Merge pull request #1788 from fatima99s/modelInvocationloggingenabled

Model invocationloggingenabled

exports.js

@@ -52,6 +52,7 @@ module.exports = {
         'workgroupEncrypted'            : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'),
         'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'),
 
+        'modelInvocationLoggingEnabled' :require(__dirname + '/plugins/aws/bedrock/modelInvocationLoggingEnabled.js'),
         'customModelEncrypted'          :require(__dirname + '/plugins/aws/bedrock/customModelEncryptionEnabled.js'),
 
         'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'),

plugins/aws/bedrock/modelInvocationLoggingEnabled.js

@@ -0,0 +1,43 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+    title: 'Bedrock Model Invocation Logging Enabled',
+    category: 'Amazon Bedrock',
+    domain: 'Machine Learning',
+    description: 'Ensure that Amazon Bedrock model invocation logging is enabled.',
+    more_info: 'With invocation logging enabled, you can collect the full request data, response data, and metadata associated with all calls performed in account. This detailed logging provides valuable insights into model usage patterns, helps in troubleshooting, and enhances security by allowing for thorough analysis of model interactions. It also facilitates compliance with auditing requirements, offering a comprehensive record of model invocations.',
+    recommended_action: 'Enable invocation logging for Amazon Bedrock models.',
+    link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/settings.html#model-invocation-logging',
+    apis: ['Bedrock:getModelInvocationLoggingConfiguration'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var regions = helpers.regions(settings);
+
+        async.each(regions.bedrock, function(region, rcb){
+            var invocationLoggingConfiguration = helpers.addSource(cache, source,
+                ['bedrock', 'getModelInvocationLoggingConfiguration', region]);
+
+            if (!invocationLoggingConfiguration) return rcb();
+
+            if (invocationLoggingConfiguration.err) {
+                helpers.addResult(results, 3,
+                    `Unable to query for Bedrock custom model list: ${helpers.addError(invocationLoggingConfiguration)}`, region);
+                return rcb();
+            }
+
+
+            if (!invocationLoggingConfiguration.data) {
+                helpers.addResult(results, 2, 'Invocation logging is not enabled for bedrock models', region);
+            } else {
+                helpers.addResult(results, 0, 'Invocation logging is enabled for bedrock models', region);
+            }
+
+            rcb();
+        }, function(){
+            callback(null, results, source);
+        });
+    }
+};

plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js

@@ -0,0 +1,61 @@
+var expect = require('chai').expect;
+var modelInvocationLoggingEnabled = require('./modelInvocationLoggingEnabled');
+
+const invocationLoggingConfiguration = {
+    "loggingConfig": {
+        "s3Config": {
+            "bucketName": "bedrockbuckettest",
+            "keyPrefix": ""
+        },
+        "textDataDeliveryEnabled": true,
+        "imageDataDeliveryEnabled": true,
+        "embeddingDataDeliveryEnabled": true
+    }
+}
+
+const createCache = (invocationLoggingConfiguration, invocationLoggingConfigurationErr) => {
+    return {
+        bedrock: {
+            getModelInvocationLoggingConfiguration: {
+                'us-east-1': {
+                    err: invocationLoggingConfigurationErr,
+                    data: invocationLoggingConfiguration
+                },
+            },
+        }
+    };
+};
+
+describe('modelInvocationLoggingEnabled', function () {
+    describe('run', function () {
+        it('should PASS if model invocation logging is enabled for bedrock models', function (done) {
+            const cache = createCache(invocationLoggingConfiguration);
+            modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should FAIL if model invocation logging is disabled for bedrock models', function (done) {
+            const cache = createCache();
+            modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+
+        it('should UNKNOWN if unable to query for model invocation logging', function (done) {
+            const cache = createCache(null, { message: "Unable to list model invocation logging config"});
+            modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].region).to.equal('us-east-1');
+                done();
+            });
+        });
+     });
+})