README
¶
cdk-nag
Check CDK applications or CloudFormation templates for best practices using a combination of available rule packs. Inspired by cfn_nag.
Check out this blog post for a guided overview!
Available Rules and Packs
See RULES for more information on all the available packs.
RULES also includes a collection of additional rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in custom NagPacks.
Read the NagPack developer docs if you are interested in creating your own pack.
Usage
For a full list of options See NagPackProps in the API.md
Including in an application
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));
Suppressing a Rule
Example 1) Default Construct
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const test = new SecurityGroup(this, 'test', {
vpc: new Vpc(this, 'vpc'),
});
test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(test, [
{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
}
}
Example 2) On Multiple Constructs
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const vpc = new Vpc(this, 'vpc');
const test1 = new SecurityGroup(this, 'test', { vpc });
test1.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
const test2 = new SecurityGroup(this, 'test', { vpc });
test2.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(
[test1, test2],
[{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' }]
);
}
}
Example 3) Child Constructs
import { User, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const user = new User(this, 'rUser');
user.addToPolicy(
new PolicyStatement({
actions: ['s3:PutObject'],
resources: ['arn:aws:s3:::bucket_name/*'],
})
);
// Enable adding suppressions to child constructs
NagSuppressions.addResourceSuppressions(
user,
[
{
id: 'AwsSolutions-IAM5',
reason: 'lorem ipsum',
appliesTo: ['Resource::arn:aws:s3:::bucket_name/*'], // optional
},
],
true
);
}
}
Example 4) Stack Level
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';
const app = new App();
const stack = new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
NagSuppressions.addStackSuppressions(stack, [
{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
Example 5) Construct path
If you received the following error on synth/deploy
[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BucketDeployment } from 'aws-cdk-lib/aws-s3-deployment';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new BucketDeployment(this, 'rDeployment', {
sources: [],
destinationBucket: Bucket.fromBucketName(this, 'rBucket', 'foo'),
});
NagSuppressions.addResourceSuppressionsByPath(
this,
'/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource',
[{ id: 'AwsSolutions-IAM4', reason: 'at least 10 characters' }]
);
}
}
Example 6) Granular Suppressions of findings
Certain rules support granular suppressions of findings. If you received the following errors on synth/deploy
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
By applying the following suppressions
import { User } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const firstUser = new User(this, 'rFirstUser');
firstUser.addToPolicy(
new PolicyStatement({
actions: ['s3:*'],
resources: ['*'],
})
);
const secondUser = new User(this, 'rSecondUser');
secondUser.addToPolicy(
new PolicyStatement({
actions: ['s3:*'],
resources: ['*'],
})
);
const thirdUser = new User(this, 'rSecondUser');
thirdUser.addToPolicy(
new PolicyStatement({
actions: ['sqs:CreateQueue'],
resources: [`arn:aws:sqs:${this.region}:${this.account}:*`],
})
);
NagSuppressions.addResourceSuppressions(
firstUser,
[
{
id: 'AwsSolutions-IAM5',
reason:
"Only suppress AwsSolutions-IAM5 's3:*' finding on First User.",
appliesTo: ['Action::s3:*'],
},
],
true
);
NagSuppressions.addResourceSuppressions(
secondUser,
[
{
id: 'AwsSolutions-IAM5',
reason: 'Suppress all AwsSolutions-IAM5 findings on Second User.',
},
],
true
);
NagSuppressions.addResourceSuppressions(
thirdUser,
[
{
id: 'AwsSolutions-IAM5',
reason: 'Suppress AwsSolutions-IAM5 on the SQS resource.',
appliesTo: [
{
regex: '/^Resource::arn:aws:sqs:(.*):\\*$/g',
},
],
},
],
true
);
}
}
You would see the following error on synth/deploy
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
Suppressing Rule Validation Failures
When a rule validation fails it is handled similarly to a rule violation, and can be suppressed in the same manner. The ID for a rule failure is CdkNagValidationFailure.
If a rule is suppressed in a non-granular manner (i.e. appliesTo is not set, see example 1 above) then validation failures on that rule are also suppressed.
