da298f7 to
1f2277d
Compare
…cess, aws.privateca resources

Add 5 new high-impact AWS services for security querying, covering GenAI governance, multi-account governance, security telemetry, zero-trust networking, and private PKI.

New resources (22 total):
- aws.bedrock: foundationModel, customModel, guardrail, modelInvocationLoggingConfiguration, provisionedModelThroughput
- aws.controltower: landingZone, enabledBaseline
- aws.securitylake: dataLake, subscriber
- aws.verifiedaccess: instance, trustProvider, group, endpoint, instanceLoggingConfiguration
- aws.privateca: certificateAuthority

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add IsServiceNotAvailableInRegionError handling to all four Verified Access methods so queries don't fail in unsupported regions.

Downgrade service-unavailable log messages from Warn to Debug across all new providers since these are expected and not actionable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Tim Smith <tsmith84@gmail.com>
Foundation models: query once from default region instead of all regions, since ListFoundationModels returns a global catalog.

Private CA tags: lazy-load via computed method to avoid N+1 ListTags calls during listing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add access-denied/service-unavailable handling to foundationModels()
- Guard Security Lake encryptionKmsKey() against non-ARN KMS key IDs
- Add access-denied handling to Verified Access loggingConfiguration()
- Add access-denied handling to Private CA tags() and policy()
- Replace double-conversion with enumSliceToAny for subscriber accessTypes
- Change endpoint securityGroupIds to typed securityGroups() references
- Optimize landing zone query to use default region instead of all-region scan
- Expose Region() on AwsConnection for default region access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
b7e8544 to
a7c7218
Compare
- Change enabledBaseline driftStatus from extracted string to full dict, surfacing all drift information instead of only Types.Inheritance.Status
- Use NewSecurityGroupArn helper instead of raw fmt.Sprintf for endpoint security group ARN construction

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…rces

Fix four bugs found during live verification of the new aws.bedrock, aws.verifiedaccess, aws.controltower, and aws.privateca resources:

- IsServiceNotAvailableInRegionError now catches InvalidAction (EC2 Verified Access in unsupported regions), UnknownOperationException and "Unknown operation" (Bedrock in unsupported regions)
- parseAwsTimestamp falls back to parsing timestamps without timezone suffix (e.g. "2026-04-09T05:40:04" from EC2 Verified Access), assuming UTC
- Control Tower APIs now handle the "AWSControlTowerAdmin" ValidationException gracefully when CT is not configured, returning empty results instead of erroring
- Add unit tests for all fixes (24 test cases across 4 new test files)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
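Two of the fixes named in the commit above, the unsupported-region error classification and the timezone-less timestamp fallback, sketched as an added example; this is not the PR's code. `apiError`, `fakeAPIError`, `isUnsupportedRegionErr` and `parseTimestampUTC` are hypothetical names, and `apiError` is a local stand-in for an SDK error that exposes an error code, so the block runs without the AWS SDK.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// apiError is an assumed stand-in for an SDK error carrying a service error code.
type apiError interface {
	error
	ErrorCode() string
}

// fakeAPIError is constructed sample data, not an SDK type.
type fakeAPIError struct{ code, msg string }

func (e fakeAPIError) Error() string     { return e.code + ": " + e.msg }
func (e fakeAPIError) ErrorCode() string { return e.code }

// isUnsupportedRegionErr matches only the codes and message the commit lists.
// Access-denied errors are deliberately not matched here: a permissions gap
// must not be reported as "service not offered in this region".
func isUnsupportedRegionErr(err error) bool {
	if err == nil {
		return false
	}
	var ae apiError
	if errors.As(err, &ae) { // also finds the code through %w wrapping
		switch ae.ErrorCode() {
		case "InvalidAction", "UnknownOperationException":
			return true
		}
	}
	return strings.Contains(err.Error(), "Unknown operation")
}

// parseTimestampUTC tries RFC 3339 first, then a zone-less layout read as UTC.
func parseTimestampUTC(s string) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339, s); err == nil {
		return t.UTC(), nil
	}
	t, err := time.ParseInLocation("2006-01-02T15:04:05", s, time.UTC)
	if err != nil {
		return time.Time{}, fmt.Errorf("unrecognized timestamp %q: %w", s, err)
	}
	return t, nil
}

func main() {
	t, _ := parseTimestampUTC("2026-04-09T05:40:04") // sample value from the commit message
	fmt.Println(t, isUnsupportedRegionErr(fakeAPIError{"InvalidAction", "constructed"}))
}
```
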
Summary

aws.bedrock, aws.controltower, aws.securitylake, aws.verifiedaccess, aws.privateca

Test plan

- make providers/build/aws && make providers/install/aws
- mql run aws -c "aws.bedrock.foundationModels { modelId modelName providerName }"
- mql run aws -c "aws.bedrock.guardrails { name status }"
- mql run aws -c "aws.bedrock.modelInvocationLoggingConfigurations { region textDataDeliveryEnabled }"
- mql run aws -c "aws.privateca.certificateAuthorities { arn status type }"
- mql run aws -c "aws.verifiedaccess.instances { verifiedAccessInstanceId fipsEnabled }"
- mql run aws -c "aws.verifiedaccess.trustProviders { verifiedAccessTrustProviderId trustProviderType }"
- mql run aws -c "aws.controltower.landingZones { arn status }"
- mql run aws -c "aws.securitylake.dataLakes { dataLakeArn region createStatus }"

🤖 Generated with Claude Code