Check CDK applications for best practices using a combination of available rule packs.
cdk-nag
Language | cdk-nag | monocdk-nag |
---|---|---|
Python | ||
TypeScript |
- If your project uses cdk version 1.x.x, use `cdk-nag` ^1.0.0
- If your project uses cdk version 2.x.x, use `cdk-nag` ^2.0.0
- If your project uses monocdk, use `monocdk-nag` ^1.0.0 (this package)
Check CDK applications or CloudFormation templates for best practices using a combination of available rule packs. Inspired by cfn_nag
Available Packs
See RULES for more information on all the available packs.
Usage
For a full list of options See NagPackProps
in the API.md
cdk
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.core import App, Aspects
from ...lib.cdk_test_stack import CdkTestStack
from cdk_nag import AwsSolutionsChecks
# Build the app, then register the rule pack as an Aspect so that every
# construct in the tree is evaluated when the app is synthesized.
app = App()
CdkTestStack(app, "CdkNagDemo")
# Default output is a one-line finding per violated rule; see NagPackProps
# in API.md for options that add fuller explanations.
rule_pack = AwsSolutionsChecks()
Aspects.of(app).add(rule_pack)
cdk v2
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk_lib import App, Aspects
from ...lib.cdk_test_stack import CdkTestStack
from cdk_nag import AwsSolutionsChecks
# cdk v2: same wiring, only the import path differs (aws_cdk_lib).
app = App()
CdkTestStack(app, "CdkNagDemo")
# Registering the pack as an Aspect makes it visit every construct at synth.
rule_pack = AwsSolutionsChecks()  # see NagPackProps in API.md for options
Aspects.of(app).add(rule_pack)
monocdk
# Example automatically generated from non-compiling source. May contain errors.
from monocdk import App, Aspects
from ...lib.my_stack import CdkTestStack
from monocdk_nag import AwsSolutionsChecks
# monocdk: identical wiring, using the monocdk / monocdk_nag packages.
app = App()
CdkTestStack(app, "CdkNagDemo")
# The pack runs as an Aspect over the whole construct tree at synth time.
rule_pack = AwsSolutionsChecks()  # see NagPackProps in API.md for options
Aspects.of(app).add(rule_pack)
Suppressing a Rule

A suppression records an accepted exception, not a fix. Keep it scoped to the resource that was actually reviewed, and make the `reason` a justification or compensating control that a reviewer can audit later; placeholder text such as "lorem ipsum" should never reach a real codebase. Each suppression is a dict with an `id` (the rule) and a `reason`.
Example 1) Default Construct
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.aws_ec2 import SecurityGroup, Vpc, Peer, Port
from aws_cdk.core import Construct, Stack, StackProps
from cdk_nag import NagSuppressions
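class CdkTestStack(Stack):
    """Demo stack: a security group open to the world, with the resulting
    cdk-nag finding (AwsSolutions-EC23) suppressed on that single resource.

    Args:
        scope: Parent construct (normally the App).
        id: Construct id of the stack.
        **kwargs: Forwarded unchanged to ``Stack`` (``stack_name``, ``env``,
            ``description``, ...). The Python CDK API uses snake_case keyword
            names, so forwarding ``**kwargs`` avoids re-declaring them.
    """

    def __init__(self, scope, id, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        test = SecurityGroup(self, "test", vpc=Vpc(self, "vpc"))
        # 0.0.0.0/0 on all ports is exactly what AwsSolutions-EC23 flags.
        test.add_ingress_rule(Peer.any_ipv4(), Port.all_traffic())
        # Suppressions are a list of {"id": ..., "reason": ...} dicts (the
        # original listing used ``[id=..., reason=...]``, which is not valid
        # Python). Scope the suppression to this one resource and replace the
        # placeholder reason with the real justification before committing.
        NagSuppressions.add_resource_suppressions(
            test,
            [{"id": "AwsSolutions-EC23", "reason": "lorem ipsum"}],
        )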
Example 2) Child Constructs
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.aws_iam import User, PolicyStatement
from aws_cdk.core import Construct, Stack, StackProps
from cdk_nag import NagSuppressions
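class CdkTestStack(Stack):
    """Demo stack: an IAM user with a wildcard resource policy, with the
    AwsSolutions-IAM5 finding suppressed on the user and its child constructs.

    Args:
        scope: Parent construct (normally the App).
        id: Construct id of the stack.
        **kwargs: Forwarded unchanged to ``Stack`` (``stack_name``, ``env``,
            ``description``, ...). The Python CDK API uses snake_case keyword
            names, so forwarding ``**kwargs`` avoids re-declaring them.
    """

    def __init__(self, scope, id, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        user = User(self, "rUser")
        # The "/*" wildcard in the resource ARN is what AwsSolutions-IAM5
        # flags; the policy itself lives in a child construct of the user.
        user.add_to_policy(
            PolicyStatement(
                actions=["s3:PutObject"],
                resources=["arn:aws:s3:::bucket_name/*"],
            )
        )
        # apply_to_children=True is needed because the finding is raised on
        # the generated policy, not on the User itself. It also silences the
        # rule for EVERY descendant of ``user``, so only use it when all of
        # them have been reviewed.
        NagSuppressions.add_resource_suppressions(
            user,
            [{"id": "AwsSolutions-IAM5", "reason": "lorem ipsum"}],
            apply_to_children=True,
        )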
Example 3) Stack Level
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.core import App, Aspects
from ...lib.cdk_test_stack import CdkTestStack
from cdk_nag import AwsSolutionsChecks, NagSuppressions
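app = App()
stack = CdkTestStack(app, "CdkNagDemo")
Aspects.of(app).add(AwsSolutionsChecks())
# Suppressions are a list of {"id": ..., "reason": ...} dicts (the original
# listing used ``[id=..., reason=...]``, which is not valid Python).
# A stack-level suppression silences the rule for EVERY resource in the
# stack, including ones added later; prefer resource-level suppressions so
# the exception stays tied to the resource that was reviewed.
NagSuppressions.add_stack_suppressions(
    stack,
    [{"id": "AwsSolutions-EC23", "reason": "lorem ipsum"}],
)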
Example 4) Construct path
Some findings are raised on constructs you did not create directly (here the service role generated by `BucketDeployment`). If synth/deploy reports an error keyed by a construct path, such as:
[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.aws_s3 import Bucket
from aws_cdk.aws_s3_deployment import BucketDeployment
from cdk_nag import NagSuppressions
from aws_cdk.core import Construct, Stack, StackProps
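class CdkTestStack(Stack):
    """Demo stack: suppress a finding raised on a construct that CDK generated
    internally (the BucketDeployment service role), addressed by its path.

    Args:
        scope: Parent construct (normally the App).
        id: Construct id of the stack.
        **kwargs: Forwarded unchanged to ``Stack`` (``stack_name``, ``env``,
            ``description``, ...). The Python CDK API uses snake_case keyword
            names, so forwarding ``**kwargs`` avoids re-declaring them.
    """

    def __init__(self, scope, id, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        BucketDeployment(
            self,
            "rDeployment",
            sources=[],
            destination_bucket=Bucket.from_bucket_name(self, "rBucket", "foo"),
        )
        # The path must match the synthesized construct path exactly as it
        # appears in the error message, and its first segment is the stack's
        # own id (so "StackName" below would have to be this stack's id).
        # Suppressions are a list of {"id": ..., "reason": ...} dicts.
        NagSuppressions.add_resource_suppressions_by_path(
            self,
            "/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource",
            [{"id": "AwsSolutions-IAM4", "reason": "at least 10 characters"}],
        )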
Rules and Property Overrides
In some cases an L2 construct has no native option to remediate an issue and the fix must be applied via a Raw Override on the underlying L1 (Cfn*) resource. Raw overrides are applied after template synthesis, so cdk-nag does not see them and the rule still fires. In that case apply the override to actually fix the issue, and then suppress the rule, citing the override as the reason, as in the following example.
Example) Property Overrides
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.aws_ec2 import Instance, InstanceType, InstanceClass, MachineImage, Vpc, CfnInstance
from aws_cdk.core import Construct, Stack, StackProps
from cdk_nag import NagSuppressions
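class CdkTestStack(Stack):
    """Demo stack: fix a finding through a raw property override on the L1
    resource, then suppress the rule that cdk-nag cannot see as remediated.

    Args:
        scope: Parent construct (normally the App).
        id: Construct id of the stack.
        **kwargs: Forwarded unchanged to ``Stack`` (``stack_name``, ``env``,
            ``description``, ...). The Python CDK API uses snake_case keyword
            names, so forwarding ``**kwargs`` avoids re-declaring them.
    """

    def __init__(self, scope, id, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # InstanceType takes a full identifier string ("t3.micro"); the
        # original listing passed only the InstanceClass enum, which does not
        # name a valid instance type. InstanceType.of(InstanceClass.T3,
        # InstanceSize.MICRO) is the equivalent if InstanceSize is imported.
        instance = Instance(
            self,
            "rInstance",
            vpc=Vpc(self, "rVpc"),
            instance_type=InstanceType("t3.micro"),
            machine_image=MachineImage.latest_amazon_linux(),
        )
        # node.default_child is the underlying L1 (CfnInstance). The override
        # is written into the template after synthesis, which is why cdk-nag
        # still reports AwsSolutions-EC29 even though it is remediated.
        cfn_ins = instance.node.default_child
        cfn_ins.add_property_override("DisableApiTermination", True)
        # Suppressions are a list of {"id": ..., "reason": ...} dicts; the
        # reason records WHY this is an accepted finding (the override above).
        NagSuppressions.add_resource_suppressions(
            instance,
            [
                {
                    "id": "AwsSolutions-EC29",
                    "reason": "Remediated through property override.",
                }
            ],
        )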
Using on CloudFormation templates
You can use cdk-nag on existing CloudFormation templates by importing them with the cloudformation-include module (`CfnInclude`). Suppressions can then live either in the template itself, as `cdk_nag.rules_to_suppress` entries in a resource's `Metadata`, or in the stack that imports it, addressed by construct path.
Example) CloudFormation template with suppression
Sample CloudFormation template with suppression
{
"Resources": {
"rBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "some-bucket-name"
},
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-S1",
"reason": "at least 10 characters"
}
]
}
}
}
}
}
Sample App
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.core import App, Aspects
from ...lib.cdk_test_stack import CdkTestStack
from cdk_nag import AwsSolutionsChecks
# App that synthesizes the stack below and runs the AwsSolutions pack over
# every construct in it, including the resources imported from the template.
app = App()
CdkTestStack(app, "CdkNagDemo")
nag_checks = AwsSolutionsChecks()
Aspects.of(app).add(nag_checks)
Sample Stack with imported template
# Example automatically generated from non-compiling source. May contain errors.
from aws_cdk.cloudformation_include import CfnInclude
from cdk_nag import NagSuppressions
from aws_cdk.core import Construct, Stack, StackProps
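class CdkTestStack(Stack):
    """Demo stack: import an existing CloudFormation template and add a
    suppression for one of its resources from the CDK side.

    Args:
        scope: Parent construct (normally the App).
        id: Construct id of the stack.
        **kwargs: Forwarded unchanged to ``Stack`` (``stack_name``, ``env``,
            ``description``, ...). The Python CDK API uses snake_case keyword
            names, so forwarding ``**kwargs`` avoids re-declaring them.
    """

    def __init__(self, scope, id, **kwargs) -> None:
        super().__init__(scope, id, **kwargs)
        # Every resource in the template becomes a child of this construct,
        # so the imported "rBucket" is addressable as <stack id>/Template/rBucket.
        CfnInclude(self, "Template", template_file="my-template.json")
        # Suppressions declared in the template's Metadata still apply; this
        # adds one more from the CDK side. The first path segment must be the
        # stack's id as given to the App ("CdkNagDemo" in the sample app).
        # Suppressions are a list of {"id": ..., "reason": ...} dicts.
        NagSuppressions.add_resource_suppressions_by_path(
            self,
            "/CdkNagDemo/Template/rBucket",
            [{"id": "AwsSolutions-S2", "reason": "at least 10 characters"}],
        )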
Contributing
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
Source Distribution
Built Distribution
File details
Details for the file monocdk-nag-1.3.4.tar.gz
File metadata
- Download URL: monocdk-nag-1.3.4.tar.gz
- Upload date:
- Size: 609.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.3
File hashes (pin these in requirements with `--hash=sha256:...` and install with `--require-hashes` so pip verifies the exact artifact; the package was uploaded with a twine API token rather than Trusted Publishing, so the hashes are the only integrity check available here)
Algorithm | Hash digest | |
---|---|---|
SHA256 | 57ecc87622f670d1f766f205f4f8dedd45b0de6c4193184d23d535c5a062c2f6 |
|
MD5 | c078e2913264dbe8cf5a70478831acb6 |
|
BLAKE2b-256 | 37382fd629f5755113fe97bc87df9d75edb880e6005c3ca799f0b85e340d8444 |
File details
Details for the file monocdk_nag-1.3.4-py3-none-any.whl
File metadata
- Download URL: monocdk_nag-1.3.4-py3-none-any.whl
- Upload date:
- Size: 607.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.6.0 importlib_metadata/4.8.2 pkginfo/1.8.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.3
File hashes (pin with `--hash=sha256:...` and install with `--require-hashes` so pip verifies the exact wheel)
Algorithm | Hash digest | |
---|---|---|
SHA256 | 1393629f17476303719409b192ba41d0999d15c0e478503263249cc4ddeb8d1e |
|
MD5 | ba0cf45846aa3f8f8d260403cba7179e |
|
BLAKE2b-256 | b165f0061bb782c42ef171d7c6fa0f4c6ca6939a020191532174ff4af2e392b8 |