README
¶
cdk-nag
Check CDK applications or CloudFormation templates for best practices using a combination of available rule packs. Inspired by cfn_nag.
Check out this blog post for a guided overview!
Available Rules and Packs
See RULES for more information on all the available packs.
RULES also includes a collection of additional rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in custom NagPacks.
Read the NagPack developer docs if you are interested in creating your own pack.
Usage
For a full list of options See NagPackProps in the API.md
Including in an application
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));
Suppressing a Rule
Example 1) Default Construct
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const test = new SecurityGroup(this, 'test', {
vpc: new Vpc(this, 'vpc'),
});
test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(test, [
{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
}
}
Example 2) On Multiple Constructs
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const vpc = new Vpc(this, 'vpc');
const test1 = new SecurityGroup(this, 'test', { vpc });
test1.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
const test2 = new SecurityGroup(this, 'test', { vpc });
test2.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
NagSuppressions.addResourceSuppressions(
[test1, test2],
[{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' }]
);
}
}
Example 3) Child Constructs
import { User, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const user = new User(this, 'rUser');
user.addToPolicy(
new PolicyStatement({
actions: ['s3:PutObject'],
resources: ['arn:aws:s3:::bucket_name/*'],
})
);
// Enable adding suppressions to child constructs
NagSuppressions.addResourceSuppressions(
user,
[
{
id: 'AwsSolutions-IAM5',
reason: 'lorem ipsum',
appliesTo: ['Resource::arn:aws:s3:::bucket_name/*'], // optional
},
],
true
);
}
}
Example 4) Stack Level
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';
const app = new App();
const stack = new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
NagSuppressions.addStackSuppressions(stack, [
{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
Example 5) Construct path
If you received the following error on synth/deploy
[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BucketDeployment } from 'aws-cdk-lib/aws-s3-deployment';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new BucketDeployment(this, 'rDeployment', {
sources: [],
destinationBucket: Bucket.fromBucketName(this, 'rBucket', 'foo'),
});
NagSuppressions.addResourceSuppressionsByPath(
this,
'/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource',
[{ id: 'AwsSolutions-IAM4', reason: 'at least 10 characters' }]
);
}
}
Example 6) Granular Suppressions of findings
Certain rules support granular suppressions of findings. If you received the following errors on synth/deploy
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
By applying the following suppressions
import { User } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const firstUser = new User(this, 'rFirstUser');
firstUser.addToPolicy(
new PolicyStatement({
actions: ['s3:*'],
resources: ['*'],
})
);
const secondUser = new User(this, 'rSecondUser');
secondUser.addToPolicy(
new PolicyStatement({
actions: ['s3:*'],
resources: ['*'],
})
);
const thirdUser = new User(this, 'rSecondUser');
thirdUser.addToPolicy(
new PolicyStatement({
actions: ['sqs:CreateQueue'],
resources: [`arn:aws:sqs:${this.region}:${this.account}:*`],
})
);
NagSuppressions.addResourceSuppressions(
firstUser,
[
{
id: 'AwsSolutions-IAM5',
reason:
"Only suppress AwsSolutions-IAM5 's3:*' finding on First User.",
appliesTo: ['Action::s3:*'],
},
],
true
);
NagSuppressions.addResourceSuppressions(
secondUser,
[
{
id: 'AwsSolutions-IAM5',
reason: 'Suppress all AwsSolutions-IAM5 findings on Second User.',
},
],
true
);
NagSuppressions.addResourceSuppressions(
thirdUser,
[
{
id: 'AwsSolutions-IAM5',
reason: 'Suppress AwsSolutions-IAM5 on the SQS resource.',
appliesTo: [
{
regex: '/^Resource::arn:aws:sqs:(.*):\\*$/g',
},
],
},
],
true
);
}
}
You would see the following error on synth/deploy
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
Suppressing aws-cdk-lib/pipelines Violations
The aws-cdk-lib/pipelines.CodePipeline construct and its child constructs are not guaranteed to be "Visited" by Aspects, as they are not added during the "Construction" phase of the cdk lifecycle. Because of this behavior, you may experience problems such as rule violations not appearing or the inability to suppress violations on these constructs.
