- July 09, 2026 22:34:42 UTC
+ July 10, 2026 03:32:48 UTC3 Accounts
-
Security Checks
161
Evaluated across 5 regions
-
Total Findings
1664
Across 3 accounts · 5 regions
-
Actionable Findings
598
High, Medium, and Low severity
-
High Severity
28/219
12.8% passed · Immediate action required
-
Medium Severity
82/280
29.3% passed · Should be addressed
-
Low Severity
30/99
30.3% passed · Best practices
+
Security Checks
161
Evaluated across 3 regions
+
Total Findings
1124
Across 3 accounts · 3 regions
+
Actionable Findings
260
Failed High, Medium, and Low findings
+
High Severity
28/183
15.3% passed · Immediate action required
+
Medium Severity
64/232
27.6% passed · Should be addressed
+
Low Severity
24/75
32.0% passed · Best practices
Priority Recommendations
-
1
-
-
AgentCore Resource-Based Policies Missing
-
AgentCore
-
-
-
1
+
3
-
Agentic AI Gateway Tool Policy Enforcement Missing
-
Agentic AI
+
AmazonBedrockFullAccess role check
+
Bedrock
1
-
Agentic AI Resource Policy Boundary
-
Agentic AI
+
Marketplace Subscription Access Check
+
Bedrock
1
@@ -281,494 +283,433 @@
Security Assessment Overview
+
+
Risk Distribution
+
Pass Rate by Severity
+
+
HIGH
15.3%
28 of 183 checks passed
+
MEDIUM
27.6%
64 of 232 checks passed
+
LOW
32.0%
24 of 75 checks passed
+
Overall
23.7%
116 of 490 scored checks passed
+
+
Risk by Account
+
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
+
Risk by Region / Scope
+
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
Global
39
32 High · 7 Med · 0 Low
+
Findings by Assessment Area
+
+
Bedrock
293
50 Failed · 18 Passed
+
SageMaker
261
34 Failed · 37 Passed
+
AgentCore
122
39 Failed · 3 Passed
+
Agentic AI Security
244
47 Failed · 18 Passed
+
Financial Services Risk
204
90 Failed · 40 Passed
+
+
All Security Findings
-
+
-
+
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
Account ID
Region
Check ID
Finding
Severity
Status
111122223333
-
ap-south-1
+
eu-west-1
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
+
eu-west-1
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
Found 1 Gateway resources
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Missing
-
The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to:
-1. Implement defense-in-depth access control
-2. Enable cross-account access control
-3. Restrict access based on source VPC or IP
-4. Implement hierarchical authorization for Agent Runtimes
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Missing
-
The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
-
1. Create gateways with customer-managed KMS keys for additional control
-2. AWS-managed keys are single-tenant and region-specific
-3. Consider CMK for enhanced audit capabilities and key rotation control
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Low
-
Failed
-
111122223333
Global
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
+
Resolution
Limit the AmazonBedrockFullAccess policy only to required access
+
Reference
+
+
+
High
Failed
@@ -776,11 +717,18 @@
Security Assessment Overview
111122223333
Global
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
+
Resolution
Limit the AmazonBedrockFullAccess policy only to required access
+
Reference
+
+
+
High
Failed
@@ -788,11 +736,18 @@
Security Assessment Overview
111122223333
Global
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
+
Resolution
Limit the AmazonBedrockFullAccess policy only to required access
+
Reference
+
+
+
High
Failed
@@ -800,10 +755,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -811,10 +773,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -822,10 +791,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -833,10 +809,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -844,10 +827,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -855,10 +845,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -866,10 +863,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -877,10 +881,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -888,10 +899,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -899,10 +917,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -910,10 +935,17 @@
Security Assessment Overview
111122223333
Global
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
@@ -921,14 +953,21 @@
Security Assessment Overview
111122223333
us-east-1
BR-02
-
Amazon Bedrock private connectivity not used
-
No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe
-
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+
+
Amazon Bedrock private connectivity not used
+
+ Details and remediation
+
+
Details
No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe
+
Resolution
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
- com.amazonaws.region.bedrock
- com.amazonaws.region.bedrock-runtime
- com.amazonaws.region.bedrock-agent
-- com.amazonaws.region.bedrock-agent-runtime
-
+- com.amazonaws.region.bedrock-agent-runtime
+
Reference
+
+
+
Medium
Failed
@@ -936,10 +975,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
-
No action required
-
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
@@ -947,10 +993,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
Resolution
No action required. Continue monitoring and updating guardrails as needed.
+
Reference
+
+
+
High
Passed
@@ -958,10 +1011,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
Reference
+
+
+
Medium
Passed
@@ -969,14 +1029,21 @@
Security Assessment Overview
111122223333
us-east-1
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
1. Create and version your prompts
2. Test different prompt variants
3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
@@ -984,10 +1051,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -995,13 +1069,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
2. For S3 data sources: Verify CMK-encrypted S3 buckets
3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1009,13 +1090,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
2. For S3 data sources: Verify CMK-encrypted S3 buckets
3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1023,13 +1111,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
2. For S3 data sources: Verify CMK-encrypted S3 buckets
3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1037,13 +1132,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
-
Add IAM policy conditions to enforce guardrail usage:
+
+
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation
+
+
Details
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Resolution
Add IAM policy conditions to enforce guardrail usage:
1. Use 'bedrock:GuardrailIdentifier' condition key
2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.
-
1. Enable SSE-KMS with a customer-managed key on the S3 bucket
+
+
Bedrock Invocation Log Encryption
+
+ Details and remediation
+
+
Details
S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.
+
Resolution
1. Enable SSE-KMS with a customer-managed key on the S3 bucket
2. Update bucket policy to require encrypted uploads
-3. Consider enabling S3 bucket versioning and MFA delete for log integrity
-
+3. Consider enabling S3 bucket versioning and MFA delete for log integrity
+
Reference
+
+
+
Medium
Failed
@@ -1075,10 +1191,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -1086,10 +1209,17 @@
Security Assessment Overview
111122223333
Global
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
+
+
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation
+
+
Details
Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Run assessment in management account to check cross-account guardrails enforcement
+
Reference
+
+
+
Medium
N/A
@@ -1097,10 +1227,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
-
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
-
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Resolution
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
Reference
+
+
+
Medium
Failed
@@ -1108,10 +1245,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
N/A
@@ -1119,10 +1263,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Reference
+
+
+
Medium
Failed
@@ -1130,10 +1281,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
N/A
@@ -1141,13 +1299,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
2. For Amazon RDS/Aurora: verify KMS encryption on the database
3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1155,13 +1320,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
2. For Amazon RDS/Aurora: verify KMS encryption on the database
3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1169,13 +1341,20 @@
Security Assessment Overview
111122223333
us-east-1
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
2. For Amazon RDS/Aurora: verify KMS encryption on the database
3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
@@ -1183,10 +1362,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.
+
Reference
+
+
+
Low
Passed
@@ -1216,10 +1416,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-24
-
Automated Reasoning Policy Implementation Check
-
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
-
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Resolution
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
Reference
+
+
+
Medium
Failed
@@ -1227,10 +1434,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
Low
Failed
@@ -1238,10 +1452,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
Low
Failed
@@ -1249,10 +1470,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
Low
Failed
@@ -1260,10 +1488,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-26
-
Guardrail Sensitive Information Filter Check
-
1 guardrails have sensitive-information (PII) filters configured
-
No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.
-
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
1 guardrails have sensitive-information (PII) filters configured
+
Resolution
No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.
+
Reference
+
+
+
Low
Passed
@@ -1271,10 +1506,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-27
-
Guardrail Contextual Grounding Check
-
1 guardrails have contextual grounding checks enabled
-
No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.
-
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
1 guardrails have contextual grounding checks enabled
+
Resolution
No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.
+
Reference
+
+
+
Low
Passed
@@ -1282,10 +1524,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
High
N/A
@@ -1293,10 +1542,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
N/A
@@ -1304,10 +1560,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
N/A
@@ -1315,10 +1578,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
N/A
@@ -1326,10 +1596,17 @@
Security Assessment Overview
111122223333
us-east-1
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
Reference
+
+
+
Medium
Failed
@@ -1337,10 +1614,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Medium
Passed
@@ -1348,10 +1632,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Medium
Passed
@@ -1359,10 +1650,17 @@
Security Assessment Overview
111122223333
Global
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
+
+
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Reference
+
+
+
Informational
N/A
@@ -1370,10 +1668,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Medium
Failed
@@ -1381,10 +1686,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
@@ -1392,10 +1704,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
@@ -1403,10 +1722,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Low
Passed
@@ -1414,10 +1740,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Low
Passed
@@ -1425,10 +1758,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Medium
Failed
@@ -1436,10 +1776,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Low
Passed
@@ -1447,10 +1794,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Low
Passed
@@ -1458,10 +1812,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
@@ -1469,10 +1830,17 @@
Security Assessment Overview
111122223333
us-east-1
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
@@ -1480,3265 +1848,5301 @@
Security Assessment Overview
111122223333
us-east-1
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-01
+
+
AWS Shield Advanced Not Enabled
+
+ Details and remediation
+
+
Details
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
Resolution
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-01
+
+
AWS Shield Advanced Not Enabled
+
+ Details and remediation
+
+
Details
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
Resolution
1. Subscribe to AWS Shield Advanced for DDoS protection.
+2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
+3. Enable Shield Response Team (SRT) access and configure proactive engagement.
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-01
+
+
No Regional WAF Web ACLs Found
+
+ Details and remediation
+
+
Details
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
Resolution
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-01
+
+
No Regional WAF Web ACLs Found
+
+ Details and remediation
+
+
Details
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
Resolution
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
+3. Add AWS Managed Rules for known bad inputs.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
+
us-east-1
+
FS-02
+
+
API Gateway Usage Plans Missing Throttle
+
+ Details and remediation
+
+
Details
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
+
Resolution
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-02
+
+
API Gateway Usage Plans Missing Throttle
+
+ Details and remediation
+
+
Details
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
+
Resolution
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-03
+
+
Bedrock Token Quotas Customized
+
+ Details and remediation
+
+
Details
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
Resolution
No action required. Periodically re-review quotas against expected peak load.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
+
us-west-2
+
FS-03
+
+
Bedrock Token Quotas Customized
+
+ Details and remediation
+
+
Details
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
Resolution
No action required. Periodically re-review quotas against expected peak load.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-04
+
+
No Cost Anomaly Detection Monitors
+
+ Details and remediation
+
+
Details
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
Resolution
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
+
us-west-2
+
FS-04
+
+
No Cost Anomaly Detection Monitors
+
+ Details and remediation
+
+
Details
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
Resolution
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-05
+
+
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
+
us-west-2
+
FS-05
+
+
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms for:
+- AWS/Bedrock InvocationThrottles (threshold > 0)
+- AWS/Bedrock TokensProcessed (threshold based on quota)
+- Custom application-level token counters via EMF
+
Reference
+
+
+
Medium
-
N/A
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
+
us-east-1
+
FS-06
+
+
No AI/ML Service Budgets Configured
+
+ Details and remediation
+
+
Details
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
Resolution
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-06
+
+
No AI/ML Service Budgets Configured
+
+ Details and remediation
+
+
Details
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
Resolution
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+2. Add SNS notifications to on-call channels.
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
+
us-east-1
+
FS-07
+
+
Agent Action Boundary Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found.
+
Resolution
No action required.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
+
us-west-2
+
FS-07
+
+
Agent Action Boundary Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found.
+
Resolution
No action required.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
+
us-east-1
+
FS-08
+
+
AgentCore Runtimes Missing Policy Engine
+
+ Details and remediation
+
+
Details
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
+
Resolution
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
+
Reference
+
+
+
High
-
N/A
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-08
+
+
AgentCore Runtimes Missing Policy Engine
+
+ Details and remediation
+
+
Details
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
+
Resolution
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
1. Set reserved concurrency on agent Lambda functions.
+2. Implement maximum iteration counts in agent orchestration logic.
+3. Use Step Functions with MaxConcurrency and timeout states.
+4. Add circuit-breaker patterns to agent tool invocations.
+
Reference
+
+
+
Medium
-
N/A
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
+
us-east-1
+
FS-10
+
+
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation
+
+
Details
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Resolution
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
+
us-west-2
+
FS-10
+
+
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation
+
+
Details
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Resolution
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
+
us-east-1
+
FS-11
+
+
No Agent Rate Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
Reference
+
+
+
Medium
-
N/A
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
+
us-west-2
+
FS-11
+
+
No Agent Rate Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms on:
+- Bedrock agent invocation counts (threshold based on expected max)
+- Lambda invocation errors for agent functions
+- Step Functions execution failures and timeouts
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
+
us-east-1
+
FS-12
+
+
No Bedrock-Scoped SCPs Found
+
+ Details and remediation
+
+
Details
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
Resolution
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
+
us-west-2
+
FS-12
+
+
No Bedrock-Scoped SCPs Found
+
+ Details and remediation
+
+
Details
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
Resolution
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+2. Use bedrock:ModelId condition key to allowlist approved models.
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
us-east-1
+
FS-13
+
+
Model Provenance Tags Present
+
+ Details and remediation
+
+
Details
All reviewed models have required provenance tags.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
-
N/A
+
Passed
-
+
111122223333
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-13
+
+
Model Provenance Tags Present
+
+ Details and remediation
+
+
Details
All reviewed models have required provenance tags.
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
+
us-east-1
+
FS-14
+
+
Model Governance Config Rules Present
+
+ Details and remediation
+
+
Details
Found 11 model-related Config rule(s).
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
+
us-west-2
+
FS-14
+
+
Model Governance Config Rules Present
+
+ Details and remediation
+
+
Details
Found 11 model-related Config rule(s).
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
+
us-east-1
+
FS-15
+
+
No Bedrock Evaluation Jobs Found
+
+ Details and remediation
+
+
Details
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
Resolution
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
+
us-west-2
+
FS-15
+
+
No Bedrock Evaluation Jobs Found
+
+ Details and remediation
+
+
Details
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
Resolution
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+2. Use FMEval library for automated robustness testing.
+3. Schedule periodic re-evaluation after model updates.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
+
us-east-1
+
FS-16
+
+
ECR Repositories Without Image Scanning
+
+ Details and remediation
+
+
Details
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
Resolution
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
+
us-west-2
+
FS-16
+
+
ECR Repositories Without Image Scanning
+
+ Details and remediation
+
+
Details
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
+
Resolution
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
us-east-1
+
FS-20
+
+
No SageMaker Feature Groups Found
+
+ Details and remediation
+
+
Details
No SageMaker Feature Store groups found.
+
Resolution
No action required.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-west-2
+
FS-20
+
+
No SageMaker Feature Groups Found
+
+ Details and remediation
+
+
Details
No SageMaker Feature Store groups found.
+
Resolution
No action required.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
+
us-east-1
+
FS-21
+
+
Training Data Buckets Without Versioning
+
+ Details and remediation
+
+
Details
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
+
Resolution
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
+
us-west-2
+
FS-21
+
+
Training Data Buckets Without Versioning
+
+ Details and remediation
+
+
Details
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
+
Resolution
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-22
+
+
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation
+
+
Details
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Admin' allows '*'
+- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Resolution
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
+
us-west-2
+
FS-22
+
+
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation
+
+
Details
827 role(s) with wildcard KB permissions:
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Admin' allows '*'
+- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Resolution
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
us-east-1
+
FS-24
+
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation
+
+
Details
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
Resolution
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
us-west-2
+
FS-24
+
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation
+
+
Details
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
Resolution
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
Reference
+
+
+
Informational
N/A
-
+
+
111122223333
+
us-east-1
+
FS-25
+
+
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation
+
+
Details
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
+
Resolution
Verify all vector store collections use customer-managed KMS keys.
+
Reference
+
+
+
+
High
+
Passed
+
+
111122223333
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity not used
-
No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc
-
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
-- com.amazonaws.region.bedrock
-- com.amazonaws.region.bedrock-runtime
-- com.amazonaws.region.bedrock-agent
-- com.amazonaws.region.bedrock-agent-runtime
-
-
Medium
+
FS-25
+
+
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation
+
+
Details
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
+
Resolution
Verify all vector store collections use customer-managed KMS keys.
+
Reference
+
+
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-26
+
+
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation
+
+
Details
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Resolution
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
-
-
Medium
+
FS-26
+
+
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation
+
+
Details
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Resolution
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
+
us-east-1
+
FS-27
+
+
Contextual Grounding Enabled on Guardrails
+
+ Details and remediation
+
+
Details
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
Resolution
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
+
Reference
+
+
+
High
Passed
-
+
111122223333
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
-
Medium
+
FS-27
+
+
Contextual Grounding Enabled on Guardrails
+
+ Details and remediation
+
+
Details
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
+
Resolution
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
+
Reference
+
+
+
+
High
Passed
-
+
111122223333
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
+
us-east-1
+
FS-27
+
+
No Automated Reasoning Policies Found
+
+ Details and remediation
+
+
Details
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
Resolution
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
+
FS-27
+
+
No Automated Reasoning Policies Found
+
+ Details and remediation
+
+
Details
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
Resolution
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
+3. Set confidenceThreshold on the policy to control strictness.
+4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
+5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
+
us-east-1
+
FS-28
+
+
Denied Topics Configured on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Resolution
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
+
Reference
+
+
+
+
High
+
Passed
-
+
111122223333
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
+
FS-28
+
+
Denied Topics Configured on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
+
Resolution
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
+
Reference
+
+
+
+
High
+
Passed
-
+
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
Resolution
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
Resolution
1. Implement post-processing to append required disclaimers to GenAI outputs.
+2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
+3. Document disclaimer requirements in the AI use case register.
+4. Test disclaimer presence in QA/UAT before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with compliance-specific datasets:
+- Fair lending test cases (ECOA, Fair Housing Act)
+- UDAP/UDAAP unfair/deceptive practice scenarios
+- AML/KYC edge cases
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
-
Add IAM policy conditions to enforce guardrail usage:
-1. Use 'bedrock:GuardrailIdentifier' condition key
-2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
-
-
High
+
us-east-1
+
FS-31
+
+
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation
+
+
Details
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 200 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
Resolution
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
+
Reference
+
+
+
+
Medium
Failed
-
+
111122223333
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
+
FS-31
+
+
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation
+
+
Details
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
+- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 200 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
Resolution
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
+3. Set CloudWatch alarms on sync job failures.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
Resolution
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
Resolution
1. Use Bedrock RetrieveAndGenerate with citations enabled.
+2. Include source document references in response post-processing.
+3. Test citation accuracy in QA before production deployment.
+4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
-
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
-
+
us-east-1
+
FS-33
+
+
KB Data Source Buckets Without Versioning
+
+ Details and remediation
+
+
Details
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
+
Resolution
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
+
111122223333
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
+
FS-33
+
+
KB Data Source Buckets Without Versioning
+
+ Details and remediation
+
+
Details
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
+
Resolution
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
+
us-east-1
+
FS-34
+
+
Legacy Foundation Models Available in Region
+
+ Details and remediation
+
+
Details
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
Resolution
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+
FS-34
+
+
Legacy Foundation Models Available in Region
+
+ Details and remediation
+
+
Details
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
Resolution
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+2. Migrate active usage to current model versions.
+3. Document training-data cutoff dates for all models in use.
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+
us-east-1
+
FS-35
+
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation
+
+
Details
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+
FS-35
+
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation
+
+
Details
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+- Toxicity detection
+- Hate speech classification
+- Violence/self-harm content
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
+
us-east-1
+
FS-36
+
+
Guardrail Content Filters on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Resolution
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
Reference
+
+
+
+
High
+
Passed
-
+
111122223333
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
+
FS-36
+
+
Guardrail Content Filters on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
+
Resolution
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
+
Reference
+
+
+
+
High
+
Passed
-
+
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
+
us-east-1
+
FS-37
+
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation
+
+
Details
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
+
FS-37
+
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation
+
+
Details
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+2. Route flagged outputs to human reviewers via SQS/SNS.
+3. Log feedback to DynamoDB/S3 for model improvement.
+4. Define SLAs for reviewing flagged content.
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
-
-
Low
-
Passed
-
-
-
111122223333
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
-
Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.
-
-
High
-
Failed
-
-
+
111122223333
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
-
+
us-east-1
+
FS-38
+
+
No Guardrails With Word Filters
+
+ Details and remediation
+
+
Details
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Resolution
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
+
FS-38
+
+
No Guardrails With Word Filters
+
+ Details and remediation
+
+
Details
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
+
Resolution
Add word filters to guardrails:
+- Enable AWS managed profanity list
+- Add custom denylist for prohibited financial terms
+- Add allowlist for required regulatory language
+
Reference
+
+
+
+
Medium
Failed
-
+
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
+
us-east-1
+
FS-39
+
+
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
Resolution
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
+
FS-39
+
+
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
Resolution
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+2. Define protected attributes (age, gender, race proxies).
+3. Set bias metric thresholds and alert on violations.
+4. Document bias testing results for regulatory examination.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with bias test datasets:
+- Demographic parity test cases
+- Equal opportunity scenarios
+- Counterfactual fairness tests
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
+
us-east-1
+
FS-41
+
+
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
Resolution
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
-
Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.
-
+
FS-41
+
+
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
Resolution
1. Configure SageMaker Clarify explainability for credit/lending models.
+2. Generate SHAP values for feature importance.
+3. Map top features to human-readable adverse action reason codes.
+4. Store explanations for regulatory examination.
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
-
Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.
-
+
us-east-1
+
FS-42
+
+
No SageMaker Model Cards Found
+
+ Details and remediation
+
+
Details
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
Resolution
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
+
FS-42
+
+
No SageMaker Model Cards Found
+
+ Details and remediation
+
+
Details
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
Resolution
1. Create SageMaker Model Cards for all production models.
+2. Document: intended use, out-of-scope uses, training data, bias evaluations.
+3. Include regulatory compliance attestations.
+4. Review and update cards at each model version release.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-43
+
+
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation
+
+
Details
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
Resolution
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
Reference
+
+
+
High
-
N/A
+
Failed
-
+
111122223333
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
+
FS-43
+
+
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation
+
+
Details
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
Resolution
1. Create CloudWatch Logs data protection policies to mask PII.
+2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
+3. Apply policies to Bedrock invocation log groups.
+4. Test masking with synthetic PII before production deployment.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
us-east-1
+
FS-44
+
+
Amazon Macie Enabled
+
+ Details and remediation
+
+
Details
Amazon Macie is enabled and scanning S3 buckets.
+
Resolution
Verify Macie jobs cover training data and KB data source buckets.
+
Reference
+
+
+
High
-
N/A
+
Passed
-
+
111122223333
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
+
FS-44
+
+
Amazon Macie Enabled
+
+ Details and remediation
+
+
Details
Amazon Macie is enabled and scanning S3 buckets.
+
Resolution
Verify Macie jobs cover training data and KB data source buckets.
+
Reference
+
+
+
+
High
+
Passed
-
+
+
111122223333
+
us-east-1
+
FS-45
+
+
Guardrail PII Filters Configured
+
+ Details and remediation
+
+
Details
Guardrails with PII filters: nist-ai-rmf-guardrail.
+
Resolution
No action required.
+
Reference
+
+
+
+
High
+
Passed
+
+
111122223333
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
+
FS-45
+
+
Guardrail PII Filters Configured
+
+ Details and remediation
+
+
Details
Guardrails with PII filters: nist-ai-rmf-guardrail.
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
+
Reference
+
+
+
Medium
Failed
-
+
+
111122223333
+
us-east-1
+
FS-47
+
+
Guardrail Grounding Thresholds Appropriate
+
+ Details and remediation
+
+
Details
All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.
+
Resolution
No action required.
+
Reference
+
+
+
+
High
+
Passed
+
+
111122223333
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
FS-47
+
+
Guardrail Grounding Thresholds Appropriate
+
+ Details and remediation
+
+
Details
All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.
+
Resolution
No action required.
