UNPKG

cdk-nag

Version:

Check CDK v2 applications for best practices using a combination on available rule packs.

89 lines (81 loc) • 562 kB
<!-- Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 --> # Rules A list of all the available rules by Rule Pack ## AWS Solutions The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collection of cloud-based solutions for dozens of technical and business problems, vetted for you by AWS. The AwsSolutions Rules Pack contains many of the checks that the are used as part of the vetting process. ### Warnings | Rule ID | Cause | Explanation | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | AwsSolutions-APIG3 | The REST API stage is not associated with AWS WAFv2 web ACL. | AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined. | | AwsSolutions-CB3 | The CodeBuild project has privileged mode enabled. | Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. | | AwsSolutions-CB5 | The Codebuild project does not use images provided by the CodeBuild service or have a cdk-nag suppression rule explaining the need for a custom image. | Explaining differences/edits to Docker images helps operators better understand system dependencies. | | AwsSolutions-CFR1 | The CloudFront distribution may require Geo restrictions. | Geo restriction may need to be enabled for the distribution in order to allow or deny a country in order to allow or restrict users in specific locations from accessing content. | | AwsSolutions-CFR2 | The CloudFront distribution may require integration with AWS WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them. | | AwsSolutions-COG2 | The Cognito user pool does not require MFA. | Multi-factor authentication (MFA) increases security for the application by adding another authentication method, and not relying solely on user name and password. | | AwsSolutions-DDB3 | The DynamoDB table does not have Point-in-time Recovery enabled. | DynamoDB continuous backups represent an additional layer of insurance against accidental loss of data on top of on-demand backups. The DynamoDB service can back up the data with per-second granularity and restore it to any single second from the time PITR was enabled up to the prior 35 days. | | AwsSolutions-EB4 | The Elastic Beanstalk environment does not upload EC2 Instance logs to S3. | Beanstalk environment logs should be retained and uploaded to Amazon S3 in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time. | | AwsSolutions-GL1 | The Glue crawler or job does not use a security configuration with CloudWatch Log encryption enabled. | Enabling encryption at rest helps prevent unauthorized users from getting access to the logging data published to CloudWatch Logs. | | AwsSolutions-GL3 | The Glue job does not use a security configuration with job bookmark encryption enabled. | Job bookmark encryption encrypts bookmark data before it is sent to Amazon S3 for storage. | | AwsSolutions-KDA3 | The Kinesis Data Analytics Flink Application does not have checkpointing enabled. | Checkpoints are backups of application state that KDA automatically creates periodically and uses to restore from faults. | | AwsSolutions-KDS3 | The Kinesis Data Stream specifies server-side encryption and does not use the "aws/kinesis" key. | Customer Managed Keys can incur additional costs that scale with the amount of consumers and producers. Ensure that Customer Managed Keys are required for compliance before using them (https://docs.aws.amazon.com/streams/latest/dev/costs-performance.html). | | AwsSolutions-MS4 | The MediaStore container does not define a metric policy to send metrics to CloudWatch. | Using a combination of MediaStore metrics and CloudWatch alarms helps operators gain better insights into container operations. | | AwsSolutions-MS7 | The MediaStore container does not define a container policy. | Using a container policy helps follow the standard security advice of granting least privilege, or granting only the permissions required to allow needed access to the container. | | AwsSolutions-MS8 | The MediaStore container does not define a CORS policy. | Using a CORS policy helps follow the standard security advice of granting least privilege, or granting only the permissions required to allow needed access to the container. | | AwsSolutions-MS10 | The MediaStore container does not define a lifecycle policy. | Many use cases warrant the usage of lifecycle configurations to manage container objects during their lifetime. | | AwsSolutions-TS3 | The Timestream database does not use a Customer Managed KMS Key for at rest encryption. | All Timestream tables in a database are encrypted at rest by default using AWS Managed Key. These keys are rotated every three years. Data at rest must be encrypted using CMKs if you require more control over the permissions and lifecycle of your keys, including the ability to have them automatically rotated on an annual basis. | | AwsSolutions-VPC3 | A Network ACL or Network ACL entry has been implemented. | Network ACLs should be used sparingly for the following reasons: they can be complex to manage, they are stateless, every IP address must be explicitly opened in each (inbound/outbound) direction, and they affect a complete subnet. Use security groups when possible as they are stateful and easier to manage. | ### Errors | Rule ID | Cause | Explanation | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | AwsSolutions-AEC1 | The ElastiCache cluster is not provisioned in a VPC. | Provisioning the cluster within a VPC allows for better flexibility and control over the cache clusters security, availability, traffic routing and more. | | AwsSolutions-AEC3 | The ElastiCache Redis cluster does not have both encryption in transit and at rest enabled. | Encryption in transit helps secure communications to the cluster. Encryption at rest helps protect data at rest from unauthorized access. | | AwsSolutions-AEC4 | The ElastiCache Redis cluster is not deployed in a Multi-AZ configuration. | The cluster should use a Multi-AZ deployment