You can remediate these rule violation and suppression problems by forcing the pipeline construct creation forward by calling .buildPipeline() on your CodePipeline object. Otherwise you may see errors such as:
Error: Suppression path "/this/construct/path" did not match any resource. This can occur when a resource does not exist or if a suppression is applied before a resource is created.
See this issue for more information.
Example) Supressing Violations in Pipelines
example-app.ts
import { App, Aspects } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';
import { ExamplePipeline } from '../lib/example-pipeline';
const app = new App();
new ExamplePipeline(app, 'example-cdk-pipeline');
Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
app.synth();
example-pipeline.ts
import { Stack, StackProps } from 'aws-cdk-lib';
import { Repository } from 'aws-cdk-lib/aws-codecommit';
import { CodePipeline, CodePipelineSource, ShellStep } from 'aws-cdk-lib/pipelines';
import { NagSuppressions } from 'cdk-nag';
import { Construct } from 'constructs';
export class ExamplePipeline extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const exampleSynth = new ShellStep('ExampleSynth', {
commands: ['yarn build --frozen-lockfile'],
input: CodePipelineSource.codeCommit(new Repository(this, 'ExampleRepo', { repositoryName: 'ExampleRepo' }), 'main'),
});
const ExamplePipeline = new CodePipeline(this, 'ExamplePipeline', {
synth: exampleSynth,
});
// Force the pipeline construct creation forward before applying suppressions.
// @See https://github.com/aws/aws-cdk/issues/18440
ExamplePipeline.buildPipeline();
// The path suppression will error if you comment out "ExamplePipeline.buildPipeline();""
NagSuppressions.addResourceSuppressionsByPath(this, '/example-cdk-pipeline/ExamplePipeline/Pipeline/ArtifactsBucket/Resource', [
{
id: 'AwsSolutions-S1',
reason: 'Because I said so',
},
]);
}
}
Rules and Property Overrides
In some cases L2 Constructs do not have a native option to remediate an issue and must be fixed via Raw Overrides. Since raw overrides take place after template synthesis these fixes are not caught by cdk-nag. In this case you should remediate the issue and suppress the issue like in the following example.
Example) Property Overrides
import {
Instance,
InstanceType,
InstanceClass,
MachineImage,
Vpc,
CfnInstance,
} from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
const instance = new Instance(this, 'rInstance', {
vpc: new Vpc(this, 'rVpc'),
instanceType: new InstanceType(InstanceClass.T3),
machineImage: MachineImage.latestAmazonLinux(),
});
const cfnIns = instance.node.defaultChild as CfnInstance;
cfnIns.addPropertyOverride('DisableApiTermination', true);
NagSuppressions.addResourceSuppressions(instance, [
{
id: 'AwsSolutions-EC29',
reason: 'Remediated through property override.',
},
]);
}
}
Conditionally Ignoring Suppressions
You can optionally create a condition that prevents certain rules from being suppressed. You can create conditions for any variety of reasons. Examples include a condition that always ignores a suppression, a condition that ignores a suppression based on the date, a condition that ignores a suppression based on the reason. You can read the developer docs for more information on creating your own conditions.
Example) Using the pre-built `SuppressionIgnoreErrors` class to ignore suppressions on any `Error` level rules.
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, SuppressionIgnoreErrors } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Ignore Suppressions on any errors
Aspects.of(app).add(
new AwsSolutionsChecks({
suppressionIgnoreCondition: new SuppressionIgnoreErrors(),
})
);
Using on CloudFormation templates
You can use cdk-nag on existing CloudFormation templates by using the cloudformation-include module.