+
Reference
+
+
+
+
High
+
Passed
+
+
+
111122223333
+
us-east-1
+
FS-48
+
+
Active Knowledge Bases for RAG Present
+
+ Details and remediation
+
+
Details
Found 3 active Knowledge Base(s) for RAG grounding.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
Passed
-
+
111122223333
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
FS-48
+
+
Active Knowledge Bases for RAG Present
+
+ Details and remediation
+
+
Details
Found 3 active Knowledge Base(s) for RAG grounding.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
+
111122223333
-
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
+2. Implement post-processing to append disclaimers.
+3. Test disclaimer presence in QA before production.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Low
+
us-east-1
+
FS-50
+
+
Relevance Grounding Filters Present
+
+ Details and remediation
+
+
Details
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
Passed
-
+
111122223333
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
High
-
Failed
+
FS-50
+
+
Relevance Grounding Filters Present
+
+ Details and remediation
+
+
Details
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Medium
+
us-east-1
+
FS-51
+
+
No Guardrails With Prompt Attack Filters
+
+ Details and remediation
+
+
Details
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
Resolution
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
Reference
+
+
+
+
High
Failed
-
+
111122223333
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
FS-51
+
+
No Guardrails With Prompt Attack Filters
+
+ Details and remediation
+
+
Details
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
+
Resolution
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
+2. Set input filter strength to HIGH.
+3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
+4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
+5. Implement application-level input sanitization as defense-in-depth.
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
us-east-1
+
FS-52
+
+
Bedrock Lambda Functions on Deprecated Runtimes
+
+ Details and remediation
+
+
Details
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
+
Resolution
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
+2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
+3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
+4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
+
FS-52
+
+
Bedrock Lambda Functions on Deprecated Runtimes
+
+ Details and remediation
+
+
Details
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
+
Resolution
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
+2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
+3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
+4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
us-east-1
+
FS-53
+
+
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation
+
+
Details
No regional WAF Web ACLs found.
+
Resolution
Create WAF Web ACLs with injection protection rules (see FS-01).
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Medium
-
Failed
-
-
-
111122223333
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
FS-53
+
+
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation
+
+
Details
No regional WAF Web ACLs found.
+
Resolution
Create WAF Web ACLs with injection protection rules (see FS-01).
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
Resolution
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
Resolution
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
+2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
+3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
+4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
FS-55
+
+
No Output Validation Functions Found
+
+ Details and remediation
+
+
Details
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
Resolution
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
+
us-west-2
+
FS-55
+
+
No Output Validation Functions Found
+
+ Details and remediation
+
+
Details
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
Resolution
1. Implement output validation Lambda functions in GenAI pipelines.
+2. Validate output schema, length, and content before downstream use.
+3. Sanitize outputs before rendering in web UIs (XSS prevention).
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
us-east-1
+
FS-56
+
+
No WAF ACLs — XSS Prevention Not Applicable
+
+ Details and remediation
+
+
Details
No regional WAF Web ACLs found.
+
Resolution
Create WAF ACLs with XSS prevention rules.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
+
us-west-2
+
FS-56
+
+
No WAF ACLs — XSS Prevention Not Applicable
+
+ Details and remediation
+
+
Details
No regional WAF Web ACLs found.
+
Resolution
Create WAF ACLs with XSS prevention rules.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
Resolution
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
Resolution
1. HTML-encode GenAI outputs before rendering in web UIs.
+2. Use parameterized queries when GenAI output is used in database operations.
+3. JSON-encode outputs before embedding in JavaScript contexts.
+4. Validate output length and format before passing to downstream APIs.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
Resolution
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
Resolution
1. Use Bedrock structured output (response schemas) where supported.
+2. Implement JSON schema validation on Lambda output processors.
+3. Reject malformed outputs and return safe error responses.
+4. Log schema validation failures to CloudWatch for monitoring.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
+
us-east-1
+
FS-59
+
+
Topic Restrictions Configured on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
Resolution
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
Reference
+
+
+
Medium
-
N/A
+
Passed
-
+
111122223333
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
+
us-west-2
+
FS-59
+
+
Topic Restrictions Configured on CLASSIC Tier
+
+ Details and remediation
+
+
Details
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
+
Resolution
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
+
us-east-1
+
FS-60
+
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation
+
+
Details
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
Resolution
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
+
us-west-2
+
FS-60
+
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation
+
+
Details
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
Resolution
1. Include explicit scope instructions in system prompts.
+2. Use Bedrock Guardrails relevance grounding filter.
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
+
us-east-1
+
FS-61
+
+
No Automated KB Sync Schedules Detected
+
+ Details and remediation
+
+
Details
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
Resolution
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
+
us-west-2
+
FS-61
+
+
No Automated KB Sync Schedules Detected
+
+ Details and remediation
+
+
Details
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
Resolution
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
+3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
+
us-east-1
+
FS-62
+
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation
+
+
Details
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
+
us-west-2
+
FS-62
+
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation
+
+
Details
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+2. Expose KB last sync timestamp in application responses.
+3. Alert users when KB data is older than defined threshold.
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
+
us-east-1
+
FS-63
+
+
Foundation Model Lifecycle Management
+
+ Details and remediation
+
+
Details
No legacy models detected. 10 lifecycle-related Config rule(s) found.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
-
N/A
+
Passed
-
+
111122223333
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
+
us-west-2
+
FS-63
+
+
Foundation Model Lifecycle Management
+
+ Details and remediation
+
+
Details
No legacy models detected. 10 lifecycle-related Config rule(s) found.
+
Resolution
No action required.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
+
us-east-1
+
FS-65
+
+
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation
+
+
Details
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- semiconductor-demo-9999
+- 111122223333-us-east-1-kb-data-bucket
+
Resolution
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
+
us-west-2
+
FS-65
+
+
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation
+
+
Details
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- semiconductor-demo-9999
+- 111122223333-us-east-1-kb-data-bucket
+
Resolution
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
+3. Integrate alerts into your security incident response workflow.
+
Reference
+
+
+
Medium
-
N/A
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
+- origami_expeditions
+- neoCyan_Agent
+- customer_support_agent
+- cdk_agent_core
+- awsapimcpserver
+
Resolution
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
+2. Propagate the end-user's identity token to downstream tool services.
+3. Ensure tool services validate the propagated identity before executing actions.
+4. Do not expose propagated identity tokens to unauthorized third parties.
+
Reference
+
+
+
High
-
N/A
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
+- origami_expeditions
+- neoCyan_Agent
+- customer_support_agent
+- cdk_agent_core
+- awsapimcpserver
+
Resolution
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
+2. Propagate the end-user's identity token to downstream tool services.
+3. Ensure tool services validate the propagated identity before executing actions.
+4. Do not expose propagated identity tokens to unauthorized third parties.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
+
us-east-1
+
FS-67
+
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation
+
+
Details
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
+- resco-aiml-BedrockAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
+- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
+- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
+- resco-aiml-AgentCoreAssessment
+
Resolution
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
us-west-2
+
FS-67
+
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation
+
+
Details
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-111122223333-FinServAssessment
+- aiml-security-aiml-security-111122223333-BedrockAssessment
+- resco-aiml-BedrockAssessment
+- aiml-security-aiml-security-111122223333-AgentCoreAssessment
+- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
+- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
+- resco-aiml-AgentCoreAssessment
+
Resolution
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
111122223333
+
us-east-1
+
FS-68
+
+
API Gateway Request Body Size Limits Not Enforced
+
+ Details and remediation
+
+
Details
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
+
Resolution
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
+2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
+3. Set the max_tokens parameter in Bedrock API calls to cap output length.
+4. Implement client-side token counting before submitting requests.
+
Reference
+
+
+
Medium
-
N/A
+
Failed
-
+
111122223333
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
FS-68
+
+
API Gateway Request Body Size Limits Not Enforced
+
+ Details and remediation
+
+
Details
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
+
Resolution
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
+2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
+3. Set the max_tokens parameter in Bedrock API calls to cap output length.
+4. Implement client-side token counting before submitting requests.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
+
us-east-1
+
FS-69
+
+
Prompt Input Validation Functions Present
+
+ Details and remediation
+
+
Details
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
+
Resolution
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
us-west-2
+
FS-69
+
+
Prompt Input Validation Functions Present
+
+ Details and remediation
+
+
Details
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
+
Resolution
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
111122223333
+
eu-west-1
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
eu-west-1
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
eu-west-1
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
eu-west-1
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
eu-west-1
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
eu-west-1
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
eu-west-1
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
eu-west-1
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
eu-west-1
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
eu-west-1
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
eu-west-1
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
eu-west-1
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
Global
-
AC-02
-
AgentCore IAM Full Access Policy
-
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace with least-privilege policies scoped to specific AgentCore resources and actions
-
-
High
-
Failed
+
eu-west-1
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
+
Medium
+
N/A
-
+
111122223333
-
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Scope permissions to specific AgentCore resources using resource ARNs
-
+
eu-west-1
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
-
Failed
-
-
-
111122223333
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
+
N/A
-
+
111122223333
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
-
Review and remove unused AgentCore permissions following least privilege principle
-
+
eu-west-1
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
+
eu-west-1
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
eu-west-1
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
eu-west-1
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
+
eu-west-1
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
+
eu-west-1
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
+
eu-west-1
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
eu-west-1
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
+
Low
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
eu-west-1
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
+
eu-west-1
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
eu-west-1
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
eu-west-1
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
+
Low
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
eu-west-1
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Resolution
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
Reference
+
+
+
+
Low
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
+
eu-west-1
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
+
eu-west-1
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
+
eu-west-1
+
AG-07
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
+
eu-west-1
+
AG-08
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
+
eu-west-1
+
AG-10
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
eu-west-1
+
AG-11
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
eu-west-1
+
AG-06
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
eu-west-1
+
AG-12
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
eu-west-1
+
AG-02
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
+
eu-west-1
+
AG-04
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
eu-west-1
+
AG-03
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
eu-west-1
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
+
eu-west-1
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
Found 2 Gateway resources
-
No action required
-
-
Medium
-
Passed
+
eu-west-1
+
AG-13
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Missing
-
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create VPC interface endpoints for AgentCore services:
-1. com.amazonaws.region.bedrock-agentcore
-2. com.amazonaws.region.bedrock-agentcore-control
-3. com.amazonaws.region.bedrock-agentcore-runtime
-This enables private connectivity via AWS PrivateLink
-
+
eu-west-1
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Missing
-
The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to:
-1. Implement defense-in-depth access control
-2. Enable cross-account access control
-3. Restrict access based on source VPC or IP
-4. Implement hierarchical authorization for Agent Runtimes
-
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Missing
-
The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
-
1. Create gateways with customer-managed KMS keys for additional control
-2. AWS-managed keys are single-tenant and region-specific
-3. Consider CMK for enhanced audit capabilities and key rotation control
-
-
Low
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
High
-
Passed
+
Failed
-
+
111122223333
-
us-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.
-
No action required
-
-
Medium
-
Passed
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
-
-
Low
+
SM-01
+
+
Non-VPC Only Network Access
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
+
Resolution
Configure the SageMaker domain to use VPC-only network access type
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
+
SM-03
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
High
Failed
-
+
111122223333
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.
-
No action required
-
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
-
+
111122223333
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
-
-
Low
-
Failed
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Failed
+
us-east-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Medium
-
Failed
+
us-east-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
us-east-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Medium
-
Failed
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
111122223333
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
+
111122223333
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Medium
-
Failed
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
111122223333
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
111122223333
+
Global
+
AC-02
+
+
AgentCore IAM Full Access Policy
+
+ Details and remediation
+
+
Details
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Resolution
Replace with least-privilege policies scoped to specific AgentCore resources and actions
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
Global
+
AC-02
+
+
AgentCore IAM Wildcard Permissions
+
+ Details and remediation
+
+
Details
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Resolution
Scope permissions to specific AgentCore resources using resource ARNs
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
Global
+
AC-03
+
+
AgentCore Stale Access
+
+ Details and remediation
+
+
Details
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (200 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (200 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (200 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
111122223333
+
Global
+
AC-03
+
+
AgentCore Unused Permissions
+
+ Details and remediation
+
+
Details
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Low
+
Global
+
AC-09
+
+
AgentCore Service-Linked Role Missing
+
+ Details and remediation
+
+
Details
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
Resolution
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
Reference
+
+
+
+
Medium
Failed
-
+
111122223333
-
sa-east-1
+
us-east-1
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
+
AgentCore Runtime VPC Configuration
+
+ Details and remediation
+
+
Details
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-01
+
+
AgentCore Runtime VPC Configuration
+
+ Details and remediation
+
+
Details
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-01
+
+
AgentCore Runtime VPC Configuration
+
+ Details and remediation
+
+
Details
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-01
+
+
AgentCore Runtime VPC Configuration
+
+ Details and remediation
+
+
Details
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-01
+
+
AgentCore Runtime VPC Configuration
+
+ Details and remediation
+
+
Details
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation
+
+
Details
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs for monitoring and troubleshooting
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation
+
+
Details
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Resolution
Enable X-Ray tracing for distributed tracing and performance analysis
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation
+
+
Details
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs for monitoring and troubleshooting
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation
+
+
Details
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Resolution
Enable X-Ray tracing for distributed tracing and performance analysis
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation
+
+
Details
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs for monitoring and troubleshooting
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation
+
+
Details
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Resolution
Enable X-Ray tracing for distributed tracing and performance analysis
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation
+
+
Details
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs for monitoring and troubleshooting
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation
+
+
Details
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Resolution
Enable X-Ray tracing for distributed tracing and performance analysis
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime CloudWatch Logs
+
+ Details and remediation
+
+
Details
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs for monitoring and troubleshooting
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
+
us-east-1
+
AC-04
+
+
AgentCore Runtime X-Ray Tracing
+
+ Details and remediation
+
+
Details
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Resolution
Enable X-Ray tracing for distributed tracing and performance analysis
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
Consider using customer-managed KMS keys for better control and audit capabilities
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
Consider using customer-managed KMS keys for better control and audit capabilities
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
+
us-east-1
+
AC-06
+
+
AgentCore Runtime Storage Configuration
+
+ Details and remediation
+
+
Details
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
+
Resolution
Configure S3 storage for browser tool session recordings and artifacts
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
+
us-east-1
+
AC-06
+
+
AgentCore Runtime Storage Configuration
+
+ Details and remediation
+
+
Details
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
+
Resolution
Configure S3 storage for browser tool session recordings and artifacts
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
+
us-east-1
+
AC-06
+
+
AgentCore Runtime Storage Configuration
+
+ Details and remediation
+
+
Details
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
+
Resolution
Configure S3 storage for browser tool session recordings and artifacts
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-06
+
+
AgentCore Runtime Storage Configuration
+
+ Details and remediation
+
+
Details
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
+
Resolution
Configure S3 storage for browser tool session recordings and artifacts
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
+
us-east-1
+
AC-06
+
+
AgentCore Runtime Storage Configuration
+
+ Details and remediation
+
+
Details
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
+
Resolution
Configure S3 storage for browser tool session recordings and artifacts
+
Reference
+
+
+
Medium
-
Passed
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
AC-07
+
+
AgentCore Memory Encryption
+
+ Details and remediation
+
+
Details
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Resolution
Enable encryption with customer-managed KMS keys
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
us-east-1
+
AC-07
+
+
AgentCore Memory Encryption
+
+ Details and remediation
+
+
Details
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Resolution
Enable encryption with customer-managed KMS keys
+
Reference
+
+
+
Medium
-
Passed
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
+
us-east-1
+
AC-07
+
+
AgentCore Memory Encryption
+
+ Details and remediation
+
+
Details
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Resolution
Enable encryption with customer-managed KMS keys
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
+
us-east-1
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
Found 2 Gateway resources
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
+
us-east-1
+
AC-08
+
+
AgentCore VPC Endpoints Missing
+
+ Details and remediation
+
+
Details
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Resolution
Create VPC interface endpoints for AgentCore services:
+1. com.amazonaws.region.bedrock-agentcore
+2. com.amazonaws.region.bedrock-agentcore-control
+3. com.amazonaws.region.bedrock-agentcore-runtime
+This enables private connectivity via AWS PrivateLink
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
+
us-east-1
+
AC-10
+
+
AgentCore Resource-Based Policies Missing
+
+ Details and remediation
+
+
Details
The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Resolution
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
us-east-1
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
+
us-east-1
+
AC-12
+
+
AgentCore Gateway Encryption Missing
+
+ Details and remediation
+
+
Details
The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
Resolution
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation
+
+
Details
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Resolution
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
+
us-east-1
+
AG-25
+
+
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation
+
+
Details
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Resolution
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
+
us-east-1
+
AG-26
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
-
+
111122223333
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
+
us-east-1
+
AG-27
+
+
Agentic AI Gateway WAF Protection Missing
+
+ Details and remediation
+
+
Details
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.
+
Resolution
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
Reference
+
+
+
Low
-
Passed
-
-
-
111122223333
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
+
Failed
-
+
111122223333
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
AG-16
+
+
Agentic AI AgentCore Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
+
Resolution
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
Reference
+
+
+
High
Failed
-
+
111122223333
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
AG-16
+
+
Agentic AI AgentCore Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
+
Resolution
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
Reference
+
+
+
High
Failed
-
+
111122223333
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
+
AG-17
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (200 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (200 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (200 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
+
Medium
Failed
-
+
111122223333
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
AG-17
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
111122223333
+
us-east-1
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
us-east-1
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
us-east-1
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
High
Failed
-
+
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
+
us-east-1
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
High
Failed
-
+
111122223333
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
High
Failed
-
+
111122223333
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Medium
Failed
-
+
111122223333
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
Failed
-
+
111122223333
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Medium
-
Passed
+
Failed
-
+
111122223333
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
us-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
-
Informational
-
N/A
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
us-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
-
Informational
-
N/A
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
us-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
+
111122223333
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Low
-
Passed
-
-
-
111122223333
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
+
Failed
111122223333
us-west-2
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
+
+
Non-VPC Only Network Access
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access
+
Resolution
Configure the SageMaker domain to use VPC-only network access type
+
Reference
+
+
+
High
Failed
@@ -4746,10 +7150,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
+
+
SSO Not Properly Configured
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
Medium
Failed
@@ -4757,10 +7168,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-03
-
Missing Encryption Configuration
-
Domain 'PromptEvaluationDomain' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Domain 'PromptEvaluationDomain' - No KMS key configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
High
Failed
@@ -4768,10 +7186,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
@@ -4779,10 +7204,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
@@ -4790,10 +7222,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
@@ -4801,10 +7240,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
@@ -4812,10 +7258,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
@@ -4823,10 +7276,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
@@ -4834,10 +7294,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
@@ -4845,10 +7312,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -4856,10 +7330,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -4867,10 +7348,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -4878,10 +7366,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -4889,10 +7384,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -4900,10 +7402,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
@@ -4999,10 +7564,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
@@ -5010,10 +7582,17 @@
Security Assessment Overview
111122223333
us-west-2
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
Low
Passed
@@ -5021,29290 +7600,8763 @@
Security Assessment Overview
111122223333
us-west-2
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
111122223333
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
us-west-2
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
us-west-2
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
us-west-2
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-west-2
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
us-west-2
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
+
us-west-2
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
Found 1 Gateway resources
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
us-west-2
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
+
us-west-2
+
AC-10
+
+
AgentCore Resource-Based Policies Missing
+
+ Details and remediation
+
+
Details
The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Resolution
Attach resource-based policies to AgentCore resources to:
+1. Implement defense-in-depth access control
+2. Enable cross-account access control
+3. Restrict access based on source VPC or IP
+4. Implement hierarchical authorization for Agent Runtimes
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
us-west-2
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AC-12
+
+
AgentCore Gateway Encryption Missing
+
+ Details and remediation
+
+
Details
The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
Resolution
1. Create gateways with customer-managed KMS keys for additional control
+2. AWS-managed keys are single-tenant and region-specific
+3. Consider CMK for enhanced audit capabilities and key rotation control
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AG-25
+
+
Agentic AI Gateway Tool Policy Enforcement Missing
+
+ Details and remediation
+
+
Details
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
+
Resolution
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
us-west-2
+
AG-26
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
+
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
+
us-west-2
+
AG-27
+
+
Agentic AI Gateway WAF Protection Missing
+
+ Details and remediation
+
+
Details
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.
+
Resolution
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
us-west-2
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
+
us-west-2
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
+
us-west-2
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
+
us-west-2
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
us-west-2
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Low
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-02
+
+
Amazon Bedrock private connectivity not used
+
+ Details and remediation
+
+
Details
No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc
+
Resolution
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
+- com.amazonaws.region.bedrock
+- com.amazonaws.region.bedrock-runtime
+- com.amazonaws.region.bedrock-agent
+- com.amazonaws.region.bedrock-agent-runtime
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Resolution
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
Resolution
No action required. Continue monitoring and updating guardrails as needed.
+
Reference
+
+
+
+
High
+
Passed
-
+
111122223333
-
sa-east-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
Reference
+
+
+
+
Medium
+
Passed
-
+
111122223333
-
sa-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
+
us-west-2
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
No processing jobs found
-
No action required
-
+
us-west-2
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
No transform jobs found
-
No action required
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
sa-east-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
+
111122223333
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation
+
+
Details
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
+
Resolution
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
us-west-2
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
us-west-2
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
us-west-2
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
+
Resolution
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
+
us-west-2
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
111122223333
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
+
us-west-2
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
+
Medium
N/A
-
+
111122223333
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
+
us-west-2
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
+
High
N/A
-
+
111122223333
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
+
Reference
+
+
+
+
Low
+
Passed
-
+
111122223333
-
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
+
us-west-2
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: VIOLENCE, SEXUAL, HATE, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Resolution
Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
+
us-west-2
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Resolution
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Resolution
Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Resolution
Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
N/A
-
+
111122223333
-
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
+
us-west-2
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
+
Low
N/A
-
+
111122223333
-
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
+
us-west-2
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
111122223333
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
+
us-west-2
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
+
Medium
N/A
-
+
111122223333
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
+
us-west-2
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
Reference
+
+
+
Medium
-
Passed
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AG-07
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
+
us-west-2
+
AG-08
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Medium
Passed
-
+
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
+
us-west-2
+
AG-10
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
+
us-west-2
+
AG-11
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
+
us-west-2
+
AG-06
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
+
us-west-2
+
AG-12
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
+
Low
+
Passed
-
+
111122223333
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
+
us-west-2
+
AG-02
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: VIOLENCE, SEXUAL, HATE, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
+
us-west-2
+
AG-04
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
+
us-west-2
+
AG-03
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
+
High
+
Failed
-
+
111122223333
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
+
us-west-2
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
111122223333
+
us-west-2
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
+
us-west-2
+
AG-13
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
111122223333
+
us-west-2
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
444455556666
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
-
No action required
-
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-15
-
SageMaker Feature Store Encryption Check
-
No feature groups with offline stores found
-
No action required
-
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-20
-
SageMaker Compilation Job Encryption Check
-
No compilation jobs found
-
No action required
-
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-21
-
SageMaker AutoML Job Network Isolation Check
-
No AutoML jobs found
-
No action required
-
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-22
-
Model Approval Workflow Check
-
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
+
AG-24
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
+
AG-25
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
+
AG-26
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
+
AG-27
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-east-1
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-west-2
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-west-2
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
FS-02
-
API Gateway Usage Plans Missing Throttle
-
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
-
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-west-2
-
FS-02
-
API Gateway Usage Plans Missing Throttle
-
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
-
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
-
Medium
-
Passed
+
+
444455556666
+
eu-west-1
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
-
Medium
-
Failed
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
-
Medium
-
Failed
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-east-1
-
FS-08
-
AgentCore Runtimes Missing Policy Engine
-
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
-
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-08
-
AgentCore Runtimes Missing Policy Engine
-
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
-
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-14
-
Model Governance Config Rules Present
-
Found 11 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-14
-
Model Governance Config Rules Present
-
Found 11 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-16
-
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-16
-
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-21
-
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
-
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-21
-
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
-
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
827 role(s) with wildcard KB permissions:
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Admin' allows '*'
-- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
827 role(s) with wildcard KB permissions:
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Admin' allows '*'
-- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-27
-
Contextual Grounding Enabled on Guardrails
-
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
-
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-27
-
Contextual Grounding Enabled on Guardrails
-
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
-
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
-2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
-3. Set confidenceThreshold on the policy to control strictness.