Validation failure suppression respects any applied Suppression Ignore Conditions
Example 1) Suppress all Validation Failures on a Resource
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const test = new SecurityGroup(this, 'test', {
vpc: new Vpc(this, 'vpc'),
});
test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(test, [
{ id: 'CdkNagValidationFailure', reason: 'lorem ipsum' },
]);
}
}
Example 2) Granular Suppression of Validation Failures
Validation failures can be suppressed for individual rules by using `appliesTo` to list the desired rulesimport { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const test = new SecurityGroup(this, 'test', {
vpc: new Vpc(this, 'vpc'),
});
test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(test, [
{
id: 'CdkNagValidationFailure',
reason: 'lorem ipsum',
appliesTo: ['AwsSolutions-L1'],
},
]);
}
}
Suppressing aws-cdk-lib/pipelines Violations
The aws-cdk-lib/pipelines.CodePipeline construct and its child constructs are not guaranteed to be "Visited" by Aspects, as they are not added during the "Construction" phase of the cdk lifecycle. Because of this behavior, you may experience problems such as rule violations not appearing or the inability to suppress violations on these constructs.
You can remediate these rule violation and suppression problems by forcing the pipeline construct creation forward by calling .buildPipeline() on your CodePipeline object. Otherwise you may see errors such as:
Error: Suppression path "/this/construct/path" did not match any resource. This can occur when a resource does not exist or if a suppression is applied before a resource is created.
See this issue for more information.
Example) Suppressing Violations in Pipelines
example-app.ts
import { App, Aspects } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';
import { ExamplePipeline } from '../lib/example-pipeline';
const app = new App();
new ExamplePipeline(app, 'example-cdk-pipeline');
Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
app.synth();
example-pipeline.ts
import { Stack, StackProps } from 'aws-cdk-lib';
import { Repository } from 'aws-cdk-lib/aws-codecommit';
import {
CodePipeline,
CodePipelineSource,
ShellStep,
} from 'aws-cdk-lib/pipelines';
import { NagSuppressions } from 'cdk-nag';
import { Construct } from 'constructs';
export class ExamplePipeline extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const exampleSynth = new ShellStep('ExampleSynth', {
commands: ['yarn build --frozen-lockfile'],
input: CodePipelineSource.codeCommit(
new Repository(this, 'ExampleRepo', { repositoryName: 'ExampleRepo' }),
'main'
),
});
const ExamplePipeline = new CodePipeline(this, 'ExamplePipeline', {
synth: exampleSynth,
});
// Force the pipeline construct creation forward before applying suppressions.
// @See https://github.com/aws/aws-cdk/issues/18440
ExamplePipeline.buildPipeline();
// The path suppression will error if you comment out "ExamplePipeline.buildPipeline();""
NagSuppressions.addResourceSuppressionsByPath(
this,
'/example-cdk-pipeline/ExamplePipeline/Pipeline/ArtifactsBucket/Resource',
[
{
id: 'AwsSolutions-S1',
reason: 'Because I said so',
},
]
);
}
}
Rules and Property Overrides
In some cases L2 Constructs do not have a native option to remediate an issue and must be fixed via Raw Overrides. Since raw overrides take place after template synthesis these fixes are not caught by cdk-nag. In this case you should remediate the issue and suppress the issue like in the following example.
Example) Property Overrides
import {
Instance,
InstanceType,
InstanceClass,
MachineImage,
Vpc,
CfnInstance,
} from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const instance = new Instance(this, 'rInstance', {
vpc: new Vpc(this, 'rVpc'),
instanceType: new InstanceType(InstanceClass.T3),
machineImage: MachineImage.latestAmazonLinux(),
});
const cfnIns = instance.node.defaultChild as CfnInstance;
cfnIns.addPropertyOverride('DisableApiTermination', true);
NagSuppressions.addResourceSuppressions(instance, [
{
id: 'AwsSolutions-EC29',
reason: 'Remediated through property override.',
},
]);
}
}
Conditionally Ignoring Suppressions
You can optionally create a condition that prevents certain rules from being suppressed. You can create conditions for any variety of reasons. Examples include a condition that always ignores a suppression, a condition that ignores a suppression based on the date, a condition that ignores a suppression based on the reason. You can read the developer docs for more information on creating your own conditions.
Example) Using the pre-built `SuppressionIgnoreErrors` class to ignore suppressions on any `Error` level rules.
