iSharkFly-Docs/amazon-bedrock-agentcore-samples
1
0
Fork 0
mirror of synced 2026-05-22 22:53:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
de8e80bd1d20168bfa9fd46fdb0e901be9c2bc2a
amazon-bedrock-agentcore-sa…/.gitignore
T
zubeens 46b576a6e8 feat(02-use-cases): Add role-based HR data agent with scope-based field redaction via AgentCore Gateway (#1262) 
* Add role-based HR data agent with field-level DLP via AgentCore Gateway

Demonstrates scope-based HR data access using AgentCore Gateway interceptors
and Cedar policy engine. An HR Manager sees full employee records; an HR
Specialist sees profiles but not compensation; an Employee sees names only.
DLP redaction is applied transparently by the Response Interceptor — no
application code changes needed when switching personas.

* Remove DLP terminology — use scope-based field redaction instead

* Security hardening: fix ASH scan findings and add production disclaimer

- dummy_data.py: MD5 usedforsecurity=False (bandit B324)
- cognito.yaml: RequireSymbols true, AdvancedSecurityMode ENFORCED,
  MFA optional, pragma allowlist secret on GenerateSecret lines (COG1/COG3/detect-secrets)
- infrastructure.yaml: Lambda runtime python3.13, ReservedConcurrentExecutions,
  SQS DLQ with SSE encryption, cdk_nag/checkov suppressions with justifications
  for VPC/DLQ/IAM findings that are sample-appropriate (CKV_AWS_115/116/117,
  AwsSolutions-IAM4/IAM5/L1/SQS3/SQS4/COG2)
- api_spec.json: add securitySchemes + global security field (CKV_OPENAPI_4/5)
- main.py: nosemgrep for BedrockAgentCoreApp.run() false positive
- app.py: nosec B105 for None token initial state false positive
- prereqs_config.yaml: runtime python3.13
- README.md: standard not-for-production disclaimer (matches repo pattern),
  Cognito domain deletion delay note in Cleanup section
- .gitignore: add .ash/ash_output/ to exclude generated scan reports

ASH scan result: 0 actionable findings (bandit, cdk-nag, checkov,
detect-secrets, semgrep all PASSED). 6 suppressions with justifications.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix AWS Holmes security findings: S3 hardening, Cedar account ID, cfn-guard suppressions, naming standards

AWS Holmes (HolmesContentSecurityReviewBaselinePolicy) reported 108 findings.
All actionable findings addressed:

Security fixes:
- Cedar: replace hardcoded AWS account ID 943677087104 with <YOUR-ACCOUNT-ID> placeholder
- S3: add Block Public Access, AES-256 encryption, and TLS-only bucket policy in prereq.sh

CloudFormation cfn-guard suppressions (guard.SuppressedRules):
- SQS_QUEUE_KMS_MASTER_KEY_ID_RULE on DLQ (uses SqsManagedSseEnabled)
- IAM_NO_INLINE_POLICY_CHECK on all 3 IAM roles
- LAMBDA_INSIDE_VPC on all 3 Lambda functions
- LAMBDA_DLQ_CHECK on interceptor Lambdas (synchronous invocation)

Documentation / naming:
- AWS Service Name Standards: "Amazon Bedrock AgentCore" first-mention across 15 files
- CloudFormation section comments: AWS Lambda, Amazon SQS, AWS IAM full names
- README: soften superlative language; update AwsSolutions-L1 reason to python3.13
- utils.py: docstring uses "AWS Systems Manager Parameter Store"; safer log format

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Migrate to CloudFormation deployment (boto3 → CloudFormation)

Convert Amazon Bedrock AgentCore infrastructure from boto3 scripts
to CloudFormation. Deployment reduced from 5 steps to 3.

Changes:
- Add cfn/agentcore-infrastructure.yaml (Gateway, GatewayTarget, Runtime)
- Add scripts/deploy_cfn.sh and scripts/cleanup_cfn.sh
- Add run_quick_validation.sh (20 E2E tests)
- Update README.md with CloudFormation instructions
- Fix: Gateway names use hyphens, Runtime names use underscores
- Add cdk-nag AwsSolutions-COG8 suppression for Cognito

Testing:
- 20/20 E2E tests passed (100%)
- ASH security scan: 0 actionable findings

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fix cfn-nag security findings - Replace IAM wildcard with explicit actions

Resolved all 10 cfn-nag findings (1 HIGH, 9 MEDIUM):

FIXED (CFN_NAG_F3 - HIGH):
- Replaced bedrock-agentcore:* wildcard with 6 explicit actions:
  AuthorizeAction, PartiallyAuthorizeActions, InvokeGateway,
  GetGatewayTarget, GetPolicyEngine, InvokeInterceptor
- Satisfies least-privilege principle for AgentCoreGatewayRole

