AI/ML Security Assessment Report

Security Checks

Evaluated across 3 regions

Total Findings

172

Across 3 regions

Actionable Findings

High, Medium, and Low severity

High Severity

3/6

50.0% passed · Immediate action required

Medium Severity

9/28

32.1% passed · Should be addressed

Low Severity
3/3
100.0% passed · Best practices

Priority Recommendations

Marketplace Subscription Access Check

Bedrock

Stale Bedrock Access Check

Bedrock

Severity Legend

View full methodology

Severity	Meaning	Recommended Action
High	Direct security risk - IAM/access control gaps, missing audit trails, guardrail bypasses that could lead to unauthorized access or data exposure	Remediate within 7 days
Medium	Defense-in-depth gaps - encryption, logging, or configuration issues that reduce security posture	Remediate within 30 days
Low	Best practice deviations - optimization opportunities that improve security hygiene	Remediate within 90 days
Informational	No resources found or advisory recommendations - check does not apply or suggests optional improvements	No action required

All Security Findings

Account ID	Region	Check ID	Finding	Details	Resolution	Severity	Status
`111111111111`	`ap-southeast-2`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`eu-west-1`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`eu-west-1`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`eu-west-1`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`eu-west-1`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A
`111111111111`	`Global`	`BR-01`	AmazonBedrockFullAccess role check	No roles found with AmazonBedrockFullAccess policy	No action required	High	Passed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AIMLSecurityMemberRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AwsSecurityAudit' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AWSServiceRoleForSupport' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'CloudSecAuditRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'InternalAuditInternal' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'ScoutSuiteRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`us-east-1`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`us-east-1`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`us-east-1`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`us-east-1`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`us-east-1`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`ap-southeast-2`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A
`111111111111`	`eu-west-1`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`eu-west-1`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`eu-west-1`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`eu-west-1`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`eu-west-1`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`eu-west-1`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`eu-west-1`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A
`111111111111`	`Global`	`SM-02`	SageMaker IAM Permissions Check	No issues found with IAM permissions and no stale access detected	No action required	High	Passed
`111111111111`	`us-east-1`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`us-east-1`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`us-east-1`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`us-east-1`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`us-east-1`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`us-east-1`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`us-east-1`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`us-east-1`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`us-east-1`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A
`111111111111`	`Global`	`AC-02`	AgentCore IAM Full Access Check	No roles with overly permissive AgentCore access found	No action required	High	Passed
`111111111111`	`Global`	`AC-03`	AgentCore Unused Permissions	The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'	Review and remove unused AgentCore permissions following least privilege principle	Medium	Failed
`111111111111`	`Global`	`AC-09`	AgentCore Service-Linked Role Missing	Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.	The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.	Medium	Failed
`111111111111`	`us-east-1`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A
`111111111111`	`eu-west-1`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A
`111111111111`	`ap-southeast-2`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A

