
feat(aws): add bedrock_prompt_have_multiple_variants security check#10905

Draft
danibarranqueroo wants to merge 1 commit into master from feat/prowler-636-bedrock-prompt-have-multiple-variants

Conversation

@danibarranqueroo (Member)

Context

A Bedrock prompt configured with only a single variant creates a single point of failure in AI/ML pipelines — if the underlying model experiences degradation or outage, there is no fallback available. Additionally, without multiple variants, teams cannot perform A/B testing to compare prompt performance across different models, templates, or inference parameters, limiting their ability to optimize prompt quality and resilience.

Description

This check evaluates each Amazon Bedrock prompt to verify it has more than one variant configured. A prompt with two or more variants receives a PASS status, while a prompt with zero or one variant receives a FAIL. The recommended remediation is to add additional variants to each prompt using different models or configurations, enabling A/B testing and ensuring fallback options are available in case of model degradation.

Steps to review

  1. Review the check implementation at prowler/providers/aws/services/bedrock/bedrock_prompt_have_multiple_variants/
  2. Review the metadata file for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/aws/ to ensure the check is correctly mapped to relevant requirements
  4. Run the check tests: poetry run pytest tests/providers/aws/services/bedrock/bedrock_prompt_have_multiple_variants/ -v
  5. Run the check against a real environment (if possible):
    prowler aws --check bedrock_prompt_have_multiple_variants

Related Issues

https://prowlerpro.atlassian.net/browse/PROWLER-636

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? Please review this carefully.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
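A stand-alone model of the PASS/FAIL logic described above, added here as an example and not the PR's own check code: the Prowler report class is replaced by a small dataclass, and the prompt dictionaries are constructed to mimic bedrock-agent GetPrompt responses (assumed field names `id`, `name`, `variants`, `modelId`). It also covers the zero-variant and missing-`variants` edge cases.

```python
from dataclasses import dataclass, field


@dataclass
class PromptFinding:
    """Minimal stand-in for a Prowler AWS check report (assumed shape)."""
    prompt_id: str
    status: str            # "PASS" or "FAIL"
    status_extended: str
    models: list[str] = field(default_factory=list)


def evaluate_prompt(prompt: dict) -> PromptFinding:
    """PASS when a prompt has two or more variants, FAIL on zero or one.

    `prompt` is shaped like a bedrock-agent GetPrompt response (assumed);
    a missing or null 'variants' key counts as zero variants, i.e. FAIL.
    """
    variants = prompt.get("variants") or []
    models = sorted({v.get("modelId", "<unknown>") for v in variants})
    name = prompt.get("name") or prompt["id"]
    count = len(variants)
    if count >= 2:
        detail = f"Bedrock prompt {name} has {count} variants ({', '.join(models)})."
        return PromptFinding(prompt["id"], "PASS", detail, models)
    detail = (f"Bedrock prompt {name} has {count} variant(s); add another "
              "variant with a different model or configuration for fallback.")
    return PromptFinding(prompt["id"], "FAIL", detail, models)


def run_check(prompts: list[dict]) -> list[PromptFinding]:
    """Evaluate every prompt, mirroring a check's execute() loop."""
    return [evaluate_prompt(p) for p in prompts]


# Constructed sample data (not real AWS output); model ids are placeholders.
SAMPLE_PROMPTS = [
    {"id": "PROMPT0001", "name": "summarize-ticket",
     "variants": [{"name": "variant-a", "modelId": "example-model-a"},
                  {"name": "variant-b", "modelId": "example-model-b"}]},
    {"id": "PROMPT0002", "name": "classify-email",
     "variants": [{"name": "only-one", "modelId": "example-model-a"}]},
    {"id": "PROMPT0003", "name": "draft-reply", "variants": []},
]

if __name__ == "__main__":
    for finding in run_check(SAMPLE_PROMPTS):
        print(finding.status, finding.status_extended)
```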

@github-actions github-actions Bot added provider/aws Issues/PRs related with the AWS provider compliance Issues/PRs related with the Compliance Frameworks metadata-review labels Apr 28, 2026
Add new security check bedrock_prompt_have_multiple_variants for aws provider.
Includes check implementation, metadata, and unit tests.

github-actions Bot commented Apr 28, 2026

✅ All necessary CHANGELOG.md files have been updated.

@danibarranqueroo danibarranqueroo force-pushed the feat/prowler-636-bedrock-prompt-have-multiple-variants branch from 591ff3b to 2854a74 Compare April 28, 2026 08:27

github-actions Bot commented Apr 28, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions (Contributor)

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • bedrock_prompt_have_multiple_variants (aws): iso27001_2022_aws, kisa_isms_p_2023_aws, kisa_isms_p_2023_korean_aws, nist_csf_2.0_aws

Use the no-compliance-check label to skip this check.


codecov Bot commented Apr 28, 2026

Codecov Report

❌ Patch coverage is 95.34884% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 7.62%. Comparing base (e252058) to head (2854a74).

❗ There is a different number of reports uploaded between BASE (e252058) and HEAD (2854a74).

HEAD has 3 uploads less than BASE
Flag BASE (e252058) HEAD (2854a74)
prowler-py3.10-m365 1 0
prowler-py3.12-m365 1 0
prowler-py3.11-m365 1 0
@@             Coverage Diff             @@
##           master   #10905       +/-   ##
===========================================
- Coverage   88.14%    7.62%   -80.53%     
===========================================
  Files         131      849      +718     
  Lines        5542    24572    +19030     
===========================================
- Hits         4885     1873     -3012     
- Misses        657    22699    +22042     
Flag Coverage Δ
prowler-py3.10-aws 7.62% <95.34%> (?)
prowler-py3.10-m365 ?
prowler-py3.11-aws 7.62% <95.34%> (?)
prowler-py3.11-m365 ?
prowler-py3.12-aws 7.62% <95.34%> (?)
prowler-py3.12-m365 ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 7.62% <95.34%> (-80.53%) ⬇️
api ∅ <ø> (∅)


github-actions Bot commented Apr 28, 2026

🔒 Container Security Scan

Image: prowler:70e7bb9
Last scan: 2026-04-28 08:36:43 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