configuration for high availability. | | AwsSolutions-AEC5 | The ElastiCache cluster uses the default endpoint port. | Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. Redis port 6379 and Memcached port 11211). | | AwsSolutions-AEC6 | The ElastiCache Redis cluster does not use Redis AUTH for user authentication. | Redis authentication tokens enable Redis to require a token (password) before allowing clients to execute commands, thereby improving data security. | | AwsSolutions-APIG1 | The API does not have access logging enabled. | Enabling access logs helps operators view who accessed an API and how the caller accessed the API. | | AwsSolutions-APIG2 | The REST API does not have request validation enabled. | The API should have basic request validation enabled. If the API is integrated with custom source (Lambda, ECS, etc..) in the backend, deeper input validation should be considered for implementation. | | AwsSolutions-APIG4 | The API does not implement authorization. | In most cases an API needs to have an authentication and authorization implementation strategy. This includes using such approaches as IAM, Cognito User Pools, Custom authorizer, etc. | | AwsSolutions-APIG6 | The REST API Stage does not have CloudWatch logging enabled for all methods. | Enabling CloudWatch logs at the stage level helps operators to track and analyze execution behavior at the API stage level. | | AwsSolutions-AS1 | The Auto Scaling Group does not have a cooldown period. | A cooldown period temporarily suspends any scaling activities in order to allow the newly launched EC2 instance(s) some time to start handling the application traffic. | | AwsSolutions-AS2 | The Auto Scaling Group does not have properly configured health checks. | The health check feature enables the service to detect whether its registered EC2 instances are healthy or not. | | AwsSolutions-AS3 | The Auto Scaling Group does not have notifications configured for all scaling events. | Notifications on EC2 instance launch, launch error, termination, and termination errors allow operators to gain better insights into systems attributes such as activity and health. | | AwsSolutions-ASC3 | The GraphQL API does not have request level logging enabled. | It is important to use CloudWatch Logs to log metrics such as who has accessed the GraphQL API, how the caller accessed the API, and invalid requests. | | AwsSolutions-ATH1 | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. | | AwsSolutions-CB4 | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. | | AwsSolutions-C91 | The Cloud9 instance does not use a no-ingress EC2 instance with AWS Systems Manager. | SSM adds an additional layer of protection as it allows operators to control access through IAM permissions and does not require opening inbound ports. | | AwsSolutions-CFR3 | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. | | AwsSolutions-CFR4 | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use 'vip' for the `SslSupportMethod` are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified `MinimumProtocolVersion` | | AwsSolutions-CFR5 | The CloudFront distributions uses SSLv3 or TLSv1 for communication to the origin. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Using a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS helps protect viewer connections. | | AwsSolutions-CFR6 | The CloudFront distribution does not use an origin access identity with an S3 origin. | Origin access identities help with security by restricting any direct access to objects through S3 URLs. | | AwsSolutions-COG1 | The Cognito user pool does not have a password policy that minimally specify a password length of at least 8 characters, as well as requiring uppercase, numeric, and special characters. | Strong password policies increase system security by encouraging users to create reliable and secure passwords. | | AwsSolutions-COG3 | The Cognito user pool does not have AdvancedSecurityMode set to ENFORCED. | Advanced security features enable the system to detect and act upon malicious sign-in attempts. | | AwsSolutions-COG4 | The API GW method does not use a Cognito user pool authorizer. | API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API. | | AwsSolutions-COG7 | The Cognito identity pool allows for unauthenticated logins and does not have a cdk-nag rule suppression with a reason. | In many cases applications do not warrant unauthenticated guest access applications. Metadata explaining the use case allows for transparency to operators. | | AwsSolutions-DDB4 | The DAX cluster does not have server-side encryption enabled. | Data in cache, configuration data and log files should be encrypted using Server-Side Encryption in order to protect from unauthorized access to the underlying storage. | | AwsSolutions-DOC1 | The Document DB cluster does not have encryption at rest enabled. | Encrypting data-at-rest protects data confidentiality and prevents unauthorized users from accessing sensitive information. | | AwsSolutions-DOC2 | The Document DB cluster uses the default endpoint port. | Port obfuscation (using a non default endpoint port) adds an additional layer of defense against non-targeted attacks (i.e. MongoDB port 27017). | | AwsSolutions-DOC3 | The Document DB cluster does not have the username and password stored in Secrets Manager. | Secrets Manager enables operators to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining system code, because the secret no longer exists in the code. Also, operators can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. | | AwsSolutions-DOC4 | The Document DB cluster does not have a reasonable minimum backup retention period configured. | The retention period represents the number of days to retain automated snapshots. A minimum retention period of 7 days is recommended but can be adjust to meet system requirements. | | AwsSolutions-DOC5 | The Document DB cluster does not have authenticate, createIndex, and dropCollection Log Exports enabled. | This allows operators to use CloudWatch