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, SuppressionIgnoreErrors } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Ignore Suppressions on any errors
Aspects.of(app).add(
new AwsSolutionsChecks({
suppressionIgnoreCondition: new SuppressionIgnoreErrors(),
})
);
Customizing Logging
NagLoggers give NagPack authors and users the ability to create their own custom reporting mechanisms. All pre-built NagPackscome with the AnnotationsLoggerand the NagReportLogger (with CSV reports) enabled by default.
See the NagLogger developer docs for more information.
Example) Adding the `ExtremelyHelpfulConsoleLogger` example from the NagLogger docs
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { ExtremelyHelpfulConsoleLogger } from './docs/NagLogger';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(
new AwsSolutionsChecks({
additionalLoggers: [new ExtremelyHelpfulConsoleLogger()],
})
);
Using on CloudFormation templates
You can use cdk-nag on existing CloudFormation templates by using the cloudformation-include module.
Example 1) CloudFormation template with suppression
Sample CloudFormation template with suppression
{
"Resources": {
"rBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "some-bucket-name"
},
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-S1",
"reason": "at least 10 characters"
}
]
}
}
}
}
}
Sample App
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
Sample Stack with imported template
import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new CfnInclude(this, 'Template', {
templateFile: 'my-template.json',
});
// Add any additional suppressions
NagSuppressions.addResourceSuppressionsByPath(
this,
'/CdkNagDemo/Template/rBucket',
[
{
id: 'AwsSolutions-S2',
reason: 'at least 10 characters',
},
]
);
}
}
Example 2) CloudFormation template with granular suppressions
Sample CloudFormation template with suppression
{
"Resources": {
"myPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": ["some-key-arn"]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-IAM5",
"reason": "Allow key data access",
"applies_to": [
"Action::kms:ReEncrypt*",
"Action::kms:GenerateDataKey*"
]
}
]
}
}
}
}
}
Sample App
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
Sample Stack with imported template
import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new CfnInclude(this, 'Template', {
templateFile: 'my-template.json',
});
// Add any additional suppressions
NagSuppressions.addResourceSuppressionsByPath(
this,
'/CdkNagDemo/Template/myPolicy',
[
{
id: 'AwsSolutions-IAM5',
reason: 'Allow key data access',
appliesTo: ['Action::kms:ReEncrypt*', 'Action::kms:GenerateDataKey*'],
},
]
);
}
}
Contributing
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
Documentation
¶
Overview ¶
Check CDK v2 applications for best practices using a combination on available rule packs.
Index ¶
- func NagRules_ResolveIfPrimitive(node awscdk.CfnResource, parameter interface{}) interface{}
- func NagRules_ResolveResourceFromInstrinsic(node awscdk.CfnResource, parameter interface{}) interface{}
- func NagSuppressions_AddResourceSuppressions(construct interface{}, suppressions *[]*NagPackSuppression, ...)
- func NagSuppressions_AddResourceSuppressionsByPath(stack awscdk.Stack, path interface{}, suppressions *[]*NagPackSuppression, ...)
- func NagSuppressions_AddStackSuppressions(stack awscdk.Stack, suppressions *[]*NagPackSuppression, ...)
