monocdk-nag


Namemonocdk-nag JSON
Version 1.14.19 PyPI version JSON
download
home_pagehttps://github.com/cdklabs/cdk-nag.git
SummaryCheck CDK applications for best practices using a combination on available rule packs.
upload_time2022-05-31 00:32:21
maintainer
docs_urlNone
authorArun Donti<donti@amazon.com>
requires_python~=3.7
licenseApache-2.0
keywords
VCS
bugtrack_url
requirements No requirements were recorded.
Travis-CI No Travis.
coveralls test coverage No coveralls.
            <!--
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
-->

# cdk-nag

| Language   | cdk-nag                                                                                                                         | monocdk-nag                                                                                                                             |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| Python     | [![PyPI version](https://img.shields.io/pypi/v/cdk-nag)](https://pypi.org/project/cdk-nag/)                                     | [![PyPI version](https://img.shields.io/pypi/v/monocdk-nag)](https://pypi.org/project/monocdk-nag/)                                     |
| TypeScript | [![npm version](https://img.shields.io/npm/v/cdk-nag)](https://www.npmjs.com/package/cdk-nag)                                   | [![npm version](https://img.shields.io/npm/v/monocdk-nag/latest-1?label=npm)](https://www.npmjs.com/package/monocdk-nag)                |
| Java       | [![Maven version](https://img.shields.io/maven-central/v/io.github.cdklabs/cdknag)](https://search.maven.org/search?q=a:cdknag) | [![Maven version](https://img.shields.io/maven-central/v/io.github.cdklabs/monocdknag)](https://search.maven.org/search?q=a:monocdknag) |
| .NET       | [![NuGet version](https://img.shields.io/nuget/v/Cdklabs.CdkNag)](https://www.nuget.org/packages/Cdklabs.CdkNag)                | [![NuGet version](https://img.shields.io/nuget/v/Cdklabs.MonocdkNag)](https://www.nuget.org/packages/Cdklabs.MonocdkNag)                |

* If your project uses cdk version **1.x.x** use `cdk-nag` **^1.0.0**
* If your project uses cdk version **2.x.x** use `cdk-nag` **^2.0.0**
* If your project uses monocdk use `monocdk-nag` **^1.0.0**

Check CDK applications or [CloudFormation templates](#using-on-cloudformation-templates) for best practices using a combination of available rule packs. Inspired by [cfn_nag](https://github.com/stelligent/cfn_nag)

![](cdk_nag.gif)

## Available Packs

See [RULES](./RULES.md) for more information on all the available packs.

1. [AWS Solutions](./RULES.md#awssolutions)
2. [HIPAA Security](./RULES.md#hipaa-security)
3. [NIST 800-53 rev 4](./RULES.md#nist-800-53-rev-4)
4. [NIST 800-53 rev 5](./RULES.md#nist-800-53-rev-5)
5. [PCI DSS 3.2.1](./RULES.md#pci-dss-321)

Read the [NagPack developer docs](./docs/NagPack.md) if you are interested in creating your own pack.

## Usage

For a full list of options See `NagPackProps` in the [API.md](./API.md#struct-nagpackprops)

<details>
<summary>cdk</summary>

```python
import { App, Aspects } from '@aws-cdk/core';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));
```

</details><details>
<summary>cdk v2</summary>

```python
import { App, Aspects } from 'aws-cdk-lib';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));
```

</details><details>
<summary>monocdk</summary>

```python
import { App, Aspects } from 'monocdk';
import { CdkTestStack } from '../lib/my-stack';
import { AwsSolutionsChecks } from 'monocdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
// Simple rule informational messages
Aspects.of(app).add(new AwsSolutionsChecks());
// Additional explanations on the purpose of triggered rules
// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));
```

</details>

## Suppressing a Rule

<details>
  <summary>Example 1) Default Construct</summary>

```python
import { SecurityGroup, Vpc, Peer, Port } from '@aws-cdk/aws-ec2';
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const test = new SecurityGroup(this, 'test', {
      vpc: new Vpc(this, 'vpc'),
    });
    test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());
    NagSuppressions.addResourceSuppressions(test, [
      { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
    ]);
  }
}
```

