feat: enable Amazon Bedrock AgentCore services

Add bedrock-agent, bedrock-agent-runtime, and bedrock-agentcore to SCP
allowlist to enable sandbox users to deploy and manage Bedrock agents.

Upgrade aws-nuke from v3.60.1 to v3.62.0 which adds support for cleaning
up bedrock-agentcore resources during sandbox cleanup.

Author: marcpeiser

source/infrastructure/lib/components/account-cleaner/Dockerfile

@@ -2,7 +2,7 @@ FROM public.ecr.aws/amazonlinux/amazonlinux:2023-minimal@sha256:181f434838407aab
 
 RUN dnf install -y tar gzip awscli jq sed
 
-ADD https://github.com/ekristen/aws-nuke/releases/download/v3.60.1/aws-nuke-v3.60.1-linux-amd64.tar.gz nuke-binary.tar.gz
+ADD https://github.com/ekristen/aws-nuke/releases/download/v3.62.0/aws-nuke-v3.62.0-linux-amd64.tar.gz nuke-binary.tar.gz
 
 RUN mkdir /tmp/aws-nuke && \
     tar -xzvf nuke-binary.tar.gz -C /tmp/aws-nuke && \

source/infrastructure/lib/components/config/nuke-config.yaml

@@ -44,6 +44,7 @@ resource-types:
     - S3Object # Let the S3Bucket delete all Objects instead of individual objects (optimization)
     - ConfigServiceConfigurationRecorder
     - ConfigServiceDeliveryChannel
+    - BedrockAgentCoreWorkloadIdentity # Cannot be deleted directly - deleted when parent AgentRuntime is deleted
 blocklist:
   - "%HUB_ACCOUNT_ID%" # placeholder HUB_ACCOUNT_ID will be dynamically replaced during CodeBuild execution
 accounts:

source/infrastructure/lib/components/service-control-policies/isb-aws-nuke-supported-services-scp.json

@@ -23,6 +23,9 @@
         "backup:*",
         "batch:*",
         "bedrock:*",
+        "bedrock-agent:*",
+        "bedrock-agent-runtime:*",
+        "bedrock-agentcore:*",
         "budgets:*",
         "cloud9:*",
         "clouddirectory:*",