- func NewAnnotationLogger_Override(a AnnotationLogger, props *AnnotationLoggerProps)
- func NewAwsSolutionsChecks_Override(a AwsSolutionsChecks, props *NagPackProps)
- func NewHIPAASecurityChecks_Override(h HIPAASecurityChecks, props *NagPackProps)
- func NewNIST80053R4Checks_Override(n NIST80053R4Checks, props *NagPackProps)
- func NewNIST80053R5Checks_Override(n NIST80053R5Checks, props *NagPackProps)
- func NewNagPack_Override(n NagPack, props *NagPackProps)
- func NewNagReportLogger_Override(n NagReportLogger, props *NagReportLoggerProps)
- func NewNagRules_Override(n NagRules)
- func NewNagSuppressions_Override(n NagSuppressions)
- func NewPCIDSS321Checks_Override(p PCIDSS321Checks, props *NagPackProps)
- func NewSuppressionIgnoreAlways_Override(s SuppressionIgnoreAlways, triggerMessage *string)
- func NewSuppressionIgnoreAnd_Override(s SuppressionIgnoreAnd, SuppressionIgnoreAnds ...INagSuppressionIgnore)
- func NewSuppressionIgnoreErrors_Override(s SuppressionIgnoreErrors)
- func NewSuppressionIgnoreNever_Override(s SuppressionIgnoreNever)
- func NewSuppressionIgnoreOr_Override(s SuppressionIgnoreOr, orSuppressionIgnores ...INagSuppressionIgnore)
- type AnnotationLogger
- type AnnotationLoggerProps
- type AwsSolutionsChecks
- type HIPAASecurityChecks
- type IApplyRule
- type INagLogger
- type INagSuppressionIgnore
- type NIST80053R4Checks
- type NIST80053R5Checks
- type NagLoggerBaseData
- type NagLoggerComplianceData
- type NagLoggerErrorData
- type NagLoggerNonComplianceData
- type NagLoggerNotApplicableData
- type NagLoggerSuppressedData
- type NagLoggerSuppressedErrorData
- type NagMessageLevel
- type NagPack
- type NagPackProps
- type NagPackSuppression
- type NagReportFormat
- type NagReportLine
- type NagReportLogger
- type NagReportLoggerProps
- type NagReportSchema
- type NagRuleCompliance
- type NagRulePostValidationStates
- type NagRules
- type NagSuppressions
- type PCIDSS321Checks
- type RegexAppliesTo
- type SuppressionIgnoreAlways
- type SuppressionIgnoreAnd
- type SuppressionIgnoreErrors
- type SuppressionIgnoreInput
- type SuppressionIgnoreNever
- type SuppressionIgnoreOr
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NagRules_ResolveIfPrimitive ¶
func NagRules_ResolveIfPrimitive(node awscdk.CfnResource, parameter interface{}) interface{}
Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive
Returns: Return a value if resolves to a primitive data type, otherwise throw an error.
func NagRules_ResolveResourceFromInstrinsic ¶
func NagRules_ResolveResourceFromInstrinsic(node awscdk.CfnResource, parameter interface{}) interface{}
Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
Returns: Return the Logical resource Id if resolves to a intrinsic function, otherwise the resolved provided value.
func NagSuppressions_AddResourceSuppressions ¶
func NagSuppressions_AddResourceSuppressions(construct interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)
Add cdk-nag suppressions to a CfnResource and optionally its children.
func NagSuppressions_AddResourceSuppressionsByPath ¶
func NagSuppressions_AddResourceSuppressionsByPath(stack awscdk.Stack, path interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)
Add cdk-nag suppressions to a CfnResource and optionally its children via its path.
func NagSuppressions_AddStackSuppressions ¶
func NagSuppressions_AddStackSuppressions(stack awscdk.Stack, suppressions *[]*NagPackSuppression, applyToNestedStacks *bool)
Apply cdk-nag suppressions to a Stack and optionally nested stacks.
func NewAnnotationLogger_Override ¶ added in v2.24.0
func NewAnnotationLogger_Override(a AnnotationLogger, props *AnnotationLoggerProps)
func NewAwsSolutionsChecks_Override ¶
func NewAwsSolutionsChecks_Override(a AwsSolutionsChecks, props *NagPackProps)
func NewHIPAASecurityChecks_Override ¶
func NewHIPAASecurityChecks_Override(h HIPAASecurityChecks, props *NagPackProps)
func NewNIST80053R4Checks_Override ¶
func NewNIST80053R4Checks_Override(n NIST80053R4Checks, props *NagPackProps)
func NewNIST80053R5Checks_Override ¶
func NewNIST80053R5Checks_Override(n NIST80053R5Checks, props *NagPackProps)
func NewNagPack_Override ¶
func NewNagPack_Override(n NagPack, props *NagPackProps)
func NewNagReportLogger_Override ¶ added in v2.24.0