</details><details>
  <summary>Example 2) Child Constructs</summary>

```python
import { User, PolicyStatement } from '@aws-cdk/aws-iam';
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const user = new User(this, 'rUser');
    user.addToPolicy(
      new PolicyStatement({
        actions: ['s3:PutObject'],
        resources: ['arn:aws:s3:::bucket_name/*'],
      })
    );
    // Enable adding suppressions to child constructs
    NagSuppressions.addResourceSuppressions(
      user,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'lorem ipsum',
          appliesTo: ['Resource::arn:aws:s3:::bucket_name/*'], // optional
        },
      ],
      true
    );
  }
}
```

</details><details>
  <summary>Example 3) Stack Level </summary>

```python
import { App, Aspects } from '@aws-cdk/core';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';

const app = new App();
const stack = new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
NagSuppressions.addStackSuppressions(stack, [
  { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },
]);
```

</details><details>
  <summary>Example 4) Construct path</summary>

If you received the following error on synth/deploy

```bash
[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies
```

```python
import { Bucket } from '@aws-cdk/aws-s3';
import { BucketDeployment } from '@aws-cdk/aws-s3-deployment';
import { NagSuppressions } from 'cdk-nag';
import { Construct, Stack, StackProps } from '@aws-cdk/core';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new BucketDeployment(this, 'rDeployment', {
      sources: [],
      destinationBucket: Bucket.fromBucketName(this, 'rBucket', 'foo'),
    });
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource',
      [{ id: 'AwsSolutions-IAM4', reason: 'at least 10 characters' }]
    );
  }
}
```

</details><details>
  <summary>Example 5) Granular Suppressions of findings</summary>

Certain rules support granular suppressions of `findings`. If you received the following errors on synth/deploy

```bash
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
```

By applying the following suppressions

```python
import { User } from '@aws-cdk/aws-iam';
import { NagSuppressions } from 'cdk-nag';
import { Construct, Stack, StackProps } from '@aws-cdk/core';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const firstUser = new User(this, 'rFirstUser');
    firstUser.addToPolicy(
      new PolicyStatement({
        actions: ['s3:*'],
        resources: ['*'],
      })
    );
    const secondUser = new User(this, 'rSecondUser');
    secondUser.addToPolicy(
      new PolicyStatement({
        actions: ['s3:*'],
        resources: ['*'],
      })
    );
    const thirdUser = new User(this, 'rSecondUser');
    thirdUser.addToPolicy(
      new PolicyStatement({
        actions: ['sqs:CreateQueue'],
        resources: [`arn:aws:sqs:${this.region}:${this.account}:*`],
      })
    );
    NagSuppressions.addResourceSuppressions(
      firstUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason:
            "Only suppress AwsSolutions-IAM5 's3:*' finding on First User.",
          appliesTo: ['Action::s3:*'],
        },
      ],
      true
    );
    NagSuppressions.addResourceSuppressions(
      secondUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Suppress all AwsSolutions-IAM5 findings on Second User.',
        },
      ],
      true
    );
    NagSuppressions.addResourceSuppressions(
      thirdUser,
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Suppress AwsSolutions-IAM5 on the SQS resource.',
          appliesTo: [
            {
              regex: '/^Resource::arn:aws:sqs:(.*):\\*$/g',
            },
          ],
        },
      ],
      true
    );
  }
}
```

You would see the following error on synth/deploy

```bash
[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.
```

</details>

## Rules and Property Overrides

In some cases L2 Constructs do not have a native option to remediate an issue and must be fixed via [Raw Overrides](https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html#cfn_layer_raw). Since raw overrides take place after template synthesis these fixes are not caught by the cdk_nag. In this case you should remediate the issue and suppress the issue like in the following example.