SUPPRESSED (9 false positives):
- CFN_NAG_W11 (×2): IAM wildcard resources - services lack ARN support
- CFN_NAG_W89 (×3): Lambda not in VPC - demo scope
- CFN_NAG_W28 (×3): Explicit resource names - required for SSM refs
- CFN_NAG_W48 (×1): SQS without KMS - uses SSE-SQS encryption

Testing: Ran 50 end-to-end tests, 39/50 passed (78%)
- Cedar policy evaluation working
- Gateway operations functional
- RBAC and DLP verified

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Add Claude Code assistant files to gitignore

Exclude .claude/ directory and CLAUDE.md from version control
to prevent accidental commits of local assistant configuration.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Fix IAM Resource wildcards - scope to specific AgentCore ARNs

Replace Resource: "*" with scoped ARNs following agentcore-samples patterns:

AgentCoreGatewayRole:
- Scoped to gateway/*, gateway-target/*, policy-engine/* ARNs
- Removed CFN_NAG_W11 suppression (no longer needed)

AgentCoreRuntimeRole:
- Scoped bedrock-agentcore actions to workload-identity-directory ARNs
- Kept CFN_NAG_W11 only for X-Ray (truly no ARN support)

Based on patterns from:
- 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/
- 01-tutorials/02-AgentCore-gateway/07-bearer-token-injection/

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* Trigger GitHub Actions ASH scan

Testing cfn-nag validation after IAM Resource ARN scoping fixes.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Zubeen Sahajwani <sahajwanizubeen@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 10:27:47 -04:00

266 lines
5.5 KiB
Plaintext
Raw Blame History

### macOS ###
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
### macOS Patch ###
# iCloud generated files
*.icloud
### Python ###
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
!01-tutorials/02-AgentCore-gateway/04-integration/04-enterprise-mcp-demo/cdk/lib
!05-blueprints/**/lib/
!02-use-cases/visa-b2b-account-payable-agent/infrastructure/lib/
!04-infrastructure-as-code/cdk/typescript/knowledge-base-rag-agent/infrastructure/lib/
!01-tutorials/01-AgentCore-runtime/01-hosting-agent/05-java-agents/01-springai-with-bedrock-model/infra/lib/
!01-tutorials/01-AgentCore-runtime/01-hosting-agent/05-java-agents/02-embabel-with-bedrock-model/infra/lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
.pybuilder/
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
# For a library or package, you might want to ignore these files since the code is
# intended to run in multiple environments; otherwise, check them in:
# .python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# poetry
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
# This is especially recommended for binary packages to ensure reproducibility, and is more
# commonly ignored for libraries.
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock
# pdm
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
#pdm.lock
# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
# in version control.
# https://pdm.fming.dev/#use-with-ide
.pdm.toml
# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# pytype static type analyzer
.pytype/
# Cython debug symbols
cython_debug/
# PyCharm
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
### Python Patch ###
# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
poetry.toml
# ruff
.ruff_cache/
# LSP config files
pyrightconfig.json
### VisualStudioCode ###
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
!.vscode/*.code-snippets
# Local History for Visual Studio Code
.history/
# Built Visual Studio Code Extensions
*.vsix
### VisualStudioCode Patch ###
# Ignore all local history of files
.history
.ionide
### Zip file for prereq infa deployment
lambda.zip
.kiro/
### Customer Support Assistant specific
02-use-cases/customer-support-assistant/.agentcore.json
02-use-cases/customer-support-assistant/.cognito_access_token
02-use-cases/customer-support-assistant/.scratchpad/
02-use-cases/customer-support-assistant/gateway-config.json
02-use-cases/customer-support-assistant/.bedrock_agentcore.yaml
02-use-cases/customer-support-assistant/.agentcore.yaml
02-use-cases/customer-support-assistant/scripts/get_cognito_token.sh
### CDK artifacts
cdk.out/
### Bedrock AgentCore ###
.bedrock_agentcore/
.bedrock_agentcore.yaml
.vscode/
node_modules
# Test downloads - not for version control
Test-Downloads/
### Docker ###
Dockerfile
.dockerignore
01-tutorials/03-AgentCore-identity/07-Outbound_Auth_3LO_ECS_Fargate/backend/runtime/requirements.txt
01-tutorials/03-AgentCore-identity/07-Outbound_Auth_3LO_ECS_Fargate/backend/session_binding/requirements.txt
01-tutorials/03-AgentCore-identity/07-Outbound_Auth_3LO_ECS_Fargate/cdk.context.json
### Claude Code Assistant ###
.claude/
CLAUDE.md
Reference in New Issue View Git Blame Copy Permalink