func NewNagReportLogger_Override(n NagReportLogger, props *NagReportLoggerProps)
func NewNagRules_Override ¶
func NewNagRules_Override(n NagRules)
func NewNagSuppressions_Override ¶
func NewNagSuppressions_Override(n NagSuppressions)
func NewPCIDSS321Checks_Override ¶
func NewPCIDSS321Checks_Override(p PCIDSS321Checks, props *NagPackProps)
func NewSuppressionIgnoreAlways_Override ¶ added in v2.23.0
func NewSuppressionIgnoreAlways_Override(s SuppressionIgnoreAlways, triggerMessage *string)
func NewSuppressionIgnoreAnd_Override ¶ added in v2.23.0
func NewSuppressionIgnoreAnd_Override(s SuppressionIgnoreAnd, SuppressionIgnoreAnds ...INagSuppressionIgnore)
func NewSuppressionIgnoreErrors_Override ¶ added in v2.23.0
func NewSuppressionIgnoreErrors_Override(s SuppressionIgnoreErrors)
func NewSuppressionIgnoreNever_Override ¶ added in v2.23.0
func NewSuppressionIgnoreNever_Override(s SuppressionIgnoreNever)
func NewSuppressionIgnoreOr_Override ¶ added in v2.23.0
func NewSuppressionIgnoreOr_Override(s SuppressionIgnoreOr, orSuppressionIgnores ...INagSuppressionIgnore)
Types ¶
type AnnotationLogger ¶ added in v2.24.0
type AnnotationLogger interface {
INagLogger
LogIgnores() *bool
SuppressionId() *string
SetSuppressionId(val *string)
Verbose() *bool
CreateMessage(ruleId *string, findingId *string, ruleInfo *string, ruleExplanation *string, verbose *bool) *string
// Called when a CfnResource passes the compliance check for a given rule.
OnCompliance(_data *NagLoggerComplianceData)
// Called when a rule throws an error during while validating a CfnResource for compliance.
OnError(data *NagLoggerErrorData)
// Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
OnNonCompliance(data *NagLoggerNonComplianceData)
// Called when a rule does not apply to the given CfnResource.
OnNotApplicable(_data *NagLoggerNotApplicableData)
// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
OnSuppressed(data *NagLoggerSuppressedData)
// Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
OnSuppressedError(data *NagLoggerSuppressedErrorData)
}
A NagLogger that outputs to the CDK Annotations system.
func NewAnnotationLogger ¶ added in v2.24.0
func NewAnnotationLogger(props *AnnotationLoggerProps) AnnotationLogger
type AnnotationLoggerProps ¶ added in v2.24.0
type AnnotationLoggerProps struct {
// Whether or not to log suppressed rule violations as informational messages (default: false).
LogIgnores *bool `field:"optional" json:"logIgnores" yaml:"logIgnores"`
// Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages.
Verbose *bool `field:"optional" json:"verbose" yaml:"verbose"`
}
Props for the AnnotationLogger.
type AwsSolutionsChecks ¶
type AwsSolutionsChecks interface {
NagPack
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Check Best practices based on AWS Solutions Security Matrix.
func NewAwsSolutionsChecks ¶
func NewAwsSolutionsChecks(props *NagPackProps) AwsSolutionsChecks
type HIPAASecurityChecks ¶
type HIPAASecurityChecks interface {
NagPack
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Check for HIPAA Security compliance.
Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
func NewHIPAASecurityChecks ¶
func NewHIPAASecurityChecks(props *NagPackProps) HIPAASecurityChecks
type IApplyRule ¶
type IApplyRule interface {
// The callback to the rule.
Rule(node awscdk.CfnResource) interface{}
// Why the rule exists.
Explanation() *string
SetExplanation(e *string)
// A condition in which a suppression should be ignored.
IgnoreSuppressionCondition() INagSuppressionIgnore
SetIgnoreSuppressionCondition(i INagSuppressionIgnore)
// Why the rule was triggered.
Info() *string
SetInfo(i *string)
// The annotations message level to apply to the rule if triggered.
Level() NagMessageLevel
SetLevel(l NagMessageLevel)
// The CfnResource to check.
Node() awscdk.CfnResource
SetNode(n awscdk.CfnResource)
// Override for the suffix of the Rule ID for this rule.
RuleSuffixOverride() *string
SetRuleSuffixOverride(r *string)
}
Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.
type INagLogger ¶ added in v2.24.0
type INagLogger interface {
// Called when a CfnResource passes the compliance check for a given rule.
OnCompliance(data *NagLoggerComplianceData)
// Called when a rule throws an error during while validating a CfnResource for compliance.
