFailedPassed
111122223333us-west-2
777788889999us-east-1 FS-08AgentCore Runtimes Missing Policy EngineRuntimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.HighFailed +
No AgentCore Runtimes Found
+
+ Details and remediation +
+
Details

No AgentCore runtimes found; policy engine check not applicable.

+
Resolution

If using AgentCore, configure the Policy Engine to authorize tool calls.

+
Reference

+
+
+
InformationalN/A
111122223333
777788889999 us-east-1 FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumFailed
111122223333us-west-2FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-111122223333-FinServAssessment, resco-aiml-IAMPermissionCaching, aiml-security-aiml-security-111122223333-SagemakerAssessment, resco-aiml-CleanupBucket, aiml-security-aiml-security-111122223333-BedrockAssessment, resco-aiml-BedrockAssessment, aiml-security-aiml-security-111122223333-CleanupBucket, aiml-security-aiml-security-111122223333-AgentCoreAssessment, e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. + +
Agent Lambda Functions Without Concurrency Limits
+
+ Details and remediation +
+
Details

Agent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-sec-test-resources-SageMakerJobCustomResource-ZA5QCAi0pN3d, AIMLSecurityAssessment-CodeBuildStartBuildLambda-VYOqtzWoNo3m, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, aiml-security-aiml-security-mgmt-IAMPermissionCaching, aiml-security-aiml-security-mgmt-AgentCoreAssessment, aiml-security-aiml-security-mgmt-BedrockAssessment, aiml-security-aiml-security-mgmt-ResolveRegions. Unlimited concurrency allows runaway agent loops to exhaust account limits.

+
Resolution

1. Set reserved concurrency on agent Lambda functions. 2. Implement maximum iteration counts in agent orchestration logic. 3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.

Medium Failed
111122223333
777788889999 us-east-1 FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.InformationalN/A
111122223333us-west-2FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack. +
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation +
+
Details

No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.

+
Resolution

Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.

+
Reference

+
+
+
Informational N/A
111122223333
777788889999 us-east-1 FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailed
111122223333us-west-2FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: + +
No Agent Rate Alarms Found
+
+ Details and remediation +
+
Details

No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.

+
Resolution

Create CloudWatch alarms on: - Bedrock agent invocation counts (threshold based on expected max) - Lambda invocation errors for agent functions -- Step Functions execution failures and timeouts

Medium Failed
111122223333
777788889999 us-east-1 FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailed
111122223333us-west-2FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. + +
No Bedrock-Scoped SCPs Found
+
+ Details and remediation +
+
Details

No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.

+
Resolution

1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. 2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.

High Failed
111122223333
777788889999 us-east-1 FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required.MediumPassed
111122223333us-west-2FS-13Model Provenance Tags PresentAll reviewed models have required provenance tags.No action required. +
Models Missing Provenance Tags
+
+ Details and remediation +
+
Details

2 model(s) missing required provenance tags: +- SageMaker model 'SageMakerModelWithIsolation-JASFpUHjajdk' missing tags: {'source', 'approval-date', 'version'} +- SageMaker model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' missing tags: {'source', 'approval-date', 'version'}

+
Resolution

Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.

+
Reference

+
+
+
MediumPassedFailed
111122223333
777788889999 us-east-1 FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required.MediumPassed
111122223333us-west-2FS-14Model Governance Config Rules PresentFound 11 model-related Config rule(s).No action required. +
Model Governance Config Rules Present
+
+ Details and remediation +
+
Details

Found 13 model-related Config rule(s).

+
Resolution

No action required.

+
Reference

+
+
+
Medium Passed
111122223333
777788889999 us-east-1 FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.MediumFailed
111122223333us-west-2FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. + +
No Bedrock Evaluation Jobs Found
+
+ Details and remediation +
+
Details

No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.

+
Resolution

1. Run Bedrock Model Evaluation with adversarial/red-team datasets. 2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.

Medium Failed
111122223333
777788889999 us-east-1 FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighFailed
111122223333us-west-2FS-16ECR Repositories Without Image Scanning4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection. +
ECR Repositories Without Image Scanning
+
+ Details and remediation +
+
Details

2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.

+
Resolution

Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.

+
Reference

+
+
+
High Failed
111122223333
777788889999 us-east-1 FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-west-2FS-20No SageMaker Feature Groups FoundNo SageMaker Feature Store groups found.No action required.InformationalN/A
111122223333us-east-1FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.High +
Feature Groups Without Offline Store
+
+ Details and remediation +
+
Details

1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.

+
Resolution

1. Enable offline store (S3-backed) for all production feature groups. +2. Enable S3 versioning on the offline store bucket. +3. Document rollback procedures for poisoned feature data.

+
Reference

+
+
+
Medium Failed
111122223333us-west-2
777788889999us-east-1 FS-21Training Data Buckets Without Versioning13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning. +
Training Data Buckets Have Versioning
+
+ Details and remediation +
+
Details

All 2 training bucket(s) have versioning enabled.

+
Resolution

No action required.

+
Reference

+
+
+
HighFailedPassed
111122223333
777788889999 us-east-1 FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Admin' allows '*' -- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighFailed
111122223333us-west-2FS-22Overly Permissive Knowledge Base IAM Roles827 role(s) with wildcard KB permissions: -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases) + +
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation +
+
Details

823 role(s) with wildcard KB permissions: - Role 'Admin' allows '*' -- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*' -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*' -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)

Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs. High Failed
111122223333
777788889999 us-east-1 FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-west-2FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.InformationalN/A
111122223333us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighPassed +
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation +
+
Details

Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.

+
Resolution

1. Add metadata fields (tenantId, dataClassification) to KB data sources. +2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. +3. Validate filters in integration tests to prevent cross-tenant data leakage.

+
Reference

+
+
+
InformationalN/A
111122223333us-west-2
777788889999us-east-1 FS-25OpenSearch Serverless Encryption Policies PresentFound 5 encryption policy(ies); 5 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys. +
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation +
+
Details

Found 1 encryption policy(ies); 1 use a customer-managed KMS key.

+
Resolution

Verify all vector store collections use customer-managed KMS keys.

+
Reference

+
+
+
High Passed
111122223333
777788889999 us-east-1 FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailed
111122223333us-west-2FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC. +
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation +
+
Details

Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.

+
Resolution

Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.

+
Reference

+
+
+
High Failed
111122223333
777788889999 us-east-1 FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed
111122223333us-west-2FS-27Contextual Grounding Enabled on GuardrailsGuardrails with contextual grounding: nist-ai-rmf-guardrail.No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.HighPassed +
COULD NOT ASSESS: Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). -2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). -3. Set confidenceThreshold on the policy to control strictness. -4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailed
111122223333us-west-2FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). + +
No Automated Reasoning Policies Found
+
+ Details and remediation +
+
Details

No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.

+
Resolution

1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). 2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). 3. Set confidenceThreshold on the policy to control strictness. 4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).

Medium Failed
111122223333
777788889999 us-east-1 FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-west-2FS-28Denied Topics Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).HighPassed
111122223333us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.Informational +
COULD NOT ASSESS: Financial Denied Topics Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
Low N/A
111122223333us-west-2
777788889999us-east-1 FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. + +
ADVISORY: Compliance Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.

+
Resolution

1. Implement post-processing to append required disclaimers to GenAI outputs. 2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. 3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.

Informational N/A
111122223333
777788889999 us-east-1 FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge casesInformationalN/A
111122223333us-west-2FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: + +
ADVISORY: Compliance Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with compliance-specific datasets: - Fair lending test cases (ECOA, Fair Housing Act) - UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge cases

Informational N/A
111122223333
777788889999 us-east-1 FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago -- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.MediumFailed
111122223333us-west-2FS-31Knowledge Base Data Sources Past Review Threshold2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago -- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. + +
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation +
+
Details

1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): +- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago +Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.

+
Resolution

1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. 2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.

Medium Failed
111122223333
777788889999 us-east-1 FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.InformationalN/A
111122223333us-west-2FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. + +
ADVISORY: Source Attribution — Manual Review Required
+
+ Details and remediation +
+
Details

Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.

+
Resolution

1. Use Bedrock RetrieveAndGenerate with citations enabled. 2. Include source document references in response post-processing. 3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.

Informational N/A
111122223333
777788889999 us-east-1 FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.MediumFailed
111122223333us-west-2FS-33KB Data Source Buckets Without VersioningKB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection. +
KB Data Source Buckets Have Versioning
+
+ Details and remediation +
+
Details

All reviewed KB data source buckets have versioning enabled.

+
Resolution

No action required.

+
Reference

+
+
+
MediumFailedPassed
111122223333
777788889999 us-east-1 FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.InformationalN/A
111122223333us-west-2FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). + +
Legacy Foundation Models Available in Region
+
+ Details and remediation +
+
Details

Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.

+
Resolution

1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). 2. Migrate active usage to current model versions. 3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.

Informational N/A
111122223333
777788889999 us-east-1 FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentInformationalN/A
111122223333us-west-2FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: + +
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation or FMEval with harmful content datasets: - Toxicity detection - Hate speech classification -- Violence/self-harm content

Informational N/A
111122223333
777788889999 us-east-1 FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-west-2FS-36Guardrail Content Filters on CLASSIC TierGuardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.HighPassed
111122223333us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.Informational +
COULD NOT ASSESS: Guardrail Content Filters Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
Low N/A
111122223333us-west-2
777788889999us-east-1 FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. + +
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation +
+
Details

User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. 2. Route flagged outputs to human reviewers via SQS/SNS. 3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.

Informational N/A
111122223333
777788889999 us-east-1 FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: -- Enable AWS managed profanity list -- Add custom denylist for prohibited financial terms -- Add allowlist for required regulatory languageMediumFailed
111122223333us-west-2FS-38No Guardrails With Word FiltersFound 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.Add word filters to guardrails: -- Enable AWS managed profanity list -- Add custom denylist for prohibited financial terms -- Add allowlist for required regulatory languageMediumFailed +
COULD NOT ASSESS: Guardrail Word Filters Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailed
111122223333us-west-2FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. + +
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.

+
Resolution

1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. 2. Define protected attributes (age, gender, race proxies). 3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.

