⭐ Add Bedrock, Control Tower, Security Lake, Verified Access, Private CA resources (#7136)

* ⭐ Add aws.bedrock, aws.controltower, aws.securitylake, aws.verifiedaccess, aws.privateca resources

Add 5 new high-impact AWS services for security querying, covering GenAI
governance, multi-account governance, security telemetry, zero-trust
networking, and private PKI.

New resources (22 total):
- aws.bedrock: foundationModel, customModel, guardrail,
  modelInvocationLoggingConfiguration, provisionedModelThroughput
- aws.controltower: landingZone, enabledBaseline
- aws.securitylake: dataLake, subscriber
- aws.verifiedaccess: instance, trustProvider, group, endpoint,
  instanceLoggingConfiguration
- aws.privateca: certificateAuthority

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Add missing service-availability checks and fix log levels

Add IsServiceNotAvailableInRegionError handling to all four Verified
Access methods so queries don't fail in unsupported regions. Downgrade
service-unavailable log messages from Warn to Debug across all new
providers since these are expected and not actionable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix spellcheck failure

Signed-off-by: Tim Smith <tsmith84@gmail.com>

* 🐛 Fix foundation model duplicates and privateca tags N+1

Foundation models: query once from default region instead of all regions,
since ListFoundationModels returns a global catalog. Private CA tags:
lazy-load via computed method to avoid N+1 ListTags calls during listing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Fix error handling, KMS key resolution, and typed security groups

- Add access-denied/service-unavailable handling to foundationModels()
- Guard Security Lake encryptionKmsKey() against non-ARN KMS key IDs
- Add access-denied handling to Verified Access loggingConfiguration()
- Add access-denied handling to Private CA tags() and policy()
- Replace double-conversion with enumSliceToAny for subscriber accessTypes
- Change endpoint securityGroupIds to typed securityGroups() references
- Optimize landing zone query to use default region instead of all-region scan
- Expose Region() on AwsConnection for default region access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🧹 Address review comments: driftStatus as dict, use NewSecurityGroupArn

- Change enabledBaseline driftStatus from extracted string to full dict,
  surfacing all drift information instead of only Types.Inheritance.Status
- Use NewSecurityGroupArn helper instead of raw fmt.Sprintf for endpoint
  security group ARN construction

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Fix service-availability errors and timestamp parsing for new resources

Fix four bugs found during live verification of the new aws.bedrock,
aws.verifiedaccess, aws.controltower, and aws.privateca resources:

- IsServiceNotAvailableInRegionError now catches InvalidAction (EC2 Verified
  Access in unsupported regions), UnknownOperationException and "Unknown
  operation" (Bedrock in unsupported regions)
- parseAwsTimestamp falls back to parsing timestamps without timezone suffix
  (e.g. "2026-04-09T05:40:04" from EC2 Verified Access), assuming UTC
- Control Tower APIs now handle the "AWSControlTowerAdmin" ValidationException
  gracefully when CT is not configured, returning empty results instead of
  erroring
- Add unit tests for all fixes (24 test cases across 4 new test files)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Signed-off-by: Tim Smith <tsmith84@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -41,6 +41,7 @@ ciscocatalyst
 clcerts
 chokepoint
 cloudflare
+claude
 Clusterwide
 cmdline
 cmek
@@ -50,6 +51,7 @@ cname
 compressratio
 cooldown
 cpe
+crowdstrike
 cryptokey
 ctx
 customresources
@@ -136,6 +138,7 @@ ipsetforwardedipconfig
 ipsetreferencestatement
 istio
 jira
+jamf
 jsonbody
 junos
 kerberoastable
@@ -224,6 +227,7 @@ posix
 postgre
 POWERUSER
 priorityclass
+privateca
 processingjob
 psc
 PTn
@@ -289,6 +293,7 @@ targetgroup
 tde
 testutils
 tgw
+throughputs
 timestream
 toplevel
 toport
@@ -306,6 +311,7 @@ Utc
 valkey
 VAULTNAME
 Vcpus
+verifiedaccess
 vdcs
 vdev
 vertexai

.github/actions/spelling/line_forbidden.patterns

@@ -387,7 +387,7 @@
 
 # s.b. CrowdStrike
 \bCrowd Strike\b
-\b[Cc]rowdstrike\b
+# \b[Cc]rowdstrike\b # false positive with enum in aws provider
 
