Check AWS CDK applications or CloudFormation templates for best practices by using cdk-nag rule packs - AWS Prescriptive Guidance

Created by Arun Donti

Environment: Production

Technologies: DevOps; Security, identity, compliance

Workload: Open-source

AWS services: AWS CDK

Summary

This pattern explains how you can use the cdk-nag utility to check AWS Cloud Development Kit (AWS CDK) applications for best practices by using a combination of rule packs. cdk-nag is an open-source project that was inspired by cfn_nag. It implements rules in evaluation packs such as AWS Solutions Library, Health Insurance Portability and Accountability Act (HIPAA), and National Institute of Standards and Technology (NIST) 800-53 by using AWS CDK Aspects. You can check your AWS CDK applications against the rules in these packs, detect and remediate findings, and suppress the rules that you don't want to apply in your evaluations.

You can also use cdk-nag to check your AWS CloudFormation templates by using the cloudformation-include module.

For information about all available packs, see the Rules section of the cdk-nag repository. Evaluation packs are available for:

Prerequisites and limitations

Prerequisites

  • An application that uses the AWS CDK

Tools

  • AWS CDK – The AWS Cloud Development Kit (AWS CDK) is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation.

  • AWS CloudFormation – AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and you can launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.

Epics

Task: Learn about cdk-nag.
Description: Navigate to the cdk-nag GitHub repository and read through the documentation.
Skills required: App developer

Task: Install the cdk-nag package in your AWS CDK application.
Description: To use cdk-nag in your AWS CDK application, you must install it first. cdk-nag is available to download from PyPI, npm, NuGet, and Apache Maven. For the latest information about available versions and download locations, see the Readme file in the repository.
Skills required: App developer

Task: Choose your NagPacks.
Description: cdk-nag has different packs of rules called NagPacks. Each NagPack contains rules that conform to a specific standard. For example, the AWS Solutions NagPack contains general best practices, and the NIST 800-53 rev 5 NagPack can help with compliance. You can apply multiple NagPacks to your application, and you can add and remove packs as necessary. For a list of available packs, see the Readme file in the GitHub repository. For information about the individual rules in each pack, see the Rules section of the GitHub repository.
Skills required: App developer

Task: Integrate cdk-nag into your AWS CDK application.
Description: You can integrate cdk-nag into your application on an applicationwide level, or integrate it into individual stages or stacks in your application. For example, to integrate the AWS Solutions and HIPAA security NagPacks into an AWS CDK v2 TypeScript application on an applicationwide level, you can use the following code:

    import { App, Aspects } from 'aws-cdk-lib';
    import { CdkTestStack } from '../lib/cdk-test-stack';
    import { AwsSolutionsChecks, HIPAASecurityChecks } from 'cdk-nag';

    const app = new App();
    new CdkTestStack(app, 'CdkNagDemo');
    // Simple rule informational messages
    Aspects.of(app).add(new AwsSolutionsChecks());
    // Additional explanations on the purpose of triggered rules
    Aspects.of(app).add(new HIPAASecurityChecks({ verbose: true }));

Skills required: App developer

Related resources