| 1 | +# SRA Bedrock Organizations Solution |
| 2 | + |
| 3 | +## Table of Contents |
| 4 | +- [Introduction](#introduction) |
| 5 | +- [Deployed Resource Details](#deployed-resource-details) |
| 6 | +- [Implementation Instructions](#implementation-instructions) |
| 7 | +- [References](#references) |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +## Introduction |
| 12 | + |
| 13 | +This solution provides an automated framework for deploying Bedrock organizational controls using AWS CloudFormation. It leverages a Lambda function to configure and deploy AWS Config rules, CloudWatch metrics, and other resources necessary to monitor and enforce governance policies across multiple AWS accounts and regions in an organization. |
| 14 | + |
| 15 | +The architecture follows best practices for security and scalability and is designed for easy extensibility. |
| 16 | + |
| 17 | +--- |
| 18 | + |
| 19 | +## Deployed Resource Details |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +This section provides a detailed explanation of the resources shown in the architecture diagram: |
| 24 | + |
| 25 | +1. **CloudFormation**: Used to define and deploy all the resources in the solution. |
| 26 | +2. **CloudWatch Log Group**: Logs for Lambda functions to monitor execution details. |
| 27 | +3. **SNS Topic (Alarms)**: For publishing CloudWatch alarm notifications. |
| 28 | +4. **SNS Topic (DLQ)**: Dead-letter queue to handle failed Lambda invocations. |
| 29 | +5. **KMS Key**: Used to encrypt resources such as SNS topics and SQS queues. |
| 30 | +6. **CloudWatch Filters**: Monitors specific log events based on configured patterns. |
| 31 | +7. **CloudWatch Alarms**: Triggers notifications based on predefined thresholds. |
| 32 | +8. **CloudWatch Link**: Links metrics across accounts and regions. |
| 33 | +9. **Bedrock Lambda Function**: Core function responsible for deploying resources. |
| 34 | +10. **Audit (Security Tooling) Account**: |
| 35 | + - **CloudWatch Dashboard**: Provides an overview of the security state. |
| 36 | + - **CloudWatch Sink**: Receives metrics and logs from other accounts. |
| 37 | + - **Resource Table**: Maintains metadata for tracking deployed resources. |
| 38 | +11. **Bedrock Regions**: |
| 39 | + - **CloudWatch Filters**: Region-specific event monitoring. |
| 40 | + - **CloudWatch Alarms**: Region-specific alarm configurations. |
| 41 | + - **SNS Topic**: Publishes notifications within a region. |
| 42 | + - **Config Rules**: Enforces compliance policies. |
| 43 | + - **Config Lambdas**: Functions to evaluate and remediate non-compliance. |
| 44 | + - **KMS Key**: Encrypts resources in the region. |
| 45 | + |
| 46 | +--- |
| 47 | + |
| 48 | +## Implementation Instructions |
| 49 | + |
| 50 | +You can deploy this solution using the AWS Management Console or AWS CLI. |
| 51 | + |
| 52 | +### Deploying via AWS Management Console |
| 53 | +1. Open the [CloudFormation Console](https://console.aws.amazon.com/cloudformation). |
| 54 | +2. Create a new stack by uploading the `sra-bedrock-org-main.yaml` template located in the `./templates` directory. |
| 55 | +3. Provide the required parameters such as the email for SNS notifications and other configuration details. |
| 56 | +4. Review and confirm the stack creation. |
| 57 | + |
| 58 | +### Deploying via AWS CLI |
| 59 | +1. Run the following command to deploy the stack: |
| 60 | + |
| 61 | +```bash |
| 62 | +aws cloudformation create-stack \ |
| 63 | + --stack-name BedrockOrg \ |
| 64 | + --template-body file://templates/sra-bedrock-org-main.yaml \ |
| 65 | + --parameters \ |
| 66 | + ParameterKey=pSRARepoZipUrl,ParameterValue=https://github.com/aws-samples/aws-security-reference-architecture-examples/archive/refs/heads/main.zip \ |
| 67 | + ParameterKey=pDryRun,ParameterValue=false \ |
| 68 | + ParameterKey=pSRAExecutionRoleName,ParameterValue=sra-execution-role \ |
| 69 | + ParameterKey=pDeployLambdaLogGroup,ParameterValue=true \ |
| 70 | + ParameterKey=pLogGroupRetention,ParameterValue=30 \ |
| 71 | + ParameterKey=pLambdaLogLevel,ParameterValue=INFO \ |
| 72 | + ParameterKey=pSRASolutionName,ParameterValue=sra-bedrock-org \ |
| 73 | + ParameterKey=pSRASolutionVersion,ParameterValue=1.0.0 \ |
| 74 | + ParameterKey=pSRAAlarmEmail,ParameterValue=alerts@examplecorp.com \ |
| 75 | + ParameterKey=pSRAStagingS3BucketName,ParameterValue=staging-artifacts-bucket \ |
| 76 | + ParameterKey=pBedrockOrgLambdaRoleName,ParameterValue=sra-bedrock-org-lambda-role \ |
| 77 | + ParameterKey=pBedrockAccounts,ParameterValue='["123456789012","234567890123"]' \ |
| 78 | + ParameterKey=pBedrockRegions,ParameterValue='["us-east-1","us-west-2"]' \ |
| 79 | + ParameterKey=pBedrockModelEvalBucketRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"BucketName": "evaluation-bucket"}}' \ |
| 80 | + ParameterKey=pBedrockIAMUserAccessRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {}}' \ |
| 81 | + ParameterKey=pBedrockGuardrailsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"content_filters": "true", "denied_topics": "true", "word_filters": "true", "sensitive_info_filters": "true", "contextual_grounding": "true"}}' \ |
| 82 | + ParameterKey=pBedrockVPCEndpointsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"check_bedrock": "true", "check_bedrock_agent": "true", "check_bedrock_agent_runtime": "true", "check_bedrock_runtime": "true"}}' \ |
| 83 | + ParameterKey=pBedrockInvocationLogCWRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"check_retention": "true", "check_encryption": "true"}}' \ |
| 84 | + ParameterKey=pBedrockInvocationLogS3RuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"check_retention": "true", "check_encryption": "true", "check_access_logging": "true", "check_object_locking": "true", "check_versioning": "true"}}' \ |
| 85 | + ParameterKey=pBedrockCWEndpointsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {}}' \ |
| 86 | + ParameterKey=pBedrockS3EndpointsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {}}' \ |
| 87 | + ParameterKey=pBedrockGuardrailEncryptionRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {}}' \ |
| 88 | + ParameterKey=pBedrockServiceChangesFilterParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "filter_params": {"log_group_name": "aws-controltower/CloudTrailLogs"}}' \ |
| 89 | + ParameterKey=pBedrockBucketChangesFilterParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "filter_params": {"log_group_name": "aws-controltower/CloudTrailLogs", "bucket_names": ["my-bucket-name"]}}' \ |
| 90 | + ParameterKey=pBedrockPromptInjectionFilterParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "filter_params": {"log_group_name": "invocation-log-group", "input_path": "input.inputBodyJson.messages[0].content"}}' \ |
| 91 | + ParameterKey=pBedrockSensitiveInfoFilterParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "filter_params": {"log_group_name": "invocation-log-group", "input_path": "input.inputBodyJson.messages[0].content"}}' \ |
| 92 | + ParameterKey=pBedrockCentralObservabilityParams,ParameterValue='{"deploy": "true", "bedrock_accounts": ["123456789012"], "regions": ["us-east-1"]}' \ |
| 93 | + --capabilities CAPABILITY_NAMED_IAM |
| 94 | +``` |
| 95 | + |
| 96 | +#### Notes: |
| 97 | +- Replace alerts@examplecorp.com, my-staging-bucket, and other parameter values with your specific settings. |
| 98 | +- Ensure the JSON strings (e.g., pBedrockAccounts, pBedrockModelEvalBucketRuleParams) are formatted correctly and match your deployment requirements. |
| 99 | +- This example assumes the CloudFormation template file is saved in the templates directory. Adjust the --template-body path if necessary. |
| 100 | +- Always validate the JSON parameters for correctness to avoid deployment errors. |
| 101 | +- Ensure the --capabilities CAPABILITY_NAMED_IAM flag is included to allow CloudFormation to create the necessary IAM resources. |
| 102 | +- An example test fork URL for `pSRARepoZipUrl` is - `https://github.com/liamschn/aws-security-reference-architecture-examples/archive/refs/heads/sra-genai.zip` |
| 103 | + |
| 104 | + |
| 105 | +2. Monitor the stack creation progress in the AWS CloudFormation Console or via CLI commands. |
| 106 | + |
| 107 | +### Post-Deployment |
| 108 | +Once the stack is deployed, the Bedrock Lambda function (`sra-bedrock-org`) will automatically deploy all the resources and configurations across the accounts and regions specified in the parameters. |
| 109 | + |
| 110 | +--- |
| 111 | + |
| 112 | +## References |
| 113 | +- [AWS SRA Generative AI Deep-Dive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/gen-ai-sra.html) |
| 114 | +- [AWS CloudFormation Documentation](https://docs.aws.amazon.com/cloudformation/index.html) |
| 115 | +- [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) |
| 116 | +- [CloudWatch Metrics and Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) |
| 117 | +- [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) |
| 118 | +- [AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) |
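Review bot: the Notes block under the CLI example tells readers to replace `my-staging-bucket`, but the command itself sets `ParameterKey=pSRAStagingS3BucketName,ParameterValue=staging-artifacts-bucket`; pick one placeholder and use it in both places. On the supply-chain side, the default `pSRARepoZipUrl` value `https://github.com/aws-samples/aws-security-reference-architecture-examples/archive/refs/heads/main.zip` is a branch archive, so the code the stack downloads and runs in the `sra-bedrock-org` Lambda can change between deployments with no change to the template; the README should state that production deployments pin this parameter to a release tag or commit archive, and with that guidance in place the personal test fork URL in the last Notes bullet (`liamschn/...sra-genai.zip`) reads as development residue and should be dropped or clearly marked as test-only before merge. Smaller points: the sentence "the resources shown in the architecture diagram" has no image reference above it (the two lines before it are blank), so either the diagram embed is missing or the wording should go; and several list items pair a plural subject with a singular verb ("CloudWatch Filters: Monitors", "CloudWatch Alarms: Triggers", "Config Rules: Enforces").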