High: Direct security risk - IAM/access control gaps, missing audit trails, guardrail bypasses that could lead to unauthorized access or data exposure. Remediate within 7 days.
Medium: Defense-in-depth gaps - encryption, logging, or configuration issues that reduce security posture. Remediate within 30 days.
Low: Best practice deviations - optimization opportunities that improve security hygiene. Remediate within 90 days.
Informational: No resources found or advisory recommendations - check does not apply or suggests optional improvements. No action required.
All Security Findings

Account ID | Check ID | Finding | Details | Resolution | Reference | Severity | Status
111111111111 | BR-01 | AmazonBedrockFullAccess role check | No roles found with AmazonBedrockFullAccess policy | No action required |  | Informational | N/A
111111111111 | BR-02 | Amazon Bedrock private connectivity not used | No Bedrock service VPC endpoints found in VPCs: vpc-09ec83232d654f8fa, vpc-06a6d251af33c42a0, vpc-025fe1e4e68ee9fd8, vpc-7324e40e | Create a VPC endpoint in your VPC with any of the following Bedrock service endpoints that your application may be using: com.amazonaws.region.bedrock; com.amazonaws.region.bedrock-runtime; com.amazonaws.region.bedrock-agent; com.amazonaws.region.bedrock-agent-runtime |  | Informational | N/A
111111111111 | BR-03 | Marketplace Subscription Access Check | No identities found with overly permissive marketplace subscription access | No action required |  | Informational | N/A
111111111111 | BR-04 | Bedrock Model Invocation Logging Check | Model invocation logging is not enabled. This limits your ability to track and audit model usage. | Enable model invocation logging to collect invocation logs, model input data, and model output data. Configure logging to deliver to Amazon S3, CloudWatch Logs, or both for comprehensive monitoring. |  | Medium | Failed
111111111111 | BR-05 | Bedrock Guardrails Check | No Amazon Bedrock Guardrails are configured. This may expose your application to potential risks such as harmful content, sensitive information disclosure, or hallucinations. | Configure Bedrock Guardrails to implement safeguards such as: content filters to block harmful content; denied topics to prevent undesirable discussions; sensitive information filters to protect PII; contextual grounding checks to prevent hallucinations |  | Medium | Failed
111111111111 | BR-06 | Bedrock CloudTrail Logging Check | CloudTrail is not configured to log Amazon Bedrock API calls. This limits your ability to audit and monitor Bedrock usage. | Enable CloudTrail logging for Bedrock by: (1) configuring an advanced event selector for Bedrock events; (2) enabling management events logging in a multi-region trail |  | High | Failed
111111111111 | BR-07 | Bedrock Prompt Management Check | Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses. | Implement Prompt Management to: (1) create and version your prompts; (2) test different prompt variants; (3) share prompts across your organization; (4) maintain consistent prompt templates |  | Informational | N/A
111111111111 | BR-08 | Bedrock Agent IAM Roles Check | No Bedrock agents found in the account | No action required |  | Informational | N/A
111111111111 | BR-10 | Bedrock Guardrail IAM Enforcement Check | No guardrails configured - IAM enforcement check not applicable | Configure Bedrock Guardrails first, then enforce their use via IAM policies |  | Informational | N/A
111111111111 | BR-11 | Bedrock Custom Model Encryption Check | No custom/fine-tuned models found in the account | No action required |  | Informational | N/A
111111111111 | BR-12 | Bedrock Invocation Log Encryption Check | Model invocation logging to S3 is not configured | If logging is enabled to CloudWatch only, ensure the CloudWatch log group uses CMK encryption |  | Informational | N/A
111111111111 | BR-13 | Bedrock Flows Guardrails Check | No Bedrock Flows found in the account | No action required |  | Informational | N/A
111111111111 | SM-01 | SageMaker Internet Access Check | All SageMaker resources are properly configured to use VPC connectivity | No action required |  | Informational | Passed
111111111111 | SM-02 | SageMaker IAM Permissions Check | No issues found with IAM permissions, SSO is enabled, and no stale access detected | No action required |  | Informational | Passed
111111111111 | SM-03 | Data Protection Check | All resources use appropriate encryption configurations | No action required |  | Informational | Passed
111111111111 | SM-04 | GuardDuty Enabled | Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads. | No action required |  | Informational | Passed
111111111111 | SM-05 | SageMaker Model Registry Issue | No model package groups found | Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment |  | Medium | Failed
111111111111 | SM-05 | SageMaker Feature Store Issue | No feature groups found | Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production |  | Informational | N/A
111111111111 | SM-05 | SageMaker Pipelines Issue | No ML pipelines found | Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment |  | Informational | N/A
111111111111 | SM-06 | SageMaker Clarify: No Clarify Usage | No SageMaker Clarify jobs found | Implement SageMaker Clarify for model explainability and bias detection |  | Informational | N/A
111111111111 | SM-07 | SageMaker Model Monitor: No Model Monitoring | No Model Monitor schedules found | Configure comprehensive model monitoring schedules |  | Informational | N/A
