
feat: Add Bedrock security rules

Open sebastianplesciuc opened this issue 4 weeks ago • 0 comments

Description

Add security rules for AWS Bedrock resources (Agents, Knowledge Bases, Guardrails). Bedrock is used more and more in production, but cdk-nag currently has no coverage. Other tools like Checkov already implement Bedrock checks (CKV_AWS_373, CKV_AWS_383).

Use Case

Organizations using Bedrock should enforce security best practices for:

  • Encryption at rest with customer-managed KMS keys (compliance requirement for HIPAA, PCI-DSS, NIST)
  • Model invocation logging for audit trails
  • Guardrails to prevent harmful AI outputs

Proposed Solution

Add rules following existing cdk-nag patterns, for example:

  • BedrockAgentKMSKeyConfigured - Check AWS::Bedrock::Agent uses CMK (like SageMakerEndpointConfigurationKMSKeyConfigured)
  • BedrockKnowledgeBaseKMSKeyConfigured - Check AWS::Bedrock::KnowledgeBase uses CMK (like DynamoDB/RDS encryption rules)
  • BedrockGuardrailConfigured - Check agents have guardrails attached (Checkov CKV_AWS_383 equivalent)
  • BedrockModelInvocationLoggingEnabled - Check logging enabled (like CloudTrail/API Gateway logging rules)

These align with:

  • Existing cdk-nag patterns (40+ encryption rules, 30+ logging rules)
  • Compliance frameworks already supported (HIPAA 164.312, PCI-DSS 3.4/10.2, NIST 800-53 SC-28/AU-2)
  • AWS Bedrock security best practices documentation
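As an added illustration (not cdk-nag's own code and not part of the issue), the verdict logic for the proposed BedrockAgentKMSKeyConfigured and BedrockGuardrailConfigured rules, written over the CloudFormation resource shape that cdk-nag rules inspect after synthesis. The AWS::Bedrock::Agent property names CustomerEncryptionKeyArn and GuardrailConfiguration are assumed here, and cdk-nag's CfnResource/NagRuleCompliance plumbing is replaced by plain types so the snippet runs stand-alone.

```typescript
// Minimal stand-in for the synthesized CloudFormation resource a cdk-nag rule sees.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };

// cdk-nag rules return one of three verdicts; modelled here as a string union.
type NagVerdict = 'Compliant' | 'Non-Compliant' | 'N/A';

// BedrockAgentKMSKeyConfigured: the agent must reference a customer-managed key
// via CustomerEncryptionKeyArn (property name assumed). A literal ARN string or
// an intrinsic (Ref / Fn::GetAtt to a KMS key in the same stack) both count as set.
function bedrockAgentKmsKeyConfigured(node: CfnResource): NagVerdict {
  if (node.Type !== 'AWS::Bedrock::Agent') return 'N/A';
  const key = node.Properties?.['CustomerEncryptionKeyArn'];
  if (typeof key === 'string' && key.length > 0) return 'Compliant';
  if (key !== null && typeof key === 'object') return 'Compliant'; // intrinsic
  return 'Non-Compliant'; // absent: falls back to the AWS-managed key
}

// BedrockGuardrailConfigured: the agent must have a guardrail attached, i.e. a
// GuardrailConfiguration carrying both GuardrailIdentifier and GuardrailVersion
// (property names assumed). Either half missing means nothing is enforced.
function bedrockGuardrailConfigured(node: CfnResource): NagVerdict {
  if (node.Type !== 'AWS::Bedrock::Agent') return 'N/A';
  const gc = node.Properties?.['GuardrailConfiguration'] as
    | Record<string, unknown>
    | undefined;
  if (!gc) return 'Non-Compliant';
  const isSet = (v: unknown): boolean => v !== undefined && v !== null && v !== '';
  return isSet(gc['GuardrailIdentifier']) && isSet(gc['GuardrailVersion'])
    ? 'Compliant'
    : 'Non-Compliant';
}

// Constructed sample resources: a default agent and a hardened one.
const AGENT_DEFAULT: CfnResource = {
  Type: 'AWS::Bedrock::Agent',
  Properties: { AgentName: 'support-bot' },
};
const AGENT_HARDENED: CfnResource = {
  Type: 'AWS::Bedrock::Agent',
  Properties: {
    AgentName: 'support-bot',
    CustomerEncryptionKeyArn: { 'Fn::GetAtt': ['AgentKey', 'Arn'] },
    GuardrailConfiguration: { GuardrailIdentifier: { Ref: 'Guardrail' }, GuardrailVersion: 'DRAFT' },
  },
};
```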

Other information

No response

Acknowledge

  • [x] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

sebastianplesciuc, Nov 27 '25 11:11