Improve AWS Security and Compliance With CDK-nag?

AWS Cloud Development Kit (AWS CDK) is a powerful tool that allows developers to define cloud infrastructure in code using familiar programming languages.

By Jeroen Reijn
Apr. 14, 23 · Tutorial

AWS Cloud Development Kit (AWS CDK) is a powerful tool that allows developers to define cloud infrastructure in code using familiar programming languages like TypeScript, Python, and Java. However, as with any infrastructure-as-code tool, it's important to ensure that the resulting infrastructure adheres to security and compliance best practices. This is where CDK-nag comes in.

What Is CDK-nag?

CDK-nag is an open-source tool that provides automated checks for AWS CDK code and the resulting CloudFormation templates to help ensure that they adhere to security and compliance best practices.

After adding CDK-nag to your project, it checks for a variety of known security and compliance issues, including overly permissive IAM policies, missing access logs, and unintended public S3 buckets. CDK-nag also checks for common mistakes that can lead to security vulnerabilities, such as the use of plain-text passwords and the use of default security groups.

The great thing about CDK-nag is that it allows you to catch mistakes at a very early stage in the process. Ideally, you can catch them while developing your infrastructure as code in CDK on your local machine. As an alternative, you can add CDK-nag to your CI/CD pipeline and make the build fail in case of any issues.

Adding CDK-nag to Your Project

Using CDK-nag is simple. First, add it as a dependency to your AWS CDK project. If you're using Java, you can add it to your pom.xml file.

```xml
<dependency>
  <groupId>io.github.cdklabs</groupId>
  <artifactId>cdknag</artifactId>
  <version>2.25.2</version>
</dependency>
```


After you've added the dependency, you will need to explicitly enable CDK-nag by registering it as a CDK aspect. You can apply CDK-nag in the scope of your entire CDK application or just in the scope of a single CDK stack.

CDK-nag works with rules that are grouped into packs. Those packs are based on AWS Config conformance packs. If you've never looked at AWS Config, the Operational Best Practices for HIPAA Security page is a nice page to look at in the context of these CDK-nag conformance packs. By default, CDK-nag comes with several rule packs out of the box.

Based on your requirements, you can enable one or more rule packs. Let's take a look at how to apply such a rule pack.

```java
import software.amazon.awscdk.App;
import software.amazon.awscdk.Aspects;
import software.amazon.awscdk.Environment;
import software.amazon.awscdk.StackProps;
import io.github.cdklabs.cdknag.AwsSolutionsChecks;

public class AwsCdkNagDemoApp {
    public static void main(final String[] args) {
        App app = new App();

        new AwsCdkNagDemoStack(app, "AwsCdkNagDemoStack",
            StackProps.builder()
                .env(Environment.builder()
                    .account(System.getenv("CDK_DEFAULT_ACCOUNT"))
                    .region(System.getenv("CDK_DEFAULT_REGION"))
                    .build())
                .build()
        );

        // Register the AwsSolutions rule pack as an aspect on the whole app,
        // so every construct in every stack is checked during synth.
        Aspects.of(app)
            .add(
                AwsSolutionsChecks.Builder
                    .create()
                    .verbose(true)
                    .build()
            );
        app.synth();
    }
}
```


As you can see in the above code fragment, we've enabled the AwsSolutionsChecks rules for the scope of the entire CDK app. In this example, we've explicitly enabled verbose mode as it will generate more descriptive messages.

Now let's take a look at an example stack and see how CDK-nag responds to that. The stack below is a very simple stack that contains an AWS Lambda function processing messages from an SQS queue.

```java
import java.util.List;

import software.amazon.awscdk.Duration;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.Code;
import software.amazon.awscdk.services.lambda.Function;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.lambda.eventsources.SqsEventSource;
import software.amazon.awscdk.services.sqs.Queue;
import software.constructs.Construct;

public class AwsCdkNagDemoStack extends Stack {

  public AwsCdkNagDemoStack(final Construct scope,
    final String id, final StackProps props) {

    super(scope, id, props);

    // Plain queue with only a visibility timeout set; the defaults are what CDK-nag reports on.
    final Queue queue = Queue.Builder.create(this, "demo-queue")
                   .visibilityTimeout(Duration.seconds(300))
                   .build();

    // Lambda function triggered by the queue; CDK attaches the AWS managed
    // AWSLambdaBasicExecutionRole to the generated execution role.
    final Function function = Function.Builder
      .create(this, "demo-function")
      .handler("com.jeroenreijn.demo.aws.cdknag.FunctionHandler")
      .code(Code.fromAsset("function.jar"))
      .runtime(Runtime.JAVA_11)
      .events(List.of(
        SqsEventSource.Builder.create(queue).build())
      )
      .build();

    queue.grantConsumeMessages(function);
  }
}
```


Analyzing Results

Now when you run cdk synth from the command line, it will trigger CDK-nag, which automatically scans the resources in the resulting templates and checks them for security and compliance issues. Once the scan is done, CDK-nag will either return successfully or return an error and output a list of violations in a format that is easy to understand. After running cdk synth, we get the following messages in our output.

```text
[Error at /AwsCdkNagDemoStack/demo-queue/Resource]
AwsSolutions-SQS3: The SQS queue is not used as a dead-letter queue (DLQ) and does not have a DLQ enabled.
Using a DLQ helps maintain the queue flow and avoid losing data by detecting and mitigating failures and service disruptions on time.

[Error at /AwsCdkNagDemoStack/demo-queue/Resource]
AwsSolutions-SQS4: The SQS queue does not require requests to use SSL.
Without HTTPS (TLS), a network-based attacker can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle.
Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition in the queue policy to force requests to use SSL.

[Error at /AwsCdkNagDemoStack/demo-function/ServiceRole/Resource]
AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]:
The IAM user, role, or group uses AWS managed policies.
An AWS managed policy is a standalone policy that is created and administered by AWS.
Currently, many AWS managed policies do not restrict resource scope.
Replace AWS managed policies with system specific (customer) managed policies.
This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'.
The findings are in the format 'Policy::<policy>' for AWS managed policies.
Example: appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/foo'].

Found errors
```


As you can see, CDK-nag spotted some errors and explains what we can do to improve our infrastructure. Usually, it's quite easy to fix these errors. Level 2 CDK constructs already incorporate some of the best practices, so when using them, you will probably find fewer errors than when using Level 1 constructs.
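As an added example (not code from the original post or its GitHub project), here is the demo stack reworked so that the three AwsSolutions findings above no longer fire: the queue gets a dead-letter queue (SQS3), both queues enforce TLS (SQS4), and the function runs under a customer managed role with an inline policy scoped to its own log group instead of the AWS managed AWSLambdaBasicExecutionRole (IAM4). It assumes aws-cdk-lib v2 with the enforceSSL queue property available; the class name HardenedDemoStack and the log group name are my own choices.

```java
import java.util.List;
import java.util.Map;

import software.amazon.awscdk.Duration;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.iam.PolicyDocument;
import software.amazon.awscdk.services.iam.PolicyStatement;
import software.amazon.awscdk.services.iam.Role;
import software.amazon.awscdk.services.iam.ServicePrincipal;
import software.amazon.awscdk.services.lambda.Code;
import software.amazon.awscdk.services.lambda.Function;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awscdk.services.lambda.eventsources.SqsEventSource;
import software.amazon.awscdk.services.logs.LogGroup;
import software.amazon.awscdk.services.logs.RetentionDays;
import software.amazon.awscdk.services.sqs.DeadLetterQueue;
import software.amazon.awscdk.services.sqs.Queue;
import software.constructs.Construct;

// Added example: hardened variant of the post's AwsCdkNagDemoStack (assumed names).
public class HardenedDemoStack extends Stack {

  public HardenedDemoStack(final Construct scope, final String id, final StackProps props) {
    super(scope, id, props);

    // The dead-letter target is exempt from SQS3 once another queue points at it,
    // but it still has to require TLS itself (SQS4).
    final Queue dlq = Queue.Builder.create(this, "demo-dlq")
        .enforceSSL(true)
        .retentionPeriod(Duration.days(14))
        .build();

    final Queue queue = Queue.Builder.create(this, "demo-queue")
        .visibilityTimeout(Duration.seconds(300))
        // SQS4: CDK adds a Deny statement conditioned on aws:SecureTransport=false to the queue policy.
        .enforceSSL(true)
        // SQS3: a message that fails three receives is parked in the DLQ instead of being lost.
        .deadLetterQueue(DeadLetterQueue.builder().queue(dlq).maxReceiveCount(3).build())
        .build();

    // IAM4: explicit log group, and a role whose only policy writes to that one log group.
    final LogGroup logGroup = LogGroup.Builder.create(this, "demo-function-logs")
        .logGroupName("/aws/lambda/demo-function")   // Lambda writes to /aws/lambda/<functionName>
        .retention(RetentionDays.ONE_MONTH)
        .build();

    final PolicyStatement writeOwnLogs = PolicyStatement.Builder.create()
        .actions(List.of("logs:CreateLogStream", "logs:PutLogEvents"))
        .resources(List.of(logGroup.getLogGroupArn()))
        .build();

    final Role role = Role.Builder.create(this, "demo-function-role")
        .assumedBy(new ServicePrincipal("lambda.amazonaws.com"))
        .inlinePolicies(Map.of("write-own-logs",
            PolicyDocument.Builder.create().statements(List.of(writeOwnLogs)).build()))
        .build();

    final Function function = Function.Builder.create(this, "demo-function")
        .functionName("demo-function")   // must match the log group name above
        .handler("com.jeroenreijn.demo.aws.cdknag.FunctionHandler")
        .code(Code.fromAsset("function.jar"))
        .runtime(Runtime.JAVA_11)
        .role(role)                      // supplying a role stops CDK from attaching the managed policy
        .events(List.of(SqsEventSource.Builder.create(queue).build()))
        .build();

    // grantConsumeMessages adds an inline statement scoped to this queue's ARN only.
    queue.grantConsumeMessages(function);
  }
}
```

The design point is that each finding maps to a single construct property or a single resource-scoped statement; nothing here widens permissions to make the checker quiet. Running cdk synth again with the AwsSolutionsChecks aspect in place is the check that the three findings are gone.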

The messages depend on the rule pack you select. For instance, when we switch to the HIPAASecurityChecks rule pack, we will get some duplicates but also some additional error messages.

```text
[Error at /AwsCdkNagDemoStack/demo-function/Resource]
HIPAA.Security-LambdaConcurrency: The Lambda function is not configured with function-level concurrent execution limits - (Control ID: 164.312(b)).
Ensure that a Lambda function's concurrency high and low limits are established.
This can assist in baselining the number of requests that your function is serving at any given time.

[Error at /AwsCdkNagDemoStack/demo-function/Resource]
HIPAA.Security-LambdaDLQ: The Lambda function is not configured with a dead-letter configuration - (Control ID: 164.312(b)).
Notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.

[Error at /AwsCdkNagDemoStack/demo-function/Resource]
HIPAA.Security-LambdaInsideVPC: The Lambda function is not VPC enabled - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1)).
Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints.

...
```


The HIPAASecurityChecks pack also finds issues related to Lambda function concurrency and running your Lambda function inside a VPC. As you can see, different packs look at different things, so it's worthwhile to explore the different packs and see how they can help you improve. It's worth mentioning that CDK-nag does not implement all rules defined in these AWS Config conformance packs. You can check which rules are excluded in the CDK-nag excluded rules documentation.
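The two scoping options mentioned earlier (whole app versus a single stack) and the use of more than one rule pack can be combined in one app. The following is an added example, not code from the original post: the AwsSolutions pack is applied to the whole app as a baseline, while the HIPAA pack is applied only to the stack that is in compliance scope, and one HIPAA finding that the team has consciously accepted is recorded in code with a reason rather than left as a failing build. It reuses the post's AwsCdkNagDemoStack for both stacks; the stack ids, the suppression reason, and the reports builder option are assumptions about the cdk-nag Java API rather than something the post shows.

```java
import java.util.List;

import io.github.cdklabs.cdknag.AwsSolutionsChecks;
import io.github.cdklabs.cdknag.HIPAASecurityChecks;
import io.github.cdklabs.cdknag.NagPackSuppression;
import io.github.cdklabs.cdknag.NagSuppressions;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Aspects;
import software.amazon.awscdk.Environment;
import software.amazon.awscdk.StackProps;

// Added example: one app, two stacks, two rule packs with different scopes (assumed names).
public class ScopedNagApp {

  public static void main(final String[] args) {
    final App app = new App();

    final StackProps props = StackProps.builder()
        .env(Environment.builder()
            .account(System.getenv("CDK_DEFAULT_ACCOUNT"))
            .region(System.getenv("CDK_DEFAULT_REGION"))
            .build())
        .build();

    // Both stacks use the post's demo stack class; only their compliance scope differs.
    final AwsCdkNagDemoStack internalTools = new AwsCdkNagDemoStack(app, "InternalToolsStack", props);
    final AwsCdkNagDemoStack patientIntake = new AwsCdkNagDemoStack(app, "PatientIntakeStack", props);

    // Baseline pack for every construct in every stack of the app.
    Aspects.of(app).add(AwsSolutionsChecks.Builder.create().verbose(true).build());

    // Stricter pack only on the stack that handles regulated data. Findings from
    // the two packs are reported independently, so overlapping rules show up twice.
    Aspects.of(patientIntake).add(HIPAASecurityChecks.Builder.create()
        .verbose(true)
        .reports(true)   // assumed option: writes a per-pack CSV report into cdk.out
        .build());

    // A finding the team has reviewed and accepted is suppressed with a written reason,
    // so the decision is visible in code review and in the CSV report instead of being lost.
    // (Constructed justification for the example; yours must describe your real design.)
    NagSuppressions.addStackSuppressions(patientIntake, List.of(
        NagPackSuppression.builder()
            .id("HIPAA.Security-LambdaInsideVPC")
            .reason("Function calls AWS service endpoints only; it reaches no VPC-resident resources.")
            .build()));

    // Any remaining error-level finding makes synth exit with 'Found errors',
    // which is what fails the CI build when this runs in a pipeline.
    app.synth();
  }
}
```

Two things worth checking when you adopt this pattern: a stack-level suppression applies to every resource in the stack, so prefer NagSuppressions.addResourceSuppressions on the specific construct where you can, and the granular appliesTo filter shown in the IAM4 message above lets you suppress a single policy or resource finding rather than the whole rule for that construct.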

Summary

Overall, CDK-nag is a powerful tool for ensuring that your AWS CDK code and templates adhere to security and compliance best practices. By catching security issues early in the development process, CDK-nag can help you build more secure and reliable infrastructure. I've used it in many projects over the last couple of years, and it's adding value. Especially if you work in a team that does not have a lot of AWS experience, it shines. If you're using AWS CDK, I highly recommend giving CDK-nag a try. The example code in this post and a working project can be found on GitHub.


Published at DZone with permission of Jeroen Reijn. See the original article here.