-4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
-2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
-3. Set confidenceThreshold on the policy to control strictness.
-4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-28
-
Denied Topics Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
-
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-28
-
Denied Topics Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
-
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
-- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
-- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-33
-
KB Data Source Buckets Without Versioning
-
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
-
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-33
-
KB Data Source Buckets Without Versioning
-
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
-
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-36
-
Guardrail Content Filters on CLASSIC Tier
-
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
-
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-36
-
Guardrail Content Filters on CLASSIC Tier
-
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
-
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-38
-
No Guardrails With Word Filters
-
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
-
Add word filters to guardrails:
-- Enable AWS managed profanity list
-- Add custom denylist for prohibited financial terms
-- Add allowlist for required regulatory language
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-38
-
No Guardrails With Word Filters
-
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
-
Add word filters to guardrails:
-- Enable AWS managed profanity list
-- Add custom denylist for prohibited financial terms
-- Add allowlist for required regulatory language
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-44
-
Amazon Macie Enabled
-
Amazon Macie is enabled and scanning S3 buckets.
-
Verify Macie jobs cover training data and KB data source buckets.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-44
-
Amazon Macie Enabled
-
Amazon Macie is enabled and scanning S3 buckets.
-
Verify Macie jobs cover training data and KB data source buckets.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-45
-
Guardrail PII Filters Configured
-
Guardrails with PII filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-45
-
Guardrail PII Filters Configured
-
Guardrails with PII filters: nist-ai-rmf-guardrail.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-50
-
Relevance Grounding Filters Present
-
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-50
-
Relevance Grounding Filters Present
-
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-51
-
No Guardrails With Prompt Attack Filters
-
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
-
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
-2. Set input filter strength to HIGH.
-3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
-4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
-5. Implement application-level input sanitization as defense-in-depth.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-51
-
No Guardrails With Prompt Attack Filters
-
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
-
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
-2. Set input filter strength to HIGH.
-3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
-4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
-5. Implement application-level input sanitization as defense-in-depth.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-52
-
Bedrock Lambda Functions on Deprecated Runtimes
-
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
-
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
-2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
-3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
-4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-52
-
Bedrock Lambda Functions on Deprecated Runtimes
-
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
-
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
-2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
-3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
-4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-59
-
Topic Restrictions Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
-
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-59
-
Topic Restrictions Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
-
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
-2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
-3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
-2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
-3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 10 lifecycle-related Config rule(s) found.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 10 lifecycle-related Config rule(s) found.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- semiconductor-demo-9999
-- 111122223333-us-east-1-kb-data-bucket
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- semiconductor-demo-9999
-- 111122223333-us-east-1-kb-data-bucket
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
-- origami_expeditions
-- neoCyan_Agent
-- customer_support_agent
-- cdk_agent_core
-- awsapimcpserver
-
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
-2. Propagate the end-user's identity token to downstream tool services.
-3. Ensure tool services validate the propagated identity before executing actions.
-4. Do not expose propagated identity tokens to unauthorized third parties.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
-- origami_expeditions
-- neoCyan_Agent
-- customer_support_agent
-- cdk_agent_core
-- awsapimcpserver
-
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
-2. Propagate the end-user's identity token to downstream tool services.
-3. Ensure tool services validate the propagated identity before executing actions.
-4. Do not expose propagated identity tokens to unauthorized third parties.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111122223333-FinServAssessment
-- aiml-security-aiml-security-111122223333-BedrockAssessment
-- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111122223333-AgentCoreAssessment
-- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
-- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
-- resco-aiml-AgentCoreAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111122223333-FinServAssessment
-- aiml-security-aiml-security-111122223333-BedrockAssessment
-- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111122223333-AgentCoreAssessment
-- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
-- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
-- resco-aiml-AgentCoreAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits Not Enforced
-
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
-
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
-2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
-3. Set the max_tokens parameter in Bedrock API calls to cap output length.
-4. Implement client-side token counting before submitting requests.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-68
-
API Gateway Request Body Size Limits Not Enforced
-
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
-
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
-2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
-3. Set the max_tokens parameter in Bedrock API calls to cap output length.
-4. Implement client-side token counting before submitting requests.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
-
Passed
-
-
-
111122223333
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
No identities found with overly permissive marketplace subscription access
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
444455556666
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
444455556666
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Passed
-
-
-
444455556666
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Medium
-
Failed
-
-
-
444455556666
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-02
-
No API Gateway Usage Plans Found
-
No usage plans configured. GenAI API endpoints may have no rate limits.
-
Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-07
-
Agent Action Boundaries Look Appropriate
-
Reviewed 1 agent(s); no wildcard sensitive actions found.
-
No action required.
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-08
-
No AgentCore Runtimes Found
-
No AgentCore runtimes found; policy engine check not applicable.
-
If using AgentCore, configure the Policy Engine to authorize tool calls.
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-14
-
Model Governance Config Rules Present
-
Found 13 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-16
-
ECR Repositories Without Image Scanning
-
2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-20
-
Feature Groups Without Offline Store
-
1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.
-
1. Enable offline store (S3-backed) for all production feature groups.
-2. Enable S3 versioning on the offline store bucket.
-3. Document rollback procedures for poisoned feature data.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-21
-
Training Data Buckets Have Versioning
-
All 2 training bucket(s) have versioning enabled.
-
No action required.
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
823 role(s) with wildcard KB permissions:
-- Role 'Admin' allows '*'
-- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*'
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 1 encryption policy(ies); 1 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-27
-
COULD NOT ASSESS: Guardrail Contextual Grounding Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
-2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
-3. Set confidenceThreshold on the policy to control strictness.
-4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-28
-
COULD NOT ASSESS: Financial Denied Topics Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-33
-
KB Data Source Buckets Have Versioning
-
All reviewed KB data source buckets have versioning enabled.
-
No action required.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-36
-
COULD NOT ASSESS: Guardrail Content Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-38
-
COULD NOT ASSESS: Guardrail Word Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-44
-
Amazon Macie Not Enabled
-
Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.
-
1. Enable Amazon Macie in all regions where AI/ML data is stored.
-2. Create Macie classification jobs for training data and KB buckets.
-3. Configure Macie findings to route to Security Hub and SNS.
-4. Remediate PII findings before using data for model training.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-45
-
COULD NOT ASSESS: Guardrail PII Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-46
-
AI/ML Buckets Without Data Classification Tags
-
3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.
-
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-47
-
COULD NOT ASSESS: Guardrail Grounding Threshold Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 1 active Knowledge Base(s) for RAG grounding.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-50
-
COULD NOT ASSESS: Guardrail Relevance Grounding Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-51
-
COULD NOT ASSESS: Prompt Injection Input Validation Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-52
-
Bedrock Lambda Functions on Current Runtimes
-
All 10 Bedrock Lambda function(s) use current runtimes.
-
No action required.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-59
-
COULD NOT ASSESS: Guardrail Topic Allowlist Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
-2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
-3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 11 lifecycle-related Config rule(s) found.
-
No action required.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-66
-
No AgentCore Runtimes Found
-
No AgentCore runtimes found; identity propagation check not applicable.
-
If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-mgmt-FinServAssessment
-- aiml-security-aiml-security-mgmt-AgentCoreAssessment
-- aiml-security-aiml-security-mgmt-BedrockAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits — Not Applicable
-
No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.
-
If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
-
Scope permissions to specific AgentCore resources using resource ARNs
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Direct Internet Access Enabled
-
SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled
-
Configure the notebook instance to use VPC connectivity and disable direct internet access
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing VPC Encryption
-
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled
-
Enable encryption for inter-container traffic and VPC communication
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
Model group 'aiml-sec-test-model-package-group' has minimal versioning
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-08
-
Model Registry Empty Model Group
-
Model group aiml-sec-test-model-package-group has no registered models
-
Implement proper model versioning and approval workflows
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Enabled
-
Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.
-
Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-10
-
SageMaker Notebook Not in VPC
-
Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.
-
Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Disabled
-
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.
-
Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-14
-
SageMaker Model Platform Repository Access
-
Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
-
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-14
-
SageMaker Model Platform Repository Access
-
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
-
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-15
-
SageMaker Feature Store Offline Encryption Missing
-
Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.
-
Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
All 1 processing jobs have volume encryption configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
All 1 transform jobs have volume encryption configured
Checked 1 model package groups. Approval workflows appear to be properly configured.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity
-
Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime
-
No action required
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management is being used with 1 prompts
-
No action required. Continue using Prompt Management for consistent and optimized prompts.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.
-
Investigate error and retry assessment
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role
-
Add IAM policy conditions to enforce guardrail usage:
-1. Use 'bedrock:GuardrailIdentifier' condition key
-2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
1 agents have an associated guardrail
-
No action required. Continue associating guardrails with new agents.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Medium
-
Passed
-
-
-
777788889999
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
-
Risk Distribution
-
Pass Rate by Severity
-
-
HIGH
12.8%
28 of 219 checks passed
-
MEDIUM
29.3%
82 of 280 checks passed
-
LOW
30.3%
30 of 99 checks passed
-
Overall
23.4%
140 of 598 actionable checks
-
-
Risk by Account
-
111122223333
193
78 High · 95 Med · 20 Low
444455556666
3
0 High · 3 Med · 0 Low
777788889999
64
28 High · 31 Med · 5 Low
-
Risk by Region
-
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
157
52 High · 90 Med · 15 Low
us-west-2
64
22 High · 32 Med · 10 Low
-
Findings by Assessment Area
-
-
Bedrock
461
50 Failed · 18 Passed
-
SageMaker
423
34 Failed · 61 Passed
-
AgentCore
182
39 Failed · 3 Passed
-
Agentic AI Security
388
47 Failed · 18 Passed
-
Financial Services Risk
210
90 Failed · 40 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111122223333
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'myAskMeAnything-role-kmsizqwf' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-cdk_agent_core'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b' has overly permissive marketplace subscription access through policy 'BedrockAgentCoreRuntimeExecutionPolicy-neoCyan_Agent'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_knnc9' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_knnc9'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonBedrockExecutionRoleForKnowledgeBase_qxqw2' has overly permissive marketplace subscription access through policy 'AmazonBedrockFoundationModelPolicyForKnowledgeBase_qxqw2'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'myAskMeAnything-role-kmsizqwf' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-20pp' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockAPIKey-yhc3' has overly permissive marketplace subscription access through policy 'AmazonBedrockLimitedAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
User 'BedrockClientUser' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity not used
-
No Bedrock service VPC endpoints found in VPCs: vpc-03472be90d65c2f68, vpc-39319f44, vpc-064f3e808e378cbc8, vpc-02d020a365a06c7fe
-
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
-- com.amazonaws.region.bedrock
-- com.amazonaws.region.bedrock-runtime
-- com.amazonaws.region.bedrock-agent
-- com.amazonaws.region.bedrock-agent-runtime
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-semiconductors' (RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base '111122223333-us-east-1-kb' (PAJOKBSIMQ) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'e2e-rag-knowledgebase' (ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
-
Add IAM policy conditions to enforce guardrail usage:
-1. Use 'bedrock:GuardrailIdentifier' condition key
-2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption
-
S3 bucket 'nistairmfguardrail-invocationlogsbucket8fe5371b-wmlsng7pkyhm' for invocation logs uses SSE-S3 encryption instead of customer-managed KMS. Invocation logs may contain sensitive prompts and responses.
-
1. Enable SSE-KMS with a customer-managed key on the S3 bucket
-2. Update bucket policy to require encrypted uploads
-3. Consider enabling S3 bucket versioning and MFA delete for log integrity
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
-
Medium
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
-
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
No action required. Continue monitoring filter effectiveness and adjust thresholds as needed.
-
-
Low
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-semiconductors' (ID: RQYFDSE1LT) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base '111122223333-us-east-1-kb' (ID: PAJOKBSIMQ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'e2e-rag-knowledgebase' (ID: ESIYAYSYTJ) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
1 guardrails have sensitive-information (PII) filters configured
-
No action required. Periodically review the PII entity types and regex patterns to ensure coverage matches your data.
-
-
Low
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
1 guardrails have contextual grounding checks enabled
-
No action required. Review grounding and relevance thresholds periodically to balance hallucination detection against false positives.
-
-
Low
-
Passed
-
-
-
111122223333
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
111122223333
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
-
Medium
-
Failed
-
-
-
111122223333
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
111122223333
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity not used
-
No Bedrock service VPC endpoints found in VPCs: vpc-0f85a6754ab37efb7, vpc-5c3b6524, vpc-03bcafcb58a3029fc
-
Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using:
-- com.amazonaws.region.bedrock
-- com.amazonaws.region.bedrock-runtime
-- com.amazonaws.region.bedrock-agent
-- com.amazonaws.region.bedrock-agent-runtime
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-bedrock-agent' (XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'promptfoo-rag-workshop-111122223333-kb' (N74ZIKTUFL) uses 'RDS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'InvestmentResearchKB' (M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-quick-start-xtwwd' (ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'kb-s3-vector-store' (116IXQU5VP) uses 'S3_VECTORS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: 111122223333-us-east-1-kb-bedrock-service-role, agentcore-wildrydes_gateway_role_ab3991f6-role, AgentCoreEvalsSDK-us-east-1-d04ba7b68b, AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76, AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b, AmazonBedrockExecutionRoleForAgents_S0T9VNPP9D, AmazonBedrockExecutionRoleForAgents_WNCOPE29NZ, AmazonBedrockExecutionRoleForKnowledgeBase_072pr, AmazonBedrockExecutionRoleForKnowledgeBase_byjin, AmazonBedrockExecutionRoleForKnowledgeBase_h9718...
-
Add IAM policy conditions to enforce guardrail usage:
-1. Use 'bedrock:GuardrailIdentifier' condition key
-2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is using the 'CLASSIC' content-filter tier instead of 'STANDARD'. The STANDARD tier provides more robust content filtering and broader language support than the CLASSIC tier.
-
Update the guardrail to use the STANDARD content-filter tier for improved contextual understanding, better prompt attack filtering (distinguishing jailbreaks from prompt injection), and broader language support. The STANDARD tier requires cross-Region inference. Review pricing implications before upgrading.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) uses 'RDS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) uses 'S3_VECTORS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
-
-
Low
-
Passed
-
-
-
111122223333
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
-
Update guardrail to enable all content filters (HATE, INSULTS, SEXUAL, VIOLENCE). Configure appropriate threshold levels (LOW, MEDIUM, HIGH) for both input and output filtering based on your use case. Review AWS documentation for threshold guidance.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure Automated Reasoning policies on guardrails to mathematically verify model responses. Define policies that specify allowed and disallowed behaviors. Use for high-assurance use cases where formal verification is required.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-bedrock-agent' (ID: XSPYLN4FQL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'IDP-DOCUMENTBEDROCKKB-CY8N0Q7N4YDT' (ID: SUGAG7RGYD) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'promptfoo-rag-workshop-111122223333-kb' (ID: N74ZIKTUFL) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'InvestmentResearchKB' (ID: M1GMUG3BP0) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-quick-start-xtwwd' (ID: ENFHSBBLMV) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'kb-s3-vector-store' (ID: 116IXQU5VP) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
-
Configure sensitive-information filters on the guardrail: add PII entity types (e.g. NAME, EMAIL, SSN, CREDIT_DEBIT_CARD_NUMBER) and/or custom regex patterns, and set the appropriate BLOCK or ANONYMIZE action for input and output.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
-
Enable contextual grounding checks (GROUNDING and RELEVANCE filter types) on the guardrail with appropriate thresholds. This is especially important for RAG applications to ensure responses are grounded in the retrieved source material.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
111122223333
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
-
Medium
-
Failed
-
-
-
111122223333
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
111122223333
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
111122223333
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
No identities found with overly permissive marketplace subscription access
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
444455556666
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached
-
Limit the AmazonBedrockFullAccess policy only to required access
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity
-
Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime
-
No action required
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
Amazon Bedrock Guardrails are properly configured with 1 guardrails
-
No action required. Continue monitoring and updating guardrails as needed.
-
-
High
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management is being used with 1 prompts
-
No action required. Continue using Prompt Management for consistent and optimized prompts.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.
-
Investigate error and retry assessment
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Review
-
Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
-
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
-2. For S3 data sources: Verify CMK-encrypted S3 buckets
-3. For RDS: Verify KMS encryption on the database
-4. Consider using CMK for transient data during ingestion
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Missing
-
The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role
-
Add IAM policy conditions to enforce guardrail usage:
-1. Use 'bedrock:GuardrailIdentifier' condition key
-2. Specify required guardrail ARN or ID
-3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Check must run in AWS Organizations management account to evaluate organizational policies
-
Run assessment in management account to check cross-account guardrails enforcement
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Review
-
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
-
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
-2. For Amazon RDS/Aurora: verify KMS encryption on the database
-3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
-4. Verify the customer-managed KMS key used for transient data during ingestion
Continue monitoring quota utilization. Review and adjust quotas as application requirements change.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
-
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
1 agents have an associated guardrail
-
No action required. Continue associating guardrails with new agents.
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
777788889999
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111122223333
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111122223333
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20231014T200029' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMaker-ExecutionRole-20250525T153161' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'AmazonSageMakerServiceCatalogProductsExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'EMR_EC2_DefaultRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'IDPSageMakerCfnStack-SageMakerExecutionRole-aqrHz6dVkoHC' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'LLMEvaluationPromptfoo-SageMakerExecutionRole-M69xCHJ9c3LU' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'SageMaker-EMR-ExecutionRole' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cz8qi7j81si3' (QuickSetupDomain-20250525T153160) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'QuickSetupDomain-20250525T153160' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111122223333
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-krxh4fmtaxjl' (PromptEvaluationDomain) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
SM-03
-
Missing Encryption Configuration
-
Domain 'PromptEvaluationDomain' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111122223333
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111122223333
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
111122223333
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
444455556666
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
Global
-
SM-02
-
SageMaker Full Access Policy Used
-
Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached
-
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Direct Internet Access Enabled
-
SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled
-
Configure the notebook instance to use VPC connectivity and disable direct internet access
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-01
-
Non-VPC Only Network Access
-
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access
-
Configure the SageMaker domain to use VPC-only network access type
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-02
-
SSO Not Properly Configured
-
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM
-
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing Encryption Configuration
-
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured
-
Configure encryption using AWS KMS customer managed keys for enhanced security
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-03
-
Missing VPC Encryption
-
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled
-
Enable encryption for inter-container traffic and VPC communication
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
Model group 'aiml-sec-test-model-package-group' has minimal versioning
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-08
-
Model Registry Empty Model Group
-
Model group aiml-sec-test-model-package-group has no registered models
-
Implement proper model versioning and approval workflows
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Enabled
-
Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.
-
Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-10
-
SageMaker Notebook Not in VPC
-
Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.
-
Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Disabled
-
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.
-
Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.
-
-
High
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-14
-
SageMaker Model Platform Repository Access
-
Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
-
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-14
-
SageMaker Model Platform Repository Access
-
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
-
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-15
-
SageMaker Feature Store Offline Encryption Missing
-
Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.
-
Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
SM-16
-
SageMaker Data Quality Job Encryption Check
-
No data quality job definitions found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-east-1
-
SM-17
-
SageMaker Processing Job Encryption Check
-
All 1 processing jobs have volume encryption configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-18
-
SageMaker Transform Job Encryption Check
-
All 1 transform jobs have volume encryption configured
Checked 1 model package groups. Approval workflows appear to be properly configured.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
777788889999
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
777788889999
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111122223333
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
Found 1 Gateway resources
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Missing
-
The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to:
-1. Implement defense-in-depth access control
-2. Enable cross-account access control
-3. Restrict access based on source VPC or IP
-4. Implement hierarchical authorization for Agent Runtimes
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Missing
-
The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
-
1. Create gateways with customer-managed KMS keys for additional control
-2. AWS-managed keys are single-tenant and region-specific
-3. Consider CMK for enhanced audit capabilities and key rotation control
-
-
Low
-
Failed
-
-
-
111122223333
-
Global
-
AC-02
-
AgentCore IAM Full Access Policy
-
The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace with least-privilege policies scoped to specific AgentCore resources and actions
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Scope permissions to specific AgentCore resources using resource ARNs
-
-
High
-
Failed
-
-
-
111122223333
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
111122223333
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
111122223333
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-01
-
AgentCore Runtime VPC Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure VPC with private subnets and required VPC endpoints (ECR, S3, CloudWatch Logs)
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime CloudWatch Logs
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs for monitoring and troubleshooting
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-04
-
AgentCore Runtime X-Ray Tracing
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable X-Ray tracing for distributed tracing and performance analysis
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-06
-
AgentCore Runtime Storage Configuration
-
Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have storage configuration for browser tools
-
Configure S3 storage for browser tool session recordings and artifacts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-07
-
AgentCore Memory Encryption
-
Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Enable encryption with customer-managed KMS keys
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
Found 2 Gateway resources
-
No action required
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Missing
-
No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create VPC interface endpoints for AgentCore services:
-1. com.amazonaws.region.bedrock-agentcore
-2. com.amazonaws.region.bedrock-agentcore-control
-3. com.amazonaws.region.bedrock-agentcore-runtime
-This enables private connectivity via AWS PrivateLink
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Missing
-
The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to:
-1. Implement defense-in-depth access control
-2. Enable cross-account access control
-3. Restrict access based on source VPC or IP
-4. Implement hierarchical authorization for Agent Runtimes
-
-
High
-
Failed
-
-
-
111122223333
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Missing
-
The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
-
1. Create gateways with customer-managed KMS keys for additional control
-2. AWS-managed keys are single-tenant and region-specific
-3. Consider CMK for enhanced audit capabilities and key rotation control
-
-
Low
-
Failed
-
-
-
111122223333
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
111122223333
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
-
High
-
Passed
-
-
-
444455556666
-
Global
-
AC-03
-
AgentCore Stale Access
-
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Medium
-
Failed
-
-
-
444455556666
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
444455556666
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
+
444455556666
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
777788889999
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
+
Medium
N/A
-
-
777788889999
+
+
444455556666
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
+
Medium
N/A
-
-
777788889999
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
+
Medium
N/A
-
-
777788889999
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
+
Low
N/A
-
-
777788889999
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
+
Medium
N/A
-
-
777788889999
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
+
Low
N/A
-
-
777788889999
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
-
777788889999
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
+
+
444455556666
+
us-west-2
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
+
Medium
N/A
-
-
777788889999
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-07
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-08
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-10
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-11
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-06
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
Global
-
AC-02
-
AgentCore IAM Wildcard Permissions
-
The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
-
Scope permissions to specific AgentCore resources using resource ARNs
-
-
High
-
Failed
-
-
-
777788889999
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
+
+
444455556666
+
us-west-2
+
AG-12
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
777788889999
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-02
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-04
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
Consider using customer-managed KMS keys for better control and audit capabilities
-
-
Low
-
Failed
-
-
-
777788889999
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-03
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-13
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
+
444455556666
+
us-west-2
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
+
Global
+
BR-01
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
No roles found with AmazonBedrockFullAccess policy
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
No identities found with overly permissive marketplace subscription access
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
444455556666
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
+
+
444455556666
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
111122223333
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
444455556666
+
us-east-1
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
444455556666
+
us-east-1
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
444455556666
+
us-east-1
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
444455556666
+
us-east-1
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
444455556666
+
us-east-1
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
444455556666
+
us-east-1
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
+
+
444455556666
+
Global
+
BR-15
+
+
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation
+
+
Details
Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Run assessment in management account to check cross-account guardrails enforcement
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) does not expose DEBUG-level exception detail.
