From df7c2dc2558a742f86ef3d81e037ced9fae1782a Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 22:01:51 +0500 Subject: [PATCH 1/3] Bedrock Model Invocation Logging Enabled --- exports.js | 2 + .../bedrock/modelInvocationLoggingEnabled.js | 45 ++++++++++++++ .../modelInvocationLoggingEnabled.spec.js | 61 +++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 plugins/aws/bedrock/modelInvocationLoggingEnabled.js create mode 100644 plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..4cd15f6182 100644 --- a/exports.js +++ b/exports.js @@ -52,6 +52,8 @@ module.exports = { 'workgroupEncrypted' : require(__dirname + '/plugins/aws/athena/workgroupEncrypted.js'), 'workgroupEnforceConfiguration' : require(__dirname + '/plugins/aws/athena/workgroupEnforceConfiguration.js'), + 'modelInvocationLoggingEnabled' :require(__dirname + '/plugins/aws/bedrock/modelInvocationLoggingEnabled.js'), + 'infraConfigNotificationEnabled': require(__dirname + '/plugins/aws/imagebuilder/infraConfigNotificationEnabled.js'), 'publicS3Origin' : require(__dirname + '/plugins/aws/cloudfront/publicS3Origin.js'), 'secureOrigin' : require(__dirname + '/plugins/aws/cloudfront/secureOrigin.js'), diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js new file mode 100644 index 0000000000..7025578be7 --- /dev/null +++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js 
@@ -0,0 +1,45 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+ title: 'Bedrock Model Invocation Logging Enabled',
+ category: 'BedRock',
+ domain: 'Machine Learning',
+ description: 'Ensure that Amazon Bedrock model invocation logging is enabled.',
+ more_info: 'With invocation logging enabled, you can collect the full request data, response data, and metadata associated with all calls performed in account. This detailed logging provides valuable insights into model usage patterns, helps in troubleshooting, and enhances security by allowing for thorough analysis of model interactions. It also facilitates compliance with auditing requirements, offering a comprehensive record of model invocations.',
+ recommended_action: 'Enable invocation logging for Amazon Bedrock models.',
+ link: 'https://docs.aws.amazon.com/bedrock/latest/userguide/settings.html#model-invocation-logging',
+ apis: ['Bedrock:getModelInvocationLoggingConfiguration'],
+
+ run: function(cache, settings, callback) {
+ var results = [];
+ var source = {};
+ var regions = helpers.regions(settings);
+
+ async.each(regions.bedrock, function(region, rcb){
+ var invocationLoggingConfiguration = helpers.addSource(cache, source,
+ ['bedrock', 'getModelInvocationLoggingConfiguration', region]);
+
+ if (!invocationLoggingConfiguration) return rcb();
+
+ if (invocationLoggingConfiguration.err && invocationLoggingConfiguration.err.message.includes('This service may not be available in')) {
+ helpers.addResult(results, 0, 'Bedrock service is not available in this region', region);
+ return rcb();
+ } else if (invocationLoggingConfiguration.err ) {
+ helpers.addResult(results, 3,
+ `Unable to query for Invocation Logging Configuration: ${helpers.addError(invocationLoggingConfiguration)}`, region);
+ return rcb();
+ }
+
+ if (!invocationLoggingConfiguration.data) {
+ helpers.addResult(results, 2, 'Invocation logging is not enabled for bedrock models', region);
+ } else {
+ helpers.addResult(results, 0, 'Invocation logging is enabled for bedrock models', region);
+ }
+
+ rcb();
+ }, function(){
+ callback(null, results, source);
+ });
+ }
+};
diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js
new file mode 100644
index 0000000000..6468498532
--- /dev/null
+++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.spec.js
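Review bot: The PASS branch at `if (!invocationLoggingConfiguration.data)` only tests that the cached response is truthy; it never looks at `loggingConfig`, its destination, or the delivery flags. Going by the fixture in this patch's spec file, `data` is the whole response (`{ loggingConfig: { ... } }`), so a response without `loggingConfig`, or one where `textDataDeliveryEnabled`, `imageDataDeliveryEnabled` and `embeddingDataDeliveryEnabled` are all false, would presumably still be reported as logging enabled; please confirm what the collector stores when logging is not configured. I would read `var loggingConfig = invocationLoggingConfiguration.data && invocationLoggingConfiguration.data.loggingConfig;` and fail on `if (!loggingConfig) {`, then decide whether a missing destination or all-false delivery flags should fail as well. The hunk for modelInvocationLoggingEnabled.spec.js has the same gap: its FAIL case only covers `data` being undefined.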
@@ -0,0 +1,61 @@
+var expect = require('chai').expect;
+var modelInvocationLoggingEnabled = require('./modelInvocationLoggingEnabled');
+
+const invocationLoggingConfiguration = {
+ "loggingConfig": {
+ "s3Config": {
+ "bucketName": "bedrockbuckettest",
+ "keyPrefix": ""
+ },
+ "textDataDeliveryEnabled": true,
+ "imageDataDeliveryEnabled": true,
+ "embeddingDataDeliveryEnabled": true
+ }
+}
+
+const createCache = (invocationLoggingConfiguration, invocationLoggingConfigurationErr) => {
+ return {
+ bedrock: {
+ getModelInvocationLoggingConfiguration: {
+ 'us-east-1': {
+ err: invocationLoggingConfigurationErr,
+ data: invocationLoggingConfiguration
+ },
+ },
+ }
+ };
+};
+
+describe('modelInvocationLoggingEnabled', function () {
+ describe('run', function () {
+ it('should PASS if model invocation logging is enabled for bedrock models', function (done) {
+ const cache = createCache(invocationLoggingConfiguration);
+ modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].region).to.equal('us-east-1');
+ done();
+ });
+ });
+
+ it('should FAIL if model invocation logging is disabled for bedrock models', function (done) {
+ const cache = createCache();
+ modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].region).to.equal('us-east-1');
+ done();
+ });
+ });
+
+ it('should UNKNOWN if unable to query for model invocation logging', function (done) {
+ const cache = createCache(null, { message: "Unable to list model invocation logging config"});
+ modelInvocationLoggingEnabled.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].region).to.equal('us-east-1');
+ done();
+ });
+ });
+ });
+})
\ No newline at end of file
From 4978726f0c2161755b8af64304fdaab0b99f4ada Mon Sep 17 00:00:00 2001 From: fatima99s Date: Mon, 4 Dec 2023 23:22:53 +0500 Subject: [PATCH 2/3] resolve issue --- plugins/aws/bedrock/modelInvocationLoggingEnabled.js | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js index 7025578be7..216dfb05c0 100644 --- a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js +++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js @@ -22,15 +22,13 @@ module.exports = { if (!invocationLoggingConfiguration) return rcb(); - if (invocationLoggingConfiguration.err && invocationLoggingConfiguration.err.message.includes('This service may not be available in')) { - helpers.addResult(results, 0, 'Bedrock service is not available in this region', region); - return rcb(); - } else if (invocationLoggingConfiguration.err ) { + if (invocationLoggingConfiguration.err) { helpers.addResult(results, 3, - `Unable to query for Invocation Logging Configuration: ${helpers.addError(invocationLoggingConfiguration)}`, region); - return rcb(); + `Unable to query for Bedrock custom model list: ${helpers.addError(invocationLoggingConfiguration)}`, region); + return rcb(); } + if (!invocationLoggingConfiguration.data) { helpers.addResult(results, 2, 'Invocation logging is not enabled for bedrock models', region); } else { From 2f01b514ac59b019ea40ce2aaa043f6400de0031 Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Tue, 5 Dec 2023 20:09:08 +0500 Subject: [PATCH 3/3] Update plugins/aws/bedrock/modelInvocationLoggingEnabled.js --- plugins/aws/bedrock/modelInvocationLoggingEnabled.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js index 216dfb05c0..978c2e90f3 100644 
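Review bot: The UNKNOWN message in the new `if (invocationLoggingConfiguration.err)` branch now reads `Unable to query for Bedrock custom model list`, but the only API this plugin declares is `Bedrock:getModelInvocationLoggingConfiguration`. The text looks carried over from another plugin and will point whoever triages the result at the wrong call; I would restore the prefix `Unable to query for Invocation Logging Configuration:`. Removing the 'This service may not be available in' branch also means such regions now report UNKNOWN instead of PASS, which seems the more cautious outcome but is not mentioned in the commit message. The enclosing `run` function starts and ends outside this hunk.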
--- a/plugins/aws/bedrock/modelInvocationLoggingEnabled.js +++ b/plugins/aws/bedrock/modelInvocationLoggingEnabled.js @@ -3,7 +3,7 @@ var helpers = require('../../../helpers/aws'); module.exports = { title: 'Bedrock Model Invocation Logging Enabled', - category: 'BedRock', + category: 'Amazon Bedrock', domain: 'Machine Learning', description: 'Ensure that Amazon Bedrock model invocation logging is enabled.', more_info: 'With invocation logging enabled, you can collect the full request data, response data, and metadata associated with all calls performed in account. This detailed logging provides valuable insights into model usage patterns, helps in troubleshooting, and enhances security by allowing for thorough analysis of model interactions. It also facilitates compliance with auditing requirements, offering a comprehensive record of model invocations.',