UNPKG

cdk-nag

Version:

Check CDK v2 applications for best practices using a combination on available rule packs.

github.com/cdklabs/cdk-nag

cdklabs/cdk-nag

160 lines (136 loc) 4.76 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
<!-- Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 --> # NagPack A `NagPack` is a named collection of [rules](./RuleCreation.md) that can be used to validate your stacks and applications. All of the [pre-built packs](../README.md#available-rules-and-packs) are `NagPacks`. ## Creating a NagPack `cdk-nag` exposes libraries that allow you to create your own `NagPack`. ### Setup Below is the minimal set-up for creating your own `NagPack`. At it's core a `NagPack` is an extension of [CDK Aspects](https://docs.aws.amazon.com/cdk/v2/guide/aspects.html#aspects_example) and inherits all the properties of Aspects. ```typescript import { CfnResource } from 'aws-cdk-lib'; import { IConstruct } from 'constructs'; import { NagPack, NagPackProps } from 'cdk-nag'; export class ExampleChecks extends NagPack { constructor(props?: NagPackProps) { super(props); this.packName = 'Example'; } public visit(node: IConstruct): void { if (node instanceof CfnResource) { // Add your rules here. } } } ``` ### Adding Rules You may add both premade and custom rules to your `NagPack`. The documentation on [rules](./RuleCreation.md) walks through the process of creating a rule. ```typescript import { CfnResource } from 'aws-cdk-lib'; import { IConstruct } from 'constructs'; import { NagMessageLevel, NagPack, NagPackProps, NagRuleCompliance, NagRuleResult, NagRules, rules, } from 'cdk-nag'; import { CfnReplicationInstance } from 'aws-cdk-lib/aws-dms'; export class ExampleChecks extends NagPack { constructor(props?: NagPackProps) { super(props); this.packName = 'Example'; } public visit(node: IConstruct): void { if (node instanceof CfnResource) { // premade rule this.applyRule({ info: 'My brief info.', explanation: 'My detailed explanation.', level: NagMessageLevel.ERROR, rule: rules.s3.S3BucketSSLRequestsOnly, node: node, }); // custom rule this.applyRule({ ruleSuffixOverride: 'NoPublicDMS', info: 'This rule triggers on public DMS replication instances.', explanation: 'This rule does not prevent deployment unless level is set to NagMessageLevel.ERROR.', level: NagMessageLevel.WARN, rule: function (node2: CfnResource): NagRuleResult { if (node2 instanceof CfnReplicationInstance) { const publicAccess = NagRules.resolveIfPrimitive( node2, node2.publiclyAccessible ); if (publicAccess !== false) { return NagRuleCompliance.NON_COMPLIANT; } return NagRuleCompliance.COMPLIANT; } else { return NagRuleCompliance.NOT_APPLICABLE; } }, node: node, }); } } } ``` ### Ignoring Suppressions You can optionally add a prebuilt or custom condition that prevents a rule from being suppressed. Below is an example of a condition that always prevents suppressions. The documentation on [rules](./IgnoreSuppressionConditions.md) walks through the process of creating your own conditions. ```typescript import { CfnResource } from 'aws-cdk-lib'; import { IConstruct } from 'constructs'; import { NagMessageLevel, NagPack, NagPackProps, NagRuleCompliance, NagRuleResult, NagRules, SuppressionIgnoreAlways, rules, } from 'cdk-nag'; const ALWAYS_IGNORE = new SuppressionIgnoreAlways( 'Here is a reason for ignoring the suppression.' ); export class ExampleChecks extends NagPack { constructor(props?: NagPackProps) { super(props); this.packName = 'Example'; } public visit(node: IConstruct): void { if (node instanceof CfnResource) { this.applyRule({ info: 'My brief info.', explanation: 'My detailed explanation.', level: NagMessageLevel.ERROR, rule: rules.s3.S3BucketSSLRequestsOnly, ignoreSuppressionCondition: ALWAYS_IGNORE, node: node, }); } } } ``` ### Custom Logging `NagLogger`s give `NagPack` authors and users the ability to create their own custom reporting mechanisms. Read the [NagLogger](./NagLogger.md) documentation for more details ## Using a NagPack You can apply as many `NagPacks` to a CDK Stack or Application via Aspects ```typescript import { App, Aspects } from 'aws-cdk-lib'; import { CdkTestStack } from '../lib/cdk-test-stack'; import { AwsSolutionsChecks } from 'cdk-nag'; import { ExampleChecks } from './ExampleClass'; const app = new App(); new CdkTestStack(app, 'CdkNagDemo'); // Simple rule informational messages Aspects.of(app).add(new AwsSolutionsChecks()); Aspects.of(app).add(new ExampleChecks()); ```