February 2026 change log

This change log includes updates to detectors made in February 2026.


Added and updated rules

JavaScript

  • javascript-sql-injection-ide

    • Enhanced to improve detection coverage by:
      • Detecting unsafe SQLite prepare() usage while excluding parameterized queries

  • javascript-server-side-request-forgery-ide

    • Enhanced to improve detection coverage by:
      • Adding a detection pattern to catch SSRF vulnerabilities in the new Node.js 24 WebSocketStream() API

  • javascript-path-traversal-ide

    • Enhanced to improve detection coverage by:
      • Extending the JavaScript security rule to detect path traversal and arbitrary module resolution via import.meta.resolve() when it is used with user-controlled input


TypeScript CDK

  • typescript-cdk-allows-rds-db-security-group-for-inbound-access

    • Enhanced to improve detection coverage by:
      • Expanding detection patterns to cover all CDK import styles (direct, wildcard, namespace/barrel imports)
      • Updating metadata (CWE, shortDescription, AWS documentation references) to make remediations more actionable

  • typescript-cdk-aurora-my-postgres-iam-auth

    • Enhanced to improve detection coverage by:
      • Broadening patterns to detect missing IAM authentication in Aurora MySQL/PostgreSQL clusters
      • Adding CDK v2 support with updated construct patterns
      • Updating rule metadata with latest AWS security best practices
      • Improving detection accuracy with consolidated pattern matching

  • typescript-cdk-public-s3-bucket-access-configuration

    • Enhanced to improve detection coverage by:
      • Detecting public access configurations through bucket policies and ACLs
      • Adding patterns for CDK v2 constructs and all import styles
      • Updating remediation guidance with CloudFront OAC recommendations
      • Improving metadata with comprehensive AWS security references

  • typescript-cdk-bucket-enforce-ssl

    • Enhanced to improve detection coverage by:
      • Detecting missing SSL/TLS enforcement in S3 bucket policies
      • Adding CDK v2 pattern support for bucket policy statements
      • Updating metadata with AWS security best practices for encryption in transit

  • typescript-cdk-sqs-queue-sse

    • Enhanced to improve detection coverage by:
      • Detecting missing server-side encryption configuration in SQS queues
      • Reclassifying the rule from the SecurityRules category to the AwsBestPractice category
      • Adding CDK v2 support with updated Queue construct patterns
      • Expanding test coverage for explicit encryption declarations
      • Updating rule description emphasizing IaC best practices

  • typescript-cdk-sqs-queue-ssl-requests-only

    • Enhanced to improve detection coverage by:
      • Detecting missing SSL-only access policies for SQS queues
      • Adding patterns for queue policy statements requiring HTTPS
      • Expanding test cases with various policy configurations
      • Updating metadata with AWS security best practices
      • Improving detection accuracy for CDK v2 constructs

  • typescript-cdk-s3-bucket-use-cloudfront-origin-access-control

    • Enhanced to improve detection coverage by:
      • Detecting S3 buckets not using CloudFront Origin Access Control (OAC)
      • Adding CDK v2 patterns for CloudFront distributions and S3 origins
      • Expanding test coverage with OAC vs OAI configurations
      • Updating remediation guidance with migration steps from OAI to OAC
      • Improving metadata with latest AWS CloudFront best practices

  • typescript-cdk-iam-no-managed-policies

    • Enhanced to improve detection coverage by:
      • Detecting usage of AWS managed policies in IAM roles/users/groups
      • Adding patterns for all CDK import styles and v2 constructs
      • Expanding test cases with various managed policy attachments
      • Updating metadata with least privilege principle guidance
      • Improving detection to catch inline and attached managed policies

  • typescript-cdk-public-s3-bucket

    • Enhanced to improve detection coverage by:
      • Detecting publicly accessible S3 buckets through various configurations
      • Adding comprehensive patterns for publicReadAccess and blockPublicAccess settings
      • Updating rule description with CloudFront OAC recommendations
      • Improving metadata with AWS security best practices references

  • typescript-cdk-rds-missing-storage-encryption

    • Enhanced to improve detection coverage by:
      • Detecting RDS instances without storage encryption enabled
      • Adding CDK v2 support for DatabaseInstance and DatabaseCluster constructs
      • Expanding test cases covering all RDS engine types
      • Updating metadata to reflect AWS encryption-by-default changes (Jan 2025)
      • Improving detection patterns to reduce false positives