<details>
  <summary>Example) Property Overrides</summary>

```python
import {
  Instance,
  InstanceType,
  InstanceClass,
  MachineImage,
  Vpc,
  CfnInstance,
} from '@aws-cdk/aws-ec2';
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { NagSuppressions } from 'cdk-nag';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const instance = new Instance(this, 'rInstance', {
      vpc: new Vpc(this, 'rVpc'),
      instanceType: new InstanceType(InstanceClass.T3),
      machineImage: MachineImage.latestAmazonLinux(),
    });
    const cfnIns = instance.node.defaultChild as CfnInstance;
    cfnIns.addPropertyOverride('DisableApiTermination', true);
    NagSuppressions.addResourceSuppressions(instance, [
      {
        id: 'AwsSolutions-EC29',
        reason: 'Remediated through property override.',
      },
    ]);
  }
}
```

</details>

## Using on CloudFormation templates

You can use cdk-nag on existing CloudFormation templates by using the [cloudformation-include](https://docs.aws.amazon.com/cdk/latest/guide/use_cfn_template.html#use_cfn_template_install) module.

<details>
  <summary>Example 1) CloudFormation template with suppression</summary>

Sample CloudFormation template with suppression

```json
{
  "Resources": {
    "rBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "some-bucket-name"
      },
      "Metadata": {
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "id": "AwsSolutions-S1",
              "reason": "at least 10 characters"
            }
          ]
        }
      }
    }
  }
}
```

Sample App

```python
import { App, Aspects } from '@aws-cdk/core';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
```

Sample Stack with imported template

```python
import { CfnInclude } from '@aws-cdk/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Construct, Stack, StackProps } from '@aws-cdk/core';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new CfnInclude(this, 'Template', {
      templateFile: 'my-template.json',
    });
    // Add any additional suppressions
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/CdkNagDemo/Template/rBucket',
      [
        {
          id: 'AwsSolutions-S2',
          reason: 'at least 10 characters',
        },
      ]
    );
  }
}
```

</details><details>
  <summary>Example 2) CloudFormation template with granular suppressions</summary>

Sample CloudFormation template with suppression

```json
{
  "Resources": {
    "myPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
              ],
              "Effect": "Allow",
              "Resource": ["some-key-arn"]
            }
          ],
          "Version": "2012-10-17"
        }
      },
      "Metadata": {
        "cdk_nag": {
          "rules_to_suppress": [
            {
              "id": "AwsSolutions-IAM5",
              "reason": "Allow key data access",
              "applies_to": [
                "Action::kms:ReEncrypt*",
                "Action::kms:GenerateDataKey*"
              ]
            }
          ]
        }
      }
    }
  }
}
```

Sample App

```python
import { App, Aspects } from '@aws-cdk/core';
import { CdkTestStack } from '../lib/cdk-test-stack';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
new CdkTestStack(app, 'CdkNagDemo');
Aspects.of(app).add(new AwsSolutionsChecks());
```

Sample Stack with imported template

```python
import { CfnInclude } from '@aws-cdk/cloudformation-include';
import { NagSuppressions } from 'cdk-nag';
import { Construct, Stack, StackProps } from '@aws-cdk/core';

export class CdkTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    new CfnInclude(this, 'Template', {
      templateFile: 'my-template.json',
    });
    // Add any additional suppressions
    NagSuppressions.addResourceSuppressionsByPath(
      this,
      '/CdkNagDemo/Template/myPolicy',
      [
        {
          id: 'AwsSolutions-IAM5',
          reason: 'Allow key data access',
          appliesTo: ['Action::kms:ReEncrypt*', 'Action::kms:GenerateDataKey*'],
        },
      ]
    );
  }
}
```

</details>

## Contributing

See [CONTRIBUTING](./CONTRIBUTING.md) for more information.

## License

This project is licensed under the Apache-2.0 License.