Example 1) CloudFormation template with suppression
Sample CloudFormation template with suppression
{
"Resources": {
"rBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "some-bucket-name"
},
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-S1",
"reason": "at least 10 characters"
}
]
}
}
}
}
}
Sample App
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
Sample Stack with imported template
import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new CfnInclude(this, 'Template', {
templateFile: 'my-template.json',
});
// Add any additional suppressions
NagSuppressions.addResourceSuppressionsByPath(
this,
'/CdkNagDemo/Template/rBucket',
[
{
id: 'AwsSolutions-S2',
reason: 'at least 10 characters',
},
]
);
}
}
Example 2) CloudFormation template with granular suppressions
Sample CloudFormation template with suppression
{
"Resources": {
"myPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*"
],
"Effect": "Allow",
"Resource": ["some-key-arn"]
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"cdk_nag": {
"rules_to_suppress": [
{
"id": "AwsSolutions-IAM5",
"reason": "Allow key data access",
"applies_to": [
"Action::kms:ReEncrypt*",
"Action::kms:GenerateDataKey*"
]
}
]
}
}
}
}
}
Sample App
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';
const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
Sample Stack with imported template
import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
export class CdkTestStack extends Stack {
constructor(scope: Construct, id: string, props?: StackProps) {
super(scope, id, props);
new CfnInclude(this, 'Template', {
templateFile: 'my-template.json',
});
// Add any additional suppressions
NagSuppressions.addResourceSuppressionsByPath(
this,
'/CdkNagDemo/Template/myPolicy',
[
{
id: 'AwsSolutions-IAM5',
reason: 'Allow key data access',
appliesTo: ['Action::kms:ReEncrypt*', 'Action::kms:GenerateDataKey*'],
},
]
);
}
}
Contributing
See CONTRIBUTING for more information.
License
This project is licensed under the Apache-2.0 License.
Documentation
¶
Overview ¶
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Check CDK v2 applications for best practices using a combination on available rule packs.
Index ¶
- func NagRules_ResolveIfPrimitive(node awscdk.CfnResource, parameter interface{}) interface{}
- func NagRules_ResolveResourceFromInstrinsic(node awscdk.CfnResource, parameter interface{}) interface{}
- func NagSuppressions_AddResourceSuppressions(construct interface{}, suppressions *[]*NagPackSuppression, ...)
- func NagSuppressions_AddResourceSuppressionsByPath(stack awscdk.Stack, path interface{}, suppressions *[]*NagPackSuppression, ...)
- func NagSuppressions_AddStackSuppressions(stack awscdk.Stack, suppressions *[]*NagPackSuppression, ...)
- func NewAwsSolutionsChecks_Override(a AwsSolutionsChecks, props *NagPackProps)
- func NewHIPAASecurityChecks_Override(h HIPAASecurityChecks, props *NagPackProps)
- func NewNIST80053R4Checks_Override(n NIST80053R4Checks, props *NagPackProps)
- func NewNIST80053R5Checks_Override(n NIST80053R5Checks, props *NagPackProps)
- func NewNagPack_Override(n NagPack, props *NagPackProps)
- func NewNagRules_Override(n NagRules)
- func NewNagSuppressions_Override(n NagSuppressions)
- func NewPCIDSS321Checks_Override(p PCIDSS321Checks, props *NagPackProps)
- func NewSuppressionIgnoreAlways_Override(s SuppressionIgnoreAlways, triggerMessage *string)
- func NewSuppressionIgnoreAnd_Override(s SuppressionIgnoreAnd, SuppressionIgnoreAnds ...INagSuppressionIgnore)
- func NewSuppressionIgnoreErrors_Override(s SuppressionIgnoreErrors)
- func NewSuppressionIgnoreNever_Override(s SuppressionIgnoreNever)
- func NewSuppressionIgnoreOr_Override(s SuppressionIgnoreOr, orSuppressionIgnores ...INagSuppressionIgnore)
- type AwsSolutionsChecks
- type HIPAASecurityChecks
- type IApplyRule
- type INagSuppressionIgnore
- type NIST80053R4Checks
- type NIST80053R5Checks
- type NagMessageLevel
- type NagPack
- type NagPackProps
- type NagPackSuppression
- type NagRuleCompliance
- type NagRules
- type NagSuppressions
- type PCIDSS321Checks
- type RegexAppliesTo
- type SuppressionIgnoreAlways
- type SuppressionIgnoreAnd
- type SuppressionIgnoreErrors
- type SuppressionIgnoreInput
- type SuppressionIgnoreNever
- type SuppressionIgnoreOr
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NagRules_ResolveIfPrimitive ¶
func NagRules_ResolveIfPrimitive(node awscdk.CfnResource, parameter interface{}) interface{}
Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive
Returns: Return a value if resolves to a primitive data type, otherwise throw an error.
func NagRules_ResolveResourceFromInstrinsic ¶
func NagRules_ResolveResourceFromInstrinsic(node awscdk.CfnResource, parameter interface{}) interface{}
Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
Returns: Return the Logical resource Id if resolves to a intrinsic function, otherwise the resolved provided value.