High Failed
111122223333us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalN/A
111122223333us-west-2
777788889999us-east-1 FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: + +
ADVISORY: Bias Dataset Coverage — Manual Review Required
+
+ Details and remediation +
+
Details

Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.

+
Resolution

Run Bedrock Model Evaluation with bias test datasets: - Demographic parity test cases - Equal opportunity scenarios -- Counterfactual fairness tests

Informational N/A
111122223333
777788889999 us-east-1 FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.HighFailed
111122223333us-west-2FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. + +
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation +
+
Details

No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).

+
Resolution

1. Configure SageMaker Clarify explainability for credit/lending models. 2. Generate SHAP values for feature importance. 3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.

High Failed
111122223333
777788889999 us-east-1 FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.MediumFailed
111122223333us-west-2FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. + +
No SageMaker Model Cards Found
+
+ Details and remediation +
+
Details

No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.

+
Resolution

1. Create SageMaker Model Cards for all production models. 2. Document: intended use, out-of-scope uses, training data, bias evaluations. 3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.

Medium Failed
111122223333
777788889999 us-east-1 FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.HighFailed
111122223333us-west-2FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. + +
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation +
+
Details

No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.

+
Resolution

1. Create CloudWatch Logs data protection policies to mask PII. 2. Enable masking for: SSN, credit card numbers, bank account numbers, email. 3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.

High Failed
111122223333
777788889999 us-east-1 FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets.HighPassed
111122223333us-west-2FS-44Amazon Macie EnabledAmazon Macie is enabled and scanning S3 buckets.Verify Macie jobs cover training data and KB data source buckets. +
Amazon Macie Not Enabled
+
+ Details and remediation +
+
Details

Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.

+
Resolution

1. Enable Amazon Macie in all regions where AI/ML data is stored. +2. Create Macie classification jobs for training data and KB buckets. +3. Configure Macie findings to route to Security Hub and SNS. +4. Remediate PII findings before using data for model training.

+
Reference

+
+
+
HighPassedFailed
111122223333
777788889999 us-east-1 FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed
111122223333us-west-2FS-45Guardrail PII Filters ConfiguredGuardrails with PII filters: nist-ai-rmf-guardrail.No action required.HighPassed +
COULD NOT ASSESS: Guardrail PII Filters Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.MediumFailed
111122223333us-west-2FS-46AI/ML Buckets Without Data Classification Tags18 AI/ML bucket(s) without data-classification tags: 111122223333-us-east-1-kb-data-bucket, ancbedrocklogging, ancknowledgebase, aws-streaming-data-solut-outputaccesslogsbucket8b-1o7m0kb4bafm4, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, create-customer-resources-kb-bucket-111122223333.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule. +
AI/ML Buckets Without Data Classification Tags
+
+ Details and remediation +
+
Details

3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.

+
Resolution

Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.

+
Reference

+
+
+
Medium Failed
111122223333
777788889999 us-east-1 FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed
111122223333us-west-2FS-47Guardrail Grounding Thresholds AppropriateAll 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.No action required.HighPassed +
COULD NOT ASSESS: Guardrail Grounding Threshold Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required.MediumPassed
111122223333us-west-2FS-48Active Knowledge Bases for RAG PresentFound 3 active Knowledge Base(s) for RAG grounding.No action required. +
Active Knowledge Bases for RAG Present
+
+ Details and remediation +
+
Details

Found 1 active Knowledge Base(s) for RAG grounding.

+
Resolution

No action required.

+
Reference

+
+
+
Medium Passed
111122223333
777788889999 us-east-1 FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.InformationalN/A
111122223333us-west-2FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' + +
ADVISORY: Hallucination Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' 2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.

Informational N/A
111122223333
777788889999 us-east-1 FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed
111122223333us-west-2FS-50Relevance Grounding Filters PresentGuardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.No action required.MediumPassed +
COULD NOT ASSESS: Guardrail Relevance Grounding Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. -2. Set input filter strength to HIGH. -3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. -4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. -5. Implement application-level input sanitization as defense-in-depth.HighFailed
111122223333us-west-2FS-51No Guardrails With Prompt Attack FiltersFound 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails. -2. Set input filter strength to HIGH. -3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream. -4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support. -5. Implement application-level input sanitization as defense-in-depth.HighFailed +
COULD NOT ASSESS: Prompt Injection Input Validation Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
LowN/A
111122223333
777788889999 us-east-1 FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. -2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). -3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). -4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.MediumFailed
111122223333us-west-2FS-52Bedrock Lambda Functions on Deprecated RuntimesFunctions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+. -2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy). -3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto'). -4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes. +
Bedrock Lambda Functions on Current Runtimes
+
+ Details and remediation +
+
Details

All 10 Bedrock Lambda function(s) use current runtimes.

+
Resolution

No action required.

+
Reference

+
+
+
MediumFailedPassed
111122223333
777788889999 us-east-1 FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).InformationalN/A
111122223333us-west-2FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01). +
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF Web ACLs with injection protection rules (see FS-01).

+
Reference

+
+
+
Informational N/A
111122223333
777788889999 us-east-1 FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.InformationalN/A
111122223333us-west-2FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. + +
ADVISORY: Penetration Testing — Manual Review Required
+
+ Details and remediation +
+
Details

Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.

+
Resolution

1. Conduct penetration testing of GenAI applications at least annually and before major releases. 2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. 3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. 4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.

Informational N/A
111122223333
777788889999 us-east-1 FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. + +
No Output Validation Functions Found
+
+ Details and remediation +
+
Details

No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.

+
Resolution

1. Implement output validation Lambda functions in GenAI pipelines. 2. Validate output schema, length, and content before downstream use. 3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).

MediumFailed
111122223333us-west-2FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON). Medium Failed
111122223333us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-west-2FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.InformationalN/A
111122223333us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.
777788889999us-east-1FS-56 +
No WAF ACLs — XSS Prevention Not Applicable
+
+ Details and remediation +
+
Details

No regional WAF Web ACLs found.

+
Resolution

Create WAF ACLs with XSS prevention rules.

+
Reference

+
+
+
Informational N/A
111122223333us-west-2
777788889999us-east-1 FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. + +
ADVISORY: Output Encoding — Manual Review Required
+
+ Details and remediation +
+
Details

Output encoding practices cannot be verified via AWS APIs. Manual code review required.

+
Resolution

1. HTML-encode GenAI outputs before rendering in web UIs. 2. Use parameterized queries when GenAI output is used in database operations. 3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.

Informational N/A
111122223333
777788889999 us-east-1 FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.InformationalN/A
111122223333us-west-2FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. + +
ADVISORY: Output Schema Validation — Manual Review Required
+
+ Details and remediation +
+
Details

Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.

+
Resolution

1. Use Bedrock structured output (response schemas) where supported. 2. Implement JSON schema validation on Lambda output processors. 3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.

Informational N/A
111122223333
777788889999 us-east-1 FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-west-2FS-59Topic Restrictions Configured on CLASSIC TierGuardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).MediumPassed
111122223333us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.Informational +
COULD NOT ASSESS: Guardrail Topic Allowlist Check
+
+ Details and remediation +
+
Details

This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.

+
Resolution

1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). +2. Confirm the service/feature is supported in the assessed region. +3. Ensure botocore meets the version floor in requirements.txt. +4. Re-run the assessment; assess this control manually until it succeeds.

+
Reference

+
+
+
Low N/A
111122223333us-west-2
777788889999us-east-1 FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. + +
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation +
+
Details

Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.

+
Resolution

1. Include explicit scope instructions in system prompts. 2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.

Informational N/A
111122223333
777788889999 us-east-1 FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. -2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. -3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
111122223333us-west-2FS-61No Automated KB Sync Schedules DetectedFound 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. + +
No Automated KB Sync Schedules Detected
+
+ Details and remediation +
+
Details

Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.

+
Resolution

1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. 2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. 3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.

Medium Failed
111122223333
777788889999 us-east-1 FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.InformationalN/A
111122223333us-west-2FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' + +
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation +
+
Details

Data currency disclaimers cannot be verified via AWS APIs. Manual review required.

+
Resolution

1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' 2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.

Informational N/A
111122223333
777788889999 us-east-1 FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required.MediumPassed
111122223333us-west-2FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 10 lifecycle-related Config rule(s) found.No action required. +
Foundation Model Lifecycle Management
+
+ Details and remediation +
+
Details

No legacy models detected. 11 lifecycle-related Config rule(s) found.

+
Resolution

No action required.

+
Reference

+
+
+
Medium Passed
111122223333
777788889999 us-east-1 FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- semiconductor-demo-9999 -- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
111122223333us-west-2FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- semiconductor-demo-9999 -- 111122223333-us-east-1-kb-data-bucket1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. + +
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation +
+
Details

The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: +- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk

+
Resolution

1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. 2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.

Medium Failed
111122223333
777788889999 us-east-1 FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: -- origami_expeditions -- neoCyan_Agent -- customer_support_agent -- cdk_agent_core -- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. -2. Propagate the end-user's identity token to downstream tool services. -3. Ensure tool services validate the propagated identity before executing actions. -4. Do not expose propagated identity tokens to unauthorized third parties. +
No AgentCore Runtimes Found
+
+ Details and remediation +
+
Details

No AgentCore runtimes found; identity propagation check not applicable.

+
Resolution

If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-67 +
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation +
+
Details

The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: +- aiml-security-aiml-security-mgmt-FinServAssessment +- aiml-security-aiml-security-mgmt-AgentCoreAssessment +- aiml-security-aiml-security-mgmt-BedrockAssessment

+
Resolution

1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. +2. Implement threshold enforcement logic in the Lambda handler. +3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. +4. Route transactions exceeding thresholds to a human-in-the-loop approval step.

+
Reference

+
+
+
High Failed
111122223333
777788889999us-east-1FS-68 +
API Gateway Request Body Size Limits — Not Applicable
+
+ Details and remediation +
+
Details

No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.

+
Resolution

If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-69 +
Prompt Input Validation Functions Present
+
+ Details and remediation +
+
Details

Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.

+
Resolution

Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.