Risk Distribution

Pass Rate by Severity

HIGH

50.0%

3 of 6 checks passed

MEDIUM

32.1%

9 of 28 checks passed

LOW

100.0%

3 of 3 checks passed

Overall

40.5%

15 of 37 actionable checks

Risk by Region

ap-southeast-2

0 High · 0 Med · 0 Low

eu-west-1

0 High · 0 Med · 0 Low

us-east-1

0 High · 0 Med · 0 Low

Findings by Service

Bedrock

20 Failed · 1 Passed

SageMaker

0 Failed · 13 Passed

AgentCore

2 Failed · 1 Passed

Financial Services Risk

0 Failed · 0 Passed

Amazon Bedrock Findings

Account ID	Region	Check ID	Finding	Details	Resolution	Severity	Status
`111111111111`	`ap-southeast-2`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:ap-southeast-2:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`ap-southeast-2`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`eu-west-1`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:eu-west-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`eu-west-1`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`eu-west-1`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`eu-west-1`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A
`111111111111`	`Global`	`BR-01`	AmazonBedrockFullAccess role check	No roles found with AmazonBedrockFullAccess policy	No action required	High	Passed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'aws-elasticbeanstalk-ec2-role' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkMulticontainerDocker'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-03`	Marketplace Subscription Access Check	Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' has overly permissive marketplace subscription access through policy 'AWSElasticBeanstalkWebTier'	Ensure that users have access to only the models that you want user to be able to subscribe to based on your organizational policies. For example, you may want users to have access to only text based models and not image and video generation model. This can also help to keep cost in check.	High	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AIMLSecurityMemberRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AmazonQInvestigationRole-DefaultInvestigationGroup-ma74at' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'aws-elasticbeanstalk-ec2-role' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AwsSecurityAudit' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AWSServiceRoleForAuditManager' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'AWSServiceRoleForSupport' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'cdk-hnb659fds-lookup-role-111111111111-us-east-1' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'CloudSecAuditRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'CloudSeerTrustedServiceRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'IibsAdminAccess-DO-NOT-DELETE' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'InternalAuditInternal' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'Nova-DO-NOT-DELETE' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'ReSCOAIMLMemberRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'RescoAppStack-Ec2Role2FD9A272-UB7xzDXt03Lg' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'ScoutSuiteRole' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'SecurityHubGenAISummary-IAMRolefnCreateSummary-ulVA50wgXCG3' last accessed Bedrock on 2024-09-06	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`Global`	`BR-14`	Stale Bedrock Access Check	Role 'xray-sample-SampleInstanceProfileRole-1WB21O2X8T7ZV' last accessed Bedrock on never	You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the best practice of least privilege.	Medium	Failed
`111111111111`	`us-east-1`	`BR-02`	Amazon Bedrock private connectivity check	No regional Bedrock resources found to assess private connectivity	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-04`	Bedrock Model Invocation Logging Check	No regional Bedrock resources found to monitor with invocation logging	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-05`	Bedrock Guardrails Check	No regional Bedrock resources found to protect with guardrails	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-06`	Bedrock CloudTrail Logging Check	No regional Bedrock resources found to audit with Bedrock-specific CloudTrail coverage	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-07`	Bedrock Prompt Management Check	Prompt Management feature is not being used. This may lead to inconsistent prompt handling and suboptimal model responses.	Implement Prompt Management to: 1. Create and version your prompts 2. Test different prompt variants 3. Share prompts across your organization 4. Maintain consistent prompt templates	Informational	N/A
`111111111111`	`us-east-1`	`BR-08`	Bedrock Agent IAM Roles Check	No Bedrock agents found in the account	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-09`	Bedrock Knowledge Base Encryption Check	Unable to check Bedrock Knowledge Base API: An error occurred (AccessDeniedException) when calling the ListKnowledgeBases operation: User: arn:aws:sts::111111111111:assumed-role/aiml-sec-111111111111-BedrockSecurityAssessmentFunc-188U9EAkRKkw/aiml-security-aiml-sec-111111111111-BedrockAssessment is not authorized to perform: bedrock:ListKnowledgeBases on resource: arn:aws:bedrock:us-east-1:111111111111:knowledge-base/* because no identity-based policy allows the bedrock:ListKnowledgeBases action	Verify your AWS credentials and permissions to access Bedrock Knowledge Bases, then retry the assessment.	Informational	N/A
`111111111111`	`us-east-1`	`BR-10`	Bedrock Guardrail IAM Enforcement Check	No guardrails configured - IAM enforcement check not applicable	Configure Bedrock Guardrails first, then enforce their use via IAM policies	Informational	N/A
`111111111111`	`us-east-1`	`BR-11`	Bedrock Custom Model Encryption Check	No custom/fine-tuned models found in the account	No action required	Informational	N/A
`111111111111`	`us-east-1`	`BR-12`	Bedrock Invocation Log Encryption Check	Model invocation logging to S3 is not configured	If logging is enabled to CloudWatch only, ensure CloudWatch log group uses CMK encryption	Informational	N/A
`111111111111`	`us-east-1`	`BR-13`	Bedrock Flows Guardrails Check	No Bedrock Flows found in the account	No action required	Informational	N/A