OnError(data *NagLoggerErrorData)
// Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
OnNonCompliance(data *NagLoggerNonComplianceData)
// Called when a rule does not apply to the given CfnResource.
OnNotApplicable(data *NagLoggerNotApplicableData)
// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
OnSuppressed(data *NagLoggerSuppressedData)
// Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
OnSuppressedError(data *NagLoggerSuppressedErrorData)
}
Interface for creating NagSuppression Ignores.
type INagSuppressionIgnore ¶ added in v2.23.0
type INagSuppressionIgnore interface {
CreateMessage(input *SuppressionIgnoreInput) *string
}
Interface for creating NagSuppression Ignores.
type NIST80053R4Checks ¶
type NIST80053R4Checks interface {
NagPack
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Check for NIST 800-53 rev 4 compliance.
Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html
func NewNIST80053R4Checks ¶
func NewNIST80053R4Checks(props *NagPackProps) NIST80053R4Checks
type NIST80053R5Checks ¶
type NIST80053R5Checks interface {
NagPack
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Check for NIST 800-53 rev 5 compliance.
Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html
func NewNIST80053R5Checks ¶
func NewNIST80053R5Checks(props *NagPackProps) NIST80053R5Checks
type NagLoggerBaseData ¶ added in v2.24.0
type NagLoggerBaseData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}
Shared data for all INagLogger methods.
type NagLoggerComplianceData ¶ added in v2.24.0
type NagLoggerComplianceData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}
Data for onCompliance method of an INagLogger.
type NagLoggerErrorData ¶ added in v2.24.0
type NagLoggerErrorData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
ErrorMessage *string `field:"required" json:"errorMessage" yaml:"errorMessage"`
}
Data for onError method of an INagLogger.
type NagLoggerNonComplianceData ¶ added in v2.24.0
type NagLoggerNonComplianceData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
FindingId *string `field:"required" json:"findingId" yaml:"findingId"`
}
Data for onNonCompliance method of an INagLogger.
type NagLoggerNotApplicableData ¶ added in v2.24.0
type NagLoggerNotApplicableData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}
Data for onNotApplicable method of an INagLogger.
type NagLoggerSuppressedData ¶ added in v2.24.0
type NagLoggerSuppressedData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
FindingId *string `field:"required" json:"findingId" yaml:"findingId"`
SuppressionReason *string `field:"required" json:"suppressionReason" yaml:"suppressionReason"`
}
Data for onSuppressed method of an INagLogger.
type NagLoggerSuppressedErrorData ¶ added in v2.24.0
type NagLoggerSuppressedErrorData struct {
NagPackName *string `field:"required" json:"nagPackName" yaml:"nagPackName"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleExplanation *string `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
RuleOriginalName *string `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
ErrorMessage *string `field:"required" json:"errorMessage" yaml:"errorMessage"`
ErrorSuppressionReason *string `field:"required" json:"errorSuppressionReason" yaml:"errorSuppressionReason"`
}
Data for onSuppressedError method of an INagLogger.
type NagMessageLevel ¶
type NagMessageLevel string
The severity level of the rule.
const ( NagMessageLevel_WARN NagMessageLevel = "WARN" NagMessageLevel_ERROR NagMessageLevel = "ERROR" )
type NagPack ¶
type NagPack interface {
awscdk.IAspect
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Base class for all rule packs.
type NagPackProps ¶
type NagPackProps struct {
// Additional NagLoggers for logging rule validation outputs.
AdditionalLoggers *[]INagLogger `field:"optional" json:"additionalLoggers" yaml:"additionalLoggers"`
// Whether or not to log suppressed rule violations as informational messages (default: false).
LogIgnores *bool `field:"optional" json:"logIgnores" yaml:"logIgnores"`
// If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).
ReportFormats *[]NagReportFormat `field:"optional" json:"reportFormats" yaml:"reportFormats"`
// Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).
Reports *bool `field:"optional" json:"reports" yaml:"reports"`
// Conditionally prevent rules from being suppressed (default: no user provided condition).
SuppressionIgnoreCondition INagSuppressionIgnore `field:"optional" json:"suppressionIgnoreCondition" yaml:"suppressionIgnoreCondition"`
// Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
Verbose *bool `field:"optional" json:"verbose" yaml:"verbose"`
}
Interface for creating a NagPack.
type NagPackSuppression ¶
type NagPackSuppression struct {
// The id of the rule to ignore.