+
Reference

+
+
+
MediumPassed
777788889999 us-west-2FS-66AgentCore Runtimes Missing End-User Identity PropagationThe following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user: -- origami_expeditions -- neoCyan_Agent -- customer_support_agent -- cdk_agent_core -- awsapimcpserver1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime. -2. Propagate the end-user's identity token to downstream tool services. -3. Ensure tool services validate the propagated identity before executing actions. -4. Do not expose propagated identity tokens to unauthorized third parties.FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
InformationalN/A
777788889999eu-west-1FS-00 +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
InformationalN/A
777788889999GlobalBR-01 +
AmazonBedrockFullAccess role check
+
+ Details and remediation +
+
Details

Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached

+
Resolution

Limit the AmazonBedrockFullAccess policy only to required access

+
Reference

+
+
+
High Failed
111122223333us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111122223333-FinServAssessment -- aiml-security-aiml-security-111122223333-BedrockAssessment -- resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111122223333-AgentCoreAssessment -- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk -- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII -- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
777788889999GlobalBR-03 +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333us-west-2FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-111122223333-FinServAssessment -- aiml-security-aiml-security-111122223333-BedrockAssessment -- resco-aiml-BedrockAssessment -- aiml-security-aiml-security-111122223333-AgentCoreAssessment -- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk -- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII -- resco-aiml-AgentCoreAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
777788889999GlobalBR-03 +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333us-east-1FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. -2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. -3. Set the max_tokens parameter in Bedrock API calls to cap output length. -4. Implement client-side token counting before submitting requests.Medium
777788889999GlobalBR-03 +
Marketplace Subscription Access Check
+
+ Details and remediation +
+
Details

Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'

+
Resolution

Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.

+
Reference

+
+
+
High Failed
111122223333us-west-2FS-68API Gateway Request Body Size Limits Not EnforcedFound 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400. -2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage. -3. Set the max_tokens parameter in Bedrock API calls to cap output length. -4. Implement client-side token counting before submitting requests.
777788889999us-east-1BR-02 +
Amazon Bedrock private connectivity
+
+ Details and remediation +
+
Details

Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
777788889999us-east-1BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

Model invocation logging is not enabled. This limits your ability to track and audit model usage.

+
Resolution

Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.

+
Reference

+
+
+
Medium Failed
111122223333
777788889999 us-east-1FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

Amazon Bedrock Guardrails are properly configured with 1 guardrails

+
Resolution

No action required. Continue monitoring and updating guardrails as needed.

+
Reference

+
+
+
HighPassed
777788889999us-east-1BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

No action required. Continue monitoring CloudTrail logs for Bedrock activity.

+
Reference

+
+
+
Medium Passed
111122223333us-west-2FS-69Prompt Input Validation Functions PresentFound 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.Medium
777788889999us-east-1BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management is being used with 1 prompts

+
Resolution

No action required. Continue using Prompt Management for consistent and optimized prompts.

+
Reference

+
+
+
Low Passed
111122223333eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
111122223333sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
444455556666
777788889999 us-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/ABR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.

+
Resolution

Investigate error and retry assessment

+
Reference

+
+
+
HighFailed
444455556666us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
777788889999us-east-1BR-09 +
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation +
+
Details

Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.

+
Resolution

1. For OpenSearch Serverless: Verify encryption with CMK at collection level +2. For S3 data sources: Verify CMK-encrypted S3 buckets +3. For RDS: Verify KMS encryption on the database +4. Consider using CMK for transient data during ingestion

+
Reference

+
+
+
Informational N/A
444455556666eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
777788889999us-east-1BR-10 +
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation +
+
Details

The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role

+
Resolution

Add IAM policy conditions to enforce guardrail usage: +1. Use 'bedrock:GuardrailIdentifier' condition key +2. Specify required guardrail ARN or ID +3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}

+
Reference

+
+
+
HighFailed
444455556666ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
777788889999us-east-1BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
444455556666sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.
777788889999us-east-1BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-01AWS Shield Advanced Not EnabledAWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.1. Subscribe to AWS Shield Advanced for DDoS protection. -2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection. -3. Enable Shield Response Team (SRT) access and configure proactive engagement. -4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.LowFailedBR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-01No Regional WAF Web ACLs FoundNo AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP). -2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock. -3. Add AWS Managed Rules for known bad inputs.GlobalBR-15 +
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation +
+
Details

Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Run assessment in management account to check cross-account guardrails enforcement

+
Reference

+
+
+
MediumFailedN/A
777788889999 us-east-1FS-02No API Gateway Usage Plans FoundNo usage plans configured. GenAI API endpoints may have no rate limits.Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-03Bedrock Token Quotas CustomizedFound 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.No action required. Periodically re-review quotas against expected peak load.MediumPassedBR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
HighN/A
777788889999 us-east-1FS-04No Cost Anomaly Detection MonitorsNo AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker. -2. Configure alert subscriptions (SNS/email) for anomalies above threshold. -3. Set daily spend budgets with AWS Budgets as a secondary control.BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.

+
Reference

+
+
+
Medium Failed
777788889999 us-east-1FS-05No Bedrock CloudWatch Alarms FoundNo CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.Create CloudWatch alarms for: -- AWS/Bedrock InvocationThrottles (threshold > 0) -- AWS/Bedrock TokensProcessed (threshold based on quota) -- Custom application-level token counters via EMFBR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
MediumFailedN/A
777788889999 us-east-1FS-06No AI/ML Service Budgets ConfiguredNo AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds. -2. Add SNS notifications to on-call channels. -3. Consider budget actions to apply IAM deny policies when thresholds are breached.MediumFailedBR-20 +
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.

+
Resolution

1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key +2. For Amazon RDS/Aurora: verify KMS encryption on the database +3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration +4. Verify the customer-managed KMS key used for transient data during ingestion

+
Reference

+
+
+
InformationalN/A
777788889999 us-east-1FS-07Agent Action Boundaries Look AppropriateReviewed 1 agent(s); no wildcard sensitive actions found.No action required.HighBR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Continue monitoring quota utilization. Review and adjust quotas as application requirements change.

+
Reference

+
+
+
Low Passed
777788889999 us-east-1FS-08No AgentCore Runtimes FoundNo AgentCore runtimes found; policy engine check not applicable.If using AgentCore, configure the Policy Engine to authorize tool calls.BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-09Agent Lambda Functions Without Concurrency LimitsAgent-related Lambda functions without reserved concurrency: aiml-security-aiml-security-mgmt-FinServAssessment, aiml-sec-test-resources-SageMakerJobCustomResource-ZA5QCAi0pN3d, AIMLSecurityAssessment-CodeBuildStartBuildLambda-VYOqtzWoNo3m, aiml-security-aiml-security-mgmt-CleanupBucket, aiml-security-aiml-security-mgmt-SagemakerAssessment, aiml-security-aiml-security-mgmt-GenerateReport, aiml-security-aiml-security-mgmt-IAMPermissionCaching, aiml-security-aiml-security-mgmt-AgentCoreAssessment, aiml-security-aiml-security-mgmt-BedrockAssessment, aiml-security-aiml-security-mgmt-ResolveRegions. Unlimited concurrency allows runaway agent loops to exhaust account limits.1. Set reserved concurrency on agent Lambda functions. -2. Implement maximum iteration counts in agent orchestration logic. -3. Use Step Functions with MaxConcurrency and timeout states. -4. Add circuit-breaker patterns to agent tool invocations.MediumBR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.

+
Resolution

Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.

+
Reference

+
+
+
Low Failed
777788889999 us-east-1FS-10Human-in-the-Loop Check — No Agent Workflows FoundNo Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-11No Agent Rate Alarms FoundNo CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.Create CloudWatch alarms on: -- Bedrock agent invocation counts (threshold based on expected max) -- Lambda invocation errors for agent functions -- Step Functions execution failures and timeoutsMediumFailedBR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.

+
Reference

+
+
+
InformationalN/A
777788889999 us-east-1FS-12No Bedrock-Scoped SCPs FoundNo Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list. -2. Use bedrock:ModelId condition key to allowlist approved models. -3. Maintain a model inventory and update the SCP when models are approved/retired.HighFailedBR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

1 agents have an associated guardrail

+
Resolution

No action required. Continue associating guardrails with new agents.

+
Reference

+
+
+
LowPassed
777788889999 us-east-1FS-13Models Missing Provenance Tags2 model(s) missing required provenance tags: -- SageMaker model 'SageMakerModelWithIsolation-JASFpUHjajdk' missing tags: {'version', 'approval-date', 'source'} -- SageMaker model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' missing tags: {'version', 'approval-date', 'source'}Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.MediumFailedBR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
HighN/A
777788889999 us-east-1FS-14Model Governance Config Rules PresentFound 13 model-related Config rule(s).No action required.BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
MediumPassedN/A
777788889999 us-east-1FS-15No Bedrock Evaluation Jobs FoundNo Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.1. Run Bedrock Model Evaluation with adversarial/red-team datasets. -2. Use FMEval library for automated robustness testing. -3. Schedule periodic re-evaluation after model updates.BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.

+
Reference

+
+
+
Medium Failed
777788889999 us-east-1FS-16ECR Repositories Without Image Scanning2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.HighAG-07 +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Medium Failed
777788889999 us-east-1FS-20Feature Groups Without Offline Store1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.1. Enable offline store (S3-backed) for all production feature groups. -2. Enable S3 versioning on the offline store bucket. -3. Document rollback procedures for poisoned feature data.AG-08 +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
MediumFailedPassed
777788889999us-east-1FS-21Training Data Buckets Have VersioningAll 2 training bucket(s) have versioning enabled.No action required.HighPassedGlobalAG-09 +
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies

+
Resolution

Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.

