
Commit cd08a5e

author
Bob Strahan
committed
Add copyright headers and configure log retention for CloudWatch logs
1 parent 2e920b4 commit cd08a5e

188 files changed

+1640723
-0
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
{"check_type": "cloudformation", "results": {"failed_checks": [{"check_id": "CKV_AWS_116", "bc_check_id": "BC_AWS_GENERAL_64", "check_name": "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)", "check_result": {"result": "FAILED", "evaluated_keys": ["Properties/DeadLetterQueue/TargetArn"]}, "code_block": [[82, " BDAProjectLambda:\n"], [83, " Type: AWS::Serverless::Function\n"], [84, " Metadata:\n"], [85, " SamResourceId: BDAProjectLambda\n"], [86, " cfn_nag:\n"], [87, " rules_to_suppress:\n"], [88, " - id: W89\n"], [89, " reason: This Lambda function does not require VPC access as it only interacts\n"], [90, " with AWS services via AWS APIs\n"], [91, " - id: W92\n"], [92, " reason: Function does not require concurrent execution limits as it is designed\n"], [93, " to scale based on demand\n"], [94, " Properties:\n"], [95, " CodeUri: s3://bobs-artifacts-us-west-2/idp-dev-private/0.3.12-wip/91ebd3e583d7bd86a029e827e40034b2\n"], [96, " Handler: index.handler\n"], [97, " Role:\n"], [98, " Fn::GetAtt:\n"], [99, " - LambdaExecutionRole\n"], [100, " - Arn\n"], [101, " Runtime: python3.12\n"], [102, " Timeout: 300\n"], [103, " MemorySize: 256\n"], [104, " Environment:\n"], [105, " Variables:\n"], [106, " LOG_LEVEL:\n"], [107, " Ref: LogLevel\n"]], "file_path": "/template.yaml", "file_abs_path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "repo_file_path": "/template.yaml", "file_line_range": [82, 107], "resource": "AWS::Serverless::Function.BDAProjectLambda", "evaluations": {}, "check_class": "checkov.cloudformation.checks.resource.aws.LambdaDLQConfigured", "fixed_definition": null, "entity_tags": null, "caller_file_path": null, "caller_file_line_range": null, "resource_address": null, "severity": null, "bc_category": null, "benchmarks": null, "description": null, "short_description": null, "vulnerability_details": null, "connected_node": null, "guideline": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq", "details": [], "check_len": null, "definition_context_file_path": null, "breadcrumbs": {"Environment.Variables.LOG_LEVEL": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}], "Environment.Variables": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}]}}, {"check_id": "CKV_AWS_173", "bc_check_id": "BC_AWS_SERVERLESS_5", "check_name": "Check encryption settings for Lambda environment variable", "check_result": {"result": "FAILED", "evaluated_keys": ["Properties/KmsKeyArn"]}, "code_block": [[82, " BDAProjectLambda:\n"], [83, " Type: AWS::Serverless::Function\n"], [84, " Metadata:\n"], [85, " SamResourceId: BDAProjectLambda\n"], [86, " cfn_nag:\n"], [87, " rules_to_suppress:\n"], [88, " - id: W89\n"], [89, " reason: This Lambda function does not require VPC access as it only interacts\n"], [90, " with AWS services via AWS APIs\n"], [91, " - id: W92\n"], [92, " reason: Function does not require concurrent execution limits as it is designed\n"], [93, " to scale based on demand\n"], [94, " Properties:\n"], [95, " CodeUri: s3://bobs-artifacts-us-west-2/idp-dev-private/0.3.12-wip/91ebd3e583d7bd86a029e827e40034b2\n"], [96, " Handler: index.handler\n"], [97, " Role:\n"], [98, " Fn::GetAtt:\n"], [99, " - LambdaExecutionRole\n"], [100, " - Arn\n"], [101, " Runtime: python3.12\n"], [102, " Timeout: 300\n"], [103, " MemorySize: 256\n"], [104, " Environment:\n"], [105, " Variables:\n"], [106, " LOG_LEVEL:\n"], [107, " Ref: LogLevel\n"]], "file_path": "/template.yaml", "file_abs_path": 
"/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "repo_file_path": "/template.yaml", "file_line_range": [82, 107], "resource": "AWS::Serverless::Function.BDAProjectLambda", "evaluations": {}, "check_class": "checkov.cloudformation.checks.resource.aws.LambdaEnvironmentEncryptionSettings", "fixed_definition": null, "entity_tags": null, "caller_file_path": null, "caller_file_line_range": null, "resource_address": null, "severity": null, "bc_category": null, "benchmarks": null, "description": null, "short_description": null, "vulnerability_details": null, "connected_node": null, "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5", "details": [], "check_len": null, "definition_context_file_path": null, "breadcrumbs": {"Environment.Variables.LOG_LEVEL": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}], "Environment.Variables": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}]}}, {"check_id": "CKV_AWS_115", "bc_check_id": "BC_AWS_GENERAL_63", "check_name": "Ensure that AWS Lambda function is configured for function-level concurrent execution limit", "check_result": {"result": "FAILED", "evaluated_keys": ["Properties/ReservedConcurrentExecutions"]}, "code_block": [[82, " BDAProjectLambda:\n"], [83, " Type: AWS::Serverless::Function\n"], [84, " Metadata:\n"], [85, " SamResourceId: BDAProjectLambda\n"], [86, " cfn_nag:\n"], [87, " rules_to_suppress:\n"], [88, " - id: W89\n"], [89, " reason: This Lambda function does not require VPC access as it only interacts\n"], [90, " with AWS services via AWS APIs\n"], [91, " - id: W92\n"], [92, " reason: Function does not require concurrent 
execution limits as it is designed\n"], [93, " to scale based on demand\n"], [94, " Properties:\n"], [95, " CodeUri: s3://bobs-artifacts-us-west-2/idp-dev-private/0.3.12-wip/91ebd3e583d7bd86a029e827e40034b2\n"], [96, " Handler: index.handler\n"], [97, " Role:\n"], [98, " Fn::GetAtt:\n"], [99, " - LambdaExecutionRole\n"], [100, " - Arn\n"], [101, " Runtime: python3.12\n"], [102, " Timeout: 300\n"], [103, " MemorySize: 256\n"], [104, " Environment:\n"], [105, " Variables:\n"], [106, " LOG_LEVEL:\n"], [107, " Ref: LogLevel\n"]], "file_path": "/template.yaml", "file_abs_path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "repo_file_path": "/template.yaml", "file_line_range": [82, 107], "resource": "AWS::Serverless::Function.BDAProjectLambda", "evaluations": {}, "check_class": "checkov.cloudformation.checks.resource.aws.LambdaFunctionLevelConcurrentExecutionLimit", "fixed_definition": null, "entity_tags": null, "caller_file_path": null, "caller_file_line_range": null, "resource_address": null, "severity": null, "bc_category": null, "benchmarks": null, "description": null, "short_description": null, "vulnerability_details": null, "connected_node": null, "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit", "details": [], "check_len": null, "definition_context_file_path": null, "breadcrumbs": {"Environment.Variables.LOG_LEVEL": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}], "Environment.Variables": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}]}}, {"check_id": "CKV_AWS_117", "bc_check_id": 
"BC_AWS_GENERAL_65", "check_name": "Ensure that AWS Lambda function is configured inside a VPC", "check_result": {"result": "FAILED", "evaluated_keys": ["Properties/VpcConfig"]}, "code_block": [[82, " BDAProjectLambda:\n"], [83, " Type: AWS::Serverless::Function\n"], [84, " Metadata:\n"], [85, " SamResourceId: BDAProjectLambda\n"], [86, " cfn_nag:\n"], [87, " rules_to_suppress:\n"], [88, " - id: W89\n"], [89, " reason: This Lambda function does not require VPC access as it only interacts\n"], [90, " with AWS services via AWS APIs\n"], [91, " - id: W92\n"], [92, " reason: Function does not require concurrent execution limits as it is designed\n"], [93, " to scale based on demand\n"], [94, " Properties:\n"], [95, " CodeUri: s3://bobs-artifacts-us-west-2/idp-dev-private/0.3.12-wip/91ebd3e583d7bd86a029e827e40034b2\n"], [96, " Handler: index.handler\n"], [97, " Role:\n"], [98, " Fn::GetAtt:\n"], [99, " - LambdaExecutionRole\n"], [100, " - Arn\n"], [101, " Runtime: python3.12\n"], [102, " Timeout: 300\n"], [103, " MemorySize: 256\n"], [104, " Environment:\n"], [105, " Variables:\n"], [106, " LOG_LEVEL:\n"], [107, " Ref: LogLevel\n"]], "file_path": "/template.yaml", "file_abs_path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "repo_file_path": "/template.yaml", "file_line_range": [82, 107], "resource": "AWS::Serverless::Function.BDAProjectLambda", "evaluations": {}, "check_class": "checkov.cloudformation.checks.resource.aws.LambdaInVPC", "fixed_definition": null, "entity_tags": null, "caller_file_path": null, "caller_file_line_range": null, "resource_address": null, "severity": null, "bc_category": null, "benchmarks": null, "description": null, "short_description": null, "vulnerability_details": null, "connected_node": null, "guideline": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1", "details": [], 
"check_len": null, "definition_context_file_path": null, "breadcrumbs": {"Environment.Variables.LOG_LEVEL": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}], "Environment.Variables": [{"type": "parameters", "name": "LogLevel", "path": "/home/ec2-user/projects/genaiic-idp-accelerator-2/.aws-sam/build/BDASAMPLEPROJECT/template.yaml", "attribute_key": "Default"}]}}]}, "summary": {"passed": 11, "failed": 4, "skipped": 0, "parsing_errors": 0, "resource_count": 3, "checkov_version": "3.2.461"}}
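Review bot: The scanned template's `file_abs_path` sits under `.aws-sam/build/BDASAMPLEPROJECT/` and the captured `code_block` carries `CodeUri: s3://bobs-artifacts-us-west-2/idp-dev-private/0.3.12-wip/...`, so this file looks like a local build artifact's scanner output rather than source. Committing it records a developer home directory and a private artifact bucket name in history, and nothing in it relates to the commit title (copyright headers, log retention); the two findings files later in this commit appear to come from the same build tree. If the intent is to track scan results, regenerate them against the source template and add `.aws-sam/` to `.gitignore`; otherwise these files should be dropped from the commit.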
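--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -0,0 +1,54 @@
+[
+{
+"source": "Checkov",
+"path": "/template.yaml",
+"line": 82,
+"issue": "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)",
+"check_id": "CKV_AWS_116",
+"priority": "High",
+"references": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq",
+"status": "Open",
+"stack": ".aws-sam-build-BDASAMPLEPROJECT-template",
+"resourceType": "Serverless Function",
+"resourceName": "BDAProjectLambda"
+},
+{
+"source": "Checkov",
+"path": "/template.yaml",
+"line": 82,
+"issue": "Check encryption settings for Lambda environment variable",
+"check_id": "CKV_AWS_173",
+"priority": "High",
+"references": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5",
+"status": "Open",
+"stack": ".aws-sam-build-BDASAMPLEPROJECT-template",
+"resourceType": "Serverless Function",
+"resourceName": "BDAProjectLambda"
+},
+{
+"source": "Checkov",
+"path": "/template.yaml",
+"line": 82,
+"issue": "Ensure that AWS Lambda function is configured for function-level concurrent execution limit",
+"check_id": "CKV_AWS_115",
+"priority": "High",
+"references": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit",
+"status": "Open",
+"stack": ".aws-sam-build-BDASAMPLEPROJECT-template",
+"resourceType": "Serverless Function",
+"resourceName": "BDAProjectLambda"
+},
+{
+"source": "Checkov",
+"path": "/template.yaml",
+"line": 82,
+"issue": "Ensure that AWS Lambda function is configured inside a VPC",
+"check_id": "CKV_AWS_117",
+"priority": "High",
+"references": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1",
+"status": "Open",
+"stack": ".aws-sam-build-BDASAMPLEPROJECT-template",
+"resourceType": "Serverless Function",
+"resourceName": "BDAProjectLambda"
+}
+]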
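Review bot: All four entries here carry `"priority": "High"`, while the same three Lambda issues (DLQ, concurrency limit, VPC) are recorded as `"Medium"` in the security-matrix findings file later in this commit, so the two files already disagree on severity for the same resource. Either derive priority from one source or document why Checkov-sourced entries are rated differently. The `stack` value also differs in form (`.aws-sam-build-BDASAMPLEPROJECT-template` here versus a human-readable stack title there), which makes correlating the two lists on stack unreliable.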
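--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -0,0 +1,21 @@
+```mermaid
+flowchart TD
+User([User])
+CFN([CloudFormation])
+BDALambda([BDAProjectLambda])
+BDAProject([BDAProject])
+Bedrock([Amazon Bedrock])
+Blueprints[(Blueprints)]
+
+User -->|Deploy Template| CFN
+CFN -->|Create Custom Resource| BDALambda
+BDALambda -->|Create Project| Bedrock
+BDALambda -->|Add Blueprints| Bedrock
+Bedrock -->|Create Data Automation Project| BDAProject
+Bedrock -->|Associate| Blueprints
+BDAProject -->|Process Documents| Blueprints
+Blueprints -->|Extract Data| BDAProject
+BDALambda -->|Return Project ARN| CFN
+BDALambda -->|Return Blueprint ARNs| CFN
+CFN -->|Outputs| User
+```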
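--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -0,0 +1,47 @@
+[
+{
+"source": "security-matrix",
+"stack": "AWS GenAI IDP Accelerator - Sample BDA lending package project",
+"resourceType": "IAM Policy",
+"resourceName": "BedrockDataAutomationAccess",
+"issue": "IAM policy uses wildcard resource ('*') which violates principle of least privilege",
+"priority": "High",
+"status": "Open"
+},
+{
+"source": "security-matrix",
+"stack": "AWS GenAI IDP Accelerator - Sample BDA lending package project",
+"resourceType": "Lambda Function",
+"resourceName": "BDAProjectLambda",
+"issue": "Lambda function not configured with VPC access, exposing it to potential network-based attacks",
+"priority": "Medium",
+"status": "Open"
+},
+{
+"source": "security-matrix",
+"stack": "AWS GenAI IDP Accelerator - Sample BDA lending package project",
+"resourceType": "Lambda Function",
+"resourceName": "BDAProjectLambda",
+"issue": "Lambda function has no concurrency limits configured, potentially allowing resource exhaustion",
+"priority": "Medium",
+"status": "Open"
+},
+{
+"source": "security-matrix",
+"stack": "AWS GenAI IDP Accelerator - Sample BDA lending package project",
+"resourceType": "Lambda Function",
+"resourceName": "BDAProjectLambda",
+"issue": "X-Ray tracing not enabled for Lambda function",
+"priority": "High",
+"status": "Open"
+},
+{
+"source": "security-matrix",
+"stack": "AWS GenAI IDP Accelerator - Sample BDA lending package project",
+"resourceType": "Lambda Function",
+"resourceName": "BDAProjectLambda",
+"issue": "Dead letter queue not configured for Lambda function",
+"priority": "Medium",
+"status": "Open"
+}
+]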
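Review bot: The VPC entry's text, `Lambda function not configured with VPC access, exposing it to potential network-based attacks`, contradicts the template's own cfn_nag W89 suppression recorded in the Checkov results earlier in this commit (the function only calls AWS APIs, and a Lambda function without VpcConfig has no inbound network surface of its own). Either the finding should say what the suppression gets wrong, or its `status` should reflect the accepted risk instead of `Open`, so the two records do not point reviewers in opposite directions. The same applies to the concurrency entry, which W92 suppresses on the same template. The wildcard-resource IAM finding is the only entry here that names a concrete policy defect and is worth tracking as written.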