 # s.b. Zendesk
 \bZenDesk\b

providers/aws/config/config.go

@@ -14,7 +14,7 @@ import (
 var Config = plugin.Provider{
 	Name:            "aws",
 	ID:              "go.mondoo.com/cnquery/v9/providers/aws",
-	Version:         "13.9.0",
+	Version:         "13.10.0",
 	ConnectionTypes: []string{provider.DefaultConnectionType, string(awsec2ebsconn.EBSConnectionType)},
 	Connectors: []plugin.Connector{
 		{

providers/aws/connection/clients.go

@@ -9,6 +9,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/accessanalyzer"
 	"github.com/aws/aws-sdk-go-v2/service/account"
 	"github.com/aws/aws-sdk-go-v2/service/acm"
+	"github.com/aws/aws-sdk-go-v2/service/acmpca"
 	"github.com/aws/aws-sdk-go-v2/service/apigateway"
 	"github.com/aws/aws-sdk-go-v2/service/applicationautoscaling"
 	"github.com/aws/aws-sdk-go-v2/service/appmesh"
@@ -17,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/autoscaling"
 	"github.com/aws/aws-sdk-go-v2/service/backup"
 	"github.com/aws/aws-sdk-go-v2/service/batch"
+	"github.com/aws/aws-sdk-go-v2/service/bedrock"
 	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
 	"github.com/aws/aws-sdk-go-v2/service/cloudfront"
 	"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
@@ -27,6 +29,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentity"
 	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
 	"github.com/aws/aws-sdk-go-v2/service/configservice"
+	"github.com/aws/aws-sdk-go-v2/service/controltower"
 	"github.com/aws/aws-sdk-go-v2/service/databasemigrationservice"
 	"github.com/aws/aws-sdk-go-v2/service/dax"
 	"github.com/aws/aws-sdk-go-v2/service/directoryservice"
@@ -77,6 +80,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/scheduler"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/securityhub"
+	"github.com/aws/aws-sdk-go-v2/service/securitylake"
 	"github.com/aws/aws-sdk-go-v2/service/sfn"
 	"github.com/aws/aws-sdk-go-v2/service/shield"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
@@ -2057,3 +2061,71 @@ func (t *AwsConnection) SsoAdmin(region string) *ssoadmin.Client {
 	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
 	return client
 }
+
+func (t *AwsConnection) Acmpca(region string) *acmpca.Client {
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_acmpca_" + region
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached acmpca client")
+		return c.Data.(*acmpca.Client)
+	}
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := acmpca.NewFromConfig(cfg)
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}
+
+func (t *AwsConnection) Bedrock(region string) *bedrock.Client {
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_bedrock_" + region
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached bedrock client")
+		return c.Data.(*bedrock.Client)
+	}
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := bedrock.NewFromConfig(cfg)
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}
+
+func (t *AwsConnection) Controltower(region string) *controltower.Client {
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_controltower_" + region
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached controltower client")
+		return c.Data.(*controltower.Client)
+	}
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := controltower.NewFromConfig(cfg)
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}
+
+func (t *AwsConnection) Securitylake(region string) *securitylake.Client {
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_securitylake_" + region
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached securitylake client")
+		return c.Data.(*securitylake.Client)
+	}
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := securitylake.NewFromConfig(cfg)
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}

providers/aws/connection/connection.go

@@ -145,6 +145,10 @@ func (p *AwsConnection) AccountId() string {
 	return p.accountId
 }
 
+func (p *AwsConnection) Region() string {
+	return p.cfg.Region
+}
+
 func parseFlagsForConnectionOptions(m map[string]string, creds []*vault.Credential) []ConnectionOption {
 	o := make([]ConnectionOption, 0)
 	if apiEndpoint, ok := m["endpoint-url"]; ok {

