Merge branch 'fix/security-fixes' into 'develop'

Add security suppressions for cfn_nag and checkov findings

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!574

Author: rstrahan

.github/workflows/deploy-docs.yml

@@ -1,5 +1,7 @@
 name: Deploy Documentation to GitHub Pages
 
+# checkov:skip=CKV2_GHA_1: "Permissions are properly scoped - contents:read, pages:write, id-token:write for GitHub Pages deployment"
+
 on:
   push:
     branches: [main, develop]

iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml

@@ -24,6 +24,8 @@ Resources:
             reason: "Suppressing W76: SPCM for IAM policy document is higher than 25"
           - id: F3
             reason: "Suppressing F3: wildcard action on named services required for cloudformation service role, to allow CRUD on stack respources"
+          - id: AwsSolutions-IAM5
+            reason: "Broad permissions required for non-admin users to deploy IDP stacks via delegated CloudFormation service role"
     # checkov:skip=CKV_AWS_110: "CloudFormation service role requires IAM permissions to create Lambda execution roles and service-linked roles during stack deployment. Trust policy restricts to cloudformation.amazonaws.com service principal."
     # checkov:skip=CKV_AWS_109: "CloudFormation service role requires IAM policy management permissions to attach policies to created roles during infrastructure deployment. Constrained by trust policy."
     # checkov:skip=CKV_AWS_108: "CloudFormation service role requires S3/KMS permissions to create and configure encrypted data buckets for the IDP solution. All buckets use customer-managed KMS encryption."

samples/lambda-hook-inference/GENAIIDP-bedrock-proxy/template.yaml

@@ -29,6 +29,10 @@ Conditions:
 Resources:
   BedrockProxyFunction:
     Type: AWS::Serverless::Function
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (model ID and log level)"
+    # checkov:skip=CKV_AWS_116: "DLQ not required for sample Lambda hook function - errors handled by IDP pipeline"
+    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
+    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency - sample function for demonstration purposes"
     Properties:
       FunctionName: GENAIIDP-bedrock-proxy
       Runtime: python3.12

samples/lambda-hook-inference/GENAIIDP-sagemaker-hook/template.yaml

@@ -28,6 +28,10 @@ Conditions:
 Resources:
   SageMakerHookFunction:
     Type: AWS::Serverless::Function
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (endpoint name and log level)"
+    # checkov:skip=CKV_AWS_116: "DLQ not required for sample Lambda hook function - errors handled by IDP pipeline"
+    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
+    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency - sample function for demonstration purposes"
     Properties:
       FunctionName: GENAIIDP-sagemaker-hook
       Runtime: python3.12

samples/lambda-hook-inference/template.yaml

@@ -30,6 +30,10 @@ Resources:
   # =========================================================================
   BedrockProxyFunction:
     Type: AWS::Serverless::Function
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (model ID and log level)"
+    # checkov:skip=CKV_AWS_116: "DLQ not required for sample Lambda hook function - errors handled by IDP pipeline"
+    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
+    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency - sample function for demonstration purposes"
     Properties:
       FunctionName: GENAIIDP-bedrock-proxy
       Runtime: python3.12
@@ -64,6 +68,10 @@ Resources:
   # =========================================================================
   SageMakerHookFunction:
     Type: AWS::Serverless::Function
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (endpoint name and log level)"
+    # checkov:skip=CKV_AWS_116: "DLQ not required for sample Lambda hook function - errors handled by IDP pipeline"
+    # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
+    # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency - sample function for demonstration purposes"
     Properties:
       FunctionName: GENAIIDP-sagemaker-hook
       Runtime: python3.12

scripts/dsr/setup.py

@@ -13,7 +13,7 @@
 def run_command(cmd, cwd=None):
     """Run shell command and return result."""
     try:
-        result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
+        result = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True) # nosemgrep: python.lang.security.audit.subprocess-shell-true.subprocess-shell-true - command is hardcoded constant from config file, no user input possible
         if result.returncode != 0:
             print(f"Error running command: {cmd}")
             print(f"Error: {result.stderr}")