-
No action required
-
+
+
444455556666
+
us-east-1
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'aws-news-mcp' (aws-news-mcp-vx9kxwqv9p) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
-
-
Low
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
N/A
-
-
111122223333
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
+
+
444455556666
+
us-east-1
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
-
111122223333
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
444455556666
+
us-east-1
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
+
+
444455556666
+
us-east-1
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
+
Medium
N/A
-
-
111122223333
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Gateway 'aws-news-mcp'. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
444455556666
+
us-east-1
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
N/A
-
-
111122223333
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'aws-news-mcp'. Gateway configuration data uses AWS-managed keys.
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Low
-
Failed
-
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is properly configured with delivery to: Amazon S3, CloudWatch Logs
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Medium
-
Passed
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
+
High
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Medium
-
Passed
-
-
-
111122223333
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Medium
-
Failed
-
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
+
High
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
+
Medium
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 11 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
Low
-
Passed
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: 1 guardrails have complete content filter coverage (hate, insults, sexual, violence)
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Low
-
Passed
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'nist-ai-rmf-guardrail' (ID: do7xkmhadx7k) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: 1 guardrails have sensitive-information (PII) filters configured
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Low
-
Passed
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: 1 guardrails have contextual grounding checks enabled
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
-
Passed
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
+
Medium
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Medium
-
Failed
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
Global
+
AG-09
+
+
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-east-1
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
ap-south-1
+
+
444455556666
+
us-east-1
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Medium
-
Failed
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
us-west-2
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 7 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Low
-
Passed
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) is missing content filters: HATE, VIOLENCE, SEXUAL, INSULTS. Complete content filter coverage is essential for comprehensive content safety.
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
High
-
Failed
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have an Automated Reasoning policy configured. Automated Reasoning provides formal verification of model responses against defined policies.
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Medium
-
Failed
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) has no sensitive-information filters configured (no PII entities or regex patterns). Prompts and model responses are not screened for sensitive data such as PII.
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
High
-
Failed
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'Sample-Guardrail' (ID: mmi5rrre65gv) does not have contextual grounding checks enabled. Without grounding and relevance checks, the guardrail cannot detect hallucinated (ungrounded) or off-topic model responses.
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Medium
-
Failed
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Medium
-
Failed
-
-
-
111122223333
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
444455556666
+
us-west-2
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
444455556666
+
us-west-2
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
444455556666
+
us-west-2
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
444455556666
+
us-west-2
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
+
+
+
444455556666
+
us-west-2
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
444455556666
+
Global
+
AC-02
+
+
AgentCore IAM Full Access Check
+
+ Details and remediation
+
+
Details
No roles with overly permissive AgentCore access found
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
444455556666
+
Global
+
AC-03
+
+
AgentCore Stale Access
+
+ Details and remediation
+
+
Details
The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
444455556666
+
Global
+
AC-03
+
+
AgentCore Unused Permissions
+
+ Details and remediation
+
+
Details
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
444455556666
+
Global
+
AC-09
+
+
AgentCore Service-Linked Role Missing
+
+ Details and remediation
+
+
Details
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
Resolution
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
444455556666
+
us-east-1
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
444455556666
+
us-east-1
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
444455556666
+
us-east-1
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
444455556666
+
us-east-1
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
444455556666
+
us-east-1
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
-
High
-
Failed
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) does not expose DEBUG-level exception detail.
-
No action required
-
-
Medium
-
Passed
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'customersupport-gw' (customersupport-gw-oxqopzjxae) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
Agentic AI Gateway Tool Policy Enforcement Missing
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not have a policy engine configuration. Tool calls are not evaluated by AgentCore policy enforcement.
-
Attach an AgentCore policy engine to the gateway and use ENFORCE mode for production tool authorization.
-
-
High
-
Failed
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) does not expose DEBUG-level exception detail.
-
No action required
-
-
Medium
-
Passed
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
AG-27
-
Agentic AI Gateway WAF Protection Missing
-
Gateway 'wildrydes-gateway-ab3991f6' (wildrydes-gateway-ab3991f6-jrlh9ok6ya) is not associated with an AWS WAF web ACL.
-
Associate an AWS WAF web ACL with internet-facing AgentCore gateways to add request filtering and abuse protection.
-
-
Low
-
Failed
-
-
-
111122223333
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have BedrockAgentCoreFullAccess policy: AmazonSageMaker-ExecutionRole-20250525T153161
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Failed
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
Global
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: agentcore-wildrydes_gateway_role_ab3991f6-role
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
+
+
Agentic AI AgentCore Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Resolution
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
Reference
+
+
+
High
-
Failed
+
Passed
-
-
111122223333
+
+
444455556666
Global
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'AmazonSageMaker-ExecutionRole-20250525T153161' (199 days), role 'AWSServiceRoleForBedrockAgentCoreRuntimeIdentity' (199 days), role 'CustomerSupportAssistantBedrockAgentCoreRole-us-east-1' (199 days), role 'resco-aiml-security-19304-AgentCoreSecurityAssessme-w773pPsFWNsn' (82 days)
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
444455556666
Global
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'agentcore-wildrydes_gateway_role_ab3991f6-role', role 'AIMLSecurityMemberRole', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-a6ddf3fc76', role 'AmazonBedrockAgentCoreSDKRuntime-us-east-1-ed660add8b', role 'aws-api-mcp-server-execution-role', role 'CloudSeerTrustedServiceRole', role 'CustomerSupportStackInfra-RuntimeAgentCoreRole-N188nLB5RtLO', role 'IDP-AnalyticsProcessorFunctionRole-H3gwkJtNqrqW'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
us-east-1
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) is not configured with VPC. This exposes the runtime to public internet.
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
High
-
Failed
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
444455556666
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'origami_expeditions' (origami_expeditions-TR4jDoHXe8) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'neoCyan_Agent' (neoCyan_Agent-yAFXSWFaA3) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
444455556666
+
eu-west-1
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'customer_support_agent' (customer_support_agent-ZP4e8z55dP) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
444455556666
+
eu-west-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'cdk_agent_core' (cdk_agent_core-7FqFlD86LW) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
444455556666
+
eu-west-1
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have CloudWatch Logs configured
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: Runtime 'awsapimcpserver' (awsapimcpserver-mJrqgt37GO) does not have X-Ray tracing enabled
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'CustomerSupportMemory-x69jBq5GLp' (CustomerSupportMemory-x69jBq5GLp) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'cdk_agent_core_mem-uxfIagADuF' (cdk_agent_core_mem-uxfIagADuF) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: Memory 'wildrydes_memory_ab3991f6-9FjiHOHjT2' (wildrydes_memory_ab3991f6-9FjiHOHjT2) does not have customer-managed encryption configured
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Medium
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses public internet, exposing it to interception.
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
High
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: The following AgentCore resources do not have resource-based policies: Runtime 'origami_expeditions', Runtime 'neoCyan_Agent', Runtime 'customer_support_agent', Runtime 'cdk_agent_core', Runtime 'awsapimcpserver' and 2 more. Without RBPs, access control relies solely on identity-based policies.
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
High
-
Failed
+
+
444455556666
+
eu-west-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
444455556666
+
eu-west-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: The following Gateways do not use customer-managed KMS encryption: 'customersupport-gw', 'wildrydes-gateway-ab3991f6'. Gateway configuration data uses AWS-managed keys.
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
eu-west-1
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
+
+
+
444455556666
+
eu-west-1
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
444455556666
+
Global
+
SM-02
+
+
SageMaker IAM Permissions Check
+
+ Details and remediation
+
+
Details
No issues found with IAM permissions and no stale access detected
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
444455556666
+
us-east-1
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
444455556666
+
us-east-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
444455556666
+
us-east-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
444455556666
+
us-east-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
444455556666
+
us-east-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
+
444455556666
+
us-east-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
444455556666
+
us-east-1
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
444455556666
+
us-east-1
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
444455556666
+
us-east-1
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
444455556666
+
us-east-1
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
444455556666
+
us-east-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
444455556666
+
us-east-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
444455556666
+
us-east-1
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
444455556666
+
us-east-1
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
444455556666
+
us-east-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
444455556666
+
us-east-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
444455556666
+
us-east-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
444455556666
+
us-east-1
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
+
444455556666
+
us-east-1
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
-
111122223333
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
444455556666
+
us-east-1
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
+
+
+
444455556666
+
us-east-1
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
444455556666
+
us-east-1
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
444455556666
+
us-west-2
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
444455556666
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
eu-west-1
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
eu-west-1
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
eu-west-1
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
+
eu-west-1
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
+
Medium
N/A
-
+
444455556666
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
+
eu-west-1
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
eu-west-1
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
+
eu-west-1
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
+
Medium
N/A
-
+
444455556666
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
+
eu-west-1
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
+
eu-west-1
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
eu-west-1
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
+
eu-west-1
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
+
eu-west-1
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
+
Medium
N/A
-
+
444455556666
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
+
eu-west-1
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
+
Low
N/A
-
+
444455556666
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
+
eu-west-1
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
+
eu-west-1
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
+
Medium
N/A
-
+
444455556666
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
+
eu-west-1
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
N/A
-
+
444455556666
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
+
eu-west-1
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
+
Low
N/A
-
+
444455556666
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
+
eu-west-1
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Resolution
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
Reference
+
+
+
+
Low
N/A
-
+
444455556666
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
+
eu-west-1
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
+
Medium
N/A
-
+
444455556666
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
eu-west-1
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
444455556666
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
us-east-1
+
eu-west-1
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
444455556666
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
sa-east-1
+
us-west-2
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
eu-west-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
us-west-2
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
+
444455556666
-
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
us-west-2
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
777788889999
+
Global
+
AC-02
+
+
AgentCore IAM Wildcard Permissions
+
+ Details and remediation
+
+
Details
The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Resolution
Scope permissions to specific AgentCore resources using resource ARNs
+
Reference
+
+
+
+
High
+
Failed
+
+
+
777788889999
+
Global
+
AC-03
+
+
AgentCore Unused Permissions
+
+ Details and remediation
+
+
Details
The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
777788889999
+
Global
+
AC-09
+
+
AgentCore Service-Linked Role Missing
+
+ Details and remediation
+
+
Details
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
Resolution
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-east-1
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
777788889999
+
us-east-1
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
Consider using customer-managed KMS keys for better control and audit capabilities
+
Reference
+
+
+
+
Low
+
Failed
+
+
+
777788889999
+
us-east-1
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
777788889999
+
us-east-1
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
777788889999
+
us-east-1
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
777788889999
+
us-east-1
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
777788889999
+
us-east-1
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
777788889999
+
us-east-1
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
777788889999
+
us-east-1
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
Global
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
+
+
Agentic AI AgentCore Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
+
Resolution
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
Reference
+
+
+
High
-
Passed
-
-
-
444455556666
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have not accessed AgentCore in 60+ days: role 'resco-aiml-security-23026-AgentCoreSecurityAssessme-2AEt2MTxg4AU' (82 days)
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Medium
Failed
-
-
444455556666
+
+
777788889999
Global
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-east-1
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
777788889999
+
eu-west-1
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
777788889999
+
eu-west-1
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
777788889999
+
eu-west-1
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
+
777788889999
+
eu-west-1
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
eu-west-1
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
444455556666
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
777788889999
+
us-west-2
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
777788889999
+
us-west-2
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
777788889999
+
us-west-2
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
777788889999
+
us-west-2
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
777788889999
+
us-west-2
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
777788889999
+
us-west-2
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
777788889999
+
us-west-2
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
777788889999
+
us-west-2
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
777788889999
+
us-west-2
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
777788889999
+
us-west-2
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
777788889999
+
us-west-2
+
AG-24
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
777788889999
+
us-west-2
+
AG-25
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
AG-26
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
AG-27
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
AG-15
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
AG-18
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
AG-19
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
AG-20
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
AG-21
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
AG-22
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
+
+
777788889999
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
AG-23
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
777788889999
+
eu-west-1
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
777788889999
+
eu-west-1
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
777788889999
+
eu-west-1
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
777788889999
+
eu-west-1
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
eu-west-1
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
eu-west-1
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
eu-west-1
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
+
eu-west-1
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
+
eu-west-1
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
eu-west-1
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
+
eu-west-1
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
+
eu-west-1
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
+
eu-west-1
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
eu-west-1
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
+
eu-west-1
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
+
eu-west-1
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
+
eu-west-1
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
+
Low
N/A
-
+
777788889999
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
+
eu-west-1
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
+
eu-west-1
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
+
eu-west-1
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
+
eu-west-1
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
+
Low
N/A
-
+
777788889999
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
+
eu-west-1
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Resolution
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
Reference
+
+
+
+
Low
N/A
-
+
777788889999
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
+
eu-west-1
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
sa-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
eu-west-1
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -34312,10 +16364,17 @@
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
@@ -34323,10 +16382,17 @@
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
@@ -34334,10 +16400,17 @@
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
@@ -34345,10 +16418,17 @@
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
@@ -34356,10 +16436,17 @@
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
@@ -34367,10 +16454,17 @@
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
@@ -34378,10 +16472,17 @@
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
@@ -34389,10 +16490,17 @@
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
@@ -34400,3690 +16508,4661 @@
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-13
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
+
+
777788889999
+
Global
+
SM-02
+
+
SageMaker Full Access Policy Used
+
+ Details and remediation
+
+
Details
Role 'aiml-sec-test-resources-SageMakerFullAccessRole-ZREdSNCErx2S' has AmazonSageMakerFullAccess policy attached
+
Resolution
Replace AmazonSageMakerFullAccess with more restrictive custom policies that follow the principle of least privilege
+
Reference
+
+
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
+
Direct Internet Access Enabled
+
+ Details and remediation
+
+
Details
SageMaker notebook instance 'aiml-sec-test-notebook-with-internet' has direct internet access enabled
+
Resolution
Configure the notebook instance to use VPC connectivity and disable direct internet access
+
Reference
+
+
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
+
Non-VPC Only Network Access
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is not configured for VPC-only access
+
Resolution
Configure the SageMaker domain to use VPC-only network access type
+
Reference
+
+
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-01
+
+
Non-VPC Only Network Access
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is not configured for VPC-only access
+
Resolution
Configure the SageMaker domain to use VPC-only network access type
+
Reference
+
+
+
+
High
+
Failed
+
+
+
777788889999
+
us-east-1
+
SM-02
+
+
SSO Not Properly Configured
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-7zl8skw96ppk' (aiml-sec-test-domain-pass-028e1010-3dba8b08) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
777788889999
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
+
us-east-1
+
SM-02
+
+
SSO Not Properly Configured
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-ilmtsfeenavc' (aiml-sec-test-domain-fail-028e1010-52cbf970) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
+
us-east-1
+
SM-02
+
+
SSO Not Properly Configured
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-uqjoi05f0zzp' (aiml-sec-test-domain-pass-fef4e7f0-51d1e898) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
+
us-east-1
+
SM-02
+
+
SSO Not Properly Configured
+
+ Details and remediation
+
+
Details
SageMaker domain 'd-cmz7ohkxxop3' (aiml-sec-test-domain-fail-fef4e7f0-bb429d11) is using authentication mode: IAM
+
Resolution
Enable and properly configure AWS IAM Identity Center (successor to AWS SSO) for centralized access management. Ensure Identity Store ID is configured.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
+
us-east-1
+
SM-03
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Notebook Instance 'aiml-sec-test-notebook-with-internet' - No KMS key configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
+
us-east-1
+
SM-03
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Domain 'aiml-sec-test-domain-fail-028e1010-52cbf970' - No KMS key configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
+
us-east-1
+
SM-03
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Domain 'aiml-sec-test-domain-fail-fef4e7f0-bb429d11' - No KMS key configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
+
us-east-1
+
SM-03
+
+
Missing Encryption Configuration
+
+ Details and remediation
+
+
Details
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - No output encryption configured
+
Resolution
Configure encryption using AWS KMS customer managed keys for enhanced security
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
+
us-east-1
+
SM-03
+
+
Missing VPC Encryption
+
+ Details and remediation
+
+
Details
Training Job 'aiml-sec-test-training-no-encryption-028e1010-e2fb8765' - Inter-container traffic encryption not enabled
+
Resolution
Enable encryption for inter-container traffic and VPC communication
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
+
us-east-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
+
us-east-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
Model group 'aiml-sec-test-model-package-group' has minimal versioning
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
+
Low
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
us-east-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-east-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
us-east-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
+
us-east-1
+
SM-08
+
+
Model Registry Empty Model Group
+
+ Details and remediation
+
+
Details
Model group aiml-sec-test-model-package-group has no registered models
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
+
Low
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
+
us-east-1
+
SM-09
+
+
SageMaker Notebook Root Access Enabled
+
+ Details and remediation
+
+
Details
Notebook instance 'aiml-sec-test-notebook-with-internet' has root access enabled. Root access allows users to install arbitrary software, modify system configurations, and potentially escalate privileges.
+
Resolution
Disable root access by updating the notebook instance with RootAccess=Disabled. Note: Lifecycle configurations will still run with root access.
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
+
us-east-1
+
SM-10
+
+
SageMaker Notebook Not in VPC
+
+ Details and remediation
+
+
Details
Notebook instance 'aiml-sec-test-notebook-with-internet' is not deployed in a custom VPC. This uses SageMaker's service VPC with reduced network isolation.
+
Resolution
Create the notebook instance within a custom VPC by specifying SubnetId and SecurityGroupIds. This provides network isolation and allows use of VPC endpoints.
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
+
us-east-1
+
SM-11
+
+
SageMaker Model Network Isolation Disabled
+
+ Details and remediation
+
+
Details
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' does not have network isolation enabled. Model containers can make outbound network calls, potentially exfiltrating data.
+
Resolution
Enable network isolation by setting EnableNetworkIsolation=True when creating models. This prevents containers from making outbound network calls.
+
Reference
+
+
+
+
High
+
Failed
-
+
777788889999
-
us-west-2
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
us-east-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
us-east-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
SM-14
+
+
SageMaker Model Platform Repository Access
+
+ Details and remediation
+
+
Details
Model 'SageMakerModelWithIsolation-JASFpUHjajdk' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Resolution
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
SM-14
+
+
SageMaker Model Platform Repository Access
+
+ Details and remediation
+
+
Details
Model 'SageMakerModelNoIsolation-yQ7EpJeL7pgI' uses Platform repository access mode. Container images are pulled from public/external registries, exposing supply chain risks.
+
Resolution
Configure RepositoryAccessMode=Vpc in ImageConfig to pull images from private ECR repositories through VPC. This provides supply chain security.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
+
us-east-1
+
SM-15
+
+
SageMaker Feature Store Offline Encryption Missing
+
+ Details and remediation
+
+
Details
Feature group 'aiml-sec-test-feature-group' offline store does not have KMS encryption configured. Feature data in S3 may not be encrypted with customer-managed keys.
+
Resolution
Configure KmsKeyId in OfflineStoreConfig.S3StorageConfig when creating feature groups to encrypt offline store data with customer-managed KMS keys.
+
Reference
+
+
+
+
Medium
+
Failed
-
+
777788889999
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
us-east-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
+
us-east-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
All 1 processing jobs have volume encryption configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
+
us-east-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
All 1 transform jobs have volume encryption configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
us-east-1
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
us-east-1
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
Checked 1 model package groups. Approval workflows appear to be properly configured.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
+
us-east-1
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
777788889999
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
us-east-1
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
us-west-2
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
+
us-west-2
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
us-west-2
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
+
us-west-2
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
us-west-2
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
us-west-2
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
us-west-2
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
us-west-2
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
us-west-2
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
us-west-2
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
us-west-2
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
us-west-2
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
us-west-2
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: The following roles have wildcard AgentCore permissions on all resources: aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Failed
-
-
+
777788889999
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'aiml-sec-test-resources-AgentCoreOverlyPermissiveRo-IQso7VQN0jOV', role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
us-west-2
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
us-west-2
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
+
us-west-2
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
+
us-west-2
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
777788889999
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
us-west-2
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
eu-west-1
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
+
eu-west-1
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
777788889999
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
eu-west-1
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Medium
-
Failed
-
-
+
777788889999
-
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
eu-west-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
Medium
Passed
-
+
777788889999
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
+
eu-west-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Medium
-
Failed
-
-
+
777788889999
-
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
eu-west-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Low
-
Passed
+
eu-west-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
-
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
eu-west-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
eu-west-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
eu-west-1
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Low
-
Passed
+
eu-west-1
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
-
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Medium
-
Failed
+
eu-west-1
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
-
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
eu-west-1
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
eu-west-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
eu-west-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
eu-west-1
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
eu-west-1
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
eu-west-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
eu-west-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
eu-west-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
eu-west-1
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
eu-west-1
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
eu-west-1
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
eu-west-1
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
+
+
+
777788889999
+
eu-west-1
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
+
+
AWS Shield Advanced Not Enabled
+
+ Details and remediation
+
+
Details
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
+
Resolution
1. Subscribe to AWS Shield Advanced for DDoS protection.
2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
+4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
+
Reference
+
+
+
Low
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
+
+
No Regional WAF Web ACLs Found
+
+ Details and remediation
+
+
Details
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
+
Resolution
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
+3. Add AWS Managed Rules for known bad inputs.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-02
-
API Gateway Usage Plans Missing Throttle
-
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
-
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-02
-
API Gateway Usage Plans Missing Throttle
-
Usage plans without throttling: myAskMeAnything-UsagePlan. Unbounded API calls can exhaust Bedrock token quotas and inflate costs.
-
Set rateLimit and burstLimit on all usage plans associated with GenAI API stages. Consider per-consumer API keys with individual quotas.
-
-
Medium
-
Failed
+
+
No API Gateway Usage Plans Found
+
+ Details and remediation
+
+
Details
No usage plans configured. GenAI API endpoints may have no rate limits.
+
Resolution
Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
+
+
Bedrock Token Quotas Customized
+
+ Details and remediation
+
+
Details
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
+
Resolution
No action required. Periodically re-review quotas against expected peak load.
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
-
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
+
+
No Cost Anomaly Detection Monitors
+
+ Details and remediation
+
+
Details
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
+
Resolution
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
+3. Set daily spend budgets with AWS Budgets as a secondary control.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
+
+
No Bedrock CloudWatch Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms for:
- AWS/Bedrock InvocationThrottles (threshold > 0)
- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
+- Custom application-level token counters via EMF
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
+
+
No AI/ML Service Budgets Configured
+
+ Details and remediation
+
+
Details
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
+
Resolution
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
+3. Consider budget actions to apply IAM deny policies when thresholds are breached.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-07
-
Agent Action Boundary Check
-
No Bedrock agents found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-08
-
AgentCore Runtimes Missing Policy Engine
-
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
-
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
-
+
+
Agent Action Boundaries Look Appropriate
+
+ Details and remediation
+
+
Details
Reviewed 1 agent(s); no wildcard sensitive actions found.
+
Resolution
No action required.
+
Reference
+
+
+
High
-
Failed
+
Passed
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-08
-
AgentCore Runtimes Missing Policy Engine
-
Runtimes without authorizer configuration: origami_expeditions, neoCyan_Agent, customer_support_agent, cdk_agent_core, awsapimcpserver. Without a policy engine, agents can invoke any registered tool without authorization checks.
-
Configure an authorizer (Lambda or Cedar policy store) on each AgentCore runtime to enforce fine-grained tool-call authorization.
-
-
High
-
Failed
+
+
No AgentCore Runtimes Found
+
+ Details and remediation
+
+
Details
No AgentCore runtimes found; policy engine check not applicable.
+
Resolution
If using AgentCore, configure the Policy Engine to authorize tool calls.
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
1. Set reserved concurrency on agent Lambda functions.
2. Implement maximum iteration counts in agent orchestration logic.
3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
+4. Add circuit-breaker patterns to agent tool invocations.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
+
+
Human-in-the-Loop Check — No Agent Workflows Found
+
+ Details and remediation
+
+
Details
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
+
Resolution
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
+
+
No Agent Rate Alarms Found
+
+ Details and remediation
+
+
Details
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
+
Resolution
Create CloudWatch alarms on:
- Bedrock agent invocation counts (threshold based on expected max)
- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
+- Step Functions execution failures and timeouts
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
+
+
No Bedrock-Scoped SCPs Found
+
+ Details and remediation
+
+
Details
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
+
Resolution
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
+3. Maintain a model inventory and update the SCP when models are approved/retired.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-13
-
Model Provenance Tags Present
-
All reviewed models have required provenance tags.
Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.
+
Reference
+
+
+
Medium
-
Passed
+
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-14
-
Model Governance Config Rules Present
-
Found 11 model-related Config rule(s).
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-14
-
Model Governance Config Rules Present
-
Found 11 model-related Config rule(s).
-
No action required.
-
+
+
Model Governance Config Rules Present
+
+ Details and remediation
+
+
Details
Found 13 model-related Config rule(s).
+
Resolution
No action required.
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
+
+
No Bedrock Evaluation Jobs Found
+
+ Details and remediation
+
+
Details
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
+
Resolution
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
+3. Schedule periodic re-evaluation after model updates.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-16
-
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-16
-
ECR Repositories Without Image Scanning
-
4 ECR repo(s) without scan-on-push: mlexplorationrepo, cdk-hnb659fds-container-assets-111122223333-us-east-1, bedrock-agentcore-customer_support_agent, bedrock-agentcore-origami_expeditions.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
+
+
ECR Repositories Without Image Scanning
+
+ Details and remediation
+
+
Details
2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.
+
Resolution
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-20
-
No SageMaker Feature Groups Found
-
No SageMaker Feature Store groups found.
-
No action required.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-21
-
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
-
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
-
-
High
+
+
Feature Groups Without Offline Store
+
+ Details and remediation
+
+
Details
1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.
+
Resolution
1. Enable offline store (S3-backed) for all production feature groups.
+2. Enable S3 versioning on the offline store bucket.
+3. Document rollback procedures for poisoned feature data.
+
Reference
+
+
+
+
Medium
Failed
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-21
-
Training Data Buckets Without Versioning
-
13 training data bucket(s) without versioning: ancbedrocklogging, bedrock-agentcore-codebuild-sources-111122223333-us-east-1, bedrock-bda-us-east-1-dda43109-6557-48bb-993d-3f97126b64b4, bedrock-bda-us-east-1-logging-00719114-debd-4487-85d1-09cbc3fc8, bedrock-kb-bucket-f736570b, bedrock-video-generation-us-east-1-h5ltpm, fsi-genai-workshop-bedrock-datasources-111122223333-us-west-2, knowledgebase-bedrock-agent-agasthik, llmevaluationpromptfoo-bedrockkb-cozhbzbrcmd2, sagemaker-studio-111122223333-huo1mvme4t.
-
Enable S3 versioning on all training data buckets. Consider enabling MFA Delete for additional protection against poisoning.
-
+
+
Training Data Buckets Have Versioning
+
+ Details and remediation
+
+
Details
All 2 training bucket(s) have versioning enabled.
+
Resolution
No action required.
+
Reference
+
+
+
High
-
Failed
+
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
827 role(s) with wildcard KB permissions:
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Admin' allows '*'
-- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
827 role(s) with wildcard KB permissions:
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateKnowledgeBase' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role '111122223333-us-east-1-kb-setup-function-role' allows 'bedrock:CreateDataSource' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
+
Overly Permissive Knowledge Base IAM Roles
+
+ Details and remediation
+
+
Details
823 role(s) with wildcard KB permissions:
- Role 'Admin' allows '*'
-- Role 'agentcore-wildrydes_gateway_role_ab3991f6-role' allows 'bedrock:*'
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'AgentCoreEvalsSDK-us-east-1-d04ba7b68b' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'Agentic-AI-MCP-Strands-SDK-Works-VSCodeInstanceRole-NCTUnlnRBFO6' allows '*'
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-19304724716-BedrockSecurityAssessment-vv6H0eGD9ESX' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*'
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
+
Resolution
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 3 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
-
Passed
+
+
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
+
+ Details and remediation
+
+
Details
Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
+
Resolution
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
+2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
+3. Validate filters in integration tests to prevent cross-tenant data leakage.
+
Reference
+
+
+
+
Informational
+
N/A
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 5 encryption policy(ies); 5 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
+
+
OpenSearch Serverless Encryption Policies Present
+
+ Details and remediation
+
+
Details
Found 1 encryption policy(ies); 1 use a customer-managed KMS key.
+
Resolution
Verify all vector store collections use customer-managed KMS keys.
+
Reference
+
+
+
High
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 5 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
+
+
OpenSearch Serverless Collections Not VPC-Restricted
+
+ Details and remediation
+
+
Details
Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
+
Resolution
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-27
-
Contextual Grounding Enabled on Guardrails
-
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
-
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-27
-
Contextual Grounding Enabled on Guardrails
-
Guardrails with contextual grounding: nist-ai-rmf-guardrail.
-
No action required for contextual grounding. Also consider enabling Automated Reasoning checks for formal policy verification.
-
-
High
-
Passed
+
+
COULD NOT ASSESS: Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
-2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
-3. Set confidenceThreshold on the policy to control strictness.
-4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
+
+
No Automated Reasoning Policies Found
+
+ Details and remediation
+
+
Details
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
+
Resolution
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
3. Set confidenceThreshold on the policy to control strictness.
4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
-
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-28
-
Denied Topics Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides broader language support and improved detection for denied topics.
-
Verify topics cover regulated financial advice categories. For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (set topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile on the guardrail). When authoring denied-topic policies, use existing compliance materials as the source: employee policies, training materials, procedure documents, and incident reports (PDF §1.2.1 Practical guidance).
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
-
-
Informational
+
+
COULD NOT ASSESS: Financial Denied Topics Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
+
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
+
Resolution
1. Implement post-processing to append required disclaimers to GenAI outputs.
2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
-
+4. Test disclaimer presence in QA/UAT before production deployment.
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with compliance-specific datasets:
- Fair lending test cases (ECOA, Fair Housing Act)
- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
+- AML/KYC edge cases
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
-- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
2 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-semiconductors' source 'knowledge-base-quick-start-qpvuv-data-source' last synced 722 days ago
-- KB '111122223333-us-east-1-kb' source '111122223333-us-east-1-kb-datasource' last synced 199 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
+
+
Knowledge Base Data Sources Past Review Threshold
+
+ Details and remediation
+
+
Details
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
+- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago
+Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
+
Resolution
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
+
Resolution
1. Use Bedrock RetrieveAndGenerate with citations enabled.
2. Include source document references in response post-processing.
3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
-
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-33
-
KB Data Source Buckets Without Versioning
-
KB data source S3 buckets without versioning: 111122223333-us-east-1-kb-data-bucket.
-
Enable S3 versioning on all KB data source buckets. Enable S3 Object Integrity (checksum) for tamper detection.
-
+
+
KB Data Source Buckets Have Versioning
+
+ Details and remediation
+
+
Details
All reviewed KB data source buckets have versioning enabled.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
+
+
Legacy Foundation Models Available in Region
+
+ Details and remediation
+
+
Details
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
+
Resolution
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
2. Migrate active usage to current model versions.
3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
+4. Add data-currency disclaimers to outputs from models with old cutoffs.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
+
+
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
+
+ Details and remediation
+
+
Details
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
- Toxicity detection
- Hate speech classification
-- Violence/self-harm content
-
+- Violence/self-harm content
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-36
-
Guardrail Content Filters on CLASSIC Tier
-
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
-
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-36
-
Guardrail Content Filters on CLASSIC Tier
-
Guardrails with content filters: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only. The STANDARD tier (GA June 2025) provides improved contextual understanding, typographical error detection, 60+ language support, and better prompt-attack classification (distinguishes jailbreaks from prompt injection).
-
Consider upgrading to STANDARD tier content filters for FinServ workloads that handle multiple languages or require higher detection accuracy. STANDARD tier requires cross-region inference (crossRegionDetails.guardrailProfileArn on the guardrail). To upgrade: update the guardrail's contentPolicy.filtersConfig.contentFiltersTierConfig with tierName=STANDARD and configure a guardrail cross-region profile.
-
-
High
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
-
Informational
+
+
COULD NOT ASSESS: Guardrail Content Filters Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
N/A
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
+
+
ADVISORY: User Feedback Mechanism — Manual Review Required
+
+ Details and remediation
+
+
Details
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
2. Route flagged outputs to human reviewers via SQS/SNS.
3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
+4. Define SLAs for reviewing flagged content.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-38
-
No Guardrails With Word Filters
-
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
-
Add word filters to guardrails:
-- Enable AWS managed profanity list
-- Add custom denylist for prohibited financial terms
-- Add allowlist for required regulatory language
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-38
-
No Guardrails With Word Filters
-
Found 1 guardrail(s) but none have word/phrase filters. Profanity and prohibited financial terms may appear in outputs.
-
Add word filters to guardrails:
-- Enable AWS managed profanity list
-- Add custom denylist for prohibited financial terms
-- Add allowlist for required regulatory language
-
-
Medium
-
Failed
+
+
COULD NOT ASSESS: Guardrail Word Filters Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
+
+
No SageMaker Clarify Bias Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
+
Resolution
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
2. Define protected attributes (age, gender, race proxies).
3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
-
+4. Document bias testing results for regulatory examination.
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
+
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
+
Resolution
Run Bedrock Model Evaluation with bias test datasets:
- Demographic parity test cases
- Equal opportunity scenarios
-- Counterfactual fairness tests
-
+- Counterfactual fairness tests
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
+
+
No SageMaker Clarify Explainability Monitoring
+
+ Details and remediation
+
+
Details
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
+
Resolution
1. Configure SageMaker Clarify explainability for credit/lending models.
2. Generate SHAP values for feature importance.
3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
+4. Store explanations for regulatory examination.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
+
+
No SageMaker Model Cards Found
+
+ Details and remediation
+
+
Details
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
+
Resolution
1. Create SageMaker Model Cards for all production models.
2. Document: intended use, out-of-scope uses, training data, bias evaluations.
3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
+4. Review and update cards at each model version release.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
+
+
No CloudWatch Logs Data Protection Policies
+
+ Details and remediation
+
+
Details
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
+
Resolution
1. Create CloudWatch Logs data protection policies to mask PII.
2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
+4. Test masking with synthetic PII before production deployment.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-44
-
Amazon Macie Enabled
-
Amazon Macie is enabled and scanning S3 buckets.
-
Verify Macie jobs cover training data and KB data source buckets.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-44
-
Amazon Macie Enabled
-
Amazon Macie is enabled and scanning S3 buckets.
-
Verify Macie jobs cover training data and KB data source buckets.
-
+
+
Amazon Macie Not Enabled
+
+ Details and remediation
+
+
Details
Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.
+
Resolution
1. Enable Amazon Macie in all regions where AI/ML data is stored.
+2. Create Macie classification jobs for training data and KB buckets.
+3. Configure Macie findings to route to Security Hub and SNS.
+4. Remediate PII findings before using data for model training.
+
Reference
+
+
+
High
-
Passed
+
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-45
-
Guardrail PII Filters Configured
-
Guardrails with PII filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-45
-
Guardrail PII Filters Configured
-
Guardrails with PII filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
High
-
Passed
+
+
COULD NOT ASSESS: Guardrail PII Filters Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
-
+
+
AI/ML Buckets Without Data Classification Tags
+
+ Details and remediation
+
+
Details
3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.
+
Resolution
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-47
-
Guardrail Grounding Thresholds Appropriate
-
All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.
-
No action required.
-
-
High
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-47
-
Guardrail Grounding Thresholds Appropriate
-
All 1 guardrail(s) with a GROUNDING filter have thresholds ≥0.7.
-
No action required.
-
-
High
-
Passed
+
+
COULD NOT ASSESS: Guardrail Grounding Threshold Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 3 active Knowledge Base(s) for RAG grounding.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 3 active Knowledge Base(s) for RAG grounding.
-
No action required.
-
+
+
Active Knowledge Bases for RAG Present
+
+ Details and remediation
+
+
Details
Found 1 active Knowledge Base(s) for RAG grounding.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
+3. Test disclaimer presence in QA before production.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-50
-
Relevance Grounding Filters Present
-
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-50
-
Relevance Grounding Filters Present
-
Guardrails with RELEVANCE grounding filters: nist-ai-rmf-guardrail.
-
No action required.
-
-
Medium
-
Passed
+
+
COULD NOT ASSESS: Guardrail Relevance Grounding Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-51
-
No Guardrails With Prompt Attack Filters
-
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
-
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
-2. Set input filter strength to HIGH.
-3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
-4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
-5. Implement application-level input sanitization as defense-in-depth.
-
-
High
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-51
-
No Guardrails With Prompt Attack Filters
-
Found 1 guardrail(s) but none have PROMPT_ATTACK filters. Prompt injection attacks may bypass system prompts and access controls.
-
1. Enable PROMPT_ATTACK content filter in Bedrock Guardrails.
-2. Set input filter strength to HIGH.
-3. Use input tags () to differentiate user inputs from developer-provided prompts — required for PROMPT_ATTACK filters to work correctly with InvokeModel/InvokeModelWithResponseStream.
-4. Consider STANDARD tier (GA June 2025) for better jailbreak vs. injection classification and broader language support.
-5. Implement application-level input sanitization as defense-in-depth.
-
-
High
-
Failed
+
+
COULD NOT ASSESS: Prompt Injection Input Validation Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
+
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-52
-
Bedrock Lambda Functions on Deprecated Runtimes
-
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
-
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
-2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
-3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
-4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-52
-
Bedrock Lambda Functions on Deprecated Runtimes
-
Functions on deprecated runtimes: e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk, e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII. Deprecated runtimes may use outdated boto3/SDK versions lacking security patches.
-
1. Upgrade Lambda functions to a supported runtime — Python 3.12+, Node.js 22.x or 24.x, Java 21+, or .NET 8+.
-2. Update boto3 to the latest version in Lambda layers (pin the version in requirements.txt and redeploy).
-3. Enable Lambda runtime management controls for automatic minor-version updates (runtimeManagementConfig.updateRuntimeOn = 'Auto').
-4. Refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html for the authoritative list of supported and deprecated runtimes.
-
+
+
Bedrock Lambda Functions on Current Runtimes
+
+ Details and remediation
+
+
Details
All 10 Bedrock Lambda function(s) use current runtimes.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
-
+
+
No WAF Web ACLs — Injection Rules Not Applicable
+
+ Details and remediation
+
+
Details
No regional WAF Web ACLs found.
+
Resolution
Create WAF Web ACLs with injection protection rules (see FS-01).
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
+
Resolution
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
+5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
+
+
No Output Validation Functions Found
+
+ Details and remediation
+
+
Details
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
+
Resolution
1. Implement output validation Lambda functions in GenAI pipelines.
2. Validate output schema, length, and content before downstream use.
3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
-
+4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
+
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
+
Resolution
1. HTML-encode GenAI outputs before rendering in web UIs.
2. Use parameterized queries when GenAI output is used in database operations.
3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
-
+4. Validate output length and format before passing to downstream APIs.
+
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
+
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
+
Resolution
1. Use Bedrock structured output (response schemas) where supported.
2. Implement JSON schema validation on Lambda output processors.
3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
-
+4. Log schema validation failures to CloudWatch for monitoring.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-59
-
Topic Restrictions Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
-
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-59
-
Topic Restrictions Configured on CLASSIC Tier
-
Guardrails with topic policies: nist-ai-rmf-guardrail. The following use the CLASSIC tier: nist-ai-rmf-guardrail. CLASSIC tier supports English, French, and Spanish only; the STANDARD tier (GA June 2025) adds broader language support for off-topic detection.
-
For multilingual FinServ deployments, consider upgrading denied topics to the STANDARD tier (topicsTierConfig.tierName=STANDARD via UpdateGuardrail; requires a cross-region inference profile).
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
-
Informational
+
+
COULD NOT ASSESS: Guardrail Topic Allowlist Check
+
+ Details and remediation
+
+
Details
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
+
Resolution
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
+2. Confirm the service/feature is supported in the assessed region.
+3. Ensure botocore meets the version floor in requirements.txt.
+4. Re-run the assessment; assess this control manually until it succeeds.
+
Reference
+
+
+
+
Low
N/A
-
-
111122223333
-
us-west-2
+
+
777788889999
+
us-east-1
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
+
+
ADVISORY: Contextual Grounding for Off-Topic Prevention
+
+ Details and remediation
+
+
Details
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
+
Resolution
1. Include explicit scope instructions in system prompts.
2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
+3. Test with off-topic prompts in QA to verify rejection behavior.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
-2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
-3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 3 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
+
+
No Automated KB Sync Schedules Detected
+
+ Details and remediation
+
+
Details
Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
+
Resolution
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
+4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
-
Informational
-
N/A
-
-
-
111122223333
-
us-west-2
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
+
+
ADVISORY: Data Currency Disclaimer — Manual Review Required
+
+ Details and remediation
+
+
Details
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
+
Resolution
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
+3. Alert users when KB data is older than defined threshold.
+
Reference
+
+
+
Informational
N/A
-
-
111122223333
+
+
777788889999
us-east-1
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 10 lifecycle-related Config rule(s) found.
-
No action required.
-
-
Medium
-
Passed
-
-
-
111122223333
-
us-west-2
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 10 lifecycle-related Config rule(s) found.
-
No action required.
-
+
+
Foundation Model Lifecycle Management
+
+ Details and remediation
+
+
Details
No legacy models detected. 11 lifecycle-related Config rule(s) found.
+
Resolution
No action required.
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
+
+
777788889999
us-east-1
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- semiconductor-demo-9999
-- 111122223333-us-east-1-kb-data-bucket
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
-
Medium
-
Failed
-
-
-
111122223333
-
us-west-2
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- semiconductor-demo-9999
-- 111122223333-us-east-1-kb-data-bucket
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
+
+
KB Data Source Buckets Missing S3 Event Notifications
+
+ Details and remediation
+
+
Details
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
+- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk
+
Resolution
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
+3. Integrate alerts into your security incident response workflow.
+
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
-- origami_expeditions
-- neoCyan_Agent
-- customer_support_agent
-- cdk_agent_core
-- awsapimcpserver
-
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
-2. Propagate the end-user's identity token to downstream tool services.
-3. Ensure tool services validate the propagated identity before executing actions.
-4. Do not expose propagated identity tokens to unauthorized third parties.
-
+
+
No AgentCore Runtimes Found
+
+ Details and remediation
+
+
Details
No AgentCore runtimes found; identity propagation check not applicable.
+
Resolution
If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-67
+
+
Agent Action-Group Lambdas May Lack Transaction Thresholds
+
+ Details and remediation
+
+
Details
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
+- aiml-security-aiml-security-mgmt-FinServAssessment
+- aiml-security-aiml-security-mgmt-AgentCoreAssessment
+- aiml-security-aiml-security-mgmt-BedrockAssessment
+
Resolution
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
+2. Implement threshold enforcement logic in the Lambda handler.
+3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
+4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
+
Reference
+
+
+
High
Failed
-
-
111122223333
+
+
777788889999
+
us-east-1
+
FS-68
+
+
API Gateway Request Body Size Limits — Not Applicable
+
+ Details and remediation
+
+
Details
No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.
+
Resolution
If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-east-1
+
FS-69
+
+
Prompt Input Validation Functions Present
+
+ Details and remediation
+
+
Details
Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.
+
Resolution
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
The following runtimes have no JWT or IAM authorizer configured for end-user identity propagation. Tool calls are authorized only by the agent execution role, not the originating user:
-- origami_expeditions
-- neoCyan_Agent
-- customer_support_agent
-- cdk_agent_core
-- awsapimcpserver
-
1. Configure a custom JWT authorizer or IAM authorizer on each AgentCore runtime.
-2. Propagate the end-user's identity token to downstream tool services.
-3. Ensure tool services validate the propagated identity before executing actions.
-4. Do not expose propagated identity tokens to unauthorized third parties.
-
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
eu-west-1
+
FS-00
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
Global
+
BR-01
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has AmazonBedrockFullAccess policy attached
+
Resolution
Limit the AmazonBedrockFullAccess policy only to required access
+
Reference
+
+
+
High
Failed
-
-
111122223333
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111122223333-FinServAssessment
-- aiml-security-aiml-security-111122223333-BedrockAssessment
-- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111122223333-AgentCoreAssessment
-- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
-- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
-- resco-aiml-AgentCoreAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
+
+
777788889999
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' has overly permissive marketplace subscription access through policy 'AmazonBedrockFullAccess'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
-
-
111122223333
-
us-west-2
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-111122223333-FinServAssessment
-- aiml-security-aiml-security-111122223333-BedrockAssessment
-- resco-aiml-BedrockAssessment
-- aiml-security-aiml-security-111122223333-AgentCoreAssessment
-- e2ebedrockrag-OSSInfraStack-BKBOSSInfraSetupLambda-031La8JAQXtk
-- e2ebedrockrag-OSSInfraSta-OSSIndexCreationProvider-g56en9UzRjII
-- resco-aiml-AgentCoreAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
+
+
777788889999
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'aiml-sec-test-resources-MarketplaceOverlyPermissive-igL3hGIapee1' has overly permissive marketplace subscription access through policy 'OverlyPermissiveMarketplace'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
High
Failed
-
-
111122223333
-
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits Not Enforced
-
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
-
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
-2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
-3. Set the max_tokens parameter in Bedrock API calls to cap output length.
-4. Implement client-side token counting before submitting requests.
-
-
Medium
+
+
777788889999
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'ProwlerApp-EC2-Role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
+
High
Failed
-
-
111122223333
-
us-west-2
-
FS-68
-
API Gateway Request Body Size Limits Not Enforced
-
Found 3 REST API(s) and 0 regional WAF Web ACL(s), but none enforce a maximum request-body size. Note: an API Gateway request validator does NOT cap body size (it validates the schema and required params; the REST limit is a fixed 10 MB), and a WAF body SizeConstraint only inspects the first ~16 KB of the body by default. Oversized prompts can exhaust Bedrock token quotas and inflate costs.
-
1. Add a maxLength (or maxItems/maxProperties) bound to the request-body JSON-Schema model used by your request validator, so oversized prompts are rejected with a 400.
-2. Add a WAF SizeConstraintStatement on the request Body sized within WAF's body-inspection window (default 16 KB; raise via the web ACL AssociationConfig, or set OversizeHandling=MATCH to block bodies beyond the window), and associate the ACL with the API stage.
-3. Set the max_tokens parameter in Bedrock API calls to cap output length.
-4. Implement client-side token counting before submitting requests.
-
+
+
777788889999
+
us-east-1
+
BR-02
+
+
Amazon Bedrock private connectivity
+
+ Details and remediation
+
+
Details
Bedrock VPC endpoints found: VPC vpc-089a9d593e34658c6 has endpoint com.amazonaws.us-east-1.bedrock-runtime
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Resolution
Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring.
+
Reference
+
+
+
Medium
Failed
-
-
111122223333
+
+
777788889999
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
Amazon Bedrock Guardrails are properly configured with 1 guardrails
+
Resolution
No action required. Continue monitoring and updating guardrails as needed.
+
Reference
+
+
+
+
High
+
Passed
+
+
+
777788889999
+
us-east-1
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
No action required. Continue monitoring CloudTrail logs for Bedrock activity.
+
Reference
+
+
+
Medium
Passed
-
-
111122223333
-
us-west-2
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 3 Lambda function(s) with input validation/sanitization naming patterns: resco-aiml-CleanupBucket, visa-bulletin-tracker-prod-cleanup, aiml-security-aiml-security-111122223333-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
+
+
777788889999
+
us-east-1
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management is being used with 1 prompts
+
Resolution
No action required. Continue using Prompt Management for consistent and optimized prompts.
+
Reference
+
+
+
+
Low
Passed
-
-
111122223333
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
111122223333
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
111122223333
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
444455556666
+
+
777788889999
us-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
Error during check: An error occurred (AccessDeniedException) when calling the GetAgent operation: You do not have sufficient permissions to the key. Check credentials for appropriate permissions to the key (kms:Decrypt, kms:GenerateDataKey) and try again.