Id *string `field:"required" json:"id" yaml:"id"`
// The reason to ignore the rule (minimum 10 characters).
Reason *string `field:"required" json:"reason" yaml:"reason"`
// Rule specific granular suppressions.
AppliesTo *[]interface{} `field:"optional" json:"appliesTo" yaml:"appliesTo"`
}
Interface for creating a rule suppression.
type NagReportFormat ¶ added in v2.24.0
type NagReportFormat string
Possible output formats of the NagReport.
const ( NagReportFormat_CSV NagReportFormat = "CSV" NagReportFormat_JSON NagReportFormat = "JSON" )
type NagReportLine ¶ added in v2.24.0
type NagReportLine struct {
Compliance *string `field:"required" json:"compliance" yaml:"compliance"`
ExceptionReason *string `field:"required" json:"exceptionReason" yaml:"exceptionReason"`
ResourceId *string `field:"required" json:"resourceId" yaml:"resourceId"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleInfo *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
RuleLevel *string `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
}
type NagReportLogger ¶ added in v2.24.0
type NagReportLogger interface {
INagLogger
Formats() *[]NagReportFormat
GetFormatStacks(format NagReportFormat) *[]*string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(data *NagLoggerBaseData)
// Called when a CfnResource passes the compliance check for a given rule.
OnCompliance(data *NagLoggerComplianceData)
// Called when a rule throws an error during while validating a CfnResource for compliance.
OnError(data *NagLoggerErrorData)
// Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
OnNonCompliance(data *NagLoggerNonComplianceData)
// Called when a rule does not apply to the given CfnResource.
OnNotApplicable(data *NagLoggerNotApplicableData)
// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
OnSuppressed(data *NagLoggerSuppressedData)
// Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
OnSuppressedError(data *NagLoggerSuppressedErrorData)
WriteToStackComplianceReport(data *NagLoggerBaseData, compliance interface{})
}
A NagLogger that creates compliance reports.
func NewNagReportLogger ¶ added in v2.24.0
func NewNagReportLogger(props *NagReportLoggerProps) NagReportLogger
type NagReportLoggerProps ¶ added in v2.24.0
type NagReportLoggerProps struct {
Formats *[]NagReportFormat `field:"required" json:"formats" yaml:"formats"`
}
Props for the NagReportLogger.
type NagReportSchema ¶ added in v2.24.0
type NagReportSchema struct {
Lines *[]*NagReportLine `field:"required" json:"lines" yaml:"lines"`
}
type NagRuleCompliance ¶
type NagRuleCompliance string
The compliance level of a resource in relation to a rule.
const ( NagRuleCompliance_COMPLIANT NagRuleCompliance = "COMPLIANT" NagRuleCompliance_NON_COMPLIANT NagRuleCompliance = "NON_COMPLIANT" NagRuleCompliance_NOT_APPLICABLE NagRuleCompliance = "NOT_APPLICABLE" )
type NagRulePostValidationStates ¶ added in v2.24.0
type NagRulePostValidationStates string
Additional states a rule can be in post compliance validation.
const ( NagRulePostValidationStates_SUPPRESSED NagRulePostValidationStates = "SUPPRESSED" NagRulePostValidationStates_UNKNOWN NagRulePostValidationStates = "UNKNOWN" )
type NagRules ¶
type NagRules interface {
}
Helper class with methods for rule creation.
func NewNagRules ¶
func NewNagRules() NagRules
type NagSuppressions ¶
type NagSuppressions interface {
}
Helper class with methods to add cdk-nag suppressions to cdk resources.
func NewNagSuppressions ¶
func NewNagSuppressions() NagSuppressions
type PCIDSS321Checks ¶
type PCIDSS321Checks interface {
NagPack
Loggers() *[]INagLogger
SetLoggers(val *[]INagLogger)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore, validationFailure *bool) *string
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
}
Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
func NewPCIDSS321Checks ¶
func NewPCIDSS321Checks(props *NagPackProps) PCIDSS321Checks
type RegexAppliesTo ¶
type RegexAppliesTo struct {
// An ECMA-262 regex string.