            

Raw data

            {
    "_id": null,
    "home_page": "https://github.com/cdklabs/cdk-nag.git",
    "name": "monocdk-nag",
    "maintainer": "",
    "docs_url": null,
    "requires_python": "~=3.7",
    "maintainer_email": "",
    "keywords": "",
    "author": "Arun Donti<donti@amazon.com>",
    "author_email": "",
    "download_url": "https://files.pythonhosted.org/packages/ad/38/a9812f4195296bd6c84800ae5cbbe4e6d759cf3b5a34db14c038b8b0b437/monocdk-nag-1.14.19.tar.gz",
    "platform": null,
    "description": "<!--\nCopyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\nSPDX-License-Identifier: Apache-2.0\n-->\n\n# cdk-nag\n\n| Language   | cdk-nag                                                                                                                         | monocdk-nag                                                                                                                             |\n| ---------- | ------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |\n| Python     | [![PyPI version](https://img.shields.io/pypi/v/cdk-nag)](https://pypi.org/project/cdk-nag/)                                     | [![PyPI version](https://img.shields.io/pypi/v/monocdk-nag)](https://pypi.org/project/monocdk-nag/)                                     |\n| TypeScript | [![npm version](https://img.shields.io/npm/v/cdk-nag)](https://www.npmjs.com/package/cdk-nag)                                   | [![npm version](https://img.shields.io/npm/v/monocdk-nag/latest-1?label=npm)](https://www.npmjs.com/package/monocdk-nag)                |\n| Java       | [![Maven version](https://img.shields.io/maven-central/v/io.github.cdklabs/cdknag)](https://search.maven.org/search?q=a:cdknag) | [![Maven version](https://img.shields.io/maven-central/v/io.github.cdklabs/monocdknag)](https://search.maven.org/search?q=a:monocdknag) |\n| .NET       | [![NuGet version](https://img.shields.io/nuget/v/Cdklabs.CdkNag)](https://www.nuget.org/packages/Cdklabs.CdkNag)                | [![NuGet version](https://img.shields.io/nuget/v/Cdklabs.MonocdkNag)](https://www.nuget.org/packages/Cdklabs.MonocdkNag)                |\n\n* If your project uses cdk version **1.x.x** use `cdk-nag` **^1.0.0**\n* If your project uses cdk version **2.x.x** use `cdk-nag` **^2.0.0**\n* If your project uses monocdk use `monocdk-nag` **^1.0.0**\n\nCheck CDK applications or [CloudFormation templates](#using-on-cloudformation-templates) for best practices using a combination of available rule packs. Inspired by [cfn_nag](https://github.com/stelligent/cfn_nag)\n\n![](cdk_nag.gif)\n\n## Available Packs\n\nSee [RULES](./RULES.md) for more information on all the available packs.\n\n1. [AWS Solutions](./RULES.md#awssolutions)\n2. [HIPAA Security](./RULES.md#hipaa-security)\n3. [NIST 800-53 rev 4](./RULES.md#nist-800-53-rev-4)\n4. [NIST 800-53 rev 5](./RULES.md#nist-800-53-rev-5)\n5. [PCI DSS 3.2.1](./RULES.md#pci-dss-321)\n\nRead the [NagPack developer docs](./docs/NagPack.md) if you are interested in creating your own pack.\n\n## Usage\n\nFor a full list of options See `NagPackProps` in the [API.md](./API.md#struct-nagpackprops)\n\n<details>\n<summary>cdk</summary>\n\n```python\nimport { App, Aspects } from '@aws-cdk/core';\nimport { CdkTestStack } from '../lib/cdk-test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag';\n\nconst app = new App();\nnew CdkTestStack(app, 'CdkNagDemo');\n// Simple rule informational messages\nAspects.of(app).add(new AwsSolutionsChecks());\n// Additional explanations on the purpose of triggered rules\n// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));\n```\n\n</details><details>\n<summary>cdk v2</summary>\n\n```python\nimport { App, Aspects } from 'aws-cdk-lib';\nimport { CdkTestStack } from '../lib/cdk-test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag';\n\nconst app = new App();\nnew CdkTestStack(app, 