+
Resolution
Investigate error and retry assessment
+
Reference
+
+
+
+
High
+
Failed
-
-
444455556666
-
us-west-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
777788889999
+
us-east-1
+
BR-09
+
+
Bedrock Knowledge Base Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge Base 'knowledge-base-prowler-findings' (9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. Encryption is managed at the storage layer and cannot be validated from the KB API. Verify encryption configuration on the underlying storage resource.
+
Resolution
1. For OpenSearch Serverless: Verify encryption with CMK at collection level
+2. For S3 data sources: Verify CMK-encrypted S3 buckets
+3. For RDS: Verify KMS encryption on the database
+4. Consider using CMK for transient data during ingestion
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
+
+
777788889999
+
us-east-1
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Missing
+
+ Details and remediation
+
+
Details
The following roles can invoke Bedrock models without enforced guardrails: aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G, aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a, aiml-sec-test-resources-BedrockKnowledgeBaseRole-6NNC1i9FuTbM, AmazonBedrockExecutionRoleForKnowledgeBase_7erx6, ProwlerApp-EC2-Role
+
Resolution
Add IAM policy conditions to enforce guardrail usage:
+1. Use 'bedrock:GuardrailIdentifier' condition key
+2. Specify required guardrail ARN or ID
+3. Example: "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier": "arn:aws:bedrock:region:account:guardrail/guardrail-id"}}
+
Reference
+
+
+
+
High
+
Failed
-
-
444455556666
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
777788889999
+
us-east-1
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
-
444455556666
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
777788889999
+
us-east-1
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
us-east-1
-
FS-01
-
AWS Shield Advanced Not Enabled
-
AWS Shield Advanced is not subscribed. GenAI API endpoints are vulnerable to volumetric DDoS attacks that can exhaust token quotas and inflate costs.
-
1. Subscribe to AWS Shield Advanced for DDoS protection.
-2. After subscribing, explicitly add resource protections in the Shield Advanced console for each Bedrock-facing resource (API Gateway stages, ALBs, CloudFront distributions, Route 53 hosted zones). Shield Advanced subscription alone does NOT automatically protect resources — each resource must be individually added to receive protection.
-3. Enable Shield Response Team (SRT) access and configure proactive engagement.
-4. Alternatively, use AWS Firewall Manager with a Shield Advanced policy to automate resource protection based on tags or resource types.
-
-
Low
-
Failed
+
BR-13
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
-
us-east-1
-
FS-01
-
No Regional WAF Web ACLs Found
-
No AWS WAF regional Web ACLs found. Without WAF, GenAI endpoints lack rate-based rules to block abusive callers.
-
1. Create a WAF Web ACL with rate-based rules (e.g., 1000 req/5 min per IP).
-2. Associate the ACL with API Gateway stages or ALBs fronting Bedrock.
-3. Add AWS Managed Rules for known bad inputs.
-
+
Global
+
BR-15
+
+
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation
+
+
Details
Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Run assessment in management account to check cross-account guardrails enforcement
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
777788889999
us-east-1
-
FS-02
-
No API Gateway Usage Plans Found
-
No usage plans configured. GenAI API endpoints may have no rate limits.
-
Create API Gateway usage plans with throttle settings (rateLimit and burstLimit) for all Bedrock-facing APIs.
-
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
us-east-1
-
FS-03
-
Bedrock Token Quotas Customized
-
Found 236 Bedrock token-based quota(s); at least one applied value exceeds the AWS default, indicating quotas have been reviewed and raised.
-
No action required. Periodically re-review quotas against expected peak load.
-
-
Medium
-
Passed
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
+
N/A
-
+
777788889999
us-east-1
-
FS-04
-
No Cost Anomaly Detection Monitors
-
No AWS Cost Anomaly Detection monitors found. Unexpected spikes in Bedrock/SageMaker usage (e.g., from prompt injection loops) will go undetected.
-
1. Create a Cost Anomaly Detection monitor scoped to AWS/Bedrock and AWS/SageMaker.
-2. Configure alert subscriptions (SNS/email) for anomalies above threshold.
-3. Set daily spend budgets with AWS Budgets as a secondary control.
-
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Create model evaluation jobs using Amazon Bedrock Evaluations to assess foundation model performance against safety and quality metrics. Use built-in datasets or custom test sets. Enable LLM-as-a-judge evaluation for comprehensive assessment.
+
Reference
+
+
+
Medium
Failed
-
+
777788889999
us-east-1
-
FS-05
-
No Bedrock CloudWatch Alarms Found
-
No CloudWatch alarms found for Bedrock metrics. Token exhaustion and throttling events will not trigger operational alerts.
-
Create CloudWatch alarms for:
-- AWS/Bedrock InvocationThrottles (threshold > 0)
-- AWS/Bedrock TokensProcessed (threshold based on quota)
-- Custom application-level token counters via EMF
-
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
777788889999
us-east-1
-
FS-06
-
No AI/ML Service Budgets Configured
-
No AWS Budgets found scoped to Bedrock or SageMaker. Unbounded GenAI spend can go undetected until the monthly bill.
-
1. Create cost budgets for AWS Bedrock and SageMaker with 80%/100% alert thresholds.
-2. Add SNS notifications to on-call channels.
-3. Consider budget actions to apply IAM deny policies when thresholds are breached.
-
-
Medium
-
Failed
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Review
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) uses 'OPENSEARCH_SERVERLESS' storage. The vector-store encryption key is managed at the storage layer and cannot be validated from the Knowledge Base API. Verify customer-managed KMS encryption on the underlying store.
+
Resolution
1. For OpenSearch Serverless: verify the collection uses a customer-managed KMS key
+2. For Amazon RDS/Aurora: verify KMS encryption on the database
+3. For third-party stores (Pinecone, Redis, MongoDB): verify the provider's encryption configuration
+4. Verify the customer-managed KMS key used for transient data during ingestion
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
us-east-1
-
FS-07
-
Agent Action Boundaries Look Appropriate
-
Reviewed 1 agent(s); no wildcard sensitive actions found.
1. Set reserved concurrency on agent Lambda functions.
-2. Implement maximum iteration counts in agent orchestration logic.
-3. Use Step Functions with MaxConcurrency and timeout states.
-4. Add circuit-breaker patterns to agent tool invocations.
-
-
Medium
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
Knowledge base 'knowledge-base-prowler-findings' (ID: 9K2QZLVCZW) does not have recent RAG evaluation jobs. RAG evaluations assess context relevance, response correctness, faithfulness, and harmfulness to prevent hallucinations.
+
Resolution
Create RAG evaluation jobs for knowledge bases using Amazon Bedrock Model Evaluation. Configure evaluations to test context relevance, answer correctness, and faithfulness metrics. Run evaluations regularly (monthly or after significant KB updates) to maintain quality.
+
Reference
+
+
+
+
Low
Failed
-
+
777788889999
us-east-1
-
FS-10
-
Human-in-the-Loop Check — No Agent Workflows Found
-
No Step Functions state machines with agent/approval naming found. Verify that high-risk agent actions (e.g., fund transfers, account changes) have human approval gates.
-
Implement Step Functions .waitForTaskToken patterns for high-risk agent actions. Route approval requests to human reviewers via SNS/SES/Slack.
-
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
us-east-1
-
FS-11
-
No Agent Rate Alarms Found
-
No CloudWatch alarms found for agent invocation rates. Looping or runaway agents will not trigger operational alerts.
-
Create CloudWatch alarms on:
-- Bedrock agent invocation counts (threshold based on expected max)
-- Lambda invocation errors for agent functions
-- Step Functions execution failures and timeouts
-
-
Medium
-
Failed
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Retry the assessment. If the error persists, grant bedrock:GetGuardrail and verify the guardrail still exists.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
us-east-1
-
FS-12
-
No Bedrock-Scoped SCPs Found
-
No Service Control Policies reference Bedrock. Without SCPs, any account in the organization can access any Bedrock model, including unapproved third-party models.
-
1. Create an SCP that denies bedrock:InvokeModel for model IDs not on the approved list.
-2. Use bedrock:ModelId condition key to allowlist approved models.
-3. Maintain a model inventory and update the SCP when models are approved/retired.
-
-
High
-
Failed
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
1 agents have an associated guardrail
+
Resolution
No action required. Continue associating guardrails with new agents.
Tag all models with: source (e.g., 'aws-marketplace', 'internal'), version, and approval-date. Enforce tagging via SCP or AWS Config rule.
-
-
Medium
-
Failed
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
+
N/A
-
+
777788889999
us-east-1
-
FS-14
-
Model Governance Config Rules Present
-
Found 13 model-related Config rule(s).
-
No action required.
-
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
-
Passed
+
N/A
-
+
777788889999
us-east-1
-
FS-15
-
No Bedrock Evaluation Jobs Found
-
No Bedrock Model Evaluation jobs found. Models have not been evaluated for adversarial robustness. FinServ model-risk management (SR 11-7) expects documented model validation/evaluation.
-
1. Run Bedrock Model Evaluation with adversarial/red-team datasets.
-2. Use FMEval library for automated robustness testing.
-3. Schedule periodic re-evaluation after model updates.
-
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Create CloudWatch alarms on AWS/Bedrock runtime metrics such as Invocations, InvocationThrottles, InputTokenCount, OutputTokenCount, and ContentFilteredCount, and route them to an Amazon SNS topic for notification.
+
Reference
+
+
+
Medium
Failed
-
+
777788889999
us-east-1
-
FS-16
-
ECR Repositories Without Image Scanning
-
2 ECR repo(s) without scan-on-push: cdk-hnb659fds-container-assets-777788889999-us-east-1, aiml-sec-test-agentcore-no-encryption.
-
Enable scan-on-push for all ECR repositories containing model containers. Consider enabling Enhanced Scanning (Inspector) for CVE detection.
-
-
High
+
AG-07
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: Model invocation logging is not enabled. This limits your ability to track and audit model usage.
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
+
Medium
Failed
-
+
777788889999
us-east-1
-
FS-20
-
Feature Groups Without Offline Store
-
1 feature group(s) lack an active offline store: aiml-sec-test-feature-group. Without offline store, historical feature data cannot be used for rollback.
-
1. Enable offline store (S3-backed) for all production feature groups.
-2. Enable S3 versioning on the offline store bucket.
-3. Document rollback procedures for poisoned feature data.
-
+
AG-08
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: CloudTrail is properly configured to log Bedrock API activity in trails: IsengardTrail-DO-NOT-DELETE
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Medium
-
Failed
+
Passed
-
+
777788889999
-
us-east-1
-
FS-21
-
Training Data Buckets Have Versioning
-
All 2 training bucket(s) have versioning enabled.
-
No action required.
-
-
High
-
Passed
+
Global
+
AG-09
+
+
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Check must run in AWS Organizations management account to evaluate organizational policies
+
Resolution
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
us-east-1
-
FS-22
-
Overly Permissive Knowledge Base IAM Roles
-
823 role(s) with wildcard KB permissions:
-- Role 'Admin' allows '*'
-- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRole-RScmoTZfp2sC' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModel' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockAgentRoleWithoutGuar-Z3kN5ANhP89G' allows 'bedrock:InvokeModelWithResponseStream' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-sec-test-resources-BedrockFullAccessRole-zAFkGLkWQ61a' allows 'bedrock:*'
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListGuardrails' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetGuardrail' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:ListModelInvocationJobs' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-- Role 'aiml-security-mgmt-BedrockSecurityAssessmentFunctio-a7GKJ6O4151K' allows 'bedrock:GetModelInvocationLoggingConfiguration' on Resource '*' (no ARN scoping to specific Knowledge Bases)
-
Replace wildcard bedrock:* with specific actions such as bedrock:Retrieve, bedrock:RetrieveAndGenerate. Scope resources to specific Knowledge Base ARNs.
-
-
High
+
AG-10
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No Bedrock model evaluation jobs found. Model evaluation helps assess toxicity, accuracy, semantic robustness, and other safety metrics before production deployment.
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
+
Medium
Failed
-
+
777788889999
us-east-1
-
FS-24
-
ADVISORY: Knowledge Base Metadata Filtering — Manual Review Required
-
Found 1 Knowledge Base(s). Tenant-isolation metadata filtering is a design pattern that cannot be verified via API — manual review required. Verify that metadata attributes (e.g., tenantId, classification) are indexed and that Retrieve calls include RetrievalFilter conditions for tenant isolation.
-
1. Add metadata fields (tenantId, dataClassification) to KB data sources.
-2. Pass RetrievalFilter in all Retrieve/RetrieveAndGenerate calls.
-3. Validate filters in integration tests to prevent cross-tenant data leakage.
-
+
AG-11
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
us-east-1
-
FS-25
-
OpenSearch Serverless Encryption Policies Present
-
Found 1 encryption policy(ies); 1 use a customer-managed KMS key.
-
Verify all vector store collections use customer-managed KMS keys.
-
-
High
+
AG-12
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: 9 custom throttling quotas are configured. Regular quota review helps maintain appropriate rate limits.
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
+
Low
Passed
-
+
777788889999
us-east-1
-
FS-26
-
OpenSearch Serverless Collections Not VPC-Restricted
-
Found 1 network policy(ies) but none restrict to VPC. Vector stores may be accessible from the public internet.
-
Update network policies to allow access only from VPC endpoints. Create an OpenSearch Serverless VPC endpoint in your VPC.
-
-
High
-
Failed
+
AG-02
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
us-east-1
-
FS-27
-
COULD NOT ASSESS: Guardrail Contextual Grounding Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
AG-03
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
+
Informational
N/A
-
+
777788889999
us-east-1
-
FS-27
-
No Automated Reasoning Policies Found
-
No Bedrock Automated Reasoning policies have been created. ARC (GA August 2025) uses formal verification to guarantee that GenAI outputs comply with authored business rules — e.g., loan criteria, regulatory thresholds, policy constraints. Without ARC policies, factual accuracy of outputs is not formally verified, only heuristically filtered by contextual grounding thresholds.
-
1. In the Amazon Bedrock console → Guardrails → Automated Reasoning, create a policy document encoding your FinServ business rules (e.g., eligibility criteria, rate limits, regulatory thresholds).
-2. Associate the ARC policy with your guardrail (automatedReasoningPolicy.policies field in CreateGuardrail/UpdateGuardrail).
-3. Set confidenceThreshold on the policy to control strictness.
-4. ARC requires cross-Region inference — ensure your guardrail has a guardrailProfileArn configured (crossRegionDetails in GetGuardrail response).
-5. Reference: AWS Announcement — Automated Reasoning checks GA (August 2025).
-
-
Medium
-
Failed
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: Guardrail 'aiml-sec-test-test-guardrail' (ID: jkceg2tprvwh) could not be assessed because GetGuardrail returned AccessDeniedException.
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
us-east-1
-
FS-28
-
COULD NOT ASSESS: Financial Denied Topics Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: 1 agents have an associated guardrail
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
Application-level compliance disclaimers cannot be verified via AWS APIs. Manual review required to confirm GenAI outputs include required regulatory disclosures.
-
1. Implement post-processing to append required disclaimers to GenAI outputs.
-2. Use Bedrock Guardrails word filters to block outputs that omit required disclosures.
-3. Document disclaimer requirements in the AI use case register.
-4. Test disclaimer presence in QA/UAT before production deployment.
-
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No CloudWatch alarms are configured on Amazon Bedrock runtime metrics (AWS/Bedrock namespace). Without alarms, abuse, denial-of-wallet, sustained throttling, and content-filter spikes can go undetected.
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
777788889999
+
us-west-2
+
BR-02
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include compliance-specific datasets (fair lending/ECOA, Fair Housing Act, UDAP/UDAAP, AML/KYC edge cases). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with compliance-specific datasets:
-- Fair lending test cases (ECOA, Fair Housing Act)
-- UDAP/UDAAP unfair/deceptive practice scenarios
-- AML/KYC edge cases
-
+
us-west-2
+
BR-04
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-31
-
Knowledge Base Data Sources Past Review Threshold
-
1 data source(s) not synced in >7 days (a configurable review threshold, NOT an AWS-mandated limit):
-- KB 'knowledge-base-prowler-findings' source 'knowledge-base-quick-start-9lb68-data-source' last synced 423 days ago
-Confirm this age is acceptable for each data source's currency requirement — slow-changing reference data may legitimately sync infrequently.
-
1. Define the maximum acceptable data age per use case (e.g., intraday for market data, daily for product terms, weekly/monthly for regulatory guidance) and adjust the review threshold to match.
-2. Configure automated sync (EventBridge Scheduler → StartIngestionJob) at that cadence — see FS-61.
-3. Set CloudWatch alarms on sync job failures.
-
-
Medium
-
Failed
+
us-west-2
+
BR-05
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
Source attribution in GenAI responses cannot be verified via AWS APIs. Manual review required to confirm responses include citations.
-
1. Use Bedrock RetrieveAndGenerate with citations enabled.
-2. Include source document references in response post-processing.
-3. Test citation accuracy in QA before production deployment.
-4. Consider Bedrock Guardrails grounding checks to validate response accuracy.
-
+
us-west-2
+
BR-06
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-33
-
KB Data Source Buckets Have Versioning
-
All reviewed KB data source buckets have versioning enabled.
-
No action required.
-
-
Medium
-
Passed
+
us-west-2
+
BR-07
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
+1. Create and version your prompts
+2. Test different prompt variants
+3. Share prompts across your organization
+4. Maintain consistent prompt templates
+
Reference
+
+
+
+
Informational
+
N/A
-
+
777788889999
-
us-east-1
-
FS-34
-
Legacy Foundation Models Available in Region
-
Legacy/deprecated foundation models are available in this account/region: anthropic.claude-sonnet-4-20250514-v1:0, twelvelabs.marengo-embed-2-7-v1:0, anthropic.claude-opus-4-1-20250805-v1:0, amazon.nova-premier-v1:0:8k, amazon.nova-premier-v1:0:20k, amazon.nova-premier-v1:0:1000k, amazon.nova-premier-v1:0:mm, amazon.nova-premier-v1:0, amazon.nova-canvas-v1:0, amazon.nova-reel-v1:0. This API reports model *availability*, not actual usage — it cannot determine which models your applications invoke. Legacy models have older training-data cutoffs and may produce outdated information if used. Review whether any are in active use.
-
1. Identify which (if any) of these legacy models your applications invoke (e.g., via CloudTrail InvokeModel events or application config).
-2. Migrate active usage to current model versions.
-3. Document training-data cutoff dates for all models in use.
-4. Add data-currency disclaimers to outputs from models with old cutoffs.
-
+
us-west-2
+
BR-08
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-35
-
ADVISORY: Harmful-Content Test Coverage — Manual Review Required
-
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation/FMEval jobs include harmful-content datasets (toxicity, hate speech, violence/self-harm). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation or FMEval with harmful content datasets:
-- Toxicity detection
-- Hate speech classification
-- Violence/self-harm content
-
+
us-west-2
+
BR-09
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-36
-
COULD NOT ASSESS: Guardrail Content Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
us-west-2
+
BR-10
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-37
-
ADVISORY: User Feedback Mechanism — Manual Review Required
-
User feedback mechanisms for harmful outputs cannot be verified via AWS APIs. Manual review required.
-
1. Implement thumbs-up/down or flag-for-review UI in GenAI applications.
-2. Route flagged outputs to human reviewers via SQS/SNS.
-3. Log feedback to DynamoDB/S3 for model improvement.
-4. Define SLAs for reviewing flagged content.
-
+
us-west-2
+
BR-11
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-38
-
COULD NOT ASSESS: Guardrail Word Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
us-west-2
+
BR-12
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-39
-
No SageMaker Clarify Bias Monitoring
-
No SageMaker Clarify model bias monitoring schedules found. Models making financial decisions (credit, insurance) may exhibit discriminatory bias without detection.
-
1. Configure SageMaker Clarify bias detection for all models making credit, insurance, or employment decisions.
-2. Define protected attributes (age, gender, race proxies).
-3. Set bias metric thresholds and alert on violations.
-4. Document bias testing results for regulatory examination.
Bedrock model-evaluation dataset content cannot be inspected via API. Manually verify your model-evaluation jobs include bias/fairness datasets (demographic parity, equal-opportunity, counterfactual fairness) for any GenAI models used in financial decisions (ECOA/Fair Housing). Whether any evaluation jobs exist at all is assessed by FS-15.
-
Run Bedrock Model Evaluation with bias test datasets:
-- Demographic parity test cases
-- Equal opportunity scenarios
-- Counterfactual fairness tests
-
-
Informational
+
us-west-2
+
BR-16
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
+
Medium
N/A
-
+
777788889999
-
us-east-1
-
FS-41
-
No SageMaker Clarify Explainability Monitoring
-
No SageMaker Clarify explainability monitoring found. Models making adverse financial decisions may not provide required explanations (ECOA adverse action notices).
-
1. Configure SageMaker Clarify explainability for credit/lending models.
-2. Generate SHAP values for feature importance.
-3. Map top features to human-readable adverse action reason codes.
-4. Store explanations for regulatory examination.
-
+
us-west-2
+
BR-17
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-42
-
No SageMaker Model Cards Found
-
No SageMaker Model Cards found. Production AI models lack documented intended use, limitations, and bias evaluations.
-
1. Create SageMaker Model Cards for all production models.
-2. Document: intended use, out-of-scope uses, training data, bias evaluations.
-3. Include regulatory compliance attestations.
-4. Review and update cards at each model version release.
-
+
us-west-2
+
BR-18
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-19
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-43
-
No CloudWatch Logs Data Protection Policies
-
No CloudWatch Logs data protection policies found. PII (SSN, account numbers, credit card numbers) in Bedrock invocation logs may be stored in plaintext.
-
1. Create CloudWatch Logs data protection policies to mask PII.
-2. Enable masking for: SSN, credit card numbers, bank account numbers, email.
-3. Apply policies to Bedrock invocation log groups.
-4. Test masking with synthetic PII before production deployment.
-
+
us-west-2
+
BR-20
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-44
-
Amazon Macie Not Enabled
-
Amazon Macie is not enabled. S3 buckets containing training data and KB data sources are not being scanned for PII/sensitive data.
-
1. Enable Amazon Macie in all regions where AI/ML data is stored.
-2. Create Macie classification jobs for training data and KB buckets.
-3. Configure Macie findings to route to Security Hub and SNS.
-4. Remediate PII findings before using data for model training.
-
+
us-west-2
+
BR-21
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
High
-
Failed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-45
-
COULD NOT ASSESS: Guardrail PII Filters Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
us-west-2
+
BR-22
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
N/A
-
+
+
777788889999
+
us-west-2
+
BR-23
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
+
High
+
N/A
+
+
777788889999
-
us-east-1
-
FS-46
-
AI/ML Buckets Without Data Classification Tags
-
3 AI/ML bucket(s) without data-classification tags: aiml-sec-test-resources-bedrockloggingbucket-wtuvpinrlpmd, aiml-sec-test-resources-sagemakerbucket-6zzmxxaxco6g, aiml-security-mgmt-aimlassessmentbucket-kbitsdgexylv.
-
Tag all AI/ML data buckets with 'data-classification' key. Values: Public, Internal, Confidential, Restricted. Enforce via SCP or AWS Config rule.
-
+
us-west-2
+
BR-24
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
Medium
-
Failed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-47
-
COULD NOT ASSESS: Guardrail Grounding Threshold Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
+
us-west-2
+
BR-25
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
Low
N/A
-
+
777788889999
-
us-east-1
-
FS-48
-
Active Knowledge Bases for RAG Present
-
Found 1 active Knowledge Base(s) for RAG grounding.
-
No action required.
-
+
us-west-2
+
BR-26
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
+
High
+
N/A
+
+
+
777788889999
+
us-west-2
+
BR-27
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
Application-level hallucination disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add disclaimers to GenAI outputs: 'AI-generated content may contain errors. Verify with authoritative sources before acting.'
-2. Implement post-processing to append disclaimers.
-3. Test disclaimer presence in QA before production.