  • typescript-cdk-api-logging-disabled

    • Enhanced to improve detection coverage by:
      • Detecting API Gateway stages without CloudWatch logging enabled
      • Adding patterns for REST API and HTTP API logging configurations
      • Expanding test coverage with various logging level scenarios
      • Updating metadata with AWS observability best practices
      • Improving detection for CDK v2 API Gateway constructs

  • typescript-cdk-apigateway-missingreq-validation-enabled

    • Enhanced to improve detection coverage by:
      • Detecting API Gateway methods without request validation
      • Adding patterns for request validator configurations
      • Expanding test cases with body and parameter validation scenarios
      • Updating metadata with API security best practices
      • Improving detection accuracy for CDK v2 constructs

  • typescript-cdk-rds-deletion-protection-enabled

    • Enhanced to improve detection coverage by:
      • Detecting RDS instances without deletion protection enabled
      • Adding CDK v2 support for DatabaseInstance and DatabaseCluster
      • Expanding test coverage with various RDS configurations
      • Updating metadata with data protection best practices
      • Improving detection patterns for production workload scenarios

  • typescript-cdk-cloud-front-distribution-no-outdated-ssl

    • Enhanced to improve detection coverage by:
      • Detecting CloudFront distributions using outdated SSL/TLS protocols
      • Consolidating patterns covering all CDK import styles (direct, wildcard, namespace/barrel)
      • Updating metadata (CWE, shortDescription, AWS documentation references)

  • typescript-cdk-sns-topic-ssl-requests-only

    • Enhanced to improve detection coverage by:
      • Detecting SNS topics without SSL-only access policies
      • Adding patterns for topic policy statements requiring HTTPS transport
      • Expanding test cases with various policy configurations and CDK v2 constructs
      • Updating metadata with AWS security best practices for encryption in transit
      • Improving detection accuracy to reduce false negatives

  • typescript-cdk-kinesis-sse

    • Enhanced to improve detection coverage by:
      • Detecting Kinesis streams without server-side encryption enabled
      • Adding CDK v2 support for Stream construct encryption configurations
      • Expanding test coverage with KMS key and encryption type scenarios
      • Updating metadata with AWS data protection best practices
      • Improving detection patterns for explicit encryption declarations

  • typescript-cdk-cognito-user-pool-no-unauthenticated-logins

    • Enhanced to improve detection coverage by:
      • Detecting Cognito Identity Pools allowing unauthenticated access
      • Expanding test coverage for allowUnauthenticatedIdentities configurations
      • Improving rule documentation and categorization in registry

  • typescript-cdk-ec2-instance-detailed-monitoring-enabled

    • Enhanced to improve detection coverage by:
      • Detecting EC2 instances without detailed monitoring enabled
      • Adding CDK v2 support for Instance construct monitoring configurations
      • Expanding test cases with various monitoring settings
      • Updating metadata with AWS observability best practices
      • Improving detection patterns for production workload scenarios

  • typescript-cdk-dynamodb-table-encrypted

    • Enhanced to improve detection coverage by:
      • Detecting DynamoDB tables without encryption at rest
      • Adding CDK v2 support for Table construct encryption configurations
      • Expanding test coverage with KMS key and encryption type scenarios
      • Updating metadata to reflect AWS encryption-by-default changes
      • Improving detection patterns to reduce false positives

  • typescript-cdk-efs-encrypted

    • Enhanced to improve detection coverage by:
      • Detecting EFS file systems without encryption enabled
      • Adding patterns for FileSystem construct encryption configurations
      • Expanding test cases with KMS key scenarios
      • Updating metadata with AWS data protection best practices
      • Improving detection for CDK v2 constructs

  • typescript-cdk-redshift-cluster-encrypted

    • Enhanced to improve detection coverage by:
      • Detecting Redshift clusters without encryption enabled
      • Adding CDK v2 support for Cluster construct encryption configurations
      • Expanding test coverage with KMS key scenarios
      • Updating metadata to reflect AWS encryption-by-default changes (Jan 2025)
      • Improving detection patterns for production data warehouse scenarios

Disabled rules

The following rules were disabled:

  • typescript-cdk-s3-partial-encrypt
  • typescript-cdk-s3-server-access-logs-disabled
  • typescript-cdk-sqs-missing-encryption
  • loop_injection_rule
  • loop_injection_rule_ts_rule
  • pytorch_assign_in_place_mod