111111111111 | SM-08 | Model Registry: Registry Not Used | Model Registry is not being utilized | Implement proper model versioning and approval workflows |  | Informational | N/A
111111111111 | SM-09 | SageMaker Notebook Root Access Check | No notebook instances found | No action required |  | Informational | N/A
111111111111 | SM-10 | SageMaker Notebook VPC Deployment Check | No notebook instances found | No action required |  | Informational | N/A
111111111111 | SM-11 | SageMaker Model Network Isolation Check | No models found | No action required |  | Informational | N/A
111111111111 | SM-12 | SageMaker Endpoint Instance Count Check | No InService endpoints found | No action required |  | Informational | N/A
111111111111 | SM-13 | SageMaker Monitoring Network Isolation Check | No monitoring schedules found | No action required |  | Informational | N/A
111111111111 | SM-14 | SageMaker Model Repository Access Check | No models found or all use default Platform access. No model package groups found. Model Registry is not being used for model governance. | Implement Model Registry to track model versions and enforce approval workflows before production deployment. |  | Informational | N/A
111111111111 | SM-23 | Model Drift Detection Check | No InService endpoints found to monitor. | No action required |  | Informational | Passed
111111111111 | SM-24 | A/B Testing and Shadow Deployment Check | No InService endpoints found. | No action required |  | Informational | Passed
111111111111 | SM-25 | ML Lineage Tracking - Experiments Not Used | No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized. | Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability. |  | Informational | N/A
111111111111 | AC-01 | AgentCore VPC Configuration Check | No AgentCore resources found or all resources have proper VPC configuration | No action required |  | Informational | N/A
111111111111 | AC-02 | AgentCore IAM Full Access Check | No roles with overly permissive AgentCore access found | No action required |  | Informational | N/A
111111111111 | AC-03 | AgentCore Unused Permissions | The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole' | Review and remove unused AgentCore permissions following the least privilege principle |  | Medium | Failed
111111111111 | AC-04 | AgentCore Observability Check | No AgentCore resources found or all resources have proper observability configuration | No action required |  | Informational | N/A
111111111111 | AC-05 | AgentCore Encryption Check | No AgentCore resources found or all resources have proper encryption configuration | No action required |  | Informational | N/A
111111111111 | AC-06 | AgentCore Browser Tool Recording Check | No AgentCore Runtimes found to check browser tool configuration | No action required |  | Informational | N/A
111111111111 | AC-07 | AgentCore Memory Configuration Check | No Memory resources found | No action required |  | Informational | N/A
111111111111 | AC-13 | AgentCore Gateway Configuration Check | No Gateway resources found | No action required |  | Informational | N/A
111111111111 | AC-08 | AgentCore VPC Endpoints Missing | No AgentCore VPC endpoints found in 4 VPCs. AgentCore API traffic traverses the public internet, exposing it to interception. | Create VPC interface endpoints for AgentCore services: (1) com.amazonaws.region.bedrock-agentcore; (2) com.amazonaws.region.bedrock-agentcore-control; (3) com.amazonaws.region.bedrock-agentcore-runtime. This enables private connectivity via AWS PrivateLink. |  | High | Failed
111111111111 | AC-09 | AgentCore Service-Linked Role Missing | Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role. | The service-linked role is automatically created when you configure a VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation. |  | Medium | Failed
111111111111 | AC-10 | AgentCore Resource-Based Policies Check | No AgentCore resources found to check for resource-based policies | No action required |  | Informational | N/A
111111111111 | AC-11 | AgentCore Policy Engine Encryption Check | No Policy Engines found | No action required |  | Informational | N/A
111111111111 | AC-12 | AgentCore Gateway Encryption Check | No Gateways found | No action required |  | Informational | N/A
Risk Distribution

Pass Rate by Severity
High: 0.0% (0 of 2 checks passed)
Medium: 0.0% (0 of 5 checks passed)
Low: 0.0% (0 of 0 checks passed)
Overall: 0.0% (0 of 7 actionable checks)

Findings by Service
Bedrock: 3 (3 Failed · 0 Passed)
SageMaker: 7 (1 Failed · 6 Passed)
AgentCore: 3 (3 Failed · 0 Passed)
Assessment Methodology

Severity Levels & Status Values
Severity: High = Direct security risk; Medium = Defense-in-depth gap; Low = Best practice; Informational = No action required
Status: Failed = Remediation needed; Passed = Meets requirements; N/A = Not applicable

Remediation Guidance
High: 7 days. Address immediately; block deployment if unresolved.
Medium: 30 days. Schedule in next sprint; may require a change window.
Low: 90 days. Include in backlog; address during regular maintenance.
Assessment Notes
Point-in-time: Security posture changes as resources are modified.
Scope limited: Passed checks verify tested controls only.
Context matters: Adjust severity for compliance requirements and environment type.
Assessment Scope
Amazon Bedrock
Amazon SageMaker
Amazon Bedrock AgentCore
Based on AWS Well-Architected Framework (Generative AI Lens) and service-specific security documentation.