func NagSuppressions_AddResourceSuppressions ¶
func NagSuppressions_AddResourceSuppressions(construct interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)
Add cdk-nag suppressions to a CfnResource and optionally its children.
func NagSuppressions_AddResourceSuppressionsByPath ¶
func NagSuppressions_AddResourceSuppressionsByPath(stack awscdk.Stack, path interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)
Add cdk-nag suppressions to a CfnResource and optionally its children via its path.
func NagSuppressions_AddStackSuppressions ¶
func NagSuppressions_AddStackSuppressions(stack awscdk.Stack, suppressions *[]*NagPackSuppression, applyToNestedStacks *bool)
Apply cdk-nag suppressions to a Stack and optionally nested stacks.
func NewAwsSolutionsChecks_Override ¶
func NewAwsSolutionsChecks_Override(a AwsSolutionsChecks, props *NagPackProps)
func NewHIPAASecurityChecks_Override ¶
func NewHIPAASecurityChecks_Override(h HIPAASecurityChecks, props *NagPackProps)
func NewNIST80053R4Checks_Override ¶
func NewNIST80053R4Checks_Override(n NIST80053R4Checks, props *NagPackProps)
func NewNIST80053R5Checks_Override ¶
func NewNIST80053R5Checks_Override(n NIST80053R5Checks, props *NagPackProps)
func NewNagPack_Override ¶
func NewNagPack_Override(n NagPack, props *NagPackProps)
func NewNagRules_Override ¶
func NewNagRules_Override(n NagRules)
func NewNagSuppressions_Override ¶
func NewNagSuppressions_Override(n NagSuppressions)
func NewPCIDSS321Checks_Override ¶
func NewPCIDSS321Checks_Override(p PCIDSS321Checks, props *NagPackProps)
func NewSuppressionIgnoreAlways_Override ¶ added in v2.23.0
func NewSuppressionIgnoreAlways_Override(s SuppressionIgnoreAlways, triggerMessage *string)
func NewSuppressionIgnoreAnd_Override ¶ added in v2.23.0
func NewSuppressionIgnoreAnd_Override(s SuppressionIgnoreAnd, SuppressionIgnoreAnds ...INagSuppressionIgnore)
func NewSuppressionIgnoreErrors_Override ¶ added in v2.23.0
func NewSuppressionIgnoreErrors_Override(s SuppressionIgnoreErrors)
func NewSuppressionIgnoreNever_Override ¶ added in v2.23.0
func NewSuppressionIgnoreNever_Override(s SuppressionIgnoreNever)
func NewSuppressionIgnoreOr_Override ¶ added in v2.23.0
func NewSuppressionIgnoreOr_Override(s SuppressionIgnoreOr, orSuppressionIgnores ...INagSuppressionIgnore)
Types ¶
type AwsSolutionsChecks ¶
type AwsSolutionsChecks interface {
NagPack
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Check Best practices based on AWS Solutions Security Matrix.
func NewAwsSolutionsChecks ¶
func NewAwsSolutionsChecks(props *NagPackProps) AwsSolutionsChecks
type HIPAASecurityChecks ¶
type HIPAASecurityChecks interface {
NagPack
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Check for HIPAA Security compliance.
Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
func NewHIPAASecurityChecks ¶
func NewHIPAASecurityChecks(props *NagPackProps) HIPAASecurityChecks
type IApplyRule ¶
type IApplyRule interface {
// The callback to the rule.
Rule(node awscdk.CfnResource) interface{}
// Why the rule exists.
Explanation() *string
SetExplanation(e *string)
// A condition in which a suppression should be ignored.
IgnoreSuppressionCondition() INagSuppressionIgnore
SetIgnoreSuppressionCondition(i INagSuppressionIgnore)
// Why the rule was triggered.
Info() *string
SetInfo(i *string)
// The annotations message level to apply to the rule if triggered.
Level() NagMessageLevel
SetLevel(l NagMessageLevel)
// The CfnResource to check.
Node() awscdk.CfnResource
SetNode(n awscdk.CfnResource)
// Override for the suffix of the Rule ID for this rule.