+
Reference

+
+
+
InformationalN/A
777788889999 us-east-1FS-22Overly Permissive Knowledge Base IAM Roles823 role(s) with wildcard KB permissions: -- Role 'Admin' allows '*' -- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*' -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases) -- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.HighAG-10 +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Medium Failed
777788889999 us-east-1FS-24ADVISORY: Knowledge Base Metadata Filtering — Manual Review RequiredFound 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.1. Add metadata fields (tenantId, dataClassification) to KB data sources. -2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls. -3. Validate filters in integration tests to prevent cross-tenant data leakage.AG-11 +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-25OpenSearch Serverless Encryption Policies PresentFound 1 encryption policy(ies); 1 use a customer-managed KMS key.Verify all vector store collections use customer-managed KMS keys.HighAG-12 +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Low Passed
777788889999 us-east-1FS-26OpenSearch Serverless Collections Not VPC-RestrictedFound 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.HighFailedAG-02 +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
InformationalN/A
777788889999 us-east-1FS-27COULD NOT ASSESS: Guardrail Contextual Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.LowAG-03 +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Informational N/A
777788889999 us-east-1FS-27No Automated Reasoning Policies FoundNo Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds). -2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail). -3. Set confidenceThreshold on the policy to control strictness. -4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response). -5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).MediumFailedAG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
InformationalN/A
777788889999 us-east-1FS-28COULD NOT ASSESS: Financial Denied Topics CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
LowN/APassed
777788889999 us-east-1FS-29ADVISORY: Compliance Disclaimer — Manual Review RequiredApplication-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.1. Implement post-processing to append required disclaimers to GenAI outputs. -2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures. -3. Document disclaimer requirements in the AI use case register. -4. Test disclaimer presence in QA/UAT before production deployment.AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
MediumFailed
777788889999us-west-2BR-02 +
Amazon Bedrock private connectivity check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess private connectivity

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-30ADVISORY: Compliance Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with compliance-specific datasets: -- Fair lending test cases (ECOA, Fair Housing Act) -- UDAP/UDAAP unfair/deceptive practice scenarios -- AML/KYC edge casesus-west-2BR-04 +
Bedrock Model Invocation Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with invocation logging

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-31Knowledge Base Data Sources Past Review Threshold1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit): -- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago -Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match. -2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61. -3. Set CloudWatch alarms on sync job failures.MediumFailedus-west-2BR-05 +
Bedrock Guardrails Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to protect with guardrails

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-32ADVISORY: Source Attribution — Manual Review RequiredSource attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.1. Use Bedrock RetrieveAndGenerate with citations enabled. -2. Include source document references in response post-processing. -3. Test citation accuracy in QA before production deployment. -4. Consider Bedrock Guardrails grounding checks to validate response accuracy.us-west-2BR-06 +
Bedrock CloudTrail Logging Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-33KB Data Source Buckets Have VersioningAll reviewed KB data source buckets have versioning enabled.No action required.MediumPassedus-west-2BR-07 +
Bedrock Prompt Management Check
+
+ Details and remediation +
+
Details

Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.

+
Resolution

Implement Prompt Management to: +1. Create and version your prompts +2. Test different prompt variants +3. Share prompts across your organization +4. Maintain consistent prompt templates

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-34Legacy Foundation Models Available in RegionLegacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config). -2. Migrate active usage to current model versions. -3. Document training-data cutoff dates for all models in use. -4. Add data-currency disclaimers to outputs from models with old cutoffs.us-west-2BR-08 +
Bedrock Agent IAM Roles Check
+
+ Details and remediation +
+
Details

No Bedrock agents found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-35ADVISORY: Harmful-Content Test Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation or FMEval with harmful content datasets: -- Toxicity detection -- Hate speech classification -- Violence/self-harm contentus-west-2BR-09 +
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation +
+
Details

No Knowledge Bases found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-36COULD NOT ASSESS: Guardrail Content Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.Lowus-west-2BR-10 +
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation +
+
Details

No guardrails configured - IAM enforcement check not applicable

+
Resolution

Configure Bedrock Guardrails first, then enforce their use via IAM policies

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-37ADVISORY: User Feedback Mechanism — Manual Review RequiredUser feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.1. Implement thumbs-up/down or flag-for-review UI in GenAI applications. -2. Route flagged outputs to human reviewers via SQS/SNS. -3. Log feedback to DynamoDB/S3 for model improvement. -4. Define SLAs for reviewing flagged content.us-west-2BR-11 +
Bedrock Custom Model Encryption Check
+
+ Details and remediation +
+
Details

No custom/fine-tuned models found in the account

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-38COULD NOT ASSESS: Guardrail Word Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.Lowus-west-2BR-12 +
Bedrock Invocation Log Encryption Check
+
+ Details and remediation +
+
Details

Model invocation logging to S3 is not configured

+
Resolution

If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-39No SageMaker Clarify Bias MonitoringNo SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions. -2. Define protected attributes (age, gender, race proxies). -3. Set bias metric thresholds and alert on violations. -4. Document bias testing results for regulatory examination.HighFailedus-west-2BR-13 +
Bedrock Flows Guardrails Check
+
+ Details and remediation +
+
Details

No Bedrock Flows found in the account

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-east-1FS-40ADVISORY: Bias Dataset Coverage — Manual Review RequiredBedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.Run Bedrock Model Evaluation with bias test datasets: -- Demographic parity test cases -- Equal opportunity scenarios -- Counterfactual fairness testsInformationalus-west-2BR-16 +
Guardrail Tier Validation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create Bedrock guardrails with Standard tier for enhanced content filtering and protection

+
Reference

+
+
+
Medium N/A
777788889999us-east-1FS-41No SageMaker Clarify Explainability MonitoringNo SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).1. Configure SageMaker Clarify explainability for credit/lending models. -2. Generate SHAP values for feature importance. -3. Map top features to human-readable adverse action reason codes. -4. Store explanations for regulatory examination.us-west-2BR-17 +
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No custom (fine-tuned) Bedrock models found in this region

+
Resolution

When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
HighFailedN/A
777788889999us-east-1FS-42No SageMaker Model Cards FoundNo SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.1. Create SageMaker Model Cards for all production models. -2. Document: intended use, out-of-scope uses, training data, bias evaluations. -3. Include regulatory compliance attestations. -4. Review and update cards at each model version release.us-west-2BR-18 +
Model Evaluation Implementation Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
777788889999us-west-2BR-19 +
Prompt Flow Validation Check
+
+ Details and remediation +
+
Details

No Bedrock prompt flows configured in this region

+
Resolution

When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment

+
Reference

+
+
+
MediumFailedN/A
777788889999us-east-1FS-43No CloudWatch Logs Data Protection PoliciesNo CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.1. Create CloudWatch Logs data protection policies to mask PII. -2. Enable masking for: SSN, credit card numbers, bank account numbers, email. -3. Apply policies to Bedrock invocation log groups. -4. Test masking with synthetic PII before production deployment.us-west-2BR-20 +
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption

+
Reference

+
+
+
HighFailedN/A
777788889999us-east-1FS-44Amazon Macie Not EnabledAmazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.1. Enable Amazon Macie in all regions where AI/ML data is stored. -2. Create Macie classification jobs for training data and KB buckets. -3. Configure Macie findings to route to Security Hub and SNS. -4. Remediate PII findings before using data for model training.us-west-2BR-21 +
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents with action groups, ensure Lambda execution roles follow least privilege principles

+
Reference

+
+
+
HighFailedN/A
777788889999us-east-1FS-45COULD NOT ASSESS: Guardrail PII Filters CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.Lowus-west-2BR-22 +
Model Invocation Throttling Limits Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-west-2BR-23 +
Guardrail Content Filter Coverage Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds

+
Reference

+
+
+
HighN/A
777788889999us-east-1FS-46AI/ML Buckets Without Data Classification Tags3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.us-west-2BR-24 +
Automated Reasoning Policy Implementation Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with Automated Reasoning policies for formal verification of model responses

+
Reference

+
+
+
MediumFailedN/A
777788889999us-east-1FS-47COULD NOT ASSESS: Guardrail Grounding Threshold CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.us-west-2BR-25 +
RAG Evaluation Jobs Check
+
+ Details and remediation +
+
Details

No Bedrock knowledge bases found in this region

+
Resolution

When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations

+
Reference

+
+
+
Low N/A
777788889999us-east-1FS-48Active Knowledge Bases for RAG PresentFound 1 active Knowledge Base(s) for RAG grounding.No action required.us-west-2BR-26 +
Guardrail Sensitive Information Filter Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses

+
Reference

+
+
+
HighN/A
777788889999us-west-2BR-27 +
Guardrail Contextual Grounding Check
+
+ Details and remediation +
+
Details

No Bedrock guardrails configured in this region

+
Resolution

Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications

+
Reference

+
+
+
MediumPassedN/A
777788889999us-east-1FS-49ADVISORY: Hallucination Disclaimer — Manual Review RequiredApplication-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.' -2. Implement post-processing to append disclaimers. -3. Test disclaimer presence in QA before production.Informationalus-west-2BR-28 +
Agent Guardrail Association Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics

+
Reference

+
+
+
High N/A
777788889999us-east-1FS-50COULD NOT ASSESS: Guardrail Relevance Grounding CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.us-west-2BR-29 +
Agent Idle Session TTL Check
+
+ Details and remediation +
+
Details

No Bedrock agents configured in this region

+
Resolution

When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable

+
Reference

+
+
+
Low N/A
777788889999us-east-1FS-51COULD NOT ASSESS: Prompt Injection Input Validation CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.Lowus-west-2BR-30 +
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation +
+
Details

No imported custom Bedrock models found in this region

+
Resolution

When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys

+
Reference

+
+
+
High N/A
777788889999us-east-1FS-52Bedrock Lambda Functions on Current RuntimesAll 10 Bedrock Lambda function(s) use current runtimes.No action required.us-west-2BR-31 +
Batch Inference Output Encryption Check
+
+ Details and remediation +
+
Details

No Bedrock batch inference (model invocation) jobs found in this region

+
Resolution

When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output

+
Reference

+
+
+
MediumPassedN/A
777788889999us-east-1FS-53No WAF Web ACLs — Injection Rules Not ApplicableNo regional WAF Web ACLs found.Create WAF Web ACLs with injection protection rules (see FS-01).us-west-2BR-32 +
Bedrock CloudWatch Alarm Check
+
+ Details and remediation +
+
Details

No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-54ADVISORY: Penetration Testing — Manual Review RequiredPenetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.1. Conduct penetration testing of GenAI applications at least annually and before major releases. -2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts. -3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it. -4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail. -5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.us-west-2AG-07 +
Agentic AI Model Invocation Logging
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging

+
Resolution

Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-55No Output Validation Functions FoundNo Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.1. Implement output validation Lambda functions in GenAI pipelines. -2. Validate output schema, length, and content before downstream use. -3. Sanitize outputs before rendering in web UIs (XSS prevention). -4. Encode outputs appropriately for the target context (HTML, SQL, JSON).MediumFailed
777788889999us-east-1FS-56No WAF ACLs — XSS Prevention Not ApplicableNo regional WAF Web ACLs found.Create WAF ACLs with XSS prevention rules.us-west-2AG-08 +
Agentic AI API Audit Trail
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage

+
Resolution

Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-57ADVISORY: Output Encoding — Manual Review RequiredOutput encoding practices cannot be verified via AWS APIs. Manual code review required.1. HTML-encode GenAI outputs before rendering in web UIs. -2. Use parameterized queries when GenAI output is used in database operations. -3. JSON-encode outputs before embedding in JavaScript contexts. -4. Validate output length and format before passing to downstream APIs.us-west-2AG-10 +
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs

+
Resolution

Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-58ADVISORY: Output Schema Validation — Manual Review RequiredFound 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.1. Use Bedrock structured output (response schemas) where supported. -2. Implement JSON schema validation on Lambda output processors. -3. Reject malformed outputs and return safe error responses. -4. Log schema validation failures to CloudWatch for monitoring.us-west-2AG-11 +
Agentic AI Prompt Flow Validation
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region

+
Resolution

Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-59COULD NOT ASSESS: Guardrail Topic Allowlist CheckThis check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README). -2. Confirm the service/feature is supported in the assessed region. -3. Ensure botocore meets the version floor in requirements.txt. -4. Re-run the assessment; assess this control manually until it succeeds.Lowus-west-2AG-06 +
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region

+
Resolution

Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-60ADVISORY: Contextual Grounding for Off-Topic PreventionContextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.1. Include explicit scope instructions in system prompts. -2. Use Bedrock Guardrails relevance grounding filter. -3. Test with off-topic prompts in QA to verify rejection behavior.us-west-2AG-12 +
Agentic AI Invocation Abuse Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas

+
Resolution

Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-61No Automated KB Sync Schedules DetectedFound 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature. -2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync. -3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance). -4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.MediumFailed
777788889999us-east-1FS-62ADVISORY: Data Currency Disclaimer — Manual Review RequiredData currency disclaimers cannot be verified via AWS APIs. Manual review required.1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].' -2. Expose KB last sync timestamp in application responses. -3. Alert users when KB data is older than defined threshold.us-west-2AG-02 +
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-63Foundation Model Lifecycle ManagementNo legacy models detected. 11 lifecycle-related Config rule(s) found.No action required.MediumPassed
777788889999us-east-1FS-65KB Data Source Buckets Missing S3 Event NotificationsThe following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time: -- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket. -2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting. -3. Integrate alerts into your security incident response workflow.MediumFailed
777788889999us-east-1FS-66No AgentCore Runtimes FoundNo AgentCore runtimes found; identity propagation check not applicable.If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.us-west-2AG-04 +
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region

+
Resolution

Configure automated reasoning policies on guardrails where formal response validation is required.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-67Agent Action-Group Lambdas May Lack Transaction ThresholdsThe following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions: -- aiml-security-aiml-security-mgmt-FinServAssessment -- aiml-security-aiml-security-mgmt-AgentCoreAssessment -- aiml-security-aiml-security-mgmt-BedrockAssessment1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda. -2. Implement threshold enforcement logic in the Lambda handler. -3. Configure AgentCore Policy Engine rules to cap financial transaction amounts. -4. Route transactions exceeding thresholds to a human-in-the-loop approval step.HighFailed
777788889999us-east-1FS-68API Gateway Request Body Size Limits — Not ApplicableNo API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.us-west-2AG-03 +
Agentic AI Sensitive Information Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region

+
Resolution

Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.

+
Reference

+
+
+
Informational N/A
777788889999us-east-1FS-69Prompt Input Validation Functions PresentFound 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.MediumPassed
777788889999 us-west-2FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.AG-05 +
Agentic AI Grounding Controls
+
+ Details and remediation +
+
Details

Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region

+
Resolution

Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.

+
Reference

+
+
+
Informational N/A
777788889999eu-west-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.us-west-2AG-01 +
Agentic AI Agent Guardrail Association
+
+ Details and remediation +
+
Details

Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region

+
Resolution

Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.

+
Reference

+
+
+
Informational N/A
777788889999ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.us-west-2AG-13 +
Agentic AI Session Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region

+
Resolution

Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.

+
Reference

+
+
+
Informational N/A
777788889999sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.us-west-2AG-14 +
Agentic AI Operational Abuse Alarms
+
+ Details and remediation +
+
Details

Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms

+
Resolution

Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.

+
Reference

+
+
+
Informational N/A
+
+ +
+
Amazon Bedrock Findings
+
+ +
+
Failed
50
Open findings
+
Passed
18
Controls met
+
N/A
225
Not applicable
+
Total
293
Rows in report
+
+
+ + +
+
+
+
+
Amazon SageMaker Findings
+
+ +
+
Failed
34
Open findings
+
Passed
37
Controls met
+
N/A
190
Not applicable
+
Total
261
Rows in report
+
+
+ + +
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+ +
+
Failed
39
Open findings
+
Passed
3
Controls met
+
N/A
80
Not applicable
+
Total
122
Rows in report
+
+
+ + +
+
+
+
Agentic AI Security Findings
+

Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.

+
+
Failed
47
Open findings
+
Passed
18
Controls met
+
N/A
179
Not applicable
+
Total
244
Rows in report
+
+
+ + +
+
+
Financial Services GenAI Risk Findings
+

Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology.

+
+
Failed
90
Open findings
+
Passed
40
Controls met
+
N/A
74
Not applicable
+
Total
204
Rows in report
+
+
+ + +
+
Assessment Methodology
-

Severity Levels & Status Values

HighDirect security riskFailedRemediation needed
MediumDefense-in-depth gapPassedMeets requirements
LowBest practiceN/ANot applicable
InformationalNo action required
-

Remediation Guidance

High7 daysAddress immediately; block deployment if unresolved
Medium30 daysSchedule in next sprint; may require change window
Low90 daysInclude in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Agentic AI Security
Agentic AI Security Lens Mapping
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Agentic AI Security references the AWS Well-Architected Agentic AI Lens. Controls that cannot be proven using AWS APIs, including semantic human-in-the-loop workflow quality, are not automatically scored. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

@@ -38142,7 +21221,7 @@

{ + button.addEventListener('click', function() { + const status = this.hasAttribute('data-filter-status') ? this.dataset.filterStatus : 'failed'; + filterFindings(this.dataset.filterService, status); + }); + }); window.addEventListener('scroll', () => { const sections = document.querySelectorAll('.section'); let current = ''; @@ -38216,58 +21307,6 @@

By Service

-
Security Checks
97
Evaluated across 5 regions
-
Total Findings
462
Across 5 regions
-
Actionable Findings
100
High, Medium, and Low severity
-
High Severity
4/41
9.8% passed · Immediate action required
-
Medium Severity
15/41
36.6% passed · Should be addressed
-
Low Severity
5/18
27.8% passed · Best practices
+
Security Checks
97
Evaluated across 3 regions
+
Total Findings
282
Across 3 regions
+
Actionable Findings
6
Failed High, Medium, and Low findings
+
High Severity
4/29
13.8% passed · Immediate action required
+
Medium Severity
9/25
36.0% passed · Should be addressed
+
Low Severity
3/10
30.0% passed · Best practices

Priority Recommendations

3
@@ -275,9714 +283,4026 @@

Security Assessment Overview

+
+
Risk Distribution
+

Pass Rate by Severity

+
+
HIGH
13.8%
4 of 29 checks passed
+
MEDIUM
36.0%
9 of 25 checks passed
+
LOW
30.0%
3 of 10 checks passed
+
Overall
25.0%
16 of 64 scored checks passed
+
+ +

Risk by Region / Scope

+
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
Global
6
5 High · 1 Med · 0 Low
+

Findings by Assessment Area

+
+
Bedrock
89
4 Failed · 1 Passed
+
SageMaker
82
0 Failed · 13 Passed
+
AgentCore
33
1 Failed · 1 Passed
+
Agentic AI Security
75
1 Failed · 1 Passed
+
Financial Services Risk
3
0 Failed · 0 Passed
+
+
All Security Findings
-
+
-
+
-
+
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
- + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - +4. Maintain consistent prompt templates

+
Reference

+ + + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - +4. Maintain consistent prompt templates

+
Reference

+ + + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + + + + + + + + + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - - + + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + + + + + + + + + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - +4. Maintain consistent prompt templates

+
Reference

+ + + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - - + + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - + - + - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
-
Risk Distribution
-

Pass Rate by Severity

-
-
HIGH
9.8%
4 of 41 checks passed
-
MEDIUM
36.6%
15 of 41 checks passed
-
LOW
27.8%
5 of 18 checks passed
-
Overall
24.0%
24 of 100 actionable checks
-
- -

