fix ast error; fix deployment to multi-region bug

Author: cyphronix

aws_sra_examples/solutions/genai/bedrock_org/README.md

@@ -85,7 +85,7 @@ aws cloudformation create-stack \
         ParameterKey=pBedrockOrgLambdaRoleName,ParameterValue=sra-bedrock-org-lambda-role \
         ParameterKey=pBedrockAccounts,ParameterValue='["123456789012","234567890123"]' \
         ParameterKey=pBedrockRegions,ParameterValue='["us-east-1","us-west-2"]' \
-        ParameterKey=pBedrockModelEvalBucketRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"BucketName": "evaluation-bucket"}}' \
+        ParameterKey=pBedrockModelEvalBucketRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"BucketNamePrefix": "evaluation-bucket","CheckRetention": "true", "CheckEncryption": "true", "CheckLogging": "true", "CheckObjectLocking": "true", "CheckVersioning": "true"}}' \
         ParameterKey=pBedrockIAMUserAccessRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {}}' \
         ParameterKey=pBedrockGuardrailsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"content_filters": "true", "denied_topics": "true", "word_filters": "true", "sensitive_info_filters": "true", "contextual_grounding": "true"}}' \
         ParameterKey=pBedrockVPCEndpointsRuleParams,ParameterValue='{"deploy": "true", "accounts": ["123456789012"], "regions": ["us-east-1"], "input_params": {"check_bedrock": "true", "check_bedrock_agent": "true", "check_bedrock_agent_runtime": "true", "check_bedrock_runtime": "true"}}' \
@@ -109,6 +109,7 @@ aws cloudformation create-stack \
 - Always validate the JSON parameters for correctness to avoid deployment errors.
 - Ensure the --capabilities CAPABILITY_NAMED_IAM flag is included to allow CloudFormation to create the necessary IAM resources.
 - An example test fork URL for `pSRARepoZipUrl` is - `https://github.com/liamschn/aws-security-reference-architecture-examples/archive/refs/heads/sra-genai.zip`
+- The eval job bucket config rule will append `-<ACCOUNTID>-<REGION>` to the `BucketNamePrefix` parameter provided to get the existing bucket name(s).  Ensure any S3 eval job bucket names to be checked match this naming convention.
 
 
 2. Monitor the stack creation progress in the AWS CloudFormation Console or via CLI commands.
@@ -132,14 +133,20 @@ Once the stack is deployed, the Bedrock Lambda function (`sra-bedrock-org`) will
 This section explains the parameters in the CloudFormation template that require JSON string values. Each parameter's structure and purpose are described in detail to assist in their configuration.
 
 ### `pBedrockModelEvalBucketRuleParams`
-- **Purpose**: Configures a rule to validate a Bedrock Model Evaluation bucket.
+- **Purpose**: Configures a rule to validate a Bedrock Model Evaluation bucket. NOTE: `-<ACCOUNTID>-<REGION>` will be appended to get the existing bucket name(s).  Ensure any S3 eval job bucket names to be checked match this naming convention.
 - **Structure**:
   {
     "deploy": "true|false",
     "accounts": ["account_id1", "account_id2"],
     "regions": ["region1", "region2"],
     "input_params": {
-      "BucketName": "bucket-name"
+      "BucketNamePrefix": "bucket-name"
+      "CheckRetention": "true|false",
+      "CheckEncryption": "true|false",
+      "CheckLogging": "true|false",
+      "CheckObjectLocking": "true|false",
+      "CheckVersioning": "true|false",
+
     }
   }
 - **Fields**:

aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_eval_job_bucket/app.py

@@ -31,7 +31,6 @@
 SERVICE_NAME = "bedrock.amazonaws.com"
 BUCKET_NAME = ""
 
-
 def evaluate_compliance(event: dict, context: Any) -> tuple[str, str]:  # noqa: U100, CCR001, C901
     """Evaluate the S3 bucket for the compliance.
 
@@ -47,15 +46,16 @@ def evaluate_compliance(event: dict, context: Any) -> tuple[str, str]:  # noqa:
     # Initialize AWS clients
     s3 = boto3.client("s3")
     sts = boto3.client("sts")
+    session = boto3.Session()
+    region = session.region_name
     account = sts.get_caller_identity().get("Account")
     # Get rule parameters
     params = ast.literal_eval(event["ruleParameters"])
     LOGGER.info(f"Parameters: {params}")
     LOGGER.info(f"Account: {account}")
-    buckets = params.get("Buckets", {account: ""})
-    LOGGER.info(f"Buckets: {buckets}")
-    buckets = ast.literal_eval(buckets)
-    bucket_name = buckets.get(account, "")
+    bucket_prefix = params.get("BucketNamePrefix", "")
+    LOGGER.info(f"Bucket Prefix: {bucket_prefix}")
+    bucket_name = bucket_prefix + "-" + account + "-" + region
     LOGGER.info(f"Bucket Name: {bucket_name}")
     BUCKET_NAME = bucket_name
 