'CdkNagDemo');\n// Simple rule informational messages\nAspects.of(app).add(new AwsSolutionsChecks());\n// Additional explanations on the purpose of triggered rules\n// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));\n```\n\n</details><details>\n<summary>monocdk</summary>\n\n```python\nimport { App, Aspects } from 'monocdk';\nimport { CdkTestStack } from '../lib/my-stack';\nimport { AwsSolutionsChecks } from 'monocdk-nag';\n\nconst app = new App();\nnew CdkTestStack(app, 'CdkNagDemo');\n// Simple rule informational messages\nAspects.of(app).add(new AwsSolutionsChecks());\n// Additional explanations on the purpose of triggered rules\n// Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));\n```\n\n</details>\n\n## Suppressing a Rule\n\n<details>\n  <summary>Example 1) Default Construct</summary>\n\n```python\nimport { SecurityGroup, Vpc, Peer, Port } from '@aws-cdk/aws-ec2';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\nimport { NagSuppressions } from 'cdk-nag';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    const test = new SecurityGroup(this, 'test', {\n      vpc: new Vpc(this, 'vpc'),\n    });\n    test.addIngressRule(Peer.anyIpv4(), Port.allTraffic());\n    NagSuppressions.addResourceSuppressions(test, [\n      { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },\n    ]);\n  }\n}\n```\n\n</details><details>\n  <summary>Example 2) Child Constructs</summary>\n\n```python\nimport { User, PolicyStatement } from '@aws-cdk/aws-iam';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\nimport { NagSuppressions } from 'cdk-nag';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    const user = new User(this, 'rUser');\n    user.addToPolicy(\n      new PolicyStatement({\n        actions: ['s3:PutObject'],\n        resources: ['arn:aws:s3:::bucket_name/*'],\n      })\n    );\n    // Enable adding suppressions to child constructs\n    NagSuppressions.addResourceSuppressions(\n      user,\n      [\n        {\n          id: 'AwsSolutions-IAM5',\n          reason: 'lorem ipsum',\n          appliesTo: ['Resource::arn:aws:s3:::bucket_name/*'], // optional\n        },\n      ],\n      true\n    );\n  }\n}\n```\n\n</details><details>\n  <summary>Example 3) Stack Level </summary>\n\n```python\nimport { App, Aspects } from '@aws-cdk/core';\nimport { CdkTestStack } from '../lib/cdk-test-stack';\nimport { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag';\n\nconst app = new App();\nconst stack = new CdkTestStack(app, 'CdkNagDemo');\nAspects.of(app).add(new AwsSolutionsChecks());\nNagSuppressions.addStackSuppressions(stack, [\n  { id: 'AwsSolutions-EC23', reason: 'lorem ipsum' },\n]);\n```\n\n</details><details>\n  <summary>Example 4) Construct path</summary>\n\nIf you received the following error on synth/deploy\n\n```bash\n[Error at /StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource] AwsSolutions-IAM4: The IAM user, role, or group uses AWS managed policies\n```\n\n```python\nimport { Bucket } from '@aws-cdk/aws-s3';\nimport { BucketDeployment } from '@aws-cdk/aws-s3-deployment';\nimport { NagSuppressions } from 'cdk-nag';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    new BucketDeployment(this, 'rDeployment', {\n      sources: [],\n      destinationBucket: Bucket.fromBucketName(this, 'rBucket', 'foo'),\n    });\n    NagSuppressions.addResourceSuppressionsByPath(\n      this,\n      '/StackName/Custom::CDKBucketDeployment8675309/ServiceRole/Resource',\n      [{ id: 'AwsSolutions-IAM4', reason: 'at least 10 characters' }]\n    );\n  }\n}\n```\n\n</details><details>\n  <summary>Example 5) Granular Suppressions of findings</summary>\n\nCertain rules support granular suppressions of `findings`. If you received the following errors on synth/deploy\n\n```bash\n[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.\n[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.