aws-prevention v5.2.0 - AWS Bedrock prevention objectives and examples

May 06, 2026 · Guardrails Mods

Bug fixes

  • Fixed SCP allow boundary discovery incorrectly flagging every AWS service as blocked on organizational units that have FullAWSAccess plus deny-only SCPs attached. The discovery control was dropping AWS-managed SCPs (including FullAWSAccess) from its input query, so the FullAWSAccess-aware code paths never ran and every such OU fell into the restrictive-boundary path.
  • Fixed SCP allow boundary prevention discovery so it updates correctly when SCPs are attached to, modified on, or detached from an organizational unit, account, or organization root. Also fixed prevention discovery for EC2 account attributes, IAM password policy, S3 public access, SCP deny, RCP deny, and SCP allow boundary so that existing preventions are removed when the underlying AWS configuration is cleared.
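The first fix is easiest to see with a small model of allow-boundary discovery. This is an added example, not the Guardrails mod's own code: the SCP documents and service list are constructed, evaluation is simplified to the service-prefix level at a single OU, and dropping AWS-managed SCPs from the input reproduces the pre-5.2.0 behaviour where a deny-only OU reports every service as blocked.

```python
"""Simplified SCP allow-boundary discovery for one OU (added illustration)."""
from typing import Iterable

# Constructed sample policies. FULL_AWS_ACCESS mirrors the shape of the
# AWS-managed policy; DENY_ONLY is a hypothetical customer deny-only SCP.
FULL_AWS_ACCESS = {
    "Name": "FullAWSAccess", "AwsManaged": True,
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_ONLY = {
    "Name": "DenyBedrockAndNotebooks", "AwsManaged": False,
    "Statement": [{"Effect": "Deny", "Resource": "*",
                   "Action": ["bedrock:*", "sagemaker:CreateNotebookInstance"]}],
}
# Constructed subset of service prefixes the discovery would inspect.
KNOWN_SERVICES = ["bedrock", "ec2", "iam", "s3", "sagemaker"]


def _actions(stmt: dict) -> list[str]:
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _covers_whole_service(action: str, service: str) -> bool:
    # "*" or "<service>:*" covers every action of the service; an
    # action-level entry such as sagemaker:CreateNotebookInstance does not.
    return action == "*" or action == f"{service}:*"


def allowed_services(scps: Iterable[dict],
                     services: Iterable[str] = KNOWN_SERVICES) -> set[str]:
    """Services usable under the SCPs attached at this single OU level."""
    allowed, denied = set(), set()
    for scp in scps:
        for stmt in scp["Statement"]:
            for svc in services:
                if any(_covers_whole_service(a, svc) for a in _actions(stmt)):
                    (allowed if stmt["Effect"] == "Allow" else denied).add(svc)
    return allowed - denied


def blocked_services(scps: Iterable[dict], include_aws_managed: bool) -> set[str]:
    """Discovery output. include_aws_managed=False reproduces the old bug:
    with FullAWSAccess filtered out, no Allow statement remains, so every
    service is reported as blocked even though only bedrock is denied."""
    kept = [p for p in scps if include_aws_managed or not p["AwsManaged"]]
    return set(KNOWN_SERVICES) - allowed_services(kept)
```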

Prevention Objectives

Added

  • Enforce VPC endpoint for AWS Bedrock invocations
  • Enforce approved foundation models for AWS Bedrock
  • Restrict AWS Bedrock Marketplace model endpoints to approved vendors
  • Restrict AWS Bedrock agent action groups to approved sources
  • Restrict AWS Bedrock third-party knowledge bases to approved secret ARNs

Prevention Examples

Added

  • Enforce approved foundation models for AWS Bedrock agents
  • Require VPC endpoint for AWS Bedrock invocations
  • Require approved foundation models for AWS Bedrock invocations
  • Restrict AWS Bedrock Marketplace model endpoints
  • Restrict AWS Bedrock agent action groups to approved sources
  • Restrict AWS Bedrock third-party knowledge base integrations to approved secret ARNs