RuleSuffixOverride() *string
SetRuleSuffixOverride(r *string)
}
Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.
type INagSuppressionIgnore ¶ added in v2.23.0
type INagSuppressionIgnore interface {
CreateMessage(input *SuppressionIgnoreInput) *string
}
Interface for creating NagSuppression Ignores.
type NIST80053R4Checks ¶
type NIST80053R4Checks interface {
NagPack
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Check for NIST 800-53 rev 4 compliance.
Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html
func NewNIST80053R4Checks ¶
func NewNIST80053R4Checks(props *NagPackProps) NIST80053R4Checks
type NIST80053R5Checks ¶
type NIST80053R5Checks interface {
NagPack
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Check for NIST 800-53 rev 5 compliance.
Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html
func NewNIST80053R5Checks ¶
func NewNIST80053R5Checks(props *NagPackProps) NIST80053R5Checks
type NagMessageLevel ¶
type NagMessageLevel string
The severity level of the rule.
const ( NagMessageLevel_WARN NagMessageLevel = "WARN" NagMessageLevel_ERROR NagMessageLevel = "ERROR" )
type NagPack ¶
type NagPack interface {
awscdk.IAspect
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Base class for all rule packs.
type NagPackProps ¶
type NagPackProps struct {
// Whether or not to log triggered rules that have been suppressed as informational messages (default: false).
LogIgnores *bool `field:"optional" json:"logIgnores" yaml:"logIgnores"`
// Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true).
Reports *bool `field:"optional" json:"reports" yaml:"reports"`
// Conditionally prevent rules from being suppressed (default: no user provided condition).
SuppressionIgnoreCondition INagSuppressionIgnore `field:"optional" json:"suppressionIgnoreCondition" yaml:"suppressionIgnoreCondition"`
// Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
Verbose *bool `field:"optional" json:"verbose" yaml:"verbose"`
}
Interface for creating a Nag rule pack.
type NagPackSuppression ¶
type NagPackSuppression struct {
// The id of the rule to ignore.
Id *string `field:"required" json:"id" yaml:"id"`
// The reason to ignore the rule (minimum 10 characters).
Reason *string `field:"required" json:"reason" yaml:"reason"`
// Rule specific granular suppressions.
AppliesTo *[]interface{} `field:"optional" json:"appliesTo" yaml:"appliesTo"`
}
Interface for creating a rule suppression.
type NagRuleCompliance ¶
type NagRuleCompliance string
The compliance level of a resource in relation to a rule.
const ( NagRuleCompliance_COMPLIANT NagRuleCompliance = "COMPLIANT" NagRuleCompliance_NON_COMPLIANT NagRuleCompliance = "NON_COMPLIANT" NagRuleCompliance_NOT_APPLICABLE NagRuleCompliance = "NOT_APPLICABLE" )
type NagRules ¶
type NagRules interface {
}
Helper class with methods for rule creation.
func NewNagRules ¶
func NewNagRules() NagRules
type NagSuppressions ¶
type NagSuppressions interface {
}
Helper class with methods to add cdk-nag suppressions to cdk resources.
func NewNagSuppressions ¶
func NewNagSuppressions() NagSuppressions
type PCIDSS321Checks ¶
type PCIDSS321Checks interface {
NagPack
LogIgnores() *bool
SetLogIgnores(val *bool)
PackGlobalSuppressionIgnore() INagSuppressionIgnore
SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
PackName() *string
SetPackName(val *string)
ReadPackName() *string
ReadReportStacks() *[]*string
Reports() *bool
SetReports(val *bool)
ReportStacks() *[]*string
SetReportStacks(val *[]*string)
UserGlobalSuppressionIgnore() INagSuppressionIgnore
SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
Verbose() *bool
SetVerbose(val *bool)
// Create a rule to be used in the NagPack.
ApplyRule(params IApplyRule)
// Helper function to create a line for the compliance report.
CreateComplianceReportLine(params IApplyRule, ruleId *string, compliance interface{}, explanation *string) *string
// The message to output to the console when a rule is triggered.
//
// Returns: The formatted message string.
CreateMessage(ruleId *string, findingId *string, info *string, explanation *string) *string
// Check whether a specific rule should be ignored.
//
// Returns: The reason the rule was ignored, or an empty string.
IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
InitializeStackReport(params IApplyRule)
// All aspects can visit an IConstruct.