Amazon SageMaker Findings

Account ID	Region	Check ID	Finding	Details	Resolution	Severity	Status
`111111111111`	`ap-southeast-2`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`ap-southeast-2`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`ap-southeast-2`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`ap-southeast-2`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A
`111111111111`	`eu-west-1`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`eu-west-1`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`eu-west-1`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`eu-west-1`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`eu-west-1`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`eu-west-1`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`eu-west-1`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`eu-west-1`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`eu-west-1`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A
`111111111111`	`Global`	`SM-02`	SageMaker IAM Permissions Check	No issues found with IAM permissions and no stale access detected	No action required	High	Passed
`111111111111`	`us-east-1`	`SM-01`	SageMaker Internet Access Check	No SageMaker notebook instances or domains found to check	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-02`	SageMaker SSO Configuration Check	No SageMaker domains found, or all domains use SSO with IAM Identity Center configured	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-03`	Data Protection Check	No SageMaker resources found to check for data protection	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-04`	GuardDuty Enabled	Amazon GuardDuty is properly enabled and monitoring for security threats in SageMaker workloads.	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-05`	SageMaker Model Registry Issue	No model package groups found	Implement model versioning using SageMaker Model Registry to track model lineage, approve model versions, and manage model deployment	Informational	N/A
`111111111111`	`us-east-1`	`SM-05`	SageMaker Feature Store Issue	No feature groups found	Utilize SageMaker Feature Store to create, share, and manage features for machine learning development and production	Informational	N/A
`111111111111`	`us-east-1`	`SM-05`	SageMaker Pipelines Issue	No ML pipelines found	Implement SageMaker Pipelines to automate and manage ML workflows, including data preparation, training, and model deployment	Informational	N/A
`111111111111`	`us-east-1`	`SM-06`	SageMaker Clarify No Clarify Usage	No SageMaker Clarify jobs found	Implement SageMaker Clarify for model explainability and bias detection	Informational	N/A
`111111111111`	`us-east-1`	`SM-07`	SageMaker Model Monitor No Model Monitoring	No Model Monitor schedules found	Configure comprehensive model monitoring schedules	Informational	N/A
`111111111111`	`us-east-1`	`SM-08`	Model Registry Registry Not Used	Model Registry is not being utilized	Implement proper model versioning and approval workflows	Informational	N/A
`111111111111`	`us-east-1`	`SM-09`	SageMaker Notebook Root Access Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-10`	SageMaker Notebook VPC Deployment Check	No notebook instances found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-11`	SageMaker Model Network Isolation Check	No models found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-12`	SageMaker Endpoint Instance Count Check	No InService endpoints found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-13`	SageMaker Monitoring Network Isolation Check	No monitoring schedules found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-14`	SageMaker Model Repository Access Check	No models found or all use default Platform access	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-15`	SageMaker Feature Store Encryption Check	No feature groups with offline stores found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-16`	SageMaker Data Quality Job Encryption Check	No data quality job definitions found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-17`	SageMaker Processing Job Encryption Check	No processing jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-18`	SageMaker Transform Job Encryption Check	No transform jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-19`	SageMaker Hyperparameter Tuning Job Encryption Check	No hyperparameter tuning jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-20`	SageMaker Compilation Job Encryption Check	No compilation jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-21`	SageMaker AutoML Job Network Isolation Check	No AutoML jobs found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`SM-22`	Model Approval Workflow Check	No model package groups found. Model Registry is not being used for model governance.	Implement Model Registry to track model versions and enforce approval workflows before production deployment.	Informational	N/A
`111111111111`	`us-east-1`	`SM-23`	Model Drift Detection Check	No InService endpoints found to monitor.	No action required	Medium	Passed
`111111111111`	`us-east-1`	`SM-24`	A/B Testing and Shadow Deployment Check	No InService endpoints found.	No action required	Low	Passed
`111111111111`	`us-east-1`	`SM-25`	ML Lineage Tracking - Experiments Not Used	No SageMaker Experiments found. ML Lineage tracking through Experiments is not being utilized.	Implement SageMaker Experiments to track ML training runs, hyperparameters, metrics, and model artifacts. This enables reproducibility and auditability.	Informational	N/A

