Restructure use cases#1653

Status: Open. BharathiSrini wants to merge 7 commits into awslabs:main from BharathiSrini:restructure-use-cases

Conversation

BharathiSrini (Collaborator) commented Jun 11, 2026

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow an issue-first approach; please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review, please attach the review ready label to it. Only PRs with review ready will be reviewed.

Issue number:

Concise description of the PR

Restructures 02-use-cases/ into three category subfolders aligned with
the AgentCore GTM workload definitions, removes slimmer samples that
are not comprehensive enough, and moves identity pattern demos to the correct
location.

Folder restructure

  • 02-use-cases/01-conversational-agents/ — 11 samples (user-facing agents with streaming, user OAuth, session and long-term memory)
  • 02-use-cases/02-workflow-automation-agents/ — 4 samples (event-driven agents with service identity and stateless execution)
  • 02-use-cases/03-coding-assistants/ — 2 samples (developer tools with sandboxed execution and project-scoped memory)

Samples removed (9) — no blog post reference, actual AgentCore feature usage far below required count, or implementation did not meet the bar for a standalone use case:
gateway-schema-support-agent, slide-deck-generator-memory-agent, local-prototype-to-agentcore, role-based-hr-data-agent, A2A-realestate-agentcore-multiagents, cost-optimization-agent,
DB-performance-analyzer, farm-management-advisor

Samples moved to 01-features/05-authenticate-and-authorize/ (2) — these are identity pattern demos, not use cases:
auth0-multi-agent-obo, okta-auth-three-tier-end-to-end-demo

READMEs added/updated

  • New 02-use-cases/README.md with full category index and sample table
  • New category README for each subfolder, aligned with GTM workload definitions, no em-dashes
  • Updated 01-features/05-authenticate-and-authorize/README.md to include the two moved identity samples
  • Fixed all cross-folder relative links (LICENSE, LOCAL_DEVELOPMENT.md, AGENTCORE_DEPLOYMENT.md) broken by the restructure

User experience

Developers browsing the repo can now navigate directly to the agent type that matches their workload (conversational, automation, or coding) rather than scanning a flat list of 27 unorganised
samples. Each category README explains the workload definition, the recommended AgentCore service configuration, and which sample to start with. Samples that were retained are higher quality on
average — fewer misleading feature claims, no deprecated starter toolkit samples without a migration path.

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

Reorganizes all 27 use case samples into category subfolders aligned
with the AgentCore GTM workload definitions:

- 01-conversational-agents/ (19 samples): user-facing agents with
  streaming, user OAuth, and session/long-term memory
- 02-automation-agents/ (4 samples): event-driven agents with service
  identity and stateless execution
- 03-coding-assistants/ (3 samples): developer tools with sandboxed
  execution and project-scoped memory

Other changes:
- Moves okta-auth-three-tier-end-to-end-demo to
  01-features/05-authenticate-and-authorize (identity pattern, not a
  use case)
- Adds 02-use-cases/README.md with category index and sample table
- Adds category README for each subfolder, aligned with GTM definitions,
  no em-dashes
- Adds use-case-assessment.md with per-sample scoring, recommendations,
  and a starter toolkit migration list (18 of 27 samples need migrating)
- Fixes all cross-folder relative links broken by the restructure
  (LICENSE, LOCAL_DEVELOPMENT.md, AGENTCORE_DEPLOYMENT.md)
… demos

Reviewed all 19 conversational agent samples against actual AgentCore
feature usage, blog post references, and code quality. Removed 9 samples
that did not meet the bar and moved 2 identity-pattern demos to the
correct location.

Dropped from 01-conversational-agents/:
- gateway-schema-support-agent: misclassified coding agent, 82-line README,
  only 1 real feature, no blog post
- slide-deck-generator-memory-agent: narrow use case, no blog post,
  deprecated starter toolkit, 5 features
- local-prototype-to-agentcore: claimed 9 features, only 3 in code,
  tutorial format belongs in 01-tutorials/
- role-based-hr-data-agent: no blog post, deprecated starter toolkit,
  Cedar pattern needs full rebuild to be useful
- A2A-realestate-agentcore-multiagents: claimed 10 features, only 3 in
  code (Runtime, Cognito, A2A), no blog post
- cost-optimization-agent: only Runtime in code, notebook-driven, no
  blog post
- DB-performance-analyzer: only Gateway + Cognito in code, no blog post
- farm-management-advisor: notebook-only, mixed deprecated/native SDK,
  191-line README, no blog post

Moved to 01-features/05-authenticate-and-authorize/:
- auth0-multi-agent-obo: RFC 8693 OBO token exchange is an identity
  pattern, not a use case; sits alongside okta and entra OBO samples
- okta-auth-three-tier-end-to-end-demo: (previous commit)

Other changes:
- Rename 02-automation-agents/ to 02-workflow-automation-agents/
- Update use-case-assessment.md with DROPPED/MOVED entries for all
  removed samples
- Update all README counts and sample tables
- Add auth0-multi-agent-obo to identity README folder table and
  auth pattern quick reference
@review-notebook-app


Check out this pull request on ReviewNB

See visual diffs & provide feedback on Jupyter Notebooks.

BharathiSrini requested a review from mttanke, June 11, 2026 22:15
github-actions Bot added labels 02-use-cases, DB-performance-analyzer (02-use-cases/DB-performance-analyzer) and local-prototype-to-agentcore (02-use-cases/local-prototype-to-agentcore), Jun 11, 2026

github-actions Bot commented Jun 11, 2026

Latest scan for commit: 9314dfd | Updated: 2026-06-11 23:58:40 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-06-11T23:58:27+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner   S  C    H  M    L     I   Time    Action  Result   Thresh
bandit    0  58   0  0    1391  0   1m 5s   58      FAILED   MED (g)
cdk-nag   0  101  0  5    0     62  45.7s   106     FAILED   MED (g)
cfn-nag   0  7    0  69   0     0   38.4s   76      FAILED   MED (g)
checkov   4  86   0  0    0     0   38.7s   86      FAILED   MED (g)
detect…   0  86   0  0    0     0   40.1s   86      FAILED   MED (g)
grype     0  151  0  154  60    0   1m 12s  305     FAILED   MED (g)
npm-au…   0  0    0  0    0     0   5.0s    0       PASSED   MED (g)
opengr…   0  0    0  0    0     0   <1ms    0       SKIPPED  MED (g)
semgrep   0  0    0  0    0     0   <1ms    0       MISSING  MED (g)
syft      0  0    0  0    0     0   7.4s    0       PASSED   MED (g)

Detailed Findings

717 actionable findings:

Finding 1: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:286

Description:
Lambda functions should be deployed inside a VPC


Finding 2: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:439

Description:
Lambda functions should be deployed inside a VPC


Finding 3: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:286

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 4: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:439

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 5: CFN_NAG_W77

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W77
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:203

Description:
Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account


Finding 6: CFN_NAG_W77

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W77
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:219

Description:
Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account


Finding 7: CFN_NAG_W77

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W77
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/cognito.yaml:235

Description:
Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account


Finding 8: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:231

Description:
CodeBuild project should specify an EncryptionKey value


Finding 9: CFN_NAG_F38

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F38
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1466

Description:
IAM role should not allow * resource with PassRole action on its permissions policy


Finding 10: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:36

Description:
IAM role should not allow * resource on its permissions policy


Finding 11: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:186

Description:
IAM role should not allow * resource on its permissions policy


Finding 12: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:313

Description:
IAM role should not allow * resource on its permissions policy


Finding 13: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:504

Description:
IAM role should not allow * resource on its permissions policy


Finding 14: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1466

Description:
IAM role should not allow * resource on its permissions policy


Finding 15: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1212

Description:
IAM role should not allow * resource on its permissions policy


Finding 16: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1395

Description:
IAM role should not allow * resource on its permissions policy


Finding 17: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:362

Description:
Lambda functions should be deployed inside a VPC


Finding 18: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:591

Description:
Lambda functions should be deployed inside a VPC


Finding 19: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1542

Description:
Lambda functions should be deployed inside a VPC


Finding 20: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1272

Description:
Lambda functions should be deployed inside a VPC


Finding 21: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:362

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 22: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:591

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 23: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1542

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 24: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1272

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 25: CFN_NAG_W84

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W84
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:936

Description:
CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data


Finding 26: CFN_NAG_W84

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W84
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1688

Description:
CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data


Finding 27: CFN_NAG_W86

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W86
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:936

Description:
CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data


Finding 28: CFN_NAG_W86

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W86
  • Location: 02-use-cases/01-conversational-agents/A2A-multi-agent-incident-response/cloudformation/monitoring_agent.yaml:1688

Description:
CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data


Finding 29: CFN_NAG_F3

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F3
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template-zip.yaml:78

Description:
IAM role should not allow * action on its permissions policy


Finding 30: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template-zip.yaml:130

Description:
IAM role should not allow * resource on its permissions policy


Finding 31: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template-zip.yaml:245

Description:
Lambda functions should be deployed inside a VPC


Finding 32: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template-zip.yaml:78

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 33: CFN_NAG_F3

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F3
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template.yaml:79

Description:
IAM role should not allow * action on its permissions policy


Finding 34: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template.yaml:149

Description:
IAM role should not allow * resource on its permissions policy


Finding 35: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template.yaml:238

Description:
Lambda functions should be deployed inside a VPC


Finding 36: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/AWS-operations-agent/mcp-tool-lambda/mcp-tool-template.yaml:79

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 37: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:364

Description:
CodeBuild project should specify an EncryptionKey value


Finding 38: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:504

Description:
Lambda functions should be deployed inside a VPC


Finding 39: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:504

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 40: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:661

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 41: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:286

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 42: CFN_NAG_W35

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W35
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:65

Description:
S3 Bucket should have access logging configured


Finding 43: CFN_NAG_W40

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W40
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:120

Description:
Security Groups egress with an IpProtocol of -1 found


Finding 44: CFN_NAG_W5

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W5
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:120

Description:
Security Groups found with cidr open to world on egress


Finding 45: CFN_NAG_W9

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W9
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/aurora-postgres-stack.yaml:137

Description:
Security Groups found with ingress cidr that is not /32


Finding 46: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/cognito-stack.yaml:313

Description:
Lambda functions should be deployed inside a VPC


Finding 47: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/cognito-stack.yaml:464

Description:
Lambda functions should be deployed inside a VPC


Finding 48: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/cognito-stack.yaml:313

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 49: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/cognito-stack.yaml:464

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 50: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/dynamodb-stack.yaml:213

Description:
Lambda functions should be deployed inside a VPC


Finding 51: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/dynamodb-stack.yaml:213

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 52: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/dynamodb-stack.yaml:59

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 53: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/dynamodb-stack.yaml:116

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 54: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant-vpc/cloudformation/vpc-stack.yaml:134

Description:
IAM role should not allow * resource on its permissions policy


Finding 55: CFN_NAG_F78

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F78
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/cognito.yaml:41

Description:
AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'


Finding 56: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/cognito.yaml:197

Description:
Lambda functions should be deployed inside a VPC


Finding 57: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:54

Description:
IAM role should not allow * resource on its permissions policy


Finding 58: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:263

Description:
Lambda functions should be deployed inside a VPC


Finding 59: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:648

Description:
Lambda functions should be deployed inside a VPC


Finding 60: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:648

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 61: CFN_NAG_W68

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W68
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:406

Description:
AWS::ApiGateway::Deployment resources should be associated with an AWS::ApiGateway::UsagePlan.


Finding 62: CFN_NAG_W69

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W69
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:415

Description:
AWS::ApiGateway::Stage should have the AccessLogSetting property defined.


Finding 63: CFN_NAG_W64

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W64
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:415

Description:
AWS::ApiGateway::Stage resources should be associated with an AWS::ApiGateway::UsagePlan.


Finding 64: CFN_NAG_F78

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F78
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:461

Description:
AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'


Finding 65: CFN_NAG_F38

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F38
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:95

Description:
IAM role should not allow * resource with PassRole action on its permissions policy


Finding 66: CFN_NAG_F3

  • Severity: HIGH
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_F3
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:95

Description:
IAM role should not allow * action on its permissions policy


Finding 67: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:27

Description:
IAM role should not allow * resource on its permissions policy


Finding 68: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:95

Description:
IAM role should not allow * resource on its permissions policy


Finding 69: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:147

Description:
Lambda functions should be deployed inside a VPC


Finding 70: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:172

Description:
Lambda functions should be deployed inside a VPC


Finding 71: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:147

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 72: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:172

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions


Finding 73: CFN_NAG_W84

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W84
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:430

Description:
CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data


Finding 74: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:27

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 75: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:71

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 76: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 02-use-cases/01-conversational-agents/healthcare-appointment-agent/cloudformation/healthcare-cfn.yaml:95

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource


Finding 77: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:647-659

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

CustomerSupportLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Lambda function for Customer Support Assistant"
      Handler: lambda_function.lambda_handler
      Code:
        S3Bucket: !Ref LambdaS3Bucket
        S3Key: !Ref LambdaS3Key
      Role: !GetAtt CustomerSupportLambdaRole.Arn
      Runtime: python3.12
      PackageType: Zip
      Architectures:
        - x86_64

Finding 78: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:647-659

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

CustomerSupportLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Lambda function for Customer Support Assistant"
      Handler: lambda_function.lambda_handler
      Code:
        S3Bucket: !Ref LambdaS3Bucket
        S3Key: !Ref LambdaS3Key
      Role: !GetAtt CustomerSupportLambdaRole.Arn
      Runtime: python3.12
      PackageType: Zip
      Architectures:
        - x86_64

Finding 79: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: 02-use-cases/01-conversational-agents/customer-support-assistant/prerequisite/infrastructure.yaml:647-659

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

CustomerSupportLambda:
    Type: AWS::Lambda::Function
    Properties:
      Description: "Lambda function for Customer Support Assistant"
      Handler: lambda_function.lambda_handler
      Code:
        S3Bucket: !Ref LambdaS3Bucket
        S3Key: !Ref LambdaS3Key
      Role: !GetAtt CustomerSupportLambdaRole.Arn
      Runtime: python3.12
      PackageType: Zip
      Architectures:
        - x86_64

Samples moved one level deeper (into category subfolders) so
../../CONTRIBUTING.md no longer resolves to the repo root.
Updated to ../../../CONTRIBUTING.md in three files:
- 01-conversational-agents/customer-support-assistant/README.md
- 02-workflow-automation-agents/event-driven-claims-agent/README.md
- 03-coding-assistants/claude-code-gateway-mcp-server/README.md

AWS-operations-agent mcp-tool-template.yaml and mcp-tool-template-zip.yaml:
- Scope IAM wildcard resources to account/region-specific ARNs
  (lambda:InvokeFunction, iam:PassRole, s3:*, logs:*)
- Split S3 permissions into bucket-level and object-level statements
- Scope bedrock:InvokeModel to foundation-model ARN pattern
- Add KMS keys for Lambda env var encryption (CKV_AWS_173) and CloudWatch
  log group encryption (CKV_AWS_158)
- Add SQS dead letter queue and DeadLetterQueue config (CKV_AWS_116)
- Add ReservedConcurrentExecutions (CKV_AWS_115)
- Add checkov:skip for VPC (CKV_AWS_117) - demo function, VPC not required

customer-support-assistant cognito.yaml:
- Scope logs resource to account/region ARN prefix
- Scope cognito-idp:AdminAddUserToGroup to UserPool ARN
- Add SQS DLQ and DeadLetterConfig to PostSignupFunction (CKV_AWS_116)
- Add ReservedConcurrentExecutions (CKV_AWS_115)
- Add checkov:skip for VPC (CKV_AWS_117) - Cognito trigger, VPC not needed

customer-support-assistant infrastructure.yaml:
- Add KMS CMK and SSESpecification to WarrantyTable and CustomerProfileTable
  (CKV_AWS_119)
- Scope logs resource to account/region ARN prefix
- Add SQS DLQ and DeadLetterConfig to PopulateDataFunction (CKV_AWS_116)
- Add ReservedConcurrentExecutions (CKV_AWS_115)
- Add checkov:skip for VPC (CKV_AWS_117) - CFn custom resource, VPC not needed
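Findings 66 to 68 and 76 above flag the same pattern cfn-nag keeps hitting in healthcare-cfn.yaml (an Allow statement with `*` as Action or Resource, `iam:PassRole` on `*`, and an explicitly named role), and the remediation commits listed above describe the fix: scope wildcard resources to account- and region-specific ARNs. The script below is an added example, not code from the PR, from cfn-nag or from checkov. It re-implements those four rule checks in a simplified form over a constructed CloudFormation template in which `WeakRole` reproduces the flagged pattern and `ScopedRole` shows the scoped-down form; the account ID, region, role and function names are made up, and treating `iam:*` and `*` as granting PassRole is this example's simplification rather than cfn-nag's exact logic.

```python
"""Re-implementation of four cfn-nag IAM role checks (F3, F38, W11, W28).

Added example, not code from the PR or from cfn-nag/checkov. The template
below is constructed: "WeakRole" reproduces the wildcard pattern behind
Findings 66-68 and 76, "ScopedRole" shows the account/region-scoped ARNs the
remediation commits describe. Account ID, region, role and function names
are made up.
"""
import json

# CloudFormation accepts JSON, which the stdlib parser handles; the PR's
# templates are YAML with !Sub/!Ref tags and would need a custom loader.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WeakRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "healthcare-agent-role",
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}
          ]}}]
      }
    },
    "ScopedRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{"PolicyName": "inline", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": ["lambda:InvokeFunction"],
             "Resource": "arn:aws:lambda:us-east-1:111122223333:function:healthcare-*"},
            {"Effect": "Allow", "Action": ["iam:PassRole"],
             "Resource": "arn:aws:iam::111122223333:role/healthcare-agent-exec"}
          ]}}]
      }
    }
  }
}
""")


def _as_list(value):
    """IAM allows Action/Resource/Statement as a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _grants_pass_role(action):
    # Simplification: iam:PassRole, iam:* and * are treated as granting PassRole.
    return action.lower() in ("iam:passrole", "iam:*", "*")


def check_role(props):
    """Return the sorted rule IDs one AWS::IAM::Role's Properties trigger.

    F3  : Allow statement with Action "*"
    W11 : Allow statement with Resource "*"
    F38 : Allow statement granting PassRole on Resource "*"
    W28 : explicit RoleName (blocks replacement on update)
    Only inline Policies are inspected; attached managed policies are not.
    """
    hits = set()
    if "RoleName" in props:
        hits.add("W28")
    for policy in props.get("Policies", []):
        statements = policy.get("PolicyDocument", {}).get("Statement", [])
        for stmt in _as_list(statements):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            star_resource = "*" in _as_list(stmt.get("Resource", []))
            if "*" in actions:
                hits.add("F3")
            if star_resource:
                hits.add("W11")
                if any(_grants_pass_role(a) for a in actions):
                    hits.add("F38")
    return sorted(hits)


def scan_template(template):
    """Map each AWS::IAM::Role logical ID to the rule IDs it triggers."""
    return {
        name: check_role(res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
    }


if __name__ == "__main__":
    for role, hits in scan_template(TEMPLATE).items():
        print(f"{role}: {', '.join(hits) or 'clean'}")
```

Running it reports `WeakRole` with F3, F38, W11 and W28 and `ScopedRole` as clean. The point worth noticing is that `ScopedRole` passes not because PassRole was removed but because it is restricted to one role ARN, which is what the cfn-nag F38 description asks for; a Deny statement with `*` is deliberately ignored, since the rules concern what a role is allowed to do.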

@github-advanced-security github-advanced-security AI left a comment

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
