The 17 Amazon Bedrock security checks Black Cat runs
Black Cat SSPM evaluates 17 security policies against your Amazon Bedrock configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
autonomy
Review if code interpreter capability is necessary
Remove or restrict computer use and bash execution capabilities
Review custom orchestration logic for security implications
Review the supervisor's sub-agent delegation and scope
Block or restrict high-risk agents with scores above 70
data access
Review data exposure from multiple knowledge bases
Configure a customer-managed KMS key for the agent
Review if session memory is appropriate for this agent's data sensitivity
Reduce idle session TTL to 30 minutes or less
lifecycle
Investigate and fix the agent failure
Prepare the agent or delete if no longer needed
Review and update or delete agents with no recent updates
Reassign the agent to an active owner
permission
Apply least-privilege policies to the agent execution role
Remove cross-account resource references from the execution role
Attach a Bedrock Guardrail to this agent
Reduce the number of action groups to 3 or fewer