Bedrock checks should validate model usage for each region #5674

Open
agasthik opened this issue Nov 7, 2024 · 2 comments
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/low Bug won't result in any noticeable breakdown of the execution.

Comments

agasthik commented Nov 7, 2024

Steps to Reproduce

Execute Prowler scan using standard installation steps.
Version 4.5.0

Expected behavior

Ensure that the checks for bedrock_model_invocation_logging_enabled for Amazon Bedrock validate whether model access has been requested in an AWS region before flagging the status of the check. Today the scans are reporting failures even from regions where model access has not been activated in the account(s). Typically, customers have to request “Model Access” in each region separately from the Bedrock Configurations page (or CLI, etc.). If a region does not have model access requested, then the model invocation logging check for that particular region wouldn’t be possible either. The current scan checks are delivering false positives in the regions where models have not been activated.

Actual Result with Screenshots or Logs

image

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Codebuild

OS used

Amazon Linux 2023

Prowler version

4.5.0

Pip version

24.0

Context

Amazon Bedrock check refinement

@agasthik agasthik added bug status/needs-triage Issue pending triage labels Nov 7, 2024
agasthik commented Nov 7, 2024

Please validate similarly for other checks:

  • cloudtrail_threat_detection_llm_jacking
  • bedrock_agent_guardrail_enabled
  • bedrock_guardrail_prompt_attack_filter_enabled
  • bedrock_guardrail_sensitive_information_filter_enabled

MrCloudSec (Member) commented

Thank you @agasthik for the heads up!
However, there is no API Call in boto3 to list the accessible models in Bedrock for each region. I created the following issue to request the support of ListFoundationModelAgreementOffers to get this information: boto/boto3#4336

@MrCloudSec MrCloudSec self-assigned this Nov 7, 2024
@MrCloudSec MrCloudSec added severity/low Bug won't result in any noticeable breakdown of the execution. provider/aws Issues/PRs related with the AWS provider and removed status/needs-triage Issue pending triage labels Nov 7, 2024
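
A region-aware triage pass over scan findings, as an added example that is not part of the issue thread or Prowler's code. Because the thread states that no boto3 call lists accessible models per region, the set of regions with model access is supplied by the operator (an assumption), and the finding keys `check_id`, `status` and `region`, the check name `example_non_bedrock_check` and the sample records are constructed for illustration.

```python
from collections import Counter

# Check IDs named in the issue thread.
BEDROCK_CHECKS = {
    "bedrock_model_invocation_logging_enabled",
    "cloudtrail_threat_detection_llm_jacking",
    "bedrock_agent_guardrail_enabled",
    "bedrock_guardrail_prompt_attack_filter_enabled",
    "bedrock_guardrail_sensitive_information_filter_enabled",
}

# Assumption: maintained by hand by the operator; it lists the regions where
# Bedrock model access was requested for the account.
MODEL_ACCESS_REGIONS = {"us-east-1"}

# Constructed sample findings. The key names are assumed for this example and
# are not a Prowler output schema.
SAMPLE = [
    {"check_id": "bedrock_model_invocation_logging_enabled", "status": "FAIL", "region": "us-east-1"},
    {"check_id": "bedrock_model_invocation_logging_enabled", "status": "FAIL", "region": "eu-west-1"},
    {"check_id": "bedrock_agent_guardrail_enabled", "status": "FAIL", "region": "ap-south-1"},
    {"check_id": "example_non_bedrock_check", "status": "FAIL", "region": "eu-west-1"},
    {"check_id": "bedrock_model_invocation_logging_enabled", "status": "PASS", "region": "eu-west-1"},
]


def triage(findings, model_access_regions):
    """Split findings into (actionable, not_applicable).

    A FAIL for a Bedrock check in a region without model access is moved to
    not_applicable. It is kept for review, not discarded. PASS results and
    non-Bedrock checks are never touched.
    """
    actionable, not_applicable = [], []
    for finding in findings:
        out_of_scope = (
            finding["check_id"] in BEDROCK_CHECKS
            and finding["status"] == "FAIL"
            and finding["region"] not in model_access_regions
        )
        (not_applicable if out_of_scope else actionable).append(finding)
    return actionable, not_applicable


def suppressed_by_region(not_applicable):
    """Count re-classified findings per region so the suppression is auditable."""
    return Counter(f["region"] for f in not_applicable)


if __name__ == "__main__":
    kept, skipped = triage(SAMPLE, MODEL_ACCESS_REGIONS)
    print(len(kept), "actionable;", dict(suppressed_by_region(skipped)), "not applicable")
```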