chore: resolve comments

prowler/providers/aws/services/bedrock/bedrock_prompt_encrypted_with_cmk/bedrock_prompt_encrypted_with_cmk.metadata.json

@@ -1,7 +1,7 @@
 {
   "Provider": "aws",
   "CheckID": "bedrock_prompt_encrypted_with_cmk",
-  "CheckTitle": "Bedrock prompt is encrypted at rest with a customer-managed KMS key",
+  "CheckTitle": "Amazon Bedrock prompt is encrypted at rest with a customer-managed KMS key",
   "CheckType": [
     "Software and Configuration Checks/AWS Security Best Practices"
   ],
@@ -36,6 +36,8 @@
     "encryption"
   ],
   "DependsOn": [],
-  "RelatedTo": [],
+  "RelatedTo": [
+    "bedrock_prompt_management_exists"
+  ],
   "Notes": ""
 }

prowler/providers/aws/services/bedrock/bedrock_prompt_management_exists/bedrock_prompt_management_exists.metadata.json

@@ -34,6 +34,8 @@
     "gen-ai"
   ],
   "DependsOn": [],
-  "RelatedTo": [],
+  "RelatedTo": [
+    "bedrock_prompt_encrypted_with_cmk"
+  ],
   "Notes": "Results are generated per scanned region. Regions where `ListPrompts` cannot be queried are omitted from the findings."
 }

prowler/providers/aws/services/bedrock/bedrock_service.py

@@ -175,23 +175,22 @@ class BedrockAgent(AWSService):
             )
 
     def _list_prompts(self, regional_client):
-        """List all prompts in a region.
-
-        Prompt Management is evaluated as a region-level adoption signal, so
-        prompt collection is intentionally not filtered by audit_resources.
-        """
+        """List all prompts in a region."""
         logger.info("Bedrock Agent - Listing Prompts...")
         try:
             paginator = regional_client.get_paginator("list_prompts")
             for page in paginator.paginate():
                 for prompt in page.get("promptSummaries", []):
                     prompt_arn = prompt.get("arn", "")
-                    self.prompts[prompt_arn] = Prompt(
-                        id=prompt.get("id", ""),
-                        name=prompt.get("name", ""),
-                        arn=prompt_arn,
-                        region=regional_client.region,
-                    )
+                    if not self.audit_resources or (
+                        is_resource_filtered(prompt_arn, self.audit_resources)
+                    ):
+                        self.prompts[prompt_arn] = Prompt(
+                            id=prompt.get("id", ""),
+                            name=prompt.get("name", ""),
+                            arn=prompt_arn,
+                            region=regional_client.region,
+                        )
             self.prompt_scanned_regions.add(regional_client.region)
         except Exception as error:
             logger.error(

tests/providers/aws/services/bedrock/bedrock_service_test.py

@@ -406,12 +406,14 @@ class TestBedrockPromptPagination:
         regional_client.get_paginator.assert_called_once_with("list_prompts")
         paginator.paginate.assert_called_once()
 
-    def test_list_prompts_ignores_audit_resources_filter(self):
-        """Prompt collection is region-scoped and must ignore audit_resources."""
+    def test_list_prompts_filters_audit_resources(self):
+        """Prompt collection must honor audit_resources when resource ARNs are scoped."""
         audit_info = MagicMock()
         audit_info.audited_partition = "aws"
         audit_info.audited_account = "123456789012"
-        audit_info.audit_resources = ["arn:aws:s3:::unrelated-resource"]
+        audit_info.audit_resources = [
+            "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1"
+        ]
 
         regional_client = MagicMock()
         regional_client.region = "us-east-1"
@@ -424,7 +426,12 @@ class TestBedrockPromptPagination:
                         "id": "prompt-1",
                         "name": "prompt-name-1",
                         "arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1",
-                    }
+                    },
+                    {
+                        "id": "prompt-2",
+                        "name": "prompt-name-2",
+                        "arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-2",
+                    },
                 ]
             }
         ]
@@ -438,6 +445,14 @@ class TestBedrockPromptPagination:
         bedrock_agent_service._list_prompts(regional_client)
 
         assert len(bedrock_agent_service.prompts) == 1
+        assert (
+            "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-1"
+            in bedrock_agent_service.prompts
+        )
+        assert (
+            "arn:aws:bedrock:us-east-1:123456789012:prompt/prompt-2"
+            not in bedrock_agent_service.prompts
+        )
         assert "us-east-1" in bedrock_agent_service.prompt_scanned_regions
 
     def test_list_prompts_error_does_not_mark_region_scanned(self):