add CDK nag for fmops

modules/fmops/sagemaker-jumpstart-fm-endpoint/index.ts

@@ -1,5 +1,6 @@
 import "source-map-support/register";
 import * as cdk from "aws-cdk-lib";
+import * as cdk_nag from "cdk-nag";
 import { SagemakerJumpStartFmEndpointStack } from "./lib/sagemaker-jumpstart-fm-endpoint-stack";
 
 const account = process.env.CDK_DEFAULT_ACCOUNT;
@@ -35,4 +36,6 @@ new cdk.CfnOutput(stack, "metadata", {
   }),
 });
 
+cdk.Aspects.of(app).add(new cdk_nag.AwsSolutionsChecks({ logIgnores: true }));
+
 app.synth();

modules/fmops/sagemaker-jumpstart-fm-endpoint/lib/sagemaker-jumpstart-fm-endpoint-stack.ts

@@ -8,6 +8,7 @@ import {
   SageMakerInstanceType,
   JumpStartSageMakerEndpoint,
 } from "@cdklabs/generative-ai-cdk-constructs";
+import * as cdk_nag from "cdk-nag";
 
 interface SagemakerJumpStartFmEndpointStackProps extends cdk.StackProps {
   projectName?: string;
@@ -91,5 +92,12 @@ export class SagemakerJumpStartFmEndpointStack extends cdk.Stack {
       role: this.role,
       vpcConfig: vpcConfig,
     });
+
+    cdk_nag.NagSuppressions.addResourceSuppressions(this.role, [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Resource access restriced to S3 buckets (with a prefix) and ECR images",
+      },
+    ]);
   }
 }

modules/fmops/sagemaker-jumpstart-fm-endpoint/package.json

@@ -18,6 +18,7 @@
     "@types/jest": "^29.5.5",
     "@types/node": "20.7.1",
     "aws-cdk": "2.130.0",
+    "cdk-nag": "^2.28.55",
     "cypress": "^13.6.1",
     "jest": "^29.7.0",
     "prettier": "^3.1.1",