providers/aws/go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.47.0
 	github.com/aws/aws-sdk-go-v2/service/account v1.30.5
 	github.com/aws/aws-sdk-go-v2/service/acm v1.38.1
+	github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.12
 	github.com/aws/aws-sdk-go-v2/service/apigateway v1.39.1
 	github.com/aws/aws-sdk-go-v2/service/applicationautoscaling v1.41.14
 	github.com/aws/aws-sdk-go-v2/service/appmesh v1.35.12
@@ -20,6 +21,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.65.0
 	github.com/aws/aws-sdk-go-v2/service/backup v1.55.0
 	github.com/aws/aws-sdk-go-v2/service/batch v1.63.2
+	github.com/aws/aws-sdk-go-v2/service/bedrock v1.59.0
 	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.9
 	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.61.0
 	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.55.9
@@ -30,6 +32,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.33.22
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.59.3
 	github.com/aws/aws-sdk-go-v2/service/configservice v1.62.1
+	github.com/aws/aws-sdk-go-v2/service/controltower v1.28.9
 	github.com/aws/aws-sdk-go-v2/service/databasemigrationservice v1.62.0
 	github.com/aws/aws-sdk-go-v2/service/dax v1.29.16
 	github.com/aws/aws-sdk-go-v2/service/directoryservice v1.38.16
@@ -80,6 +83,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/scheduler v1.17.22
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5
 	github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3
+	github.com/aws/aws-sdk-go-v2/service/securitylake v1.25.13
 	github.com/aws/aws-sdk-go-v2/service/sfn v1.40.10
 	github.com/aws/aws-sdk-go-v2/service/shield v1.34.21
 	github.com/aws/aws-sdk-go-v2/service/sns v1.39.15

providers/aws/go.sum

@@ -171,6 +171,8 @@ github.com/aws/aws-sdk-go-v2/service/account v1.30.5 h1:mBCX+sC+HpY0uvgGjBKlUaRo
 github.com/aws/aws-sdk-go-v2/service/account v1.30.5/go.mod h1:0Yr7MY5U8hHfqLWVyzcs+MrkmcVlNqgXijaK3ryIHLc=
 github.com/aws/aws-sdk-go-v2/service/acm v1.38.1 h1:41vgMbK0HvVfv5+549nVLMDWIsWFP/0FNAYDos5lKGA=
 github.com/aws/aws-sdk-go-v2/service/acm v1.38.1/go.mod h1:0XoAyD03Stvqf8e/vVCk/1FP2aaF+xUluP7K9MrHWcQ=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.12 h1:jnLzSmGRlTl7SYhecRKMgeKeg8lkCkOzRLT1B3GSpSY=
+github.com/aws/aws-sdk-go-v2/service/acmpca v1.46.12/go.mod h1:6o9TY7hinjyo61EUZSJN9IX+IcKe3DDjbTyFcH8GxlI=
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.39.1 h1:r3dXvi6tMfv4D48pyantOgDL48ifV6Ibj1eU1ca0C3k=
 github.com/aws/aws-sdk-go-v2/service/apigateway v1.39.1/go.mod h1:nhYOLBwQu7P3ckR+L4gZkY0DT0nAhrQuZkI51jR1vTE=
 github.com/aws/aws-sdk-go-v2/service/applicationautoscaling v1.41.14 h1:0aYQ2UaSB1ccXZXUQ4a5XanrHEykKNzMLFgLEDhf8PU=
@@ -187,6 +189,8 @@ github.com/aws/aws-sdk-go-v2/service/backup v1.55.0 h1:p/1UY5ijuHkzGNTmRyvfU5t/f
 github.com/aws/aws-sdk-go-v2/service/backup v1.55.0/go.mod h1:H59xrHDDsJO4OMJ9bznKryHxZdMOvoZb+4dKW+A9TKo=
 github.com/aws/aws-sdk-go-v2/service/batch v1.63.2 h1:9bsy0RFJYSspgVBhJ9rArmHOMS9XYYHdg1IgpuZqUO4=
 github.com/aws/aws-sdk-go-v2/service/batch v1.63.2/go.mod h1:T/6gED/2b8Qh8ZOOke4oG/JCjUewh+YFkTDF7GODXQ0=
+github.com/aws/aws-sdk-go-v2/service/bedrock v1.59.0 h1:iddGKq5eJ8ABEDE543752cUuI0mSAJOBDuoC1RcS+bQ=
+github.com/aws/aws-sdk-go-v2/service/bedrock v1.59.0/go.mod h1:C8KxG3IPteAlDQUCBVIXfkn81kDh9iIBZ4SS8B5UbDE=
 github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.9 h1:AISf54dn2oMUmhoWt4UH80xC8GqlZectZIcffiJzp6U=
 github.com/aws/aws-sdk-go-v2/service/cloudformation v1.71.9/go.mod h1:YWA53lezhB2wltdgeVvDQEIwGVKWh/n+yU5Wh0YTxCw=
 github.com/aws/aws-sdk-go-v2/service/cloudfront v1.61.0 h1:Yx6+Np7TIPx2/j15dWnuGadv+w11ysw5KHgKpaiZsYM=
@@ -207,6 +211,8 @@ github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.59.3 h1:iO0QRVlR
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.59.3/go.mod h1:XPkppF4ijOR6oZvwXB2tjQDLjkTEGCFn8Onl26v4GHQ=
 github.com/aws/aws-sdk-go-v2/service/configservice v1.62.1 h1:0kqK/rGcsuDGDyLLBjLSH95zC3k8lIkW0nksCYEU72g=
 github.com/aws/aws-sdk-go-v2/service/configservice v1.62.1/go.mod h1:9dXB7G3BUakIT/aCgH8si8fCl//iWvR8wpkWuVKY22A=
+github.com/aws/aws-sdk-go-v2/service/controltower v1.28.9 h1:FKQ4VPl2Vp3qrfEQ1DA7CrBXVbMW9axovux13CbLtaY=
+github.com/aws/aws-sdk-go-v2/service/controltower v1.28.9/go.mod h1:BV/X4lbe2tx+pUSdSoDp/oJEVSakBFkdBo0nwnmPKDc=
 github.com/aws/aws-sdk-go-v2/service/databasemigrationservice v1.62.0 h1:aGmD/oKKz23xhUe7xA8Fij4wLdcgLIEPfCLwCRvVsQ0=
 github.com/aws/aws-sdk-go-v2/service/databasemigrationservice v1.62.0/go.mod h1:RTEJQr3mkkqxxLUgBhmN5sc9ASrdGMlI+Gmv2CQhbDM=
 github.com/aws/aws-sdk-go-v2/service/dax v1.29.16 h1:QscUGVecME2laCqDmkUwK/Vp0xri5Ymujq3+NGLUn3o=
@@ -319,6 +325,8 @@ github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5 h1:z2ayoK3pOvf8ODj/v
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5/go.mod h1:mpZB5HAl4ZIISod9qCi12xZ170TbHX9CCJV5y7nb7QU=
 github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3 h1:Nz5/FeXnKq+7YtIeNtHIuDeX/ZeFWDETL0oaqf8V0VI=
 github.com/aws/aws-sdk-go-v2/service/securityhub v1.68.3/go.mod h1:wFhqYLcoMThnIKlNsl048lq9FmCA20hJV1GY0TvS7MI=
+github.com/aws/aws-sdk-go-v2/service/securitylake v1.25.13 h1:RfJQCcBl1LbCq0aiDXiB4cxrhOV7P+7YAytFnpa/ENI=
+github.com/aws/aws-sdk-go-v2/service/securitylake v1.25.13/go.mod h1:I4Wy1npPxCFEvynpbEM8orrnq5a34kGKY29DzGKeGqo=
 github.com/aws/aws-sdk-go-v2/service/sfn v1.40.10 h1:R6zfaJNZcopLNZujk02QwmE78cMOL1KRx08FtxTyI88=
 github.com/aws/aws-sdk-go-v2/service/sfn v1.40.10/go.mod h1:Csc9j7BBtxws0bI2Aj+ALQpDkWaySstkqB37+1XyyJ8=
 github.com/aws/aws-sdk-go-v2/service/shield v1.34.21 h1:mO+bATVTYarn2BlIWGoZ8i+X4+GEARDp940psUNh0f4=