-
-
Informational
+
us-west-2
+
BR-28
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
us-east-1
-
FS-50
-
COULD NOT ASSESS: Guardrail Relevance Grounding Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
+
us-west-2
+
BR-29
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
N/A
-
+
777788889999
-
us-east-1
-
FS-51
-
COULD NOT ASSESS: Prompt Injection Input Validation Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
us-west-2
+
BR-30
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
777788889999
-
us-east-1
-
FS-52
-
Bedrock Lambda Functions on Current Runtimes
-
All 10 Bedrock Lambda function(s) use current runtimes.
-
No action required.
-
+
us-west-2
+
BR-31
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
-
Passed
+
N/A
-
+
777788889999
-
us-east-1
-
FS-53
-
No WAF Web ACLs — Injection Rules Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF Web ACLs with injection protection rules (see FS-01).
-
+
us-west-2
+
BR-32
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
Penetration testing evidence cannot be verified via AWS APIs. Manual review required to confirm GenAI applications have been tested.
-
1. Conduct penetration testing of GenAI applications at least annually and before major releases.
-2. Include AI-specific test cases: prompt injection, jailbreak, indirect (cross-domain) injection, system-prompt leakage, and data-extraction attempts.
-3. Consider AWS Security Agent for on-demand, AI-driven penetration testing (GA March 2026; available in US East N. Virginia, US West Oregon, Europe Ireland, Europe Frankfurt, Asia Pacific Sydney, Asia Pacific Tokyo, with cross-account shared-VPC testing via AWS RAM). Open-source tools such as Garak or PyRIT and manual red-teaming are complementary options. Verify current regional availability on the AWS Security Agent page before relying on it.
-4. Document findings and remediation for regulatory examination, and tag tested resources with a last-pentest-date for audit trail.
-5. For DORA compliance, include GenAI in TLPT (Threat-Led Penetration Testing) scope.
-
+
us-west-2
+
AG-07
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
FS-55
-
No Output Validation Functions Found
-
No Lambda functions with output validation/sanitization naming found. GenAI outputs may be passed directly to downstream systems without validation.
-
1. Implement output validation Lambda functions in GenAI pipelines.
-2. Validate output schema, length, and content before downstream use.
-3. Sanitize outputs before rendering in web UIs (XSS prevention).
-4. Encode outputs appropriately for the target context (HTML, SQL, JSON).
-
-
Medium
-
Failed
-
-
+
777788889999
-
us-east-1
-
FS-56
-
No WAF ACLs — XSS Prevention Not Applicable
-
No regional WAF Web ACLs found.
-
Create WAF ACLs with XSS prevention rules.
-
+
us-west-2
+
AG-08
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
Output encoding practices cannot be verified via AWS APIs. Manual code review required.
-
1. HTML-encode GenAI outputs before rendering in web UIs.
-2. Use parameterized queries when GenAI output is used in database operations.
-3. JSON-encode outputs before embedding in JavaScript contexts.
-4. Validate output length and format before passing to downstream APIs.
-
+
us-west-2
+
AG-10
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
Found 0 Lambda function(s) whose names suggest schema/validation handling. Structured-output / JSON-schema validation of GenAI responses is an application-layer control that cannot be verified automatically — manual review required.
-
1. Use Bedrock structured output (response schemas) where supported.
-2. Implement JSON schema validation on Lambda output processors.
-3. Reject malformed outputs and return safe error responses.
-4. Log schema validation failures to CloudWatch for monitoring.
-
+
us-west-2
+
AG-11
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-59
-
COULD NOT ASSESS: Guardrail Topic Allowlist Check
-
This check could not be completed (error: An error occurred (AccessDeniedException) when calling the GetGuardrail operation: You don't have sufficient permissions to access this guardrail.). The most common cause is a missing IAM permission for the assessment role; it may also indicate an unsupported region or an outdated botocore. This control was NOT assessed — verify the role's permissions and re-run, and assess this control manually until resolved.
-
1. Confirm the assessment role grants the actions this check requires (see the documented IAM permission set in the README).
-2. Confirm the service/feature is supported in the assessed region.
-3. Ensure botocore meets the version floor in requirements.txt.
-4. Re-run the assessment; assess this control manually until it succeeds.
-
-
Low
+
us-west-2
+
AG-06
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
+
Informational
N/A
-
+
777788889999
-
us-east-1
-
FS-60
-
ADVISORY: Contextual Grounding for Off-Topic Prevention
-
Contextual grounding for off-topic prevention is covered by guardrail grounding checks (FS-47) and RAG configuration (FS-48). Additionally verify system prompts explicitly scope the assistant's role.
-
1. Include explicit scope instructions in system prompts.
-2. Use Bedrock Guardrails relevance grounding filter.
-3. Test with off-topic prompts in QA to verify rejection behavior.
-
+
us-west-2
+
AG-12
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
FS-61
-
No Automated KB Sync Schedules Detected
-
Found 1 Knowledge Base(s) but no EventBridge Scheduler schedules or EventBridge rules with 'bedrock'/'knowledge' naming were found. Note: this check uses a name/target heuristic — sync automation with other naming conventions, AWS Step Functions-based orchestration, or native Bedrock API-triggered syncs (StartIngestionJob called directly) will not be detected. Verify sync automation manually if applicable.
-
1. Use EventBridge Scheduler (the AWS-recommended approach) to create a recurring schedule (e.g., rate(1 day) or a cron expression) that triggers a Lambda function calling the Bedrock StartIngestionJob API for each data source. Classic EventBridge scheduled rules also work but are a legacy feature.
-2. As of December 2024, Bedrock Knowledge Bases supports custom connectors and streaming data ingestion — use direct document ingestion (KnowledgeBaseDocuments API) for real-time updates without a full S3 sync.
-3. Set sync frequency based on data currency requirements (e.g., hourly for market data, daily for regulatory guidance).
-4. Configure CloudWatch alarms or SNS notifications on IngestionJob FAILED status for sync failure alerting.
-
-
Medium
-
Failed
-
-
+
777788889999
-
us-east-1
-
FS-62
-
ADVISORY: Data Currency Disclaimer — Manual Review Required
-
Data currency disclaimers cannot be verified via AWS APIs. Manual review required.
-
1. Add data currency disclaimers to GenAI outputs: 'Information based on data current as of [KB last sync date].'
-2. Expose KB last sync timestamp in application responses.
-3. Alert users when KB data is older than defined threshold.
-
+
us-west-2
+
AG-02
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
FS-63
-
Foundation Model Lifecycle Management
-
No legacy models detected. 11 lifecycle-related Config rule(s) found.
-
No action required.
-
-
Medium
-
Passed
-
-
-
777788889999
-
us-east-1
-
FS-65
-
KB Data Source Buckets Missing S3 Event Notifications
-
The following KB data-source S3 buckets have no event notifications configured. Unauthorized document modifications will not be detected in real time:
-- sat2-prowler-2025-prowlerfindingsbucket-wc1k0mza7lpk
-
1. Enable Amazon EventBridge notifications on each KB data-source S3 bucket.
-2. Create an EventBridge rule to route s3:ObjectCreated, s3:ObjectRemoved, and s3:ObjectModified events to an SNS topic or Lambda for alerting.
-3. Integrate alerts into your security incident response workflow.
-
-
Medium
-
Failed
-
-
+
777788889999
-
us-east-1
-
FS-66
-
No AgentCore Runtimes Found
-
No AgentCore runtimes found; identity propagation check not applicable.
-
If using AgentCore, configure token propagation so end-user identities are forwarded to tool services.
-
+
us-west-2
+
AG-04
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
FS-67
-
Agent Action-Group Lambdas May Lack Transaction Thresholds
-
The following agent action-group Lambda functions have no environment variables whose names suggest transaction-value threshold configuration (this is a best-effort heuristic — a threshold enforced in code or in an AgentCore Policy Engine rule would not be detected here, so treat this as a prompt for manual verification rather than a definitive gap). Without explicit limits, agents could initiate unbounded financial transactions:
-- aiml-security-aiml-security-mgmt-FinServAssessment
-- aiml-security-aiml-security-mgmt-AgentCoreAssessment
-- aiml-security-aiml-security-mgmt-BedrockAssessment
-
1. Add transaction-value threshold environment variables (e.g., MAX_TRANSACTION_AMOUNT) to each agent action-group Lambda.
-2. Implement threshold enforcement logic in the Lambda handler.
-3. Configure AgentCore Policy Engine rules to cap financial transaction amounts.
-4. Route transactions exceeding thresholds to a human-in-the-loop approval step.
-
-
High
-
Failed
-
-
+
777788889999
-
us-east-1
-
FS-68
-
API Gateway Request Body Size Limits — Not Applicable
-
No API Gateway REST APIs and no regional WAF Web ACLs were found in this region. There is no input-payload surface to assess for body-size limits.
-
If GenAI endpoints are fronted by API Gateway or WAF in another region, run the assessment there. Otherwise no action is required.
-
+
us-west-2
+
AG-03
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
-
777788889999
-
us-east-1
-
FS-69
-
Prompt Input Validation Functions Present
-
Found 1 Lambda function(s) with input validation/sanitization naming patterns: aiml-security-aiml-security-mgmt-CleanupBucket.
-
Review these functions to confirm they cover: special-character stripping, format validation, size limits, and injection-sequence detection.
-
-
Medium
-
Passed
-
-
+
777788889999
us-west-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
AG-05
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
us-west-2
+
AG-01
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
us-west-2
+
AG-13
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
777788889999
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
us-west-2
+
AG-14
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
+
+
+
+
Amazon Bedrock Findings
+
+
+
+
Failed
50
Open findings
+
Passed
18
Controls met
+
N/A
225
Not applicable
+
Total
293
Rows in report
+
+
+
+
+
+
+
+
+
Amazon SageMaker Findings
+
+
+
+
Failed
34
Open findings
+
Passed
37
Controls met
+
N/A
190
Not applicable
+
Total
261
Rows in report
+
+
+
+
+
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+
+
Failed
39
Open findings
+
Passed
3
Controls met
+
N/A
80
Not applicable
+
Total
122
Rows in report
+
+
+
+
+
+
+
+
Agentic AI Security Findings
+
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
- 2026-07-09T22:25:20.613376
- Account: 123456789012 · 5 Regions
+ 2026-07-10T03:11:31.593820
+ Account: 123456789012 · 3 Regions
-
Security Checks
97
Evaluated across 5 regions
-
Total Findings
462
Across 5 regions
-
Actionable Findings
100
High, Medium, and Low severity
-
High Severity
4/41
9.8% passed · Immediate action required
-
Medium Severity
15/41
36.6% passed · Should be addressed
-
Low Severity
5/18
27.8% passed · Best practices
+
Security Checks
97
Evaluated across 3 regions
+
Total Findings
282
Across 3 regions
+
Actionable Findings
6
Failed High, Medium, and Low findings
+
High Severity
4/29
13.8% passed · Immediate action required
+
Medium Severity
9/25
36.0% passed · Should be addressed
+
Low Severity
3/10
30.0% passed · Best practices
Priority Recommendations
3
@@ -275,9714 +283,4026 @@
Security Assessment Overview
+
+
Risk Distribution
+
Pass Rate by Severity
+
+
HIGH
13.8%
4 of 29 checks passed
+
MEDIUM
36.0%
9 of 25 checks passed
+
LOW
30.0%
3 of 10 checks passed
+
Overall
25.0%
16 of 64 scored checks passed
+
+
+
Risk by Region / Scope
+
eu-west-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
Global
6
5 High · 1 Med · 0 Low
+
Findings by Assessment Area
+
+
Bedrock
89
4 Failed · 1 Passed
+
SageMaker
82
0 Failed · 13 Passed
+
AgentCore
33
1 Failed · 1 Passed
+
Agentic AI Security
75
1 Failed · 1 Passed
+
Financial Services Risk
3
0 Failed · 0 Passed
+
+
All Security Findings
-
+
-
+
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
Account ID
Region
Check ID
Finding
Severity
Status
123456789012
-
ap-south-1
+
eu-west-1
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
1. Create and version your prompts
2. Test different prompt variants
3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
+
Resolution
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
+
eu-west-1
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
Global
+
BR-01
+
+
AmazonBedrockFullAccess role check
+
+ Details and remediation
+
+
Details
No roles found with AmazonBedrockFullAccess policy
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
123456789012
+
Global
+
BR-03
+
+
Marketplace Subscription Access Check
+
+ Details and remediation
+
+
Details
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
+
Resolution
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
123456789012
+
us-east-1
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
1. Create and version your prompts
2. Test different prompt variants
3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
Global
+
BR-15
+
+
Cross-Account Guardrails Enforcement Check
+
+ Details and remediation
+
+
Details
Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Resolution
Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
123456789012
+
us-east-1
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
Global
+
AG-09
+
+
Agentic AI Guardrail Enforcement Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
+
Resolution
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
+
Reference
+
+
+
+
High
+
Failed
+
+
+
123456789012
+
us-east-1
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
+
us-east-1
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
+
+
Amazon Bedrock private connectivity check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess private connectivity
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
+
+
Bedrock Model Invocation Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with invocation logging
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
+
+
Bedrock Guardrails Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to protect with guardrails
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
+
+
Bedrock CloudTrail Logging Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
+
+
Bedrock Prompt Management Check
+
+ Details and remediation
+
+
Details
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
+
Resolution
Implement Prompt Management to:
1. Create and version your prompts
2. Test different prompt variants
3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
+4. Maintain consistent prompt templates
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
+
+
Bedrock Agent IAM Roles Check
+
+ Details and remediation
+
+
Details
No Bedrock agents found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
+
+
Bedrock Knowledge Base Encryption Check
+
+ Details and remediation
+
+
Details
No Knowledge Bases found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
+
+
Bedrock Guardrail IAM Enforcement Check
+
+ Details and remediation
+
+
Details
No guardrails configured - IAM enforcement check not applicable
+
Resolution
Configure Bedrock Guardrails first, then enforce their use via IAM policies
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
+
+
Bedrock Custom Model Encryption Check
+
+ Details and remediation
+
+
Details
No custom/fine-tuned models found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
+
+
Bedrock Invocation Log Encryption Check
+
+ Details and remediation
+
+
Details
Model invocation logging to S3 is not configured
+
Resolution
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
+
+
Bedrock Flows Guardrails Check
+
+ Details and remediation
+
+
Details
No Bedrock Flows found in the account
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
+
+
Guardrail Tier Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
+
+
Custom Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No custom (fine-tuned) Bedrock models found in this region
+
Resolution
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
+
+
Model Evaluation Implementation Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
+
+
Prompt Flow Validation Check
+
+ Details and remediation
+
+
Details
No Bedrock prompt flows configured in this region
+
Resolution
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
+
+
Knowledge Base Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
+
+
Agent Action Group IAM Least Privilege Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
+
+
Model Invocation Throttling Limits Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
+
+
Guardrail Content Filter Coverage Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
+
+
Automated Reasoning Policy Implementation Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with Automated Reasoning policies for formal verification of model responses
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
+
+
RAG Evaluation Jobs Check
+
+ Details and remediation
+
+
Details
No Bedrock knowledge bases found in this region
+
Resolution
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
+
+
Guardrail Sensitive Information Filter Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
+
+
Guardrail Contextual Grounding Check
+
+ Details and remediation
+
+
Details
No Bedrock guardrails configured in this region
+
Resolution
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
+
+
Agent Guardrail Association Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
+
Reference
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
+
+
Agent Idle Session TTL Check
+
+ Details and remediation
+
+
Details
No Bedrock agents configured in this region
+
Resolution
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
+
Reference
+
+
+
Low
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
+
+
Imported Model Customer-Managed KMS Encryption Check
+
+ Details and remediation
+
+
Details
No imported custom Bedrock models found in this region
+
Resolution
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
+
Reference
+
+
+
+
High
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
+
+
Batch Inference Output Encryption Check
+
+ Details and remediation
+
+
Details
No Bedrock batch inference (model invocation) jobs found in this region
+
Resolution
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
+
Reference
+
+
+
Medium
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
+
+
Bedrock CloudWatch Alarm Check
+
+ Details and remediation
+
+
Details
No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
+
Agentic AI Model Invocation Logging
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
+
Resolution
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
+
Agentic AI API Audit Trail
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
+
Resolution
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
+
Agentic AI Adversarial Evaluation Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
+
Resolution
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
+
Agentic AI Prompt Flow Validation
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
+
Resolution
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
+
Agentic AI Tool Execution Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
+
Resolution
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
+
Agentic AI Invocation Abuse Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
+
Resolution
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
+
Agentic AI Harmful Content Guardrail Coverage
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
+
Agentic AI Automated Reasoning Guardrails
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
+
Resolution
Configure automated reasoning policies on guardrails where formal response validation is required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
+
Agentic AI Sensitive Information Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
+
Resolution
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
+
Agentic AI Grounding Controls
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
+
Resolution
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
+
Agentic AI Agent Guardrail Association
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
+
Resolution
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
+
Agentic AI Session Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
+
Resolution
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
+
us-west-2
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
+
Agentic AI Operational Abuse Alarms
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
+
Resolution
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
+
Reference
+
+
+
Informational
N/A
-
-
123456789012
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
-
Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.
-
-
High
-
Failed
-
-
-
123456789012
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
-
High
-
Failed
-
-
-
123456789012
-
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
-
Medium
-
Failed
-
-
-
123456789012
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AG-16
-
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
-
High
-
Passed
-
-
-
123456789012
-
Global
-
AG-17
-
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
-
Risk Distribution
-
Pass Rate by Severity
-
-
HIGH
9.8%
4 of 41 checks passed
-
MEDIUM
36.6%
15 of 41 checks passed
-
LOW
27.8%
5 of 18 checks passed
-
Overall
24.0%
24 of 100 actionable checks
-
-
-
Risk by Region
-
ap-south-1
0
0 High · 0 Med · 0 Low
eu-west-1
0
0 High · 0 Med · 0 Low
sa-east-1
0
0 High · 0 Med · 0 Low
us-east-1
0
0 High · 0 Med · 0 Low
us-west-2
0
0 High · 0 Med · 0 Low
-
Findings by Assessment Area
-
-
Bedrock
145
4 Failed · 1 Passed
-
SageMaker
136
0 Failed · 21 Passed
-
AgentCore
53
1 Failed · 1 Passed
-
Agentic AI Security
123
1 Failed · 1 Passed
-
Financial Services Risk
5
0 Failed · 0 Passed
-
-
-
-
Amazon Bedrock Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
123456789012
-
ap-south-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
ap-south-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
eu-west-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
Unable to check Imported model encryption check: An error occurred (AccessDeniedException) when calling the ListImportedModels operation: Your account is not authorized to invoke this API operation.
-
Amazon Bedrock Custom Model Import is not enabled or available for this account in this region. No IAM change is required; the check applies only once model import is in use.
-
-
Low
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
sa-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
BR-01
-
AmazonBedrockFullAccess role check
-
No roles found with AmazonBedrockFullAccess policy
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
Global
-
BR-03
-
Marketplace Subscription Access Check
-
Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'
-
Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.
-
-
High
-
Failed
-
-
-
123456789012
-
us-east-1
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
BR-15
-
Cross-Account Guardrails Enforcement Check
-
Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
-
Enable Bedrock Guardrails policy type in AWS Organizations to enforce consistent safety controls across all accounts. Use AWS Organizations console or CLI to enable the policy type.
-
-
High
-
Failed
-
-
-
123456789012
-
us-east-1
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-east-1
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-02
-
Amazon Bedrock private connectivity check
-
No regional Bedrock resources found to assess private connectivity
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-04
-
Bedrock Model Invocation Logging Check
-
No regional Bedrock resources found to monitor with invocation logging
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-05
-
Bedrock Guardrails Check
-
No regional Bedrock resources found to protect with guardrails
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-06
-
Bedrock CloudTrail Logging Check
-
No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-07
-
Bedrock Prompt Management Check
-
Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.
-
Implement Prompt Management to:
-1. Create and version your prompts
-2. Test different prompt variants
-3. Share prompts across your organization
-4. Maintain consistent prompt templates
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-08
-
Bedrock Agent IAM Roles Check
-
No Bedrock agents found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-09
-
Bedrock Knowledge Base Encryption Check
-
No Knowledge Bases found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-10
-
Bedrock Guardrail IAM Enforcement Check
-
No guardrails configured - IAM enforcement check not applicable
-
Configure Bedrock Guardrails first, then enforce their use via IAM policies
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-11
-
Bedrock Custom Model Encryption Check
-
No custom/fine-tuned models found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-12
-
Bedrock Invocation Log Encryption Check
-
Model invocation logging to S3 is not configured
-
If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-13
-
Bedrock Flows Guardrails Check
-
No Bedrock Flows found in the account
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-16
-
Guardrail Tier Validation Check
-
No Bedrock guardrails configured in this region
-
Create Bedrock guardrails with Standard tier for enhanced content filtering and protection
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-17
-
Custom Model Customer-Managed KMS Encryption Check
-
No custom (fine-tuned) Bedrock models found in this region
-
When creating custom models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-18
-
Model Evaluation Implementation Check
-
No regional Bedrock resources found to assess with model evaluation jobs
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-19
-
Prompt Flow Validation Check
-
No Bedrock prompt flows configured in this region
-
When creating prompt flows, use the ValidateFlowDefinition API to validate flow definitions before deployment
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-20
-
Knowledge Base Customer-Managed KMS Encryption Check
-
No Bedrock knowledge bases found in this region
-
When creating knowledge bases, specify customer-managed KMS keys for both vector store and data source encryption
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-21
-
Agent Action Group IAM Least Privilege Check
-
No Bedrock agents configured in this region
-
When creating agents with action groups, ensure Lambda execution roles follow least privilege principles
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-22
-
Model Invocation Throttling Limits Check
-
No regional Bedrock resources found to assess model invocation throttling quotas
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-23
-
Guardrail Content Filter Coverage Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with all content filters enabled (hate, insults, sexual, violence) with appropriate thresholds
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-24
-
Automated Reasoning Policy Implementation Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with Automated Reasoning policies for formal verification of model responses
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-25
-
RAG Evaluation Jobs Check
-
No Bedrock knowledge bases found in this region
-
When implementing RAG applications, configure evaluation jobs to assess context relevance, response correctness, and prevent hallucinations
-
-
Low
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-26
-
Guardrail Sensitive Information Filter Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with sensitive-information filters (PII entities and/or regex patterns) to detect and redact sensitive data in prompts and model responses
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-27
-
Guardrail Contextual Grounding Check
-
No Bedrock guardrails configured in this region
-
Create guardrails with contextual grounding checks to detect hallucinations (ungrounded responses) and irrelevant answers, especially for RAG applications
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-28
-
Agent Guardrail Association Check
-
No Bedrock agents configured in this region
-
When creating agents, associate a Bedrock guardrail so agent inputs and responses are filtered for harmful content, PII, and denied topics
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-29
-
Agent Idle Session TTL Check
-
No Bedrock agents configured in this region
-
When creating agents, set a conservative idleSessionTTLInSeconds to limit how long an idle session remains resumable
-
-
Low
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-30
-
Imported Model Customer-Managed KMS Encryption Check
-
No imported custom Bedrock models found in this region
-
When importing models, specify a customer-managed KMS key for encryption to maintain control over encryption keys
-
-
High
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-31
-
Batch Inference Output Encryption Check
-
No Bedrock batch inference (model invocation) jobs found in this region
-
When creating batch inference jobs, set outputDataConfig.s3OutputDataConfig.s3EncryptionKeyId to a customer-managed KMS key to encrypt the job output
-
-
Medium
-
N/A
-
-
-
123456789012
-
us-west-2
-
BR-32
-
Bedrock CloudWatch Alarm Check
-
No regional Bedrock resources found to monitor with CloudWatch alarms
-
No action required
-
-
Informational
-
N/A
-
-
-
-
Amazon SageMaker Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
123456789012
-
ap-south-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
ap-south-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
eu-west-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
sa-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
SM-02
-
SageMaker IAM Permissions Check
-
No issues found with IAM permissions and no stale access detected
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
us-east-1
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-01
-
SageMaker Internet Access Check
-
No SageMaker notebook instances or domains found to check
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-02
-
SageMaker SSO Configuration Check
-
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-03
-
Data Protection Check
-
No SageMaker resources found to check for data protection
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-04
-
GuardDuty Enabled
-
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Model Registry Issue
-
No model package groups found
-
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Feature Store Issue
-
No feature groups found
-
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-05
-
SageMaker Pipelines Issue
-
No ML pipelines found
-
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-06
-
SageMaker Clarify No Clarify Usage
-
No SageMaker Clarify jobs found
-
Implement SageMaker Clarify for model explainability and bias detection
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-07
-
SageMaker Model Monitor No Model Monitoring
-
No Model Monitor schedules found
-
Configure comprehensive model monitoring schedules
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-08
-
Model Registry Registry Not Used
-
Model Registry is not being utilized
-
Implement proper model versioning and approval workflows
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-09
-
SageMaker Notebook Root Access Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-10
-
SageMaker Notebook VPC Deployment Check
-
No notebook instances found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-11
-
SageMaker Model Network Isolation Check
-
No models found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-12
-
SageMaker Endpoint Instance Count Check
-
No InService endpoints found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-13
-
SageMaker Monitoring Network Isolation Check
-
No monitoring schedules found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-14
-
SageMaker Model Repository Access Check
-
No models found or all use default Platform access
No model package groups found. Model Registry is not being used for model governance.
