Checks/Aws/Test-BedrockModelInvocationLogsEncryptionEnabled.ps1
|
function Test-BedrockModelInvocationLogsEncryptionEnabled { <# .SYNOPSIS Amazon Bedrock model invocation logs are encrypted in the S3 bucket and KMS-encrypted in the CloudWatch log group .DESCRIPTION **Bedrock model invocation logs** are stored in encrypted destinations: **S3 buckets** with bucket encryption and **CloudWatch Logs** groups protected by an AWS KMS key. This evaluates whether configured log targets enforce encryption at rest for request/response content and associated metadata. .PARAMETER Check CIEMCheck object containing check metadata. #> [CmdletBinding()] [OutputType([PSCustomObject[]])] param( [Parameter(Mandatory)] [CIEMCheck]$Check ) $ErrorActionPreference = 'Stop' # TODO: Implement check logic based on Prowler check: bedrock_model_invocation_logs_encryption_enabled [CIEMScanResult]::Create($Check, 'MANUAL', 'This check requires manual implementation. See Prowler check bedrock_model_invocation_logs_encryption_enabled for reference.', 'N/A', 'bedrock Resources') } |