update config rule annotation wording

cyphronix · cyphronix · commit 8f7ef7e9d31c · 2025-01-31T14:47:14.000-07:00
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_eval_job_bucket/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_eval_job_bucket/app.py
@@ -94,10 +94,10 @@ def evaluate_compliance(event: dict, context: Any) -> tuple[str, str]:  # noqa:
             encryption = s3.get_bucket_encryption(Bucket=bucket_name)
             if "ServerSideEncryptionConfiguration" not in encryption:
                 compliance_type = "NON_COMPLIANT"
-                annotation.append("KMS CMK encryption not enabled")
+                annotation.append("KMS customer-managed key encryption not enabled")
         except ClientError:
             compliance_type = "NON_COMPLIANT"
-            annotation.append("KMS CMK encryption not enabled")
+            annotation.append("KMS customer-managed key encryption not enabled")
 
     # Check logging
     if check_logging:
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_guardrails/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_guardrails/app.py
@@ -110,13 +110,13 @@ def lambda_handler(event: dict, context: Any) -> dict:  # noqa: CCR001, C901, U1
     if compliant_guardrails:
         compliance_type = "COMPLIANT"
         if len(compliant_guardrails) == 1:
-            annotation = f"The following Bedrock guardrail contains all required features: {compliant_guardrails[0]}"
+            annotation = f"The following Bedrock Guardrail contains all required features: {compliant_guardrails[0]}"
         else:
-            annotation = f"The following Bedrock guardrails contain all required features: {', '.join(compliant_guardrails)}"
+            annotation = f"The following Bedrock Guardrails contain all required features: {', '.join(compliant_guardrails)}"
         LOGGER.info(f"Account is COMPLIANT. {annotation}")
     else:
         compliance_type = "NON_COMPLIANT"
-        annotation = "No Bedrock guardrails contain all required features. "
+        annotation = "No Bedrock Guardrails exist in this account that meet all required features. "
         for guardrail, missing in non_compliant_guardrails.items():  # type: ignore
             annotation += f" [{guardrail} is missing {', '.join(missing)}]"
         LOGGER.info(f"Account is NON_COMPLIANT. {annotation}")
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_iam_user_access/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_iam_user_access/app.py
@@ -93,7 +93,10 @@ def evaluate_compliance(event: dict, context: Any) -> dict:  # noqa: CCR001, U10
     # Prepare the evaluation result
     if non_compliant_users:
         compliance_type = "NON_COMPLIANT"
-        annotation = "The following IAM users have access to the Amazon Bedrock service: " + ", ".join(non_compliant_users)
+        annotation = (
+            "IAM users should not have direct access to Amazon Bedrock. These users have access and should use roles instead: "
+            + ", ".join(non_compliant_users)
+        )
     else:
         compliance_type = "COMPLIANT"
         annotation = "No IAM users have access to the Amazon Bedrock service."
diff --git a/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_invocation_log_s3/app.py b/aws_sra_examples/solutions/genai/bedrock_org/lambda/rules/sra_bedrock_check_invocation_log_s3/app.py
@@ -63,7 +63,7 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:  # noqa: CFQ0
         LOGGER.info(f"Bedrock Model Invocation S3 bucketName: {bucket_name}")
         BUCKET_NAME = bucket_name
         if not s3_config or not bucket_name:
-            return "NON_COMPLIANT", "S3 logging is not enabled for Bedrock Model Invocation Logging"
+            return "NON_COMPLIANT", "S3 logging destination is not enabled for Bedrock Model Invocation Logging"
 
         # Check S3 bucket configurations
         issues = []
@@ -107,8 +107,8 @@ def evaluate_compliance(rule_parameters: dict) -> tuple[str, str]:  # noqa: CFQ0
                 return "INSUFFICIENT_DATA", f"Error evaluating Object Lock configuration: {str(error)}"
 
         if issues:
-            return "NON_COMPLIANT", f"S3 logging to {BUCKET_NAME} enabled but {', '.join(issues)}"
-        return "COMPLIANT", f"S3 logging properly configured for Bedrock Model Invocation Logging. Bucket: {bucket_name}"
+            return "NON_COMPLIANT", f"S3 logging destination to {BUCKET_NAME} enabled but {', '.join(issues)}"
+        return "COMPLIANT", f"S3 logging destination properly configured for Bedrock Model Invocation Logging. Bucket: {bucket_name}"
     except botocore.exceptions.ClientError as client_error:
         LOGGER.error(f"Error evaluating Bedrock Model Invocation Logging configuration: {str(client_error)}")
         return "INSUFFICIENT_DATA", f"Error evaluating compliance: {str(client_error)}"