-
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
SM-23
-
Model Drift Detection Check
-
No InService endpoints found to monitor.
-
No action required
-
-
Medium
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-24
-
A/B Testing and Shadow Deployment Check
-
No InService endpoints found.
-
No action required
-
-
Low
-
Passed
-
-
-
123456789012
-
us-west-2
-
SM-25
-
ML Lineage Tracking - Experiments Not Used
-
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
-
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
-
-
Informational
-
N/A
-
-
-
-
Amazon Bedrock AgentCore Findings
-
-
-
-
-
-
-
-
-
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
-
123456789012
-
ap-south-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
eu-west-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
+
123456789012
eu-west-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
eu-west-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AC-02
-
AgentCore IAM Full Access Check
-
No roles with overly permissive AgentCore access found
-
No action required
-
-
High
-
Passed
-
-
-
123456789012
-
Global
-
AC-03
-
AgentCore Unused Permissions
-
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Review and remove unused AgentCore permissions following least privilege principle
-
-
Informational
-
N/A
-
-
-
123456789012
-
Global
-
AC-09
-
AgentCore Service-Linked Role Missing
-
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
-
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
-
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
Medium
-
Failed
-
-
-
123456789012
-
us-east-1
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-east-1
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-01
-
AgentCore VPC Configuration Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-04
-
AgentCore Observability Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-05
-
AgentCore Encryption Check
-
No AgentCore resources found
-
No action required
-
-
Informational
-
N/A
-
-
-
123456789012
-
us-west-2
-
AC-06
-
AgentCore Browser Tool Recording Check
-
No AgentCore Runtimes found to check browser tool configuration
-
No action required
-
-
Informational
-
N/A
+
Passed
-
+
123456789012
-
us-west-2
-
AC-07
-
AgentCore Memory Configuration Check
-
No Memory resources found
-
No action required
-
+
eu-west-1
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-west-2
-
AC-13
-
AgentCore Gateway Configuration Check
-
No Gateway resources found
-
No action required
-
-
Informational
-
N/A
+
eu-west-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
123456789012
-
us-west-2
-
AC-08
-
AgentCore VPC Endpoints Check
-
No AgentCore resources found
-
No action required
-
+
eu-west-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-west-2
-
AC-10
-
AgentCore Resource-Based Policies Check
-
No AgentCore resources found to check for resource-based policies
-
No action required
-
+
eu-west-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-west-2
-
AC-11
-
AgentCore Policy Engine Encryption Check
-
No Policy Engines found
-
No action required
-
+
eu-west-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-west-2
-
AC-12
-
AgentCore Gateway Encryption Check
-
No Gateways found
-
No action required
-
+
eu-west-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
-
-
Agentic AI Security Findings
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.
Account ID
Region
Check ID
Finding
Details
Resolution
Reference
Severity
Status
+
+
123456789012
-
ap-south-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
eu-west-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
eu-west-1
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
eu-west-1
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
eu-west-1
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
eu-west-1
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
eu-west-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
eu-west-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
eu-west-1
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
eu-west-1
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
eu-west-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
eu-west-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
eu-west-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
eu-west-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
eu-west-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
eu-west-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
-
Informational
-
N/A
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
123456789012
eu-west-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
-
Informational
-
N/A
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
123456789012
eu-west-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
Global
+
SM-02
+
+
SageMaker IAM Permissions Check
+
+ Details and remediation
+
+
Details
No issues found with IAM permissions and no stale access detected
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-east-1
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
us-east-1
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-east-1
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
us-east-1
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
us-east-1
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
us-east-1
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
eu-west-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
us-east-1
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
us-east-1
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
us-east-1
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
us-east-1
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
us-east-1
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
us-east-1
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
us-east-1
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
us-east-1
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-east-1
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
us-east-1
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
us-east-1
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
us-east-1
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
us-east-1
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-east-1
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-east-1
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
Global
-
AG-09
-
Agentic AI Guardrail Enforcement Boundary
-
Agentic AI security domain: Guardrail Enforcement. Organization-level guardrail enforcement helps prevent agents from bypassing required safety controls across accounts. Source check BR-15: Bedrock Guardrails policy type is not enabled at the organization level. Cross-account guardrails cannot be enforced without enabling this policy type.
-
Use IAM and organization controls to require approved guardrails for model and agent invocations where supported.
-
-
High
-
Failed
+
us-east-1
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
-
+
123456789012
us-east-1
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
-
Informational
-
N/A
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
-
+
123456789012
us-east-1
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
us-west-2
+
SM-01
+
+
SageMaker Internet Access Check
+
+ Details and remediation
+
+
Details
No SageMaker notebook instances or domains found to check
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
us-west-2
+
SM-02
+
+
SageMaker SSO Configuration Check
+
+ Details and remediation
+
+
Details
No SageMaker domains found, or all domains use SSO with IAM Identity Center configured
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-03
+
+
Data Protection Check
+
+ Details and remediation
+
+
Details
No SageMaker resources found to check for data protection
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
us-west-2
+
SM-04
+
+
GuardDuty Enabled
+
+ Details and remediation
+
+
Details
Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-05
+
+
SageMaker Model Registry Issue
+
+ Details and remediation
+
+
Details
No model package groups found
+
Resolution
Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
us-west-2
+
SM-05
+
+
SageMaker Feature Store Issue
+
+ Details and remediation
+
+
Details
No feature groups found
+
Resolution
Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
us-west-2
+
SM-05
+
+
SageMaker Pipelines Issue
+
+ Details and remediation
+
+
Details
No ML pipelines found
+
Resolution
Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
-
+
us-west-2
+
SM-06
+
+
SageMaker Clarify No Clarify Usage
+
+ Details and remediation
+
+
Details
No SageMaker Clarify jobs found
+
Resolution
Implement SageMaker Clarify for model explainability and bias detection
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-01
-
Agentic AI Agent Guardrail Association
-
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
us-west-2
+
SM-07
+
+
SageMaker Model Monitor No Model Monitoring
+
+ Details and remediation
+
+
Details
No Model Monitor schedules found
+
Resolution
Configure comprehensive model monitoring schedules
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
us-west-2
+
SM-08
+
+
Model Registry Registry Not Used
+
+ Details and remediation
+
+
Details
Model Registry is not being utilized
+
Resolution
Implement proper model versioning and approval workflows
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
us-east-1
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
us-west-2
+
SM-09
+
+
SageMaker Notebook Root Access Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-07
-
Agentic AI Model Invocation Logging
-
Agentic AI security domain: Auditability & Observability. Agents can take multi-step actions, so prompt, response, and guardrail traces need to be available for investigation. Source check BR-04: No regional Bedrock resources found to monitor with invocation logging
-
Enable Amazon Bedrock model invocation logging and retain logs according to your incident response and data governance requirements.
-
+
SM-10
+
+
SageMaker Notebook VPC Deployment Check
+
+ Details and remediation
+
+
Details
No notebook instances found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-08
-
Agentic AI API Audit Trail
-
Agentic AI security domain: Auditability & Observability. Agent activity must be attributable through CloudTrail events for Bedrock control plane and runtime operations. Source check BR-06: No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage
-
Enable CloudTrail trails with management event logging and validate that Bedrock API activity is captured.
-
+
SM-11
+
+
SageMaker Model Network Isolation Check
+
+ Details and remediation
+
+
Details
No models found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-10
-
Agentic AI Adversarial Evaluation Coverage
-
Agentic AI security domain: Prompt & Input Protection. Agentic applications should be tested for adversarial prompts and unsafe behaviors before production use. Source check BR-18: No regional Bedrock resources found to assess with model evaluation jobs
-
Configure model or application evaluations that include adversarial, safety, and security-relevant test cases.
-
+
SM-12
+
+
SageMaker Endpoint Instance Count Check
+
+ Details and remediation
+
+
Details
No InService endpoints found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-11
-
Agentic AI Prompt Flow Validation
-
Agentic AI security domain: Prompt & Input Protection. Validated prompt flows reduce the risk that malformed orchestration logic causes unsafe agent behavior. Source check BR-19: No Bedrock prompt flows configured in this region
-
Validate Bedrock flow definitions before deployment and remediate validation findings before publishing new versions.
-
+
SM-13
+
+
SageMaker Monitoring Network Isolation Check
+
+ Details and remediation
+
+
Details
No monitoring schedules found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-06
-
Agentic AI Tool Execution Least Privilege
-
Agentic AI security domain: Tool Authorization. Agent action groups are tool execution boundaries; over-permissive roles can let an agent perform unintended operations. Source check BR-21: No Bedrock agents configured in this region
-
Restrict action group Lambda roles and referenced IAM permissions to the specific tools, resources, and actions required.
-
+
SM-14
+
+
SageMaker Model Repository Access Check
+
+ Details and remediation
+
+
Details
No models found or all use default Platform access
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-12
-
Agentic AI Invocation Abuse Controls
-
Agentic AI security domain: Abuse & Cost Protection. Autonomous agents can amplify token usage through retries, loops, or high-volume tool workflows. Source check BR-22: No regional Bedrock resources found to assess model invocation throttling quotas
-
Configure service quotas, throttling limits, and alerting to detect and limit abnormal model invocation patterns.
-
+
SM-15
+
+
SageMaker Feature Store Encryption Check
+
+ Details and remediation
+
+
Details
No feature groups with offline stores found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-02
-
Agentic AI Harmful Content Guardrail Coverage
-
Agentic AI security domain: Guardrail Enforcement. Agents should use guardrails that filter harmful content in both intermediate and final responses. Source check BR-23: No Bedrock guardrails configured in this region
-
Configure guardrails with appropriate content filters and thresholds for all agent-facing workloads.
-
+
SM-16
+
+
SageMaker Data Quality Job Encryption Check
+
+ Details and remediation
+
+
Details
No data quality job definitions found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-04
-
Agentic AI Automated Reasoning Guardrails
-
Agentic AI security domain: Guardrail Enforcement. Automated reasoning policies help verify agent responses against deterministic business or safety rules. Source check BR-24: No Bedrock guardrails configured in this region
-
Configure automated reasoning policies on guardrails where formal response validation is required.
-
+
SM-17
+
+
SageMaker Processing Job Encryption Check
+
+ Details and remediation
+
+
Details
No processing jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-03
-
Agentic AI Sensitive Information Protection
-
Agentic AI security domain: Memory & Data Privacy. Agents can receive and produce sensitive data across conversations, tool calls, and retrieved context. Source check BR-26: No Bedrock guardrails configured in this region
-
Configure guardrail sensitive-information filters for PII entities and custom sensitive-data patterns.
-
+
SM-18
+
+
SageMaker Transform Job Encryption Check
+
+ Details and remediation
+
+
Details
No transform jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-05
-
Agentic AI Grounding Controls
-
Agentic AI security domain: Prompt & Input Protection. Grounding checks reduce the chance that an agent acts on hallucinated or irrelevant context. Source check BR-27: No Bedrock guardrails configured in this region
-
Enable contextual grounding checks on guardrails for RAG and tool-using agent workflows.
Agentic AI security domain: Guardrail Enforcement. Bedrock agents should have guardrails associated so autonomous interactions are filtered consistently. Source check BR-28: No Bedrock agents configured in this region
-
Associate an approved Bedrock guardrail with each Bedrock agent and prepare the agent after updating.
-
+
SM-20
+
+
SageMaker Compilation Job Encryption Check
+
+ Details and remediation
+
+
Details
No compilation jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-13
-
Agentic AI Session Boundary
-
Agentic AI security domain: Bounded Autonomy. Long-lived idle sessions widen the window for session reuse and unintended continuation of agent context. Source check BR-29: No Bedrock agents configured in this region
-
Set a conservative idleSessionTTLInSeconds value for agents based on application session requirements.
-
+
SM-21
+
+
SageMaker AutoML Job Network Isolation Check
+
+ Details and remediation
+
+
Details
No AutoML jobs found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
us-west-2
-
AG-14
-
Agentic AI Operational Abuse Alarms
-
Agentic AI security domain: Abuse & Cost Protection. CloudWatch alarms help detect anomalous invocation errors, throttling, or volume caused by autonomous workflows. Source check BR-32: No regional Bedrock resources found to monitor with CloudWatch alarms
-
Configure CloudWatch alarms for Bedrock invocation errors, throttles, latency, and token or request volume where metrics are available.
-
+
SM-22
+
+
Model Approval Workflow Check
+
+ Details and remediation
+
+
Details
No model package groups found. Model Registry is not being used for model governance.
+
Resolution
Implement Model Registry to track model versions and enforce approval workflows before production deployment.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
us-west-2
+
SM-23
+
+
Model Drift Detection Check
+
+ Details and remediation
+
+
Details
No InService endpoints found to monitor.
+
Resolution
No action required
+
Reference
+
+
+
+
Medium
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-24
+
+
A/B Testing and Shadow Deployment Check
+
+ Details and remediation
+
+
Details
No InService endpoints found.
+
Resolution
No action required
+
Reference
+
+
+
+
Low
+
Passed
+
+
+
123456789012
+
us-west-2
+
SM-25
+
+
ML Lineage Tracking - Experiments Not Used
+
+ Details and remediation
+
+
Details
No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.
+
Resolution
Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
eu-west-1
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
eu-west-1
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
eu-west-1
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
eu-west-1
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
eu-west-1
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
eu-west-1
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
eu-west-1
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
ap-south-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
eu-west-1
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -9990,10 +4310,17 @@
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10001,10 +4328,17 @@
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10012,10 +4346,17 @@
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10023,10 +4364,17 @@
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10034,10 +4382,17 @@
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
@@ -10045,10 +4400,17 @@
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
@@ -10056,10 +4418,17 @@
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
@@ -10067,10 +4436,17 @@
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
@@ -10078,10 +4454,17 @@
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
@@ -10089,10 +4472,17 @@
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
@@ -10100,131 +4490,251 @@
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-24
-
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
Global
+
AC-02
+
+
AgentCore IAM Full Access Check
+
+ Details and remediation
+
+
Details
No roles with overly permissive AgentCore access found
+
Resolution
No action required
+
Reference
+
+
+
+
High
+
Passed
+
+
+
123456789012
+
Global
+
AC-03
+
+
AgentCore Unused Permissions
+
+ Details and remediation
+
+
Details
The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Review and remove unused AgentCore permissions following least privilege principle
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-25
-
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
Global
+
AC-09
+
+
AgentCore Service-Linked Role Missing
+
+ Details and remediation
+
+
Details
Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.
+
Resolution
The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.
+
Reference
+
+
+
+
Medium
+
Failed
+
+
+
123456789012
+
us-east-1
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-26
-
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
us-east-1
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-27
-
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
us-east-1
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-15
-
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
us-east-1
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-18
-
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
us-east-1
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-19
-
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
us-east-1
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-20
-
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
us-east-1
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-21
-
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
us-east-1
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-22
-
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
us-east-1
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
-
+
123456789012
-
sa-east-1
-
AG-23
-
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
us-east-1
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10232,10 +4742,17 @@
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10243,10 +4760,17 @@
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10254,10 +4778,17 @@
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10265,10 +4796,17 @@
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10276,10 +4814,17 @@
Agentic AI AgentCore Least Privilege
-
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
-
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
-
+
+
Agentic AI AgentCore Least Privilege
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Over-permissive AgentCore principals can let agents or operators bypass intended autonomy and tool boundaries. Source check AC-02: No roles with overly permissive AgentCore access found
+
Resolution
Replace full-access AgentCore permissions with least-privilege IAM policies scoped to required resources and actions.
+
Reference
+
+
+
High
Passed
@@ -10287,10 +4832,17 @@
Agentic AI Stale AgentCore Access
-
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
-
Remove or restrict stale AgentCore permissions for principals that no longer need access.
-
+
+
Agentic AI Stale AgentCore Access
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Unused AgentCore permissions increase the blast radius of compromised principals. Source check AC-03: The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'CloudSeerTrustedServiceRole'
+
Resolution
Remove or restrict stale AgentCore permissions for principals that no longer need access.
+
Reference
+
+
+
Informational
N/A
@@ -10298,10 +4850,17 @@
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
@@ -10309,10 +4868,17 @@
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
@@ -10320,10 +4886,17 @@
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
@@ -10331,10 +4904,17 @@
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
@@ -10342,10 +4922,17 @@
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
@@ -10353,10 +4940,17 @@
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
@@ -10364,10 +4958,197 @@
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-01
+
+
AgentCore VPC Configuration Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-04
+
+
AgentCore Observability Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-05
+
+
AgentCore Encryption Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-06
+
+
AgentCore Browser Tool Recording Check
+
+ Details and remediation
+
+
Details
No AgentCore Runtimes found to check browser tool configuration
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-07
+
+
AgentCore Memory Configuration Check
+
+ Details and remediation
+
+
Details
No Memory resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-13
+
+
AgentCore Gateway Configuration Check
+
+ Details and remediation
+
+
Details
No Gateway resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-08
+
+
AgentCore VPC Endpoints Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-10
+
+
AgentCore Resource-Based Policies Check
+
+ Details and remediation
+
+
Details
No AgentCore resources found to check for resource-based policies
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-11
+
+
AgentCore Policy Engine Encryption Check
+
+ Details and remediation
+
+
Details
No Policy Engines found
+
Resolution
No action required
+
Reference
+
+
+
+
Informational
+
N/A
+
+
+
123456789012
+
us-west-2
+
AC-12
+
+
AgentCore Gateway Encryption Check
+
+ Details and remediation
+
+
Details
No Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10375,10 +5156,17 @@
Agentic AI Gateway Inbound Authorization
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Inbound Authorization
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10386,10 +5174,17 @@
Agentic AI Gateway Tool Policy Enforcement
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Tool Policy Enforcement
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10397,10 +5192,17 @@
Agentic AI Gateway Error Detail Exposure
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway Error Detail Exposure
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10408,10 +5210,17 @@
Agentic AI Gateway WAF Protection
-
No AgentCore Gateways found
-
No action required
-
+
+
Agentic AI Gateway WAF Protection
+
+ Details and remediation
+
+
Details
No AgentCore Gateways found
+
Resolution
No action required
+
Reference
+
+
+
Informational
N/A
@@ -10419,10 +5228,17 @@
Agentic AI Runtime Network Boundary
-
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
-
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
-
+
+
Agentic AI Runtime Network Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Agent runtimes should execute inside explicit network boundaries to reduce unintended external reachability. Source check AC-01: No AgentCore resources found
+
Resolution
Configure AgentCore runtimes with appropriate VPC settings and restrict network paths to required services.
+
Reference
+
+
+
Informational
N/A
@@ -10430,10 +5246,17 @@
Agentic AI AgentCore Observability
-
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
-
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
-
+
+
Agentic AI AgentCore Observability
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Auditability & Observability. AgentCore observability provides the telemetry needed to investigate runtime, tool, memory, and gateway behavior. Source check AC-04: No AgentCore resources found
+
Resolution
Enable CloudWatch Logs, tracing, and AgentCore observability for runtime and gateway resources where supported.
+
Reference
+
+
+
Informational
N/A
@@ -10441,10 +5264,17 @@
Agentic AI Memory Data Protection
-
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
-
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
-
+
+
Agentic AI Memory Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Memory & Data Privacy. Agent memory can contain sensitive user or business context and should use customer-controlled encryption where required. Source check AC-07: No Memory resources found
+
Resolution
Configure AgentCore memory resources with customer-managed KMS keys and review memory access permissions.
+
Reference
+
+
+
Informational
N/A
@@ -10452,10 +5282,17 @@
Agentic AI Private AgentCore Connectivity
-
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
-
Create required VPC endpoints for AgentCore services and validate endpoint availability.
-
+
+
Agentic AI Private AgentCore Connectivity
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Bounded Autonomy. Private service connectivity reduces exposure for agents that access AgentCore control or runtime services. Source check AC-08: No AgentCore resources found
+
Resolution
Create required VPC endpoints for AgentCore services and validate endpoint availability.
+
Reference
+
+
+
Informational
N/A
@@ -10463,10 +5300,17 @@
Agentic AI Resource Policy Boundary
-
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
-
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
-
+
+
Agentic AI Resource Policy Boundary
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Agent Identity & Access. Resource-based policies add a second authorization boundary for AgentCore runtimes and gateways. Source check AC-10: No AgentCore resources found to check for resource-based policies
+
Resolution
Attach resource-based policies to AgentCore resources to constrain principals, accounts, and network sources.
+
Reference
+
+
+
Informational
N/A
@@ -10474,10 +5318,17 @@
Agentic AI Policy Engine Data Protection
-
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
-
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Policy Engine Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Policy engines contain authorization logic for tool calls and should be protected with appropriate encryption controls. Source check AC-11: No Policy Engines found
+
Resolution
Configure policy engines with customer-managed KMS keys where enhanced key control is required.
+
Reference
+
+
+
Informational
N/A
@@ -10485,21 +5336,35 @@
Agentic AI Gateway Data Protection
-
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
-
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
-
+
+
Agentic AI Gateway Data Protection
+
+ Details and remediation
+
+
Details
Agentic AI security domain: Tool Authorization. Gateway configuration can include tool schemas, target definitions, and integration metadata. Source check AC-12: No Gateways found
+
Resolution
Configure AgentCore gateways with customer-managed KMS keys where enhanced key control is required.
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
@@ -10507,10 +5372,17 @@
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in us-west-2; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
@@ -10518,39 +5390,97 @@
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
ap-south-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in ap-south-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
-
Informational
-
N/A
-
-
-
123456789012
-
sa-east-1
-
FS-00
-
FinServ Regional Scope Not Applicable
-
No regional Bedrock, AgentCore, or SageMaker resources were found in sa-east-1; FinServ GenAI risk checks were not applied to this region.
-
No action required unless GenAI workloads are expected in this region.
-
+
+
FinServ Regional Scope Not Applicable
+
+ Details and remediation
+
+
Details
No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.
+
Resolution
No action required unless GenAI workloads are expected in this region.
+
Reference
+
+
+
Informational
N/A
-
+
+
+
+
Amazon Bedrock Findings
+
+
+
+
Failed
4
Open findings
+
Passed
1
Controls met
+
N/A
84
Not applicable
+
Total
89
Rows in report
+
+
+
+
+
+
+
+
+
Amazon SageMaker Findings
+
+
+
+
Failed
0
Open findings
+
Passed
13
Controls met
+
N/A
69
Not applicable
+
Total
82
Rows in report
+
+
+
+
+
+
+
+
+
Amazon Bedrock AgentCore Findings
+
+
+
+
Failed
1
Open findings
+
Passed
1
Controls met
+
N/A
31
Not applicable
+
Total
33
Rows in report
+
+
+
+
+
+
+
+
Agentic AI Security Findings
+
Scope: API-provable Agentic AI security controls mapped to the AWS Well-Architected Agentic AI Lens security guidance. Human-in-the-loop governance is referenced in methodology but not scored automatically unless an AWS API can prove the control.