@cdklabs/cdk-validator-cfnguard
Project description
CDK CFN Guard Validator Plugin
---The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.
Installing
TypeScript/JavaScript
npm install @cdklabs/cdk-validator-cfnguard
Python
pip install cdklabs.cdk-validator-cfnguard
Java
// add this to your pom.xml
<dependency>
<groupId>io.github.cdklabs</groupId>
<artifactId>cdk-validator-cfnguard</artifactId>
<version>0.0.0</version> // replace with version
</dependency>
.NET
dotnet add package Cdklabs.CdkValidatorCfnGuard --version X.X.X
Usage
To use this plugin in your CDK application add it to the CDK App.
App(
policy_validation_beta1=[
CfnGuardValidator()
]
)
By default the CfnGuardValidator
plugin comes with the Control Tower
proactive
controls
enabled. In order to disable these rules you can use the
controlTowerRulesEnabled: false
property.
CfnGuardValidator(
control_tower_rules_enabled=False
)
It is also possible to disable individual rules.
CfnGuardValidator(
disabled_rules=["ct-s3-pr-1"
]
)
Additional rules
To provide additional rules to the plugin, provide a list of local file or directory paths.
CfnGuardValidator(
rules=["path/to/local-rules-directory", "path/to/s3/local-rules/my-rule.guard"
]
)
If the path provided is a directory then the directory must only contain guard rule files, and all rules within the directory will be used.
Using the bundled Control Tower proactive controls in CDK
The bundled Control Tower proactive controls use CloudFormation Guard policies that are also used in managed controls from the Control Tower service. You can use these CDK bundled controls without having a Control Tower environment in AWS, but there are many benefits to using the two together.
When you enable Control Tower proactive controls in your Control Tower environment, the controls can stop the deployment of non-compliant resources deployed via CloudFormation. For more information about managed proactive controls and how they work, see the Control Tower documentation.
These CDK bundled controls and managed Control Tower proactive controls are best used together. In this scenario you can configure this validation plugin with the same proactive controls that are active in your Control Tower cloud environment. You can then quickly gain confidence that your CDK application will pass the Control Tower controls by running cdk synth locally or in a pipeline as described above.
Regardless of whether you or your organization use Control Tower, however, you should understand the following things about these bundled controls when run locally using this plugin:
- These CloudFormation guard policies accept a limited subset of CloudFormation syntax for the properties they evaluate. For instance, a property called EncryptionEnabled may pass if it is specified with the literal value true, but it may fail if it is specified with a reference to a CloudFormation stack parameter instead. Similarly, if a rule checks for a string value, it may fail for Fn::Join objects. If you discover that a rule can be bypassed with a particular configuration of a resource, please file an issue.
- Some rules may check references to other resources, but this reference checking is limited. For instance, a rule may require that an access logging bucket is specified for each S3 bucket. In this case, the rule can check whether you have passed a reference to a bucket in the same template, but it cannot verify that a hardcoded bucket name like "examplebucket" actually refers to a real bucket or a bucket you own.
You can add a layer of security protection by enabling the same proactive controls in your Control Tower cloud environment. There are different considerations for using these controls since they operate in a different way. For more information, see the Control Tower proactive controls documentation.
If you do not yet have a Control Tower environment, see What is AWS Control Tower?.
Bundled Rules
Control Tower rule ID | Control Tower docs link | Description |
---|---|---|
CT.IAM.PR.2 | docs | This control checks whether AWS Identity and Access Management (IAM) customer managed policies do not include "Effect": "Allow" with "Action": "" over "Resource": ""." |
CT.EC2.PR.5 | docs | This control checks whether the Amazon EC2 network ACL inbound entry allows unrestricted incoming traffic (0.0.0.0/0 or ::/0) for SSH or RDP. |
CT.EC2.PR.7 | docs | This control checks whether your standalone Amazon EC2 EBS volumes and new Amazon EBS volumes created through EC2 instance Block Device Mappings are encrypted at rest. |
CT.RDS.PR.16 | docs | This control checks whether the storage encryption is configured on Amazon Relational Database Service (RDS) database (DB) clusters that are not being restored from an existing cluster. |
CT.S3.PR.1 | docs | This control checks whether your Amazon Simple Storage Service (Amazon S3) bucket has a bucket-level Block Public Access (BPA) configuration. |
CT.S3.PR.2 | docs | This control checks whether server access logging is enabled for your Amazon S3 bucket. |
CT.S3.PR.7 | docs | This control checks whether default server-side encryption is enabled on your Amazon S3 bucket. |
CT.S3.PR.8 | docs | This control checks whether Amazon S3 bucket policies require requests to use Secure Socket Layer (SSL). |
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cdklabs.cdk-validator-cfnguard-0.0.21.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | f487bf550c6ba7688f5aa88594271acd60cf43de1b4b0b0c0cb91b5cddacd2e0 |
|
MD5 | aa414f2fcea5584aca147f96348393a8 |
|
BLAKE2b-256 | 3417cf96f7bdf844ed590bc2fc5ab48da86197f915c07b096838ec636ba904c4 |
Hashes for cdklabs.cdk_validator_cfnguard-0.0.21-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d9408ec21ed0a241d591633a67c1c28a77b33d2c5354a76c8183091919b50f60 |
|
MD5 | 2841aac78ec7883042eb2fa0f384e647 |
|
BLAKE2b-256 | 11bb99b39290b611bf3f77c1debd851e2781c61adc2bfe5fbc9b0b680bb6394a |