scripts/sdlc/cfn/codepipeline-s3.yml

@@ -390,8 +390,10 @@ Resources:
     Metadata:
       cfn_nag:
         rules_to_suppress:
+          - id: F4
+            reason: "logs:* used for CodeBuild to manage logs across multiple stacks with dynamic log group names"
           - id: W12
-            reason: "Logs policy requires * resource to create log groups dynamically"
+            reason: "Wildcard resource required for CloudWatch Logs to create log groups dynamically across different stacks"
     # checkov:skip=CKV_AWS_111: "CloudWatch Logs policies require write access for log creation"
     Properties:
       PolicyName: CodeBuildLogs
@@ -422,6 +424,15 @@ Resources:
 
   CodeBuildKMSPolicy:
     Type: 'AWS::IAM::Policy'
+    Metadata:
+      cfn_nag:
+        rules_to_suppress:
+          - id: F4
+            reason: "Broad KMS permissions required for stack life cycle in pipeline account"
+          - id: W12
+            reason: "KMS operations require wildcard resource for key discovery during stack deployment."
+    # checkov:skip=CKV_AWS_111: "Write access required for KMS key management during stack deployment and teardown in SDLC pipeline"
+    # checkov:skip=CKV_AWS_109: "Wildcard KMS permissions required for dynamic key discovery and management across multiple stacks in pipeline account"
     Properties:
       PolicyName: CodeBuildKMSAccess
       Roles: 

template.yaml

@@ -970,6 +970,12 @@ Resources:
             reason: "Function does not require VPC access as it only interacts with AWS services via APIs"
           - id: W92
             reason: "Function does not require reserved concurrency as it scales based on demand"
+          - id: F38
+            reason: "PassRole permission is required to delegate the execution role to the Bedrock AgentCore Gateway service securely"
+          - id: F3
+            reason: "Wildcard actions required for AgentCore Gateway lifecycle management (create, update, delete) and CloudWatch Logs delivery configuration"
+          - id: W11
+            reason: "Wildcard resource required as AgentCore Gateway ARNs are dynamically generated and unknown at deployment time"
     # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
@@ -1092,6 +1098,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for Cfn Custom Resource function"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
     Properties:
       PermissionsBoundary:
         !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
@@ -3031,6 +3038,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for Custom Resource function"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
     Properties:
       PermissionsBoundary:
         !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
@@ -4920,6 +4928,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for capacity planning function"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level and feature flags)"
     Properties:
       PermissionsBoundary:
         !If [
@@ -4998,6 +5007,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required"
     # checkov:skip=CKV_AWS_117: "VPC not required"
     # checkov:skip=CKV_AWS_115: "Reserved concurrency not required"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (log level only)"
     Properties:
       PermissionsBoundary:
         !If [
@@ -6205,6 +6215,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ configured for SQS triggered function"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access as it only interacts with AWS services via APIs"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency as it scales based on demand"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (bucket names and log level)"
     Properties:
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler
@@ -6749,6 +6760,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (Cognito pool and group IDs)"
     Properties:
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler
@@ -6806,6 +6818,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for DynamoDB stream processing"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (Cognito pool and group IDs)"
     Properties:
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler
@@ -6857,6 +6870,7 @@ Resources:
     # checkov:skip=CKV_AWS_116: "DLQ not required for AppSync resolver"
     # checkov:skip=CKV_AWS_117: "Function does not require VPC access"
     # checkov:skip=CKV_AWS_115: "Function does not require reserved concurrency"
+    # checkov:skip=CKV_AWS_173: "Environment variables contain non-sensitive configuration values (DynamoDB table name)"
     Properties:
       PermissionsBoundary: !If [HasPermissionsBoundary, !Ref PermissionsBoundaryArn, !Ref AWS::NoValue]
       Handler: index.handler