Risk by Region

-
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
-

Findings by Assessment Area

-
-
Bedrock
145
4 Failed · 1 Passed
-
SageMaker
136
0 Failed · 21 Passed
-
AgentCore
53
1 Failed · 1 Passed
-
Agentic AI Security
123
1 Failed · 1 Passed
-
Financial Services Risk
5
0 Failed · 0 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
- -
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012ap-south-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012ap-south-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012ap-south-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012ap-south-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
123456789012ap-south-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012ap-south-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012ap-south-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012ap-south-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012ap-south-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012ap-south-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012ap-south-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012ap-south-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012ap-south-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012ap-south-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012ap-south-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012ap-south-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012ap-south-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012ap-south-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012ap-south-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012ap-south-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012ap-south-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012ap-south-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012ap-south-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012ap-south-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012eu-west-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012eu-west-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012eu-west-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012eu-west-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012eu-west-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
123456789012eu-west-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012eu-west-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012eu-west-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012eu-west-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012eu-west-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012eu-west-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012eu-west-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012eu-west-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012eu-west-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012eu-west-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012eu-west-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012eu-west-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012eu-west-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012eu-west-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012eu-west-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012eu-west-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012eu-west-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012eu-west-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012eu-west-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012eu-west-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012sa-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012sa-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012sa-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012sa-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012sa-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
123456789012sa-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012sa-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012sa-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012sa-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012sa-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012sa-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012sa-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012sa-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012sa-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012sa-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012sa-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012sa-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012sa-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012sa-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012sa-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012sa-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012sa-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012sa-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckUnable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.LowN/A
123456789012sa-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012sa-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012GlobalBR-01AmazonBedrockFullAccess role checkNo roles found with AmazonBedrockFullAccess policyNo action requiredHighPassed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012GlobalBR-03Marketplace Subscription Access CheckRole 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.HighFailed
123456789012us-east-1BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012us-east-1BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012us-east-1BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012us-east-1BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012us-east-1BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
123456789012us-east-1BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012us-east-1BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012us-east-1BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012us-east-1BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012GlobalBR-15Cross-Account Guardrails Enforcement CheckBedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.HighFailed
123456789012us-east-1BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012us-east-1BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-east-1BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012us-east-1BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012us-east-1BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012us-east-1BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012us-east-1BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012us-east-1BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012us-east-1BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012us-east-1BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012us-east-1BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012us-east-1BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012us-east-1BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012us-east-1BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012us-east-1BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-east-1BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012us-east-1BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
123456789012us-west-2BR-02Amazon Bedrock private connectivity checkNo regional Bedrock resources found to assess private connectivityNo action requiredInformationalN/A
123456789012us-west-2BR-04Bedrock Model Invocation Logging CheckNo regional Bedrock resources found to monitor with invocation loggingNo action requiredInformationalN/A
123456789012us-west-2BR-05Bedrock Guardrails CheckNo regional Bedrock resources found to protect with guardrailsNo action requiredInformationalN/A
123456789012us-west-2BR-06Bedrock CloudTrail Logging CheckNo regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageNo action requiredInformationalN/A
123456789012us-west-2BR-07Bedrock Prompt Management CheckPrompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.Implement Prompt Management to: -1. Create and version your prompts -2. Test different prompt variants -3. Share prompts across your organization -4. Maintain consistent prompt templatesInformationalN/A
123456789012us-west-2BR-08Bedrock Agent IAM Roles CheckNo Bedrock agents found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-09Bedrock Knowledge Base Encryption CheckNo Knowledge Bases found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-10Bedrock Guardrail IAM Enforcement CheckNo guardrails configured - IAM enforcement check not applicableConfigure Bedrock Guardrails first, then enforce their use via IAM policiesInformationalN/A
123456789012us-west-2BR-11Bedrock Custom Model Encryption CheckNo custom/fine-tuned models found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-12Bedrock Invocation Log Encryption CheckModel invocation logging to S3 is not configuredIf logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryptionInformationalN/A
123456789012us-west-2BR-13Bedrock Flows Guardrails CheckNo Bedrock Flows found in the accountNo action requiredInformationalN/A
123456789012us-west-2BR-16Guardrail Tier Validation CheckNo Bedrock guardrails configured in this regionCreate Bedrock guardrails with Standard tier for enhanced content filtering and protectionMediumN/A
123456789012us-west-2BR-17Custom Model Customer-Managed KMS Encryption CheckNo custom (fine-tuned) Bedrock models found in this regionWhen creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-west-2BR-18Model Evaluation Implementation CheckNo regional Bedrock resources found to assess with model evaluation jobsNo action requiredInformationalN/A
123456789012us-west-2BR-19Prompt Flow Validation CheckNo Bedrock prompt flows configured in this regionWhen creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deploymentMediumN/A
123456789012us-west-2BR-20Knowledge Base Customer-Managed KMS Encryption CheckNo Bedrock knowledge bases found in this regionWhen creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryptionHighN/A
123456789012us-west-2BR-21Agent Action Group IAM Least Privilege CheckNo Bedrock agents configured in this regionWhen creating agents with action groups, ensure Lambda execution roles follow least privilege principlesHighN/A
123456789012us-west-2BR-22Model Invocation Throttling Limits CheckNo regional Bedrock resources found to assess model invocation throttling quotasNo action requiredInformationalN/A
123456789012us-west-2BR-23Guardrail Content Filter Coverage CheckNo Bedrock guardrails configured in this regionCreate guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholdsHighN/A
123456789012us-west-2BR-24Automated Reasoning Policy Implementation CheckNo Bedrock guardrails configured in this regionCreate guardrails with Automated Reasoning policies for formal verification of model responsesMediumN/A
123456789012us-west-2BR-25RAG Evaluation Jobs CheckNo Bedrock knowledge bases found in this regionWhen implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinationsLowN/A
123456789012us-west-2BR-26Guardrail Sensitive Information Filter CheckNo Bedrock guardrails configured in this regionCreate guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responsesHighN/A
123456789012us-west-2BR-27Guardrail Contextual Grounding CheckNo Bedrock guardrails configured in this regionCreate guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applicationsMediumN/A
123456789012us-west-2BR-28Agent Guardrail Association CheckNo Bedrock agents configured in this regionWhen creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topicsHighN/A
123456789012us-west-2BR-29Agent Idle Session TTL CheckNo Bedrock agents configured in this regionWhen creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumableLowN/A
123456789012us-west-2BR-30Imported Model Customer-Managed KMS Encryption CheckNo imported custom Bedrock models found in this regionWhen importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keysHighN/A
123456789012us-west-2BR-31Batch Inference Output Encryption CheckNo Bedrock batch inference (model invocation) jobs found in this regionWhen creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job outputMediumN/A
123456789012us-west-2BR-32Bedrock CloudWatch Alarm CheckNo regional Bedrock resources found to monitor with CloudWatch alarmsNo action requiredInformationalN/A
-
-
-
Amazon SageMaker Findings
-
-
- -
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012ap-south-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012ap-south-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012ap-south-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012ap-south-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012ap-south-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012ap-south-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012ap-south-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012ap-south-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012ap-south-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012ap-south-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012ap-south-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012ap-south-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012ap-south-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012ap-south-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012ap-south-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012ap-south-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012ap-south-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012ap-south-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012ap-south-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012ap-south-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012ap-south-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012eu-west-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012eu-west-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012eu-west-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012eu-west-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012eu-west-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012eu-west-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012eu-west-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012eu-west-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012eu-west-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012eu-west-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012eu-west-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012eu-west-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012eu-west-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012eu-west-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012eu-west-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012eu-west-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012eu-west-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012eu-west-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012eu-west-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012eu-west-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012eu-west-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012eu-west-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012sa-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012sa-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012sa-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012sa-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012sa-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012sa-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012sa-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012sa-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012sa-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012sa-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012sa-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012sa-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012sa-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012sa-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012sa-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012sa-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012sa-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012sa-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012sa-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012sa-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012sa-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012sa-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012GlobalSM-02SageMaker IAM Permissions CheckNo issues found with IAM permissions and no stale access detectedNo action requiredHighPassed
123456789012us-east-1SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-east-1SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-east-1SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-east-1SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-east-1SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-east-1SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-east-1SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-east-1SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-east-1SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-east-1SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-east-1SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-east-1SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-east-1SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-east-1SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-east-1SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-east-1SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-east-1SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-east-1SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-east-1SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-east-1SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-east-1SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-east-1SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
123456789012us-west-2SM-01SageMaker Internet Access CheckNo SageMaker notebook instances or domains found to checkNo action requiredInformationalN/A
123456789012us-west-2SM-02SageMaker SSO Configuration CheckNo SageMaker domains found, or all domains use SSO with IAM Identity Center configuredNo action requiredMediumPassed
123456789012us-west-2SM-03Data Protection CheckNo SageMaker resources found to check for data protectionNo action requiredInformationalN/A
123456789012us-west-2SM-04GuardDuty EnabledAmazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.No action requiredMediumPassed
123456789012us-west-2SM-05SageMaker Model Registry IssueNo model package groups foundImplement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deploymentInformationalN/A
123456789012us-west-2SM-05SageMaker Feature Store IssueNo feature groups foundUtilize SageMaker Feature Store to create, share, and manage features for machine learning development and productionInformationalN/A
123456789012us-west-2SM-05SageMaker Pipelines IssueNo ML pipelines foundImplement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deploymentInformationalN/A
123456789012us-west-2SM-06SageMaker Clarify No Clarify UsageNo SageMaker Clarify jobs foundImplement SageMaker Clarify for model explainability and bias detectionInformationalN/A
123456789012us-west-2SM-07SageMaker Model Monitor No Model MonitoringNo Model Monitor schedules foundConfigure comprehensive model monitoring schedulesInformationalN/A
123456789012us-west-2SM-08Model Registry Registry Not UsedModel Registry is not being utilizedImplement proper model versioning and approval workflowsInformationalN/A
123456789012us-west-2SM-09SageMaker Notebook Root Access CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-10SageMaker Notebook VPC Deployment CheckNo notebook instances foundNo action requiredInformationalN/A
123456789012us-west-2SM-11SageMaker Model Network Isolation CheckNo models foundNo action requiredInformationalN/A
123456789012us-west-2SM-12SageMaker Endpoint Instance Count CheckNo InService endpoints foundNo action requiredInformationalN/A
123456789012us-west-2SM-13SageMaker Monitoring Network Isolation CheckNo monitoring schedules foundNo action requiredInformationalN/A
123456789012us-west-2SM-14SageMaker Model Repository Access CheckNo models found or all use default Platform accessNo action requiredInformationalN/A
123456789012us-west-2SM-15SageMaker Feature Store Encryption CheckNo feature groups with offline stores foundNo action requiredInformationalN/A
123456789012us-west-2SM-16SageMaker Data Quality Job Encryption CheckNo data quality job definitions foundNo action requiredInformationalN/A
123456789012us-west-2SM-17SageMaker Processing Job Encryption CheckNo processing jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-18SageMaker Transform Job Encryption CheckNo transform jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-19SageMaker Hyperparameter Tuning Job Encryption CheckNo hyperparameter tuning jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-20SageMaker Compilation Job Encryption CheckNo compilation jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-21SageMaker AutoML Job Network Isolation CheckNo AutoML jobs foundNo action requiredInformationalN/A
123456789012us-west-2SM-22Model Approval Workflow CheckNo model package groups found. Model Registry is not being used for model governance.Implement Model Registry to track model versions and enforce approval workflows before production deployment.InformationalN/A
123456789012us-west-2SM-23Model Drift Detection CheckNo InService endpoints found to monitor.No action requiredMediumPassed
123456789012us-west-2SM-24A/B Testing and Shadow Deployment CheckNo InService endpoints found.No action requiredLowPassed
123456789012us-west-2SM-25ML Lineage Tracking - Experiments Not UsedNo SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.InformationalN/A
-
-
-
Amazon Bedrock AgentCore Findings
-
-
- -
-
-
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - - - - - - + + + - + - - - - - - - - + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012ap-south-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012ap-south-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012ap-south-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012ap-south-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012eu-west-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012eu-west-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012eu-west-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012 eu-west-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredSM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 eu-west-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012sa-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012sa-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012sa-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012sa-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012sa-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012GlobalAC-02AgentCore IAM Full Access CheckNo roles with overly permissive AgentCore access foundNo action requiredHighPassed
123456789012GlobalAC-03AgentCore Unused PermissionsThe following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Review and remove unused AgentCore permissions following least privilege principleInformationalN/A
123456789012GlobalAC-09AgentCore Service-Linked Role MissingService-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumFailed
123456789012us-east-1AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/A
123456789012us-east-1AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-east-1AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredInformationalN/A
123456789012us-east-1AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredInformationalN/A
123456789012us-east-1AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredInformationalN/A
123456789012us-west-2AC-01AgentCore VPC Configuration CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-04AgentCore Observability CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-05AgentCore Encryption CheckNo AgentCore resources foundNo action requiredInformationalN/A
123456789012us-west-2AC-06AgentCore Browser Tool Recording CheckNo AgentCore Runtimes found to check browser tool configurationNo action requiredInformationalN/APassed
123456789012us-west-2AC-07AgentCore Memory Configuration CheckNo Memory resources foundNo action requiredeu-west-1SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012us-west-2AC-13AgentCore Gateway Configuration CheckNo Gateway resources foundNo action requiredInformationalN/Aeu-west-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-west-2AC-08AgentCore VPC Endpoints CheckNo AgentCore resources foundNo action requiredeu-west-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
123456789012us-west-2AC-10AgentCore Resource-Based Policies CheckNo AgentCore resources found to check for resource-based policiesNo action requiredeu-west-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
123456789012us-west-2AC-11AgentCore Policy Engine Encryption CheckNo Policy Engines foundNo action requiredeu-west-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
123456789012us-west-2AC-12AgentCore Gateway Encryption CheckNo Gateways foundNo action requiredeu-west-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
-
-
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
+ + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - - - + + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - + + - + - - - - - - - - + + + + + - + - - - - - - - + + + + - + - - - - - + + - + - - - - - - + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - + + - + - - - - - - + + + + + + + + + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + @@ -9990,10 +4310,17 @@