to view logs to help diagnose problems in the database. The events recorded by the AWS DocumentDB audit logs include successful and failed authentication attempts, creating indexes or dropping a collection in a database within the DocumentDB cluster. This is a granular rule that returns individual findings that can be suppressed with `appliesTo`. The findings are in the format `LogExport::<log>` for exported logs. Example: `appliesTo: ['LogExport::authenticate']`. | | AwsSolutions-EB1 | The Elastic Beanstalk environment is not configured to use a specific VPC. | Use a non-default VPC in order to separate your environment from default resources. | | AwsSolutions-EB3 | The Elastic Beanstalk environment does not have managed updates enabled. | Enable managed platform updates for beanstalk environments in order to receive bug fixes, software updates and new features. Managed platform updates perform immutable environment updates. | | AwsSolutions-EC23 | The Security Group allows for 0.0.0.0/0 or ::/0 inbound access. | Large port ranges, when open, expose instances to unwanted attacks. More than that, they make traceability of vulnerabilities very difficult. For instance, your web servers may only require 80 and 443 ports to be open, but not all. One of the most common mistakes observed is when all ports for 0.0.0.0/0 range are open in a rush to access the instance. EC2 instances must expose only to those ports enabled on the corresponding security group level. | | AwsSolutions-EC26 | The resource creates one or more EBS volumes that have encryption disabled. | With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest. | | AwsSolutions-EC27 | The Security Group does not have a description. | Descriptions help simplify operations and remove any opportunities for operator errors. | | AwsSolutions-EC28 | The EC2 instance/AutoScaling launch configuration does not have detailed monitoring enabled. | Monitoring data helps make better decisions on architecting and managing compute resources. | | AwsSolutions-EC29 | The EC2 instance is not part of an ASG and has Termination Protection disabled. | Termination Protection safety feature enabled in order to protect the instances from being accidentally terminated. | | AwsSolutions-ECR1 | The ECR Repository allows open access. | Removing \* principals in an ECR Repository helps protect against unauthorized access. | | AwsSolutions-ECS2 | The ECS Task Definition includes a container definition that directly specifies environment variables. | Use secrets to inject environment variables during container startup from AWS Systems Manager Parameter Store or Secrets Manager instead of directly specifying plaintext environment variables. Updates to direct environment variables require operators to change task definitions and perform new deployments. | | AwsSolutions-ECS4 | The ECS Cluster has CloudWatch Container Insights disabled. | CloudWatch Container Insights allow operators to gain a better perspective on how the cluster’s applications and microservices are performing. | | AwsSolutions-ECS7 | One or more containers in the ECS Task Definition do not have container logging enabled. | Container logging allows operators to view and aggregate the logs from the container. Containers should use the 'awslogs' driver at a minimum. | | AwsSolutions-EFS1 | The EFS is not configured for encryption at rest. | By using an encrypted file system, data and metadata are automatically encrypted before being written to the file system. Similarly, as data and metadata are read, they are automatically decrypted before being presented to the application. These processes are handled transparently by EFS without requiring modification of applications. | | AwsSolutions-EKS1 | The EKS cluster's Kubernetes API server endpoint has public access enabled. | A cluster's Kubernetes API server endpoint should not be publicly accessible from the Internet in order to avoid exposing private data and minimizing security risks. The API server endpoints should only be accessible from within a AWS Virtual Private Cloud (VPC). | | AwsSolutions-EKS2 | The EKS Cluster does not publish 'api', 'audit', 'authenticator, 'controllerManager', and 'scheduler' control plane logs. | EKS control plane logging provides audit and diagnostic logs directly from the Amazon EKS control plane to CloudWatch Logs in your account. These logs make it easy for you to secure and run your clusters. This is a granular rule that returns individual findings that can be suppressed with `appliesTo`. The findings are in the format `LogExport::<log>` for exported logs. Example: `appliesTo: ['LogExport::authenticate']`. | | AwsSolutions-ELB1 | The CLB is used for incoming HTTP/HTTPS traffic. Use ALBs instead. | HTTP/HTTPS applications (monolithic or containerized) should use the ALB instead of the CLB for enhanced incoming traffic distribution, better performance and lower costs. | | AwsSolutions-ELB2 | The ELB does not have access logs enabled. | Access logs allow operators to to analyze traffic patterns and identify and troubleshoot security issues. | | AwsSolutions-ELB3 | The CLB does not have connection draining enabled. | With Connection Draining feature enabled, if an EC2 backend instance fails health checks the CLB will not send any new requests to the unhealthy instance. However, it will still allow existing (in-flight) requests to complete for the duration of the configured timeout. | | AwsSolutions-ELB4 | The CLB does not use at least two AZs with the Cross-Zone Load Balancing feature enabled. | CLBs can distribute the traffic evenly across all backend instances. To use Cross-Zone Load Balancing at optimal level, the system should maintain an equal EC2 capacity distribution in each of the AZs registered with the load balancer. | | AwsSolutions-ELB5 | The CLB listener is not configured for secure (HTTPs or SSL) protocols for client communication. | The HTTPs or SSL protocols enable secure communication by encrypting the communication between the client and the load balancer.