Amazon Bedrock
Amazon Bedrock integration setup for Arnica
Arnica uses Amazon Bedrock to provide code fix suggestions for SAST and IaC findings. Unlike the direct OpenAI or Anthropic integrations, Bedrock runs in your own AWS account.
In Arnica, navigate to the Integrations page and click Connect next to Amazon Bedrock.
Select the AWS Region where your Bedrock models are available.
Recommended: IAM Role (CloudFormation)
We strongly recommend using an IAM Role instead of access keys. It is more secure (no long‑lived keys) and easier to manage.
If you have AWS access:
In the integration dialog, keep the IAM Role tab selected.
Click Deploy CloudFormation Template.
In the AWS Console, click Create Stack to deploy the template. Any region works because IAM roles are global.
After the stack finishes, open the Outputs tab.
Copy the
RoleArnvalue. You do not need to copy theExternalIdif you left it unchanged in Arnica.Back in Arnica, paste the
RoleArninto the Role ARN field (if you changed theExternal IDearlier, enter the updated value here).(Optional) Enter an alias to help you recognize the integration.
Click Validate, then OK.
If you do not have AWS access:
Copy the Direct template link and your External ID from the integration dialog:
Template URL:
https://arnica-integration-templates.s3.amazonaws.com/bedrock-integration-role.yamlExternal ID: use the value shown in Arnica. Keep this External ID so you can complete the integration later.
Ask your AWS administrator to deploy the template using that External ID (any region is fine) and to send you the
RoleArnfrom the stack's Outputs.When you receive the
RoleArn, paste it into the Role ARN field in Arnica. If your admin used a different External ID, update the External ID field to match.(Optional) Enter an alias, click Validate, then OK.
What permissions does the CloudFormation template grant?
The template creates an IAM role (ArnicaBedrockIntegrationRole) with the following permissions:
bedrock:ListFoundationModels
List models so Arnica can populate the model picker
bedrock:GetFoundationModel
Read model metadata
bedrock:ListInferenceProfiles
List inference profiles (cross-region)
bedrock:GetInferenceProfile
Read inference profile metadata
bedrock:InvokeModel
Call the selected model
bedrock:InvokeModelWithResponseStream
Call the selected model (streaming)
The role can only be assumed by Arnica's AWS account, and the External ID is required to prevent confused deputy attacks.
Alternative: Access Key (not recommended)
Only use this method if you cannot use the IAM Role approach above.
Create an IAM user with the following permissions:
In Arnica, switch to the Access Key tab, enter the Access Key ID and Secret Access Key, click Validate, then OK.
Model selection
After connecting, Arnica pulls the list of models available in your account and selects a default model. To switch models, go to the AI Model Configuration page in the Admin menu.
Most Bedrock models are accessible out of the box — you don't need to enable them one by one. If a model doesn't show up, see the Amazon Bedrock model access docs for any provider-specific or regional requirements.
Usage
Recommendations are generated on demand rather than automatically for every finding, so you only pay for what you use.
To request a recommendation, go to the Code Risks page and select a SAST or IaC finding. Click the AI icon in the top-right corner of the details pane. The icon spins while Arnica generates and validates the recommendation.
To generate an alternative recommendation, click the AI icon again.
Each recommendation includes a code example followed by an explanation, so the fix is clear for both developers and Arnica operators.
Last updated
Was this helpful?