Regex *string `field:"required" json:"regex" yaml:"regex"`
}
A regular expression to apply to matching findings.
type SuppressionIgnoreAlways ¶ added in v2.23.0
type SuppressionIgnoreAlways interface {
INagSuppressionIgnore
CreateMessage(_input *SuppressionIgnoreInput) *string
}
Always ignore the suppression.
func NewSuppressionIgnoreAlways ¶ added in v2.23.0
func NewSuppressionIgnoreAlways(triggerMessage *string) SuppressionIgnoreAlways
type SuppressionIgnoreAnd ¶ added in v2.23.0
type SuppressionIgnoreAnd interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
func NewSuppressionIgnoreAnd ¶ added in v2.23.0
func NewSuppressionIgnoreAnd(SuppressionIgnoreAnds ...INagSuppressionIgnore) SuppressionIgnoreAnd
type SuppressionIgnoreErrors ¶ added in v2.23.0
type SuppressionIgnoreErrors interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore Suppressions for Rules with a NagMessageLevel.ERROR.
func NewSuppressionIgnoreErrors ¶ added in v2.23.0
func NewSuppressionIgnoreErrors() SuppressionIgnoreErrors
type SuppressionIgnoreInput ¶ added in v2.23.0
type SuppressionIgnoreInput struct {
FindingId *string `field:"required" json:"findingId" yaml:"findingId"`
Reason *string `field:"required" json:"reason" yaml:"reason"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
}
Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.
type SuppressionIgnoreNever ¶ added in v2.23.0
type SuppressionIgnoreNever interface {
INagSuppressionIgnore
CreateMessage(_input *SuppressionIgnoreInput) *string
}
Don't ignore the suppression.
func NewSuppressionIgnoreNever ¶ added in v2.23.0
func NewSuppressionIgnoreNever() SuppressionIgnoreNever
type SuppressionIgnoreOr ¶ added in v2.23.0
type SuppressionIgnoreOr interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.
func NewSuppressionIgnoreOr ¶ added in v2.23.0
func NewSuppressionIgnoreOr(orSuppressionIgnores ...INagSuppressionIgnore) SuppressionIgnoreOr
Source Files
¶
- AnnotationLogger.go
- AnnotationLoggerProps.go
- AnnotationLogger__checks.go
- AwsSolutionsChecks.go
- AwsSolutionsChecks__checks.go
- HIPAASecurityChecks.go
- HIPAASecurityChecks__checks.go
- IApplyRule.go
- IApplyRule__checks.go
- INagLogger.go
- INagLogger__checks.go
- INagSuppressionIgnore.go
- INagSuppressionIgnore__checks.go
- NIST80053R4Checks.go
- NIST80053R4Checks__checks.go
- NIST80053R5Checks.go
- NIST80053R5Checks__checks.go
- NagLoggerBaseData.go
- NagLoggerComplianceData.go
- NagLoggerErrorData.go
- NagLoggerNonComplianceData.go
- NagLoggerNotApplicableData.go
- NagLoggerSuppressedData.go
- NagLoggerSuppressedErrorData.go
- NagMessageLevel.go
- NagPack.go
- NagPackProps.go
- NagPackSuppression.go
- NagPack__checks.go
- NagReportFormat.go
- NagReportLine.go
- NagReportLogger.go
- NagReportLoggerProps.go
- NagReportLogger__checks.go
- NagReportSchema.go
- NagRuleCompliance.go
- NagRulePostValidationStates.go
- NagRules.go
- NagRules__checks.go
- NagSuppressions.go
- NagSuppressions__checks.go
- PCIDSS321Checks.go
- PCIDSS321Checks__checks.go
- RegexAppliesTo.go
- SuppressionIgnoreAlways.go
- SuppressionIgnoreAlways__checks.go
- SuppressionIgnoreAnd.go
- SuppressionIgnoreAnd__checks.go
- SuppressionIgnoreErrors.go
- SuppressionIgnoreErrors__checks.go
- SuppressionIgnoreInput.go
- SuppressionIgnoreNever.go
- SuppressionIgnoreNever__checks.go
- SuppressionIgnoreOr.go
- SuppressionIgnoreOr__checks.go
- main.go
Directories
Click to show internal directories.
Click to hide internal directories.