providers/aws/resources/aws.go

@@ -118,16 +118,22 @@ func Is400InstanceNotFoundError(err error) bool {
 	return false
 }
 
-// IsServiceNotAvailableInRegionError checks if the error indicates the service is not available in the region.
-// This typically happens with DNS lookup failures for regional services like MemoryDB.
+// IsServiceNotAvailableInRegionError checks if the error indicates the service or API action
+// is not available in the region. This includes DNS lookup failures for regional services,
+// InvalidAction errors for EC2 actions not yet deployed to a region (e.g., Verified Access),
+// and UnknownOperationException for services like Bedrock in unsupported regions.
 func IsServiceNotAvailableInRegionError(err error) bool {
 	if err == nil {
 		return false
 	}
 	errStr := err.Error()
 	return strings.Contains(errStr, "no such host") ||
 		strings.Contains(errStr, "UnknownEndpoint") ||
-		strings.Contains(errStr, "could not resolve endpoint")
+		strings.Contains(errStr, "could not resolve endpoint") ||
+		strings.Contains(errStr, "InvalidAction") ||
+		strings.Contains(errStr, "UnknownOperationException") ||
+		strings.Contains(errStr, "Unknown operation") ||
+		strings.Contains(errStr, "Unknown Operation")
 }
 
 func toInterfaceMap(m map[string]string) map[string]any {