Amazon Bedrock AgentCore Findings

Account ID	Region	Check ID	Finding	Details	Resolution	Severity	Status
`111111111111`	`ap-southeast-2`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`ap-southeast-2`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`eu-west-1`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A
`111111111111`	`Global`	`AC-02`	AgentCore IAM Full Access Check	No roles with overly permissive AgentCore access found	No action required	High	Passed
`111111111111`	`Global`	`AC-03`	AgentCore Unused Permissions	The following principals have AgentCore permissions but have never accessed the service: role 'AIMLSecurityMemberRole', role 'ReSCOAIMLMemberRole'	Review and remove unused AgentCore permissions following least privilege principle	Medium	Failed
`111111111111`	`Global`	`AC-09`	AgentCore Service-Linked Role Missing	Service-linked role 'AWSServiceRoleForBedrockAgentCoreNetwork' does not exist. VPC configuration for AgentCore Runtimes will fail without this role.	The service-linked role is automatically created when you configure VPC for an AgentCore Runtime. Ensure IAM permissions allow service-linked role creation.	Medium	Failed
`111111111111`	`us-east-1`	`AC-01`	AgentCore VPC Configuration Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-04`	AgentCore Observability Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-05`	AgentCore Encryption Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-06`	AgentCore Browser Tool Recording Check	No AgentCore Runtimes found to check browser tool configuration	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-07`	AgentCore Memory Configuration Check	No Memory resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-13`	AgentCore Gateway Configuration Check	No Gateway resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-08`	AgentCore VPC Endpoints Check	No AgentCore resources found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-10`	AgentCore Resource-Based Policies Check	No AgentCore resources found to check for resource-based policies	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-11`	AgentCore Policy Engine Encryption Check	No Policy Engines found	No action required	Informational	N/A
`111111111111`	`us-east-1`	`AC-12`	AgentCore Gateway Encryption Check	No Gateways found	No action required	Informational	N/A

Financial Services GenAI Risk Findings

Scope: this assessment records findings against each resolved CloudFormation TargetRegions entry. These checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption. Severities follow a documented Likelihood × Impact methodology (see docs).

Account ID	Region	Check ID	Finding	Details	Resolution	Severity	Status
`111111111111`	`us-east-1`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in us-east-1; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A
`111111111111`	`eu-west-1`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in eu-west-1; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A
`111111111111`	`ap-southeast-2`	`FS-00`	FinServ Regional Scope Not Applicable	No regional Bedrock, AgentCore, or SageMaker resources were found in ap-southeast-2; FinServ GenAI risk checks were not applied to this region.	No action required unless GenAI workloads are expected in this region.	Informational	N/A

Assessment Methodology

Severity Levels & Status Values

High	Direct security risk	Failed	Remediation needed
Medium	Defense-in-depth gap	Passed	Meets requirements
Low	Best practice	N/A	Not applicable
Informational	No action required

Remediation Guidance

High	7 days	Address immediately; block deployment if unresolved
Medium	30 days	Schedule in next sprint; may require change window
Low	90 days	Include in backlog; address during regular maintenance

Assessment Notes

Point-in-time: Security posture changes as resources are modified. Scope limited: Passed checks verify tested controls only. Context matters: Adjust severity for compliance requirements and environment type.

Assessment Scope

Amazon Bedrock

Amazon SageMaker

Amazon Bedrock AgentCore

Industry

Financial Services GenAI Risk

Bedrock, SageMaker, and AgentCore checks are based on the AWS Well-Architected Framework Generative AI Lens. Financial Services GenAI Risk checks are based on the AWS User Guide to Governance, Risk, and Compliance for Responsible AI Adoption.

Security Assessment Overview

Priority Recommendations

Severity Legend

Pass Rate by Severity

Risk by Region

Findings by Service

Severity Levels & Status Values

Remediation Guidance

Assessment Notes

Assessment Scope