feat(terraform): - TF and CFN - Add a policy for ensuring AWS Bedrock…

… Agent is encrypted with a CMK (#6603)

Add a policy for ensuring AWS Bedrock Agent is encrypted with a CMK and focus cfn-lint for yaml/json files

.github/workflows/pr-test.yml

@@ -42,17 +42,20 @@ jobs:
         id: changed-files-specific
         uses: tj-actions/changed-files@eaf854ef0c266753e1abec356dcf17d92695b251 # v44
         with:
-          files: tests/cloudformation/checks/resource/aws/example*/**/*
-      - name: Install cfn-lint
+          files: tests/cloudformation/checks/resource/aws/**/*
+      - name: Filter YAML and JSON files
         if: steps.changed-files-specific.outputs.any_changed == 'true'
+        id: filter-files
         run: |
-          pip install -U cfn-lint
-      - name: Lint Cloudformation templates
-        if: steps.changed-files-specific.outputs.any_changed == 'true'
-        env:
-          ALL_CHANGED_FILES: ${{ steps.changed-files-specific.outputs.all_changed_files }}
+          YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} | tr ' ' '\n' | grep -E '\.ya?ml$|\.json$' | tr '\n' ' ')
+          if [ -n "$YAML_JSON_FILES" ]; then
+            echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV"
+          fi
+      - name: Install cfn-lint & Lint Cloudformation templates
+        if: env.YAML_JSON_FILES != ''
         run: |
-          for file in $ALL_CHANGED_FILES; do
+          pip install -U cfn-lint
+          for file in $YAML_JSON_FILES; do
             cfn-lint "$file" -i W
           done
 

checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py

@@ -0,0 +1,21 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+from checkov.common.models.consts import ANY_VALUE
+
+
+class BedrockAgentEncrypted(BaseResourceValueCheck):
+    def __init__(self):
+        name = "Ensure Bedrock Agent is encrypted with a CMK"
+        id = "CKV_AWS_373"
+        supported_resources = ['AWS::Bedrock::Agent']
+        categories = [CheckCategories.ENCRYPTION]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self):
+        return 'Properties/CustomerEncryptionKeyArn'
+
+    def get_expected_value(self):
+        return ANY_VALUE
+
+
+check = BedrockAgentEncrypted()

checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py

@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+
+
+class BedrockAgentEncrypted(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure Bedrock Agent is encrypted with a CMK"
+        id = "CKV_AWS_373"
+        supported_resources = ("aws_bedrockagent_agent",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "customer_encryption_key_arn"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = BedrockAgentEncrypted()

tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/FAIL.yaml

@@ -0,0 +1,6 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  Fail:
+    Type: AWS::Bedrock::Agent
+    Properties:
+      AgentName: test

tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/PASS.yaml

@@ -0,0 +1,7 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  Pass:
+    Type: AWS::Bedrock::Agent
+    Properties:
+      AgentName: test
+      CustomerEncryptionKeyArn: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

tests/cloudformation/checks/resource/aws/test_BedrockAgentEncrypted.py

@@ -0,0 +1,45 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.BedrockAgentEncrypted import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestBedrockAgentEncrypted(unittest.TestCase):
+
+    def test_summary(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+        test_files_dir = current_dir + "/example_BedrockAgentEncrypted"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        for record in report.failed_checks:
+            self.assertEqual(record.check_id, check.id)
+
+        for record in report.passed_checks:
+            self.assertEqual(record.check_id, check.id)
+
+        passing_resources = {
+            "AWS::Bedrock::Agent.Pass",
+        }
+
+        failing_resources = {
+            "AWS::Bedrock::Agent.Fail",
+
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary['passed'], 1)
+        self.assertEqual(summary['failed'], 1)
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()

tests/terraform/checks/resource/aws/example_BedrockAgentEncrypted/main.tf

@@ -0,0 +1,10 @@
+# fail
+resource "aws_bedrockagent_agent" "bedrock_agent" {
+  agent_name = "example_agent_name"
+}
+
+# pass
+resource "aws_bedrockagent_agent" "bedrock_agent_with_kms_key" {
+  agent_name                  = "example_agent_name"
+  customer_encryption_key_arn = aws_kms_key.example.arn
+}

tests/terraform/checks/resource/aws/test_BedrockAgentEncrypted.py

@@ -0,0 +1,38 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.resource.aws.BedrockAgentEncrypted import check
+from checkov.terraform.runner import Runner
+
+
+class TestBedrockAgentEncrypted(unittest.TestCase):
+    def test(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_BedrockAgentEncrypted"
+        report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            "aws_bedrockagent_agent.bedrock_agent_with_kms_key",
+        }
+        failing_resources = {
+            "aws_bedrockagent_agent.bedrock_agent",
+        }
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 1)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+    unittest.main()