Visit(node constructs.IConstruct)
// Write a line to the rule pack's compliance report for the resource's Stack.
WriteToStackComplianceReport(params IApplyRule, ruleId *string, compliance interface{}, explanation *string)
}
Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
func NewPCIDSS321Checks ¶
func NewPCIDSS321Checks(props *NagPackProps) PCIDSS321Checks
type RegexAppliesTo ¶
type RegexAppliesTo struct {
// An ECMA-262 regex string.
Regex *string `field:"required" json:"regex" yaml:"regex"`
}
A regular expression to apply to matching findings.
type SuppressionIgnoreAlways ¶ added in v2.23.0
type SuppressionIgnoreAlways interface {
INagSuppressionIgnore
CreateMessage(_input *SuppressionIgnoreInput) *string
}
Always ignore the suppression.
func NewSuppressionIgnoreAlways ¶ added in v2.23.0
func NewSuppressionIgnoreAlways(triggerMessage *string) SuppressionIgnoreAlways
type SuppressionIgnoreAnd ¶ added in v2.23.0
type SuppressionIgnoreAnd interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
func NewSuppressionIgnoreAnd ¶ added in v2.23.0
func NewSuppressionIgnoreAnd(SuppressionIgnoreAnds ...INagSuppressionIgnore) SuppressionIgnoreAnd
type SuppressionIgnoreErrors ¶ added in v2.23.0
type SuppressionIgnoreErrors interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore Suppressions for Rules with a NagMessageLevel.ERROR.
func NewSuppressionIgnoreErrors ¶ added in v2.23.0
func NewSuppressionIgnoreErrors() SuppressionIgnoreErrors
type SuppressionIgnoreInput ¶ added in v2.23.0
type SuppressionIgnoreInput struct {
FindingId *string `field:"required" json:"findingId" yaml:"findingId"`
Reason *string `field:"required" json:"reason" yaml:"reason"`
Resource awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
RuleId *string `field:"required" json:"ruleId" yaml:"ruleId"`
RuleLevel NagMessageLevel `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
}
Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.
type SuppressionIgnoreNever ¶ added in v2.23.0
type SuppressionIgnoreNever interface {
INagSuppressionIgnore
CreateMessage(_input *SuppressionIgnoreInput) *string
}
Don't ignore the suppression.
func NewSuppressionIgnoreNever ¶ added in v2.23.0
func NewSuppressionIgnoreNever() SuppressionIgnoreNever
type SuppressionIgnoreOr ¶ added in v2.23.0
type SuppressionIgnoreOr interface {
INagSuppressionIgnore
CreateMessage(input *SuppressionIgnoreInput) *string
}
Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.
func NewSuppressionIgnoreOr ¶ added in v2.23.0
func NewSuppressionIgnoreOr(orSuppressionIgnores ...INagSuppressionIgnore) SuppressionIgnoreOr
Source Files
¶
- AwsSolutionsChecks.go
- AwsSolutionsChecks__checks.go
- HIPAASecurityChecks.go
- HIPAASecurityChecks__checks.go
- IApplyRule.go
- IApplyRule__checks.go
- INagSuppressionIgnore.go
- INagSuppressionIgnore__checks.go
- NIST80053R4Checks.go
- NIST80053R4Checks__checks.go
- NIST80053R5Checks.go
- NIST80053R5Checks__checks.go
- NagMessageLevel.go
- NagPack.go
- NagPackProps.go
- NagPackSuppression.go
- NagPack__checks.go
- NagRuleCompliance.go
- NagRules.go
- NagRules__checks.go
- NagSuppressions.go
- NagSuppressions__checks.go
- PCIDSS321Checks.go
- PCIDSS321Checks__checks.go
- RegexAppliesTo.go
- SuppressionIgnoreAlways.go
- SuppressionIgnoreAlways__checks.go
- SuppressionIgnoreAnd.go
- SuppressionIgnoreAnd__checks.go
- SuppressionIgnoreErrors.go
- SuppressionIgnoreErrors__checks.go
- SuppressionIgnoreInput.go
- SuppressionIgnoreNever.go
- SuppressionIgnoreNever__checks.go
- SuppressionIgnoreOr.go
- SuppressionIgnoreOr__checks.go
- main.go
Directories
Click to show internal directories.
Click to hide internal directories.