cdknag

package module
v2.29.16 (Latest)
Published: Oct 24, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

README

cdk-nag


Check CDK applications or CloudFormation templates for best practices using a combination of available rule packs. Inspired by cfn_nag.

Check out this blog post for a guided overview!


Available Rules and Packs

See RULES for more information on all the available packs.

  1. AWS Solutions
  2. HIPAA Security
  3. NIST 800-53 rev 4
  4. NIST 800-53 rev 5
  5. PCI DSS 3.2.1

RULES also includes a collection of additional rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in custom NagPacks.

Read the NagPack developer docs if you are interested in creating your own pack.

Usage

For a full list of options, see NagPackProps in API.md.

Including in an application
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));

Suppressing a Rule

Example 1) Default Construct
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const test = new SecurityGroup(this, 'test', {
      vpc: new Vpc(this, 'vpc'),
    });
    test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
    NagSuppressions.addResourceSuppressions(test, [
      { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
    ]);
  }
}
Example 2) On Multiple Constructs
import { SecurityGroup, Vpc, Peer, Port } from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const vpc = new Vpc(this, 'vpc');
    // Each construct needs a unique id within its scope
    const test1 = new SecurityGroup(this, 'test1', { vpc });
    test1.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
    const test2 = new SecurityGroup(this, 'test2', { vpc });
    test2.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
    NagSuppressions.addResourceSuppressions(
      [test1, test2],
      [{ id: 'AwsSolutions-EC23', reason: 'lorem ipsum' }]
    );
  }
}
Example 3) Child Constructs
import { User, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const user = new User(this, 'rUser');
    user.addToPolicy(
      new PolicyStatement({
        actions: ['s3:PutObject'],
        resources: ['arn:aws:s3:::bucket_name/*'],
      })
    );
    // Enable adding suppressions to child constructs
    NagSuppressions.addResourceSuppressions(
      user,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'lorem ipsum',
          appliesTo: ['Resource::arn:aws:s3:::bucket_name/*'], // optional
        },
      ],
      true
    );
  }
}
Example 4) Stack Level
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';

const app = new App();
const stack = new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
NagSuppressions.addStackSuppressions(stack, [
  { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
Example 5) Construct path

If you received the following error on synth/deploy

[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BucketDeployment } from 'aws-cdk-lib/aws-s3-deployment';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new BucketDeployment(this, 'rDeployment', {
      sources: [],
      destinationBucket: Bucket.fromBucketName(this, 'rBucket', 'foo'),
    });
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource',
      [{ id: 'AwsSolutions-IAM4', reason: 'at least 10 characters' }]
    );
  }
}
Example 6) Granular Suppressions of findings

Certain rules support granular suppressions of findings. If you received the following errors on synth/deploy

[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.

By applying the following suppressions

import { User, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const firstUser = new User(this, 'rFirstUser');
    firstUser.addToPolicy(
      new PolicyStatement({
        actions: ['s3:*'],
        resources: ['*'],
      })
    );
    const secondUser = new User(this, 'rSecondUser');
    secondUser.addToPolicy(
      new PolicyStatement({
        actions: ['s3:*'],
        resources: ['*'],
      })
    );
    const thirdUser = new User(this, 'rThirdUser');
    thirdUser.addToPolicy(
      new PolicyStatement({
        actions: ['sqs:CreateQueue'],
        resources: [`arn:aws:sqs:${this.region}:${this.account}:*`],
      })
    );
    NagSuppressions.addResourceSuppressions(
      firstUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason:
            "Only suppress AwsSolutions-IAM5 's3:*' finding on First User.",
          appliesTo: ['Action::s3:*'],
        },
      ],
      true
    );
    NagSuppressions.addResourceSuppressions(
      secondUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Suppress all AwsSolutions-IAM5 findings on Second User.',
        },
      ],
      true
    );
    NagSuppressions.addResourceSuppressions(
      thirdUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Suppress AwsSolutions-IAM5 on the SQS resource.',
          appliesTo: [
            {
              regex: '/^Resource::arn:aws:sqs:(.*):\\*$/g',
            },
          ],
        },
      ],
      true
    );
  }
}

You would see the following error on synth/deploy

[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.

Suppressing aws-cdk-lib/pipelines Violations

The aws-cdk-lib/pipelines.CodePipeline construct and its child constructs are not guaranteed to be "Visited" by Aspects, because they are not added during the "Construction" phase of the CDK lifecycle. As a result you may see rule violations that never appear, or find that you cannot suppress violations on these constructs.

You can remediate these rule violation and suppression problems by forcing the pipeline construct creation forward, by calling .buildPipeline() on your CodePipeline object before adding suppressions. Otherwise you may see errors such as:

Error: Suppression path "/this/construct/path" did not match any resource. This can occur when a resource does not exist or if a suppression is applied before a resource is created.

See this issue for more information.

Example) Suppressing Violations in Pipelines

example-app.ts

import { App, Aspects } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';
import { ExamplePipeline } from '../lib/example-pipeline';

const app = new App();
new ExamplePipeline(app, 'example-cdk-pipeline');
Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
app.synth();

example-pipeline.ts

import { Stack, StackProps } from 'aws-cdk-lib';
import { Repository } from 'aws-cdk-lib/aws-codecommit';
import {
  CodePipeline,
  CodePipelineSource,
  ShellStep,
} from 'aws-cdk-lib/pipelines';
import { NagSuppressions } from 'cdk-nag';
import { Construct } from 'constructs';

export class ExamplePipeline extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const exampleSynth = new ShellStep('ExampleSynth', {
      commands: ['yarn build --frozen-lockfile'],
      input: CodePipelineSource.codeCommit(
        new Repository(this, 'ExampleRepo', { repositoryName: 'ExampleRepo' }),
        'main'
      ),
    });

    const ExamplePipeline = new CodePipeline(this, 'ExamplePipeline', {
      synth: exampleSynth,
    });

    // Force the pipeline construct creation forward before applying suppressions.
    // See https://github.com/aws/aws-cdk/issues/18440
    ExamplePipeline.buildPipeline();

    // The path suppression will error if "ExamplePipeline.buildPipeline();" above is commented out.
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/example-cdk-pipeline/ExamplePipeline/Pipeline/ArtifactsBucket/Resource',
      [
        {
          id: 'AwsSolutions-S1',
          reason: 'Because I said so',
        },
      ]
    );
  }
}

Rules and Property Overrides

In some cases L2 Constructs do not have a native option to remediate an issue, and it must be fixed via Raw Overrides. Since raw overrides take place after template synthesis, these fixes are not caught by cdk-nag. In this case you should remediate the issue and then suppress the finding, as in the following example.

Example) Property Overrides
import {
  Instance,
  InstanceType,
  InstanceClass,
  InstanceSize,
  MachineImage,
  Vpc,
  CfnInstance,
} from 'aws-cdk-lib/aws-ec2';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const instance = new Instance(this, 'rInstance', {
      vpc: new Vpc(this, 'rVpc'),
      // InstanceType.of() builds a valid identifier such as 't3.micro'
      instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.MICRO),
      machineImage: MachineImage.latestAmazonLinux(),
    });
    const cfnIns = instance.node.defaultChild as CfnInstance;
    cfnIns.addPropertyOverride('DisableApiTermination', true);
    NagSuppressions.addResourceSuppressions(instance, [
      {
        id: 'AwsSolutions-EC29',
        reason: 'Remediated through property override.',
      },
    ]);
  }
}

Conditionally Ignoring Suppressions

You can optionally create a condition that prevents certain rules from being suppressed. Conditions can be written for any number of reasons; examples include a condition that always ignores a suppression, one that ignores a suppression based on the date, and one that ignores a suppression based on the reason given. You can read the developer docs for more information on creating your own conditions.

Example) Using the pre-built `SuppressionIgnoreErrors` class to ignore suppressions on any `Error` level rules.
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, SuppressionIgnoreErrors } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Ignore Suppressions on any errors
Aspects.of(app).add(
  new AwsSolutionsChecks({
    suppressionIgnoreCondition: new SuppressionIgnoreErrors(),
  })
);
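The date-based and reason-based conditions mentioned above, combined into one policy, as an added example that is not cdk-nag's own code. The local types mirror the shape of cdk-nag's SuppressionIgnoreInput and INagSuppressionIgnore (an assumption made so the file runs without aws-cdk-lib); in a real app you import them from 'cdk-nag', and the class stays structurally assignable to `suppressionIgnoreCondition`.

```typescript
// Added example (not cdk-nag's own code): a suppression-ignore condition that
// enforces a reason policy. The local types below are assumed to mirror
// cdk-nag's SuppressionIgnoreInput / INagSuppressionIgnore so the file runs
// stand-alone; a real app imports them from 'cdk-nag'.

type PolicyRuleLevel = 'Warning' | 'Error';

interface PolicyIgnoreInput {
  readonly resource: unknown;   // awscdk.CfnResource in cdk-nag; not needed here
  readonly reason: string;
  readonly ruleId: string;
  readonly findingId: string;   // empty for rules without granular findings
  readonly ruleLevel: PolicyRuleLevel;
}

/**
 * Returning a non-empty string tells cdk-nag to ignore the suppression and
 * report the finding anyway (the string becomes the message); an empty string
 * lets the suppression stand. The policy:
 *   1. every reason must cite a tracking ticket such as SEC-123;
 *   2. suppressions of Error-level rules must carry "expires:YYYY-MM-DD";
 *   3. an expiry in the past re-surfaces the finding.
 */
class SuppressionIgnoreReasonPolicy {
  private static readonly TICKET = /\b[A-Z][A-Z0-9]*-\d+\b/;
  private static readonly EXPIRY = /\bexpires:(\d{4}-\d{2}-\d{2})\b/;

  // `now` is injectable so the check is deterministic in tests.
  constructor(private readonly now: () => Date = () => new Date()) {}

  createMessage(input: PolicyIgnoreInput): string {
    // Mirror the "RuleId[FindingId]" form cdk-nag uses in its own messages.
    const tag = input.findingId ? `${input.ruleId}[${input.findingId}]` : input.ruleId;

    if (!SuppressionIgnoreReasonPolicy.TICKET.test(input.reason)) {
      return `Suppression of ${tag} ignored: reason must cite a tracking ticket (e.g. SEC-123).`;
    }
    const m = SuppressionIgnoreReasonPolicy.EXPIRY.exec(input.reason);
    if (!m) {
      return input.ruleLevel === 'Error'
        ? `Suppression of ${tag} ignored: Error-level suppressions need an "expires:YYYY-MM-DD" marker.`
        : '';
    }
    const expiry = Date.parse(`${m[1]}T00:00:00Z`);
    if (isNaN(expiry)) {
      return `Suppression of ${tag} ignored: unparseable expiry date "${m[1]}".`;
    }
    if (expiry <= this.now().getTime()) {
      return `Suppression of ${tag} ignored: expired on ${m[1]}.`;
    }
    return '';
  }
}
```

Pass `new SuppressionIgnoreReasonPolicy()` as `suppressionIgnoreCondition` in place of `SuppressionIgnoreErrors` above, or combine the two with `SuppressionIgnoreOr`.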

Customizing Logging

NagLoggers give NagPack authors and users the ability to create their own custom reporting mechanisms. All pre-built NagPacks come with the AnnotationLogger and the NagReportLogger (with CSV reports) enabled by default.

See the NagLogger developer docs for more information.

Example) Adding the `ExtremelyHelpfulConsoleLogger` example from the NagLogger docs
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { ExtremelyHelpfulConsoleLogger } from './docs/NagLogger';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(
  new AwsSolutionsChecks({
    additionalLoggers: [new ExtremelyHelpfulConsoleLogger()],
  })
);
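A custom NagLogger that tallies findings per rule and exposes a count a CI gate can fail on, as an added example that is not cdk-nag's own code. The local types are assumed to mirror the field names of the NagLogger*Data structs documented further down this page; a real app imports INagLogger and the data types from 'cdk-nag' and registers the logger through `additionalLoggers`.

```typescript
// Added example (not cdk-nag's own code): a NagLogger that tallies findings
// per rule. The local types are assumed to mirror cdk-nag's NagLogger*Data
// field names so the file runs without aws-cdk-lib.

type TallyRuleLevel = 'Warning' | 'Error';

interface TallyBaseData {
  readonly nagPackName: string;
  readonly resource: unknown;      // awscdk.CfnResource; unused by this logger
  readonly ruleId: string;
  readonly ruleInfo: string;
  readonly ruleExplanation: string;
  readonly ruleLevel: TallyRuleLevel;
  readonly ruleOriginalName: string;
}
interface TallyNonComplianceData extends TallyBaseData { readonly findingId: string; }
interface TallyErrorData extends TallyBaseData { readonly errorMessage: string; }

interface RuleTally { level: TallyRuleLevel; unsuppressed: number; suppressed: number; errors: number; }

class FindingTallyLogger {
  private readonly tallies: Record<string, RuleTally> = {};

  private tally(data: TallyBaseData): RuleTally {
    if (!this.tallies[data.ruleId]) {
      this.tallies[data.ruleId] = { level: data.ruleLevel, unsuppressed: 0, suppressed: 0, errors: 0 };
    }
    return this.tallies[data.ruleId];
  }

  // Compliant and not-applicable resources carry no risk; nothing to record.
  onCompliance(_data: TallyBaseData): void {}
  onNotApplicable(_data: TallyBaseData): void {}

  onNonCompliance(data: TallyNonComplianceData): void { this.tally(data).unsuppressed += 1; }
  onSuppressed(data: TallyNonComplianceData): void { this.tally(data).suppressed += 1; }
  // A rule that threw could not evaluate the resource: count it, it is not a pass.
  onError(data: TallyErrorData): void { this.tally(data).errors += 1; }
  onSuppressedError(_data: TallyErrorData): void {}

  /** Unsuppressed Error-level findings plus rule errors: the number a CI gate should fail on. */
  blockingCount(): number {
    let n = 0;
    for (const id of Object.keys(this.tallies)) {
      const t = this.tallies[id];
      n += t.errors + (t.level === 'Error' ? t.unsuppressed : 0);
    }
    return n;
  }

  /** One line per rule, sorted by rule id, e.g. "AwsSolutions-IAM5 (Error): 1 open, 4 suppressed, 0 errors". */
  report(): string[] {
    return Object.keys(this.tallies).sort().map((id) => {
      const t = this.tallies[id];
      return `${id} (${t.level}): ${t.unsuppressed} open, ${t.suppressed} suppressed, ${t.errors} errors`;
    });
  }
}
```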

Using on CloudFormation templates

You can use cdk-nag on existing CloudFormation templates by using the cloudformation-include module.

Example 1) CloudFormation template with suppression

Sample CloudFormation template with suppression

{
  "Resources": {
    "rBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "some-bucket-name"
      },
      "Metadata": {
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "id": "AwsSolutions-S1",
              "reason": "at least 10 characters"
            }
          ]
        }
      }
    }
  }
}

Sample App

import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());

Sample Stack with imported template

import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new CfnInclude(this, 'Template', {
      templateFile: 'my-template.json',
    });
    // Add any additional suppressions
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/CdkNagDemo/Template/rBucket',
      [
        {
          id: 'AwsSolutions-S2',
          reason: 'at least 10 characters',
        },
      ]
    );
  }
}
Example 2) CloudFormation template with granular suppressions

Sample CloudFormation template with suppression

{
  "Resources": {
    "myPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Resource": ["some-key-arn"]
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "id": "AwsSolutions-IAM5",
              "reason": "Allow key data access",
              "applies_to": [
                "Action::kms:ReEncrypt*",
                "Action::kms:GenerateDataKey*"
              ]
            }
          ]
        }
      }
    }
  }
}

Sample App

import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());

Sample Stack with imported template

import { CfnInclude } from 'aws-cdk-lib/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new CfnInclude(this, 'Template', {
      templateFile: 'my-template.json',
    });
    // Add any additional suppressions
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/CdkNagDemo/Template/myPolicy',
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Allow key data access',
          appliesTo: ['Action::kms:ReEncrypt*', 'Action::kms:GenerateDataKey*'],
        },
      ]
    );
  }
}

Contributing

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Documentation

Overview

Check CDK v2 applications for best practices using a combination of available rule packs.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NagRules_ResolveIfPrimitive

func NagRules_ResolveIfPrimitive(node awscdk.CfnResource, parameter interface{}) interface{}

Use in cases where a primitive value must be known to pass a rule.

https://developer.mozilla.org/en-US/docs/Glossary/Primitive

Returns: The value if it resolves to a primitive data type; otherwise an error is thrown.

func NagRules_ResolveResourceFromInstrinsic

func NagRules_ResolveResourceFromInstrinsic(node awscdk.CfnResource, parameter interface{}) interface{}

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

Returns: The logical resource ID if the value resolves to an intrinsic function; otherwise the resolved value that was provided.

func NagSuppressions_AddResourceSuppressions

func NagSuppressions_AddResourceSuppressions(construct interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)

Add cdk-nag suppressions to a CfnResource and optionally its children.

func NagSuppressions_AddResourceSuppressionsByPath

func NagSuppressions_AddResourceSuppressionsByPath(stack awscdk.Stack, path interface{}, suppressions *[]*NagPackSuppression, applyToChildren *bool)

Add cdk-nag suppressions to a CfnResource and optionally its children via its path.

func NagSuppressions_AddStackSuppressions

func NagSuppressions_AddStackSuppressions(stack awscdk.Stack, suppressions *[]*NagPackSuppression, applyToNestedStacks *bool)

Apply cdk-nag suppressions to a Stack and optionally nested stacks.

func NewAnnotationLogger_Override added in v2.24.0

func NewAnnotationLogger_Override(a AnnotationLogger, props *AnnotationLoggerProps)

func NewAwsSolutionsChecks_Override

func NewAwsSolutionsChecks_Override(a AwsSolutionsChecks, props *NagPackProps)

func NewHIPAASecurityChecks_Override

func NewHIPAASecurityChecks_Override(h HIPAASecurityChecks, props *NagPackProps)

func NewNIST80053R4Checks_Override

func NewNIST80053R4Checks_Override(n NIST80053R4Checks, props *NagPackProps)

func NewNIST80053R5Checks_Override

func NewNIST80053R5Checks_Override(n NIST80053R5Checks, props *NagPackProps)

func NewNagPack_Override

func NewNagPack_Override(n NagPack, props *NagPackProps)

func NewNagReportLogger_Override added in v2.24.0

func NewNagReportLogger_Override(n NagReportLogger, props *NagReportLoggerProps)

func NewNagRules_Override

func NewNagRules_Override(n NagRules)

func NewNagSuppressions_Override

func NewNagSuppressions_Override(n NagSuppressions)

func NewPCIDSS321Checks_Override

func NewPCIDSS321Checks_Override(p PCIDSS321Checks, props *NagPackProps)

func NewSuppressionIgnoreAlways_Override added in v2.23.0

func NewSuppressionIgnoreAlways_Override(s SuppressionIgnoreAlways, triggerMessage *string)

func NewSuppressionIgnoreAnd_Override added in v2.23.0

func NewSuppressionIgnoreAnd_Override(s SuppressionIgnoreAnd, SuppressionIgnoreAnds ...INagSuppressionIgnore)

func NewSuppressionIgnoreErrors_Override added in v2.23.0

func NewSuppressionIgnoreErrors_Override(s SuppressionIgnoreErrors)

func NewSuppressionIgnoreNever_Override added in v2.23.0

func NewSuppressionIgnoreNever_Override(s SuppressionIgnoreNever)

func NewSuppressionIgnoreOr_Override added in v2.23.0

func NewSuppressionIgnoreOr_Override(s SuppressionIgnoreOr, orSuppressionIgnores ...INagSuppressionIgnore)

Types

type AnnotationLogger added in v2.24.0

type AnnotationLogger interface {
	INagLogger
	LogIgnores() *bool
	SuppressionId() *string
	SetSuppressionId(val *string)
	Verbose() *bool
	CreateMessage(ruleId *string, findingId *string, ruleInfo *string, ruleExplanation *string, verbose *bool) *string
	// Called when a CfnResource passes the compliance check for a given rule.
	OnCompliance(_data *NagLoggerComplianceData)
	// Called when a rule throws an error while validating a CfnResource for compliance.
	OnError(data *NagLoggerErrorData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
	OnNonCompliance(data *NagLoggerNonComplianceData)
	// Called when a rule does not apply to the given CfnResource.
	OnNotApplicable(_data *NagLoggerNotApplicableData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
	OnSuppressed(data *NagLoggerSuppressedData)
	// Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
	OnSuppressedError(data *NagLoggerSuppressedErrorData)
}

A NagLogger that outputs to the CDK Annotations system.

func NewAnnotationLogger added in v2.24.0

func NewAnnotationLogger(props *AnnotationLoggerProps) AnnotationLogger

type AnnotationLoggerProps added in v2.24.0

type AnnotationLoggerProps struct {
	// Whether or not to log suppressed rule violations as informational messages (default: false).
	LogIgnores *bool `field:"optional" json:"logIgnores" yaml:"logIgnores"`
	// Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages.
	Verbose *bool `field:"optional" json:"verbose" yaml:"verbose"`
}

Props for the AnnotationLogger.

type AwsSolutionsChecks

type AwsSolutionsChecks interface {
	NagPack
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Check Best practices based on AWS Solutions Security Matrix.

func NewAwsSolutionsChecks

func NewAwsSolutionsChecks(props *NagPackProps) AwsSolutionsChecks

type HIPAASecurityChecks

type HIPAASecurityChecks interface {
	NagPack
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Check for HIPAA Security compliance.

Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

func NewHIPAASecurityChecks

func NewHIPAASecurityChecks(props *NagPackProps) HIPAASecurityChecks

type IApplyRule

type IApplyRule interface {
	// The callback to the rule.
	Rule(node awscdk.CfnResource) interface{}
	// Why the rule exists.
	Explanation() *string
	SetExplanation(e *string)
	// A condition in which a suppression should be ignored.
	IgnoreSuppressionCondition() INagSuppressionIgnore
	SetIgnoreSuppressionCondition(i INagSuppressionIgnore)
	// Why the rule was triggered.
	Info() *string
	SetInfo(i *string)
	// The annotations message level to apply to the rule if triggered.
	Level() NagMessageLevel
	SetLevel(l NagMessageLevel)
	// The CfnResource to check.
	Node() awscdk.CfnResource
	SetNode(n awscdk.CfnResource)
	// Override for the suffix of the Rule ID for this rule.
	RuleSuffixOverride() *string
	SetRuleSuffixOverride(r *string)
}

Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.

type INagLogger added in v2.24.0

type INagLogger interface {
	// Called when a CfnResource passes the compliance check for a given rule.
	OnCompliance(data *NagLoggerComplianceData)
	// Called when a rule throws an error while validating a CfnResource for compliance.
	OnError(data *NagLoggerErrorData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
	OnNonCompliance(data *NagLoggerNonComplianceData)
	// Called when a rule does not apply to the given CfnResource.
	OnNotApplicable(data *NagLoggerNotApplicableData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
	OnSuppressed(data *NagLoggerSuppressedData)
	// Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
	OnSuppressedError(data *NagLoggerSuppressedErrorData)
}

Interface for creating NagSuppression Ignores.

type INagSuppressionIgnore added in v2.23.0

type INagSuppressionIgnore interface {
	CreateMessage(input *SuppressionIgnoreInput) *string
}

Interface for creating NagSuppression Ignores.

type NIST80053R4Checks

type NIST80053R4Checks interface {
	NagPack
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Check for NIST 800-53 rev 4 compliance.

Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

func NewNIST80053R4Checks

func NewNIST80053R4Checks(props *NagPackProps) NIST80053R4Checks

type NIST80053R5Checks

type NIST80053R5Checks interface {
	NagPack
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Check for NIST 800-53 rev 5 compliance.

Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

func NewNIST80053R5Checks

func NewNIST80053R5Checks(props *NagPackProps) NIST80053R5Checks

type NagLoggerBaseData added in v2.24.0

type NagLoggerBaseData struct {
	NagPackName      *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource         awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation  *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId           *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo         *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel        NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}

Shared data for all INagLogger methods.

type NagLoggerComplianceData added in v2.24.0

type NagLoggerComplianceData struct {
	NagPackName      *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource         awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation  *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId           *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo         *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel        NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}

Data for onCompliance method of an INagLogger.

type NagLoggerErrorData added in v2.24.0

type NagLoggerErrorData struct {
	NagPackName      *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource         awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation  *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId           *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo         *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel        NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
	ErrorMessage     *string            `field:"required" json:"errorMessage" yaml:"errorMessage"`
}

Data for onError method of an INagLogger.

type NagLoggerNonComplianceData added in v2.24.0

type NagLoggerNonComplianceData struct {
	NagPackName      *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource         awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation  *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId           *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo         *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel        NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
	FindingId        *string            `field:"required" json:"findingId" yaml:"findingId"`
}

Data for onNonCompliance method of an INagLogger.

type NagLoggerNotApplicableData added in v2.24.0

type NagLoggerNotApplicableData struct {
	NagPackName      *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource         awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation  *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId           *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo         *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel        NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
}

Data for onNotApplicable method of an INagLogger.

type NagLoggerSuppressedData added in v2.24.0

type NagLoggerSuppressedData struct {
	NagPackName       *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource          awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation   *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId            *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo          *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel         NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName  *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
	FindingId         *string            `field:"required" json:"findingId" yaml:"findingId"`
	SuppressionReason *string            `field:"required" json:"suppressionReason" yaml:"suppressionReason"`
}

Data for onSuppressed method of an INagLogger.

type NagLoggerSuppressedErrorData added in v2.24.0

type NagLoggerSuppressedErrorData struct {
	NagPackName            *string            `field:"required" json:"nagPackName" yaml:"nagPackName"`
	Resource               awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleExplanation        *string            `field:"required" json:"ruleExplanation" yaml:"ruleExplanation"`
	RuleId                 *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo               *string            `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel              NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
	RuleOriginalName       *string            `field:"required" json:"ruleOriginalName" yaml:"ruleOriginalName"`
	ErrorMessage           *string            `field:"required" json:"errorMessage" yaml:"errorMessage"`
	ErrorSuppressionReason *string            `field:"required" json:"errorSuppressionReason" yaml:"errorSuppressionReason"`
}

Data for onSuppressedError method of an INagLogger.

type NagMessageLevel

type NagMessageLevel string

The severity level of the rule.

const (
	NagMessageLevel_WARN  NagMessageLevel = "WARN"
	NagMessageLevel_ERROR NagMessageLevel = "ERROR"
)

type NagPack

type NagPack interface {
	awscdk.IAspect
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Base class for all rule packs.

type NagPackProps

type NagPackProps struct {
	// Additional NagLoggers for logging rule validation outputs.
	AdditionalLoggers *[]INagLogger `field:"optional" json:"additionalLoggers" yaml:"additionalLoggers"`
	// Whether or not to log suppressed rule violations as informational messages (default: false).
	LogIgnores *bool `field:"optional" json:"logIgnores" yaml:"logIgnores"`
	// If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).
	ReportFormats *[]NagReportFormat `field:"optional" json:"reportFormats" yaml:"reportFormats"`
	// Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).
	Reports *bool `field:"optional" json:"reports" yaml:"reports"`
	// Conditionally prevent rules from being suppressed (default: no user provided condition).
	SuppressionIgnoreCondition INagSuppressionIgnore `field:"optional" json:"suppressionIgnoreCondition" yaml:"suppressionIgnoreCondition"`
	// Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
	Verbose *bool `field:"optional" json:"verbose" yaml:"verbose"`
}

Interface for creating a NagPack.

type NagPackSuppression

type NagPackSuppression struct {
	// The id of the rule to ignore.
	Id *string `field:"required" json:"id" yaml:"id"`
	// The reason to ignore the rule (minimum 10 characters).
	Reason *string `field:"required" json:"reason" yaml:"reason"`
	// Rule specific granular suppressions.
	AppliesTo *[]interface{} `field:"optional" json:"appliesTo" yaml:"appliesTo"`
}

Interface for creating a rule suppression.

type NagReportFormat added in v2.24.0

type NagReportFormat string

Possible output formats of the NagReport.

const (
	NagReportFormat_CSV  NagReportFormat = "CSV"
	NagReportFormat_JSON NagReportFormat = "JSON"
)

type NagReportLine added in v2.24.0

type NagReportLine struct {
	Compliance      *string `field:"required" json:"compliance" yaml:"compliance"`
	ExceptionReason *string `field:"required" json:"exceptionReason" yaml:"exceptionReason"`
	ResourceId      *string `field:"required" json:"resourceId" yaml:"resourceId"`
	RuleId          *string `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleInfo        *string `field:"required" json:"ruleInfo" yaml:"ruleInfo"`
	RuleLevel       *string `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
}

type NagReportLogger added in v2.24.0

type NagReportLogger interface {
	INagLogger
	Formats() *[]NagReportFormat
	GetFormatStacks(format NagReportFormat) *[]*string
	// Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
	InitializeStackReport(data *NagLoggerBaseData)
	// Called when a CfnResource passes the compliance check for a given rule.
	OnCompliance(data *NagLoggerComplianceData)
	// Called when a rule throws an error while validating a CfnResource for compliance.
	OnError(data *NagLoggerErrorData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
	OnNonCompliance(data *NagLoggerNonComplianceData)
	// Called when a rule does not apply to the given CfnResource.
	OnNotApplicable(data *NagLoggerNotApplicableData)
	// Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
	OnSuppressed(data *NagLoggerSuppressedData)
	// Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
	OnSuppressedError(data *NagLoggerSuppressedErrorData)
	WriteToStackComplianceReport(data *NagLoggerBaseData, compliance interface{})
}

A NagLogger that creates compliance reports.

func NewNagReportLogger added in v2.24.0

func NewNagReportLogger(props *NagReportLoggerProps) NagReportLogger

type NagReportLoggerProps added in v2.24.0

type NagReportLoggerProps struct {
	Formats *[]NagReportFormat `field:"required" json:"formats" yaml:"formats"`
}

Props for the NagReportLogger.

type NagReportSchema added in v2.24.0

type NagReportSchema struct {
	Lines *[]*NagReportLine `field:"required" json:"lines" yaml:"lines"`
}
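NagReportLine and NagReportSchema above are the shape of the JSON compliance report a NagReportLogger writes, and the compliance column takes the NagRuleCompliance and NagRulePostValidationStates values listed on this page. The Go program below is an added example, not cdk-nag's own code: it parses a report in that shape and turns it into a pipeline gate. The sample report, its rule ids, resource ids and texts are constructed placeholders, and the "fail closed on UNKNOWN" policy in ShouldFailBuild is the example's own choice (UNKNOWN means the rule could not evaluate the resource, so its compliance is unverified).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// NagReportLine and NagReportSchema carry the JSON field names given on this
// page; everything else here is an added example, not cdk-nag's code.
type NagReportLine struct {
	Compliance      string `json:"compliance"`
	ExceptionReason string `json:"exceptionReason"`
	ResourceId      string `json:"resourceId"`
	RuleId          string `json:"ruleId"`
	RuleInfo        string `json:"ruleInfo"`
	RuleLevel       string `json:"ruleLevel"`
}

type NagReportSchema struct {
	Lines []NagReportLine `json:"lines"`
}

// ReportSummary is what a pipeline gate acts on after synthesis.
type ReportSummary struct {
	Counts     map[string]int  // per NagRuleCompliance / NagRulePostValidationStates value
	Blocking   []NagReportLine // NON_COMPLIANT at ERROR level: fix or formally suppress
	Unknown    []NagReportLine // UNKNOWN: the rule could not evaluate, compliance unverified
	Suppressed []NagReportLine // SUPPRESSED: the recorded reasons are what a reviewer reads
}

// Summarize parses a report in NagReportSchema form and buckets its lines.
func Summarize(raw []byte) (ReportSummary, error) {
	var rep NagReportSchema
	if err := json.Unmarshal(raw, &rep); err != nil {
		return ReportSummary{}, fmt.Errorf("parse cdk-nag JSON report: %w", err)
	}
	s := ReportSummary{Counts: map[string]int{}}
	for _, l := range rep.Lines {
		s.Counts[l.Compliance]++
		switch l.Compliance {
		case "NON_COMPLIANT":
			if l.RuleLevel == "ERROR" {
				s.Blocking = append(s.Blocking, l)
			}
		case "UNKNOWN":
			s.Unknown = append(s.Unknown, l)
		case "SUPPRESSED":
			s.Suppressed = append(s.Suppressed, l)
		}
	}
	return s, nil
}

// ShouldFailBuild fails closed: unresolved ERROR findings and rules that could
// not evaluate both block the deployment (the example's own policy).
func ShouldFailBuild(s ReportSummary) bool {
	return len(s.Blocking) > 0 || len(s.Unknown) > 0
}

// sampleReport is a constructed report in NagReportSchema shape; rule ids,
// resource ids and rule texts are placeholders, not real cdk-nag rules.
const sampleReport = `{"lines":[
 {"compliance":"COMPLIANT","exceptionReason":"","resourceId":"Demo/Bucket/Resource","ruleId":"ExamplePack-S1","ruleInfo":"Buckets have access logging enabled.","ruleLevel":"ERROR"},
 {"compliance":"NON_COMPLIANT","exceptionReason":"","resourceId":"Demo/Sg/Resource","ruleId":"ExamplePack-N1","ruleInfo":"Security groups restrict inbound access.","ruleLevel":"ERROR"},
 {"compliance":"NON_COMPLIANT","exceptionReason":"","resourceId":"Demo/Fn/Resource","ruleId":"ExamplePack-L1","ruleInfo":"Functions use a current runtime.","ruleLevel":"WARN"},
 {"compliance":"SUPPRESSED","exceptionReason":"Internal test stack; accepted in review, ticket SEC-PLACEHOLDER","resourceId":"Demo/Sg2/Resource","ruleId":"ExamplePack-N1","ruleInfo":"Security groups restrict inbound access.","ruleLevel":"ERROR"},
 {"compliance":"NOT_APPLICABLE","exceptionReason":"","resourceId":"Demo/Topic/Resource","ruleId":"ExamplePack-S1","ruleInfo":"Buckets have access logging enabled.","ruleLevel":"ERROR"},
 {"compliance":"UNKNOWN","exceptionReason":"","resourceId":"Demo/Db/Resource","ruleId":"ExamplePack-D1","ruleInfo":"Databases have backups enabled.","ruleLevel":"ERROR"}
]}`

func main() {
	s, err := Summarize([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("counts=%v blocking=%d unknown=%d suppressed=%d fail=%v\n",
		s.Counts, len(s.Blocking), len(s.Unknown), len(s.Suppressed), ShouldFailBuild(s))
}
```

Point the program at the JSON report cdk-nag writes into the App's output directory when ReportFormats includes NagReportFormat_JSON; the Suppressed bucket is the list a reviewer should read, since each entry carries the reason that was accepted for it.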

type NagRuleCompliance

type NagRuleCompliance string

The compliance level of a resource in relation to a rule.

const (
	NagRuleCompliance_COMPLIANT      NagRuleCompliance = "COMPLIANT"
	NagRuleCompliance_NON_COMPLIANT  NagRuleCompliance = "NON_COMPLIANT"
	NagRuleCompliance_NOT_APPLICABLE NagRuleCompliance = "NOT_APPLICABLE"
)

type NagRulePostValidationStates added in v2.24.0

type NagRulePostValidationStates string

Additional states a rule can be in post compliance validation.

const (
	NagRulePostValidationStates_SUPPRESSED NagRulePostValidationStates = "SUPPRESSED"
	NagRulePostValidationStates_UNKNOWN    NagRulePostValidationStates = "UNKNOWN"
)

type NagRules

type NagRules interface {
}

Helper class with methods for rule creation.

func NewNagRules

func NewNagRules() NagRules

type NagSuppressions

type NagSuppressions interface {
}

Helper class with methods to add cdk-nag suppressions to cdk resources.

func NewNagSuppressions

func NewNagSuppressions() NagSuppressions

type PCIDSS321Checks

type PCIDSS321Checks interface {
	NagPack
	Loggers() *[]INagLogger
	SetLoggers(val *[]INagLogger)
	PackGlobalSuppressionIgnore() INagSuppressionIgnore
	SetPackGlobalSuppressionIgnore(val INagSuppressionIgnore)
	PackName() *string
	SetPackName(val *string)
	ReadPackName() *string
	UserGlobalSuppressionIgnore() INagSuppressionIgnore
	SetUserGlobalSuppressionIgnore(val INagSuppressionIgnore)
	// Create a rule to be used in the NagPack.
	ApplyRule(params IApplyRule)
	// Check whether a specific rule should be ignored.
	//
	// Returns: The reason the rule was ignored, or an empty string.
	IgnoreRule(suppressions *[]*NagPackSuppression, ruleId *string, findingId *string, resource awscdk.CfnResource, level NagMessageLevel, ignoreSuppressionCondition INagSuppressionIgnore) *string
	// All aspects can visit an IConstruct.
	Visit(node constructs.IConstruct)
}

Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

func NewPCIDSS321Checks

func NewPCIDSS321Checks(props *NagPackProps) PCIDSS321Checks

type RegexAppliesTo

type RegexAppliesTo struct {
	// An ECMA-262 regex string.
	Regex *string `field:"required" json:"regex" yaml:"regex"`
}

A regular expression to apply to matching findings.
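NagPackSuppression.AppliesTo and RegexAppliesTo are the page's mechanism for narrowing a suppression to particular findings of a rule rather than the whole rule. The Go program below, an added example and not cdk-nag's code, models that matching so the difference between a blanket suppression and a granular one is visible. The Finding type, the Covers and Unsuppressed functions and the finding ids are the example's own constructions (how findings are named is rule-specific), and Go's RE2 regexp stands in for the ECMA-262 dialect the page documents.

```go
package main

import (
	"fmt"
	"regexp"
)

// Model of the granular AppliesTo matching for NagPackSuppression and
// RegexAppliesTo on this page (added example, not cdk-nag's code).
type RegexAppliesTo struct{ Regex string }

type NagPackSuppression struct {
	Id        string
	Reason    string
	AppliesTo []interface{} // plain finding-id strings or RegexAppliesTo values
}

// Finding is a (ruleId, findingId) pair as a rule would report it; finding ids
// are rule-specific, and the ones used here are constructed (assumption).
type Finding struct{ RuleId, FindingId string }

// Covers reports whether the suppression applies to the finding. An empty
// AppliesTo list covers every finding of the rule, which is why narrow entries
// are preferable in review: a blanket entry silently absorbs findings added
// later. Go's regexp is RE2 while the page documents ECMA-262; a pattern that
// does not compile is an error, never a match.
func Covers(s NagPackSuppression, f Finding) (bool, error) {
	if s.Id != f.RuleId {
		return false, nil
	}
	if len(s.AppliesTo) == 0 {
		return true, nil
	}
	for _, a := range s.AppliesTo {
		switch v := a.(type) {
		case string:
			if v == f.FindingId {
				return true, nil
			}
		case RegexAppliesTo:
			re, err := regexp.Compile(v.Regex)
			if err != nil {
				return false, fmt.Errorf("suppression %s: bad regex %q: %w", s.Id, v.Regex, err)
			}
			if re.MatchString(f.FindingId) {
				return true, nil
			}
		default:
			return false, fmt.Errorf("suppression %s: unsupported appliesTo entry %T", s.Id, a)
		}
	}
	return false, nil
}

// Unsuppressed returns the findings that no suppression covers, i.e. what
// would still be reported as NON_COMPLIANT.
func Unsuppressed(sups []NagPackSuppression, findings []Finding) ([]Finding, error) {
	var out []Finding
	for _, f := range findings {
		covered := false
		for _, s := range sups {
			c, err := Covers(s, f)
			if err != nil {
				return nil, err
			}
			if c {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: one granular suppression on placeholder rule ExamplePack-P1.
	sups := []NagPackSuppression{{
		Id:     "ExamplePack-P1",
		Reason: "wildcards limited to the example log group, reviewed (constructed)",
		AppliesTo: []interface{}{
			"Action::example:List*",
			RegexAppliesTo{Regex: `^Resource::example-logs/.*$`},
		},
	}}
	findings := []Finding{
		{"ExamplePack-P1", "Action::example:List*"},
		{"ExamplePack-P1", "Action::example:*"},
		{"ExamplePack-P1", "Resource::example-logs/*"},
	}
	left, err := Unsuppressed(sups, findings)
	fmt.Println(left, err) // [{ExamplePack-P1 Action::example:*}] <nil>
}
```

The broader wildcard finding is the one left over: the exact-string entry and the anchored regex each cover one finding, and nothing else on the rule is absorbed, which is the property a reviewer wants from a granular suppression.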

type SuppressionIgnoreAlways added in v2.23.0

type SuppressionIgnoreAlways interface {
	INagSuppressionIgnore
	CreateMessage(_input *SuppressionIgnoreInput) *string
}

Always ignore the suppression.

func NewSuppressionIgnoreAlways added in v2.23.0

func NewSuppressionIgnoreAlways(triggerMessage *string) SuppressionIgnoreAlways

type SuppressionIgnoreAnd added in v2.23.0

type SuppressionIgnoreAnd interface {
	INagSuppressionIgnore
	CreateMessage(input *SuppressionIgnoreInput) *string
}

Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.

func NewSuppressionIgnoreAnd added in v2.23.0

func NewSuppressionIgnoreAnd(SuppressionIgnoreAnds ...INagSuppressionIgnore) SuppressionIgnoreAnd

type SuppressionIgnoreErrors added in v2.23.0

type SuppressionIgnoreErrors interface {
	INagSuppressionIgnore
	CreateMessage(input *SuppressionIgnoreInput) *string
}

Ignore Suppressions for Rules with a NagMessageLevel.ERROR.

func NewSuppressionIgnoreErrors added in v2.23.0

func NewSuppressionIgnoreErrors() SuppressionIgnoreErrors

type SuppressionIgnoreInput added in v2.23.0

type SuppressionIgnoreInput struct {
	FindingId *string            `field:"required" json:"findingId" yaml:"findingId"`
	Reason    *string            `field:"required" json:"reason" yaml:"reason"`
	Resource  awscdk.CfnResource `field:"required" json:"resource" yaml:"resource"`
	RuleId    *string            `field:"required" json:"ruleId" yaml:"ruleId"`
	RuleLevel NagMessageLevel    `field:"required" json:"ruleLevel" yaml:"ruleLevel"`
}

Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

type SuppressionIgnoreNever added in v2.23.0

type SuppressionIgnoreNever interface {
	INagSuppressionIgnore
	CreateMessage(_input *SuppressionIgnoreInput) *string
}

Don't ignore the suppression.

func NewSuppressionIgnoreNever added in v2.23.0

func NewSuppressionIgnoreNever() SuppressionIgnoreNever

type SuppressionIgnoreOr added in v2.23.0

type SuppressionIgnoreOr interface {
	INagSuppressionIgnore
	CreateMessage(input *SuppressionIgnoreInput) *string
}

Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

func NewSuppressionIgnoreOr added in v2.23.0

func NewSuppressionIgnoreOr(orSuppressionIgnores ...INagSuppressionIgnore) SuppressionIgnoreOr
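The five SuppressionIgnore* types above compose into a policy that decides whether a user's suppression is honoured, and NagPack.IgnoreRule is where that policy is applied. The Go program below is an added example, not cdk-nag's own implementation: it models those contracts outside the CDK/jsii runtime, implementing the Always/Never/Errors/And/Or semantics as the page states them and an IgnoreRule that returns the reason or an empty string. The Resource field is reduced to a string id, the second return value of IgnoreRule, the reason-length check and the rule ids are the example's own additions, and AppliesTo matching is left out (suppressions are matched on rule id only).

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-alone model of the suppression-ignore contract on this page; added example, not cdk-nag's code.
type NagMessageLevel string

const (
	NagMessageLevel_WARN  NagMessageLevel = "WARN"
	NagMessageLevel_ERROR NagMessageLevel = "ERROR"
)

// Mirrors the page's SuppressionIgnoreInput; Resource is reduced to a logical-id string (assumption).
type SuppressionIgnoreInput struct {
	FindingId, Reason, ResourceId, RuleId string
	RuleLevel                             NagMessageLevel
}

// Plays the role of INagSuppressionIgnore: a non-empty message means "do not honour this suppression".
type SuppressionIgnore interface {
	CreateMessage(in SuppressionIgnoreInput) string
}

type IgnoreAlways struct{ TriggerMessage string }
type IgnoreNever struct{}
type IgnoreErrors struct{}
type IgnoreAnd struct{ Conds []SuppressionIgnore }
type IgnoreOr struct{ Conds []SuppressionIgnore }

func (a IgnoreAlways) CreateMessage(SuppressionIgnoreInput) string { return a.TriggerMessage }
func (IgnoreNever) CreateMessage(SuppressionIgnoreInput) string    { return "" }

// IgnoreErrors: suppressions of ERROR-level rules are never honoured.
func (IgnoreErrors) CreateMessage(in SuppressionIgnoreInput) string {
	if in.RuleLevel == NagMessageLevel_ERROR {
		return "suppressions of ERROR-level rules are not permitted"
	}
	return ""
}

// IgnoreAnd ignores only if every child returns a message (messages joined); IgnoreOr if any child does.
func (a IgnoreAnd) CreateMessage(in SuppressionIgnoreInput) string {
	var msgs []string
	for _, c := range a.Conds {
		m := c.CreateMessage(in)
		if m == "" {
			return ""
		}
		msgs = append(msgs, m)
	}
	return strings.Join(msgs, "; ")
}

func (o IgnoreOr) CreateMessage(in SuppressionIgnoreInput) string {
	for _, c := range o.Conds {
		if m := c.CreateMessage(in); m != "" {
			return m
		}
	}
	return ""
}

// Mirrors the page's NagPackSuppression without AppliesTo: this model matches suppressions on rule id only.
type NagPackSuppression struct{ Id, Reason string }

// IgnoreRule follows the page's contract: it returns the reason the rule was ignored, or "" when no
// honoured suppression matches. The second value (an addition) is the condition's message when a
// matching suppression was overridden, so the caller can log it. Reasons shorter than the documented
// 10-character minimum are treated as invalid and not honoured.
func IgnoreRule(sups []NagPackSuppression, ruleId, findingId, resourceId string,
	level NagMessageLevel, cond SuppressionIgnore) (reason, overridden string) {
	for _, s := range sups {
		if s.Id != ruleId || len(strings.TrimSpace(s.Reason)) < 10 {
			continue
		}
		in := SuppressionIgnoreInput{FindingId: findingId, Reason: s.Reason,
			ResourceId: resourceId, RuleId: ruleId, RuleLevel: level}
		if m := cond.CreateMessage(in); m != "" {
			return "", m
		}
		return s.Reason, ""
	}
	return "", ""
}

func main() {
	// Constructed sample: refuse ERROR-level suppressions, let WARN-level ones through.
	sups := []NagPackSuppression{{Id: "ExamplePack-R1", Reason: "accepted by security review, ticket SEC-PLACEHOLDER"}}
	policy := IgnoreOr{Conds: []SuppressionIgnore{IgnoreErrors{}, IgnoreNever{}}}
	for _, lvl := range []NagMessageLevel{NagMessageLevel_WARN, NagMessageLevel_ERROR} {
		reason, overridden := IgnoreRule(sups, "ExamplePack-R1", "", "Demo/Res", lvl, policy)
		fmt.Printf("%-5s honoured=%q overridden=%q\n", lvl, reason, overridden)
	}
}
```

Composition is where the value lies: an And of IgnoreErrors and an IgnoreAlways ("change freeze") only refuses ERROR-level suppressions while the freeze is in place, whereas the Or in main refuses every ERROR-level suppression regardless. With the real package the same policy is passed as NagPackProps.SuppressionIgnoreCondition.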

Directories

Path Synopsis
Package jsii contains the functionality needed for jsii packages to initialize their dependencies and themselves.