Agentic AI Gateway Inbound Authorization -

- - + @@ -10001,10 +4328,17 @@

Agentic AI Gateway Tool Policy Enforcement -

- - + @@ -10012,10 +4346,17 @@

Agentic AI Gateway Error Detail Exposure -

- - + @@ -10023,10 +4364,17 @@

Agentic AI Gateway WAF Protection -

- - + @@ -10034,10 +4382,17 @@

Agentic AI Runtime Network Boundary -

- - + @@ -10045,10 +4400,17 @@

Agentic AI AgentCore Observability -

- - + @@ -10056,10 +4418,17 @@

Agentic AI Memory Data Protection -

- - + @@ -10067,10 +4436,17 @@

Agentic AI Private AgentCore Connectivity -

- - + @@ -10078,10 +4454,17 @@

Agentic AI Resource Policy Boundary -

- - + @@ -10089,10 +4472,17 @@

Agentic AI Policy Engine Data Protection -

- - + @@ -10100,131 +4490,251 @@

Agentic AI Gateway Data Protection -

- - + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + + + + + + + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + - + - - - - - - + + + @@ -10232,10 +4742,17 @@

Agentic AI Gateway Inbound Authorization -

- - + @@ -10243,10 +4760,17 @@

Agentic AI Gateway Tool Policy Enforcement -

- - + @@ -10254,10 +4778,17 @@

Agentic AI Gateway Error Detail Exposure -

- - + @@ -10265,10 +4796,17 @@

Agentic AI Gateway WAF Protection -

- - + @@ -10276,10 +4814,17 @@

Agentic AI AgentCore Least Privilege -

- - + @@ -10287,10 +4832,17 @@

Agentic AI Stale AgentCore Access -

- - + @@ -10298,10 +4850,17 @@

Agentic AI Runtime Network Boundary -

- - + @@ -10309,10 +4868,17 @@

Agentic AI AgentCore Observability -

- - + @@ -10320,10 +4886,17 @@

Agentic AI Memory Data Protection -

- - + @@ -10331,10 +4904,17 @@

Agentic AI Private AgentCore Connectivity -

- - + @@ -10342,10 +4922,17 @@

Agentic AI Resource Policy Boundary -

- - + @@ -10353,10 +4940,17 @@

Agentic AI Policy Engine Data Protection -

- - + @@ -10364,10 +4958,197 @@

Agentic AI Gateway Data Protection -

- - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -10375,10 +5156,17 @@

Agentic AI Gateway Inbound Authorization -

- - + @@ -10386,10 +5174,17 @@

Agentic AI Gateway Tool Policy Enforcement -

- - + @@ -10397,10 +5192,17 @@

Agentic AI Gateway Error Detail Exposure -

- - + @@ -10408,10 +5210,17 @@

Agentic AI Gateway WAF Protection -

- - + @@ -10419,10 +5228,17 @@

Agentic AI Runtime Network Boundary -

- - + @@ -10430,10 +5246,17 @@

Agentic AI AgentCore Observability -

- - + @@ -10441,10 +5264,17 @@

Agentic AI Memory Data Protection -

- - + @@ -10452,10 +5282,17 @@

Agentic AI Private AgentCore Connectivity -

- - + @@ -10463,10 +5300,17 @@

Agentic AI Resource Policy Boundary -

- - + @@ -10474,10 +5318,17 @@

Agentic AI Policy Engine Data Protection -

- - + @@ -10485,21 +5336,35 @@

Agentic AI Gateway Data Protection -

- - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012ap-south-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.eu-west-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.eu-west-1SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.eu-west-1SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.eu-west-1SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.eu-west-1SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.eu-west-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.eu-west-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.eu-west-1SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.eu-west-1SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.eu-west-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.eu-west-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.eu-west-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.eu-west-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 eu-west-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 eu-west-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 eu-west-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
123456789012 eu-west-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.InformationalN/ASM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012 eu-west-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.InformationalN/ASM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
123456789012 eu-west-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.GlobalSM-02 +
SageMaker IAM Permissions Check
+
+ Details and remediation +
+
Details

No issues found with IAM permissions and no stale access detected

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
123456789012us-east-1SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-east-1SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-east-1SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.us-east-1SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-east-1SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.us-east-1SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.us-east-1SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.us-east-1SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
123456789012eu-west-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.us-east-1SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.us-east-1SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.us-east-1SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.us-east-1SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.us-east-1SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.us-east-1SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.us-east-1SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.us-east-1SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-east-1SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.us-east-1SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.us-east-1SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.us-east-1SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.us-east-1SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.us-east-1SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-east-1AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-east-1AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
123456789012GlobalAG-09Agentic AI Guardrail Enforcement BoundaryAgentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.HighFailedus-east-1SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012 us-east-1AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.InformationalN/ASM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
123456789012 us-east-1AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.us-west-2SM-01 +
SageMaker Internet Access Check
+
+ Details and remediation +
+
Details

No SageMaker notebook instances or domains found to check

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.us-west-2SM-02 +
SageMaker SSO Configuration Check
+
+ Details and remediation +
+
Details

No SageMaker domains found, or all domains use SSO with IAM Identity Center configured

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-west-2SM-03 +
Data Protection Check
+
+ Details and remediation +
+
Details

No SageMaker resources found to check for data protection

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.us-west-2SM-04 +
GuardDuty Enabled
+
+ Details and remediation +
+
Details

Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-west-2SM-05 +
SageMaker Model Registry Issue
+
+ Details and remediation +
+
Details

No model package groups found

+
Resolution

Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.us-west-2SM-05 +
SageMaker Feature Store Issue
+
+ Details and remediation +
+
Details

No feature groups found

+
Resolution

Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.us-west-2SM-05 +
SageMaker Pipelines Issue
+
+ Details and remediation +
+
Details

No ML pipelines found

+
Resolution

Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.us-west-2SM-06 +
SageMaker Clarify No Clarify Usage
+
+ Details and remediation +
+
Details

No SageMaker Clarify jobs found

+
Resolution

Implement SageMaker Clarify for model explainability and bias detection

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.us-west-2SM-07 +
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation +
+
Details

No Model Monitor schedules found

+
Resolution

Configure comprehensive model monitoring schedules

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.us-west-2SM-08 +
Model Registry Registry Not Used
+
+ Details and remediation +
+
Details

Model Registry is not being utilized

+
Resolution

Implement proper model versioning and approval workflows

+
Reference

+
+
+
Informational N/A
123456789012us-east-1AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.us-west-2SM-09 +
SageMaker Notebook Root Access Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-07Agentic AI Model Invocation LoggingAgentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation loggingEnable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.SM-10 +
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation +
+
Details

No notebook instances found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-08Agentic AI API Audit TrailAgentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverageEnable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.SM-11 +
SageMaker Model Network Isolation Check
+
+ Details and remediation +
+
Details

No models found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-10Agentic AI Adversarial Evaluation CoverageAgentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobsConfigure model or application evaluations that include adversarial, safety, and security-relevant test cases.SM-12 +
SageMaker Endpoint Instance Count Check
+
+ Details and remediation +
+
Details

No InService endpoints found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-11Agentic AI Prompt Flow ValidationAgentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this regionValidate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.SM-13 +
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation +
+
Details