aws_sra_examples/solutions/genai/bedrock_org/templates/sra-bedrock-org-main.yaml

@@ -96,14 +96,24 @@ Parameters:
 
   pBedrockModelEvalBucketRuleParams:
     Type: String
-    Default: '{"deploy": "true", "accounts": ["444455556666"], "regions": ["us-west-2"], "input_params": {"Buckets": {"444455556666": "model-invocation-log-bucket-444455556666"},"CheckRetention": "true", "CheckEncryption": "true", "CheckLogging": "true", "CheckObjectLocking": "true", "CheckVersioning": "true"}}'
+    Default: '{"deploy": "true", "accounts": ["444455556666"], "regions": ["us-west-2"], "input_params": {"BucketNamePrefix": "model-invocation-log-bucket","CheckRetention": "true", "CheckEncryption": "true", "CheckLogging": "true", "CheckObjectLocking": "true", "CheckVersioning": "true"}}'
     Description: Bedrock Model Evaluation Job Config Rule Parameters
-    AllowedPattern: ^\{"deploy"\s*:\s*"(true|false)",\s*"accounts"\s*:\s*\[((?:"[0-9]+"(?:\s*,\s*)?)*)\],\s*"regions"\s*:\s*\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*(\{\s*(?:"Buckets"\s*:\s*\{(\s*"[0-9]+"\s*:\s*"[a-zA-Z0-9-]*"\s*,?\s*)*\},\s*"CheckRetention"\s*:\s*"(true|false)",\s*"CheckEncryption"\s*:\s*"(true|false)",\s*"CheckLogging"\s*:\s*"(true|false)",\s*"CheckObjectLocking"\s*:\s*"(true|false)",\s*"CheckVersioning"\s*:\s*"(true|false)"\s*)}})$
+    AllowedPattern: ^\{"deploy"\s*:\s*"(true|false)",\s*"accounts"\s*:\s*\[((?:"[0-9]+"(?:\s*,\s*)?)*)\],\s*"regions"\s*:\s*\[((?:"[a-z0-9-]+"(?:\s*,\s*)?)*)\],\s*"input_params"\s*:\s*(\{\s*(?:"BucketNamePrefix"\s*:\s*(\s*"[a-zA-Z0-9-]+"\s*),\s*"CheckRetention"\s*:\s*"(true|false)",\s*"CheckEncryption"\s*:\s*"(true|false)",\s*"CheckLogging"\s*:\s*"(true|false)",\s*"CheckObjectLocking"\s*:\s*"(true|false)",\s*"CheckVersioning"\s*:\s*"(true|false)"\s*)}})$
     ConstraintDescription: 
-      "Must be a valid JSON string containing: 'deploy' (true/false), 'accounts' (array of account numbers), 
-      'regions' (array of region names), and 'input_params' object/dict. Arrays can be empty. 
-      Example: {\"deploy\": \"true\", \"accounts\": [\"123456789012\"], \"regions\": [\"us-east-1\"], \"input_params\": {\"Buckets\": {\"123456789012\": \"model-invocation-log-bucket-123456789012\"}, \"CheckRetention\": \"true\", \"CheckEncryption\": \"true\", \"CheckLogging\": \"true\", \"CheckObjectLocking\": \"true\", \"CheckVersioning\": \"true\"}} or
-      {\"deploy\": \"false\", \"accounts\": [], \"regions\": [], \"input_params\": {\"Buckets\": {}, \"CheckRetention\": \"true\", \"CheckEncryption\": \"true\", \"CheckLogging\": \"true\", \"CheckObjectLocking\": \"true\", \"CheckVersioning\": \"true\"}}"
+      "The parameter value must be a valid JSON object with the following structure: 
+      { 
+        'deploy': 'true' or 'false', 
+        'accounts': an array of numeric AWS account IDs, 
+        'regions': an array of valid AWS region identifiers, 
+        'input_params': {
+          'BucketNamePrefix': a valid bucket name prefix,
+          'CheckRetention': 'true' or 'false',
+          'CheckEncryption': 'true' or 'false',
+          'CheckLogging': 'true' or 'false',
+          'CheckObjectLocking': 'true' or 'false',
+          'CheckVersioning': 'true' or 'false'
+        }
+      }. Ensure all keys and values conform to the specified types and format."
 
   pBedrockIAMUserAccessRuleParams:
     Type: String