No monitoring schedules found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-06Agentic AI Tool Execution Least PrivilegeAgentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this regionRestrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.SM-14 +
SageMaker Model Repository Access Check
+
+ Details and remediation +
+
Details

No models found or all use default Platform access

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-12Agentic AI Invocation Abuse ControlsAgentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotasConfigure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.SM-15 +
SageMaker Feature Store Encryption Check
+
+ Details and remediation +
+
Details

No feature groups with offline stores found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-02Agentic AI Harmful Content Guardrail CoverageAgentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this regionConfigure guardrails with appropriate content filters and thresholds for all agent-facing workloads.SM-16 +
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation +
+
Details

No data quality job definitions found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-04Agentic AI Automated Reasoning GuardrailsAgentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this regionConfigure automated reasoning policies on guardrails where formal response validation is required.SM-17 +
SageMaker Processing Job Encryption Check
+
+ Details and remediation +
+
Details

No processing jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-03Agentic AI Sensitive Information ProtectionAgentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this regionConfigure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.SM-18 +
SageMaker Transform Job Encryption Check
+
+ Details and remediation +
+
Details

No transform jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-05Agentic AI Grounding ControlsAgentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this regionEnable contextual grounding checks on guardrails for RAG and tool-using agent workflows.SM-19 +
SageMaker Hyperparameter Tuning Job Encryption Check
+
+ Details and remediation +
+
Details

No hyperparameter tuning jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-01Agentic AI Agent Guardrail AssociationAgentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this regionAssociate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.SM-20 +
SageMaker Compilation Job Encryption Check
+
+ Details and remediation +
+
Details

No compilation jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-13Agentic AI Session BoundaryAgentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this regionSet a conservative idleSessionTTLInSeconds value for agents based on application session requirements.SM-21 +
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation +
+
Details

No AutoML jobs found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012 us-west-2AG-14Agentic AI Operational Abuse AlarmsAgentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarmsConfigure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.SM-22 +
Model Approval Workflow Check
+
+ Details and remediation +
+
Details

No model package groups found. Model Registry is not being used for model governance.

+
Resolution

Implement Model Registry to track model versions and enforce approval workflows before production deployment.

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredus-west-2SM-23 +
Model Drift Detection Check
+
+ Details and remediation +
+
Details

No InService endpoints found to monitor.

+
Resolution

No action required

+
Reference

+
+
+
MediumPassed
123456789012us-west-2SM-24 +
A/B Testing and Shadow Deployment Check
+
+ Details and remediation +
+
Details

No InService endpoints found.

+
Resolution

No action required

+
Reference

+
+
+
LowPassed
123456789012us-west-2SM-25 +
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation +
+
Details

No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.

+
Resolution

Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredeu-west-1AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredeu-west-1AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredeu-west-1AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.eu-west-1AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.eu-west-1AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.eu-west-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.eu-west-1AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.eu-west-1AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.eu-west-1AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012ap-south-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.eu-west-1AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-24Agentic AI Gateway Inbound AuthorizationNo AgentCore Gateways foundNo action requiredGlobalAC-02 +
AgentCore IAM Full Access Check
+
+ Details and remediation +
+
Details

No roles with overly permissive AgentCore access found

+
Resolution

No action required

+
Reference

+
+
+
HighPassed
123456789012GlobalAC-03 +
AgentCore Unused Permissions
+
+ Details and remediation +
+
Details

The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Review and remove unused AgentCore permissions following least privilege principle

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-25Agentic AI Gateway Tool Policy EnforcementNo AgentCore Gateways foundNo action requiredGlobalAC-09 +
AgentCore Service-Linked Role Missing
+
+ Details and remediation +
+
Details

Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.

+
Resolution

The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.

+
Reference

+
+
+
MediumFailed
123456789012us-east-1AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-26Agentic AI Gateway Error Detail ExposureNo AgentCore Gateways foundNo action requiredus-east-1AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-27Agentic AI Gateway WAF ProtectionNo AgentCore Gateways foundNo action requiredus-east-1AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-15Agentic AI Runtime Network BoundaryAgentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.us-east-1AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-18Agentic AI AgentCore ObservabilityAgentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.us-east-1AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-19Agentic AI Memory Data ProtectionAgentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.us-east-1AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-20Agentic AI Private AgentCore ConnectivityAgentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability.us-east-1AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-21Agentic AI Resource Policy BoundaryAgentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.us-east-1AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-22Agentic AI Policy Engine Data ProtectionAgentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required.us-east-1AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
123456789012sa-east-1AG-23Agentic AI Gateway Data ProtectionAgentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.us-east-1AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access foundReplace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions. +
Agentic AI AgentCore Least Privilege
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found

+
Resolution

Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.

+
Reference

+
+
+
High Passed
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'Remove or restrict stale AgentCore permissions for principals that no longer need access. +
Agentic AI Stale AgentCore Access
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'

+
Resolution

Remove or restrict stale AgentCore permissions for principals that no longer need access.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-01 +
AgentCore VPC Configuration Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-04 +
AgentCore Observability Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-05 +
AgentCore Encryption Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-06 +
AgentCore Browser Tool Recording Check
+
+ Details and remediation +
+
Details

No AgentCore Runtimes found to check browser tool configuration

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-07 +
AgentCore Memory Configuration Check
+
+ Details and remediation +
+
Details

No Memory resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-13 +
AgentCore Gateway Configuration Check
+
+ Details and remediation +
+
Details

No Gateway resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-08 +
AgentCore VPC Endpoints Check
+
+ Details and remediation +
+
Details

No AgentCore resources found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-10 +
AgentCore Resource-Based Policies Check
+
+ Details and remediation +
+
Details

No AgentCore resources found to check for resource-based policies

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-11 +
AgentCore Policy Engine Encryption Check
+
+ Details and remediation +
+
Details

No Policy Engines found

+
Resolution

No action required

+
Reference

+
+
+
InformationalN/A
123456789012us-west-2AC-12 +
AgentCore Gateway Encryption Check
+
+ Details and remediation +
+
Details

No Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
No AgentCore Gateways foundNo action required +
Agentic AI Gateway WAF Protection
+
+ Details and remediation +
+
Details

No AgentCore Gateways found

+
Resolution

No action required

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources foundConfigure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services. +
Agentic AI Runtime Network Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found

+
Resolution

Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources foundEnable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported. +
Agentic AI AgentCore Observability
+
+ Details and remediation +
+
Details

Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found

+
Resolution

Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources foundConfigure AgentCore memory resources with customer-managed KMS keys and review memory access permissions. +
Agentic AI Memory Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found

+
Resolution

Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources foundCreate required VPC endpoints for AgentCore services and validate endpoint availability. +
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation +
+
Details

Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found

+
Resolution

Create required VPC endpoints for AgentCore services and validate endpoint availability.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policiesAttach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources. +
Agentic AI Resource Policy Boundary
+
+ Details and remediation +
+
Details

Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies

+
Resolution

Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines foundConfigure policy engines with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Policy Engine Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found

+
Resolution

Configure policy engines with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways foundConfigure AgentCore gateways with customer-managed KMS keys where enhanced key control is required. +
Agentic AI Gateway Data Protection
+
+ Details and remediation +
+
Details

Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found

+
Resolution

Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.

+
Reference

+
+
+
Informational N/A
-
Financial Services GenAI Risk Findings
Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).
+ + - - - - + @@ -10507,10 +5372,17 @@

FinServ Regional Scope Not Applicable -

- - + @@ -10518,39 +5390,97 @@

FinServ Regional Scope Not Applicable -

- - - - - - - - - - - - - - - - - - - - - - - - + -
Account IDRegionCheck IDFindingDetailsResolutionReferenceSeverityStatus
123456789012 us-east-1 FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region. +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region. +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012ap-south-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region.InformationalN/A
123456789012sa-east-1FS-00FinServ Regional Scope Not ApplicableNo regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.No action required unless GenAI workloads are expected in this region. +
FinServ Regional Scope Not Applicable
+
+ Details and remediation +
+
Details

No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.

+
Resolution

No action required unless GenAI workloads are expected in this region.

+
Reference

+
+
+
Informational N/A
+
+ +
+
Amazon Bedrock Findings
+
+ +
+
Failed
4
Open findings
+
Passed
1
Controls met
+
N/A
84
Not applicable
+
Total
89
Rows in report
+
+
+ + +
+
+
+
+
Amazon SageMaker Findings
+
+ +
+
Failed
0
Open findings
+
Passed
13
Controls met
+
N/A
69
Not applicable
+
Total
82
Rows in report
+
+
+ + +
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+ +
+
Failed
1
Open findings
+
Passed
1
Controls met
+
N/A
31
Not applicable
+
Total
33
Rows in report
+
+
+ + +
+
+
+
Agentic AI Security Findings
+

Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.

+
+
Failed
1
Open findings
+
Passed
1
Controls met
+
N/A
73
Not applicable
+
Total
75
Rows in report
+
+
+ + +
+
+
Financial Services GenAI Risk Findings
+

Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology.

+
+
Failed
0
Open findings
+
Passed
0
Controls met
+
N/A
3
Not applicable
+
Total
3
Rows in report
+
+
+ + +
+
Assessment Methodology
-

Severity Levels & Status Values

HighDirect security riskFailedRemediation needed
MediumDefense-in-depth gapPassedMeets requirements
LowBest practiceN/ANot applicable
InformationalNo action required
-

Remediation Guidance

High7 daysAddress immediately; block deployment if unresolved
Medium30 daysSchedule in next sprint; may require change window
Low90 daysInclude in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.

Assessment Scope

Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Agentic AI Security
Agentic AI Security Lens Mapping
Industry
Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Agentic AI Security references the AWS Well-Architected Agentic AI Lens. Controls that cannot be proven using AWS APIs, including semantic human-in-the-loop workflow quality, are not automatically scored. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

@@ -10609,7 +5539,7 @@

{ + button.addEventListener('click', function() { + const status = this.hasAttribute('data-filter-status') ? this.dataset.filterStatus : 'failed'; + filterFindings(this.dataset.filterService, status); + }); + }); window.addEventListener('scroll', () => { const sections = document.querySelectorAll('.section'); let current = ''; @@ -10683,58 +5625,6 @@