\n[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Action::s3:*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.\n[Error at /StackName/rSecondUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.\n```\n\nBy applying the following suppressions\n\n```python\nimport { User } from '@aws-cdk/aws-iam';\nimport { NagSuppressions } from 'cdk-nag';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    const firstUser = new User(this, 'rFirstUser');\n    firstUser.addToPolicy(\n      new PolicyStatement({\n        actions: ['s3:*'],\n        resources: ['*'],\n      })\n    );\n    const secondUser = new User(this, 'rSecondUser');\n    secondUser.addToPolicy(\n      new PolicyStatement({\n        actions: ['s3:*'],\n        resources: ['*'],\n      })\n    );\n    const thirdUser = new User(this, 'rSecondUser');\n    thirdUser.addToPolicy(\n      new PolicyStatement({\n        actions: ['sqs:CreateQueue'],\n        resources: [`arn:aws:sqs:${this.region}:${this.account}:*`],\n      })\n    );\n    NagSuppressions.addResourceSuppressions(\n      firstUser,\n      [\n        {\n          id: 'AwsSolutions-IAM5',\n          reason:\n            \"Only suppress AwsSolutions-IAM5 's3:*' finding on First User.\",\n          appliesTo: ['Action::s3:*'],\n        },\n      ],\n      true\n    );\n    NagSuppressions.addResourceSuppressions(\n      secondUser,\n      [\n        {\n          id: 'AwsSolutions-IAM5',\n          reason: 'Suppress all AwsSolutions-IAM5 findings on Second User.',\n        },\n      ],\n      true\n    );\n    NagSuppressions.addResourceSuppressions(\n      thirdUser,\n      [\n        {\n          id: 'AwsSolutions-IAM5',\n          reason: 'Suppress AwsSolutions-IAM5 on the SQS resource.',\n          appliesTo: [\n            {\n              regex: '/^Resource::arn:aws:sqs:(.*):\\\\*$/g',\n            },\n          ],\n        },\n      ],\n      true\n    );\n  }\n}\n```\n\nYou would see the following error on synth/deploy\n\n```bash\n[Error at /StackName/rFirstUser/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.\n```\n\n</details>\n\n## Rules and Property Overrides\n\nIn some cases L2 Constructs do not have a native option to remediate an issue and must be fixed via [Raw Overrides](https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html#cfn_layer_raw). Since raw overrides take place after template synthesis these fixes are not caught by the cdk_nag. In this case you should remediate the issue and suppress the issue like in the following example.\n\n<details>\n  <summary>Example) Property Overrides</summary>\n\n```python\nimport {\n  Instance,\n  InstanceType,\n  InstanceClass,\n  MachineImage,\n  Vpc,\n  CfnInstance,\n} from '@aws-cdk/aws-ec2';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\nimport { NagSuppressions } from 'cdk-nag';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    const instance = new Instance(this, 'rInstance', {\n      vpc: new Vpc(this, 'rVpc'),\n      instanceType: new InstanceType(InstanceClass.T3),\n      machineImage: MachineImage.latestAmazonLinux(),\n    });\n    const cfnIns = instance.node.defaultChild as CfnInstance;\n    cfnIns.addPropertyOverride('DisableApiTermination', true);\n    NagSuppressions.addResourceSuppressions(instance, [\n      {\n        id: 'AwsSolutions-EC29',\n        reason: 'Remediated through property override.',\n      },\n    ]);\n  }\n}\n```\n\n</details>\n\n## Using on CloudFormation templates\n\nYou can use cdk-nag on existing CloudFormation templates by using the [cloudformation-include](https://docs.aws.amazon.com/cdk/latest/guide/use_cfn_template.html#use_cfn_template_install) module.\n\n<details>\n  <summary>Example 1) CloudFormation template with suppression</summary>\n\nSample CloudFormation template with suppression\n\n```json\n{\n  \"Resources\": {\n    \"rBucket\": {\n      \"Type\": \"AWS::S3::Bucket\",\n      \"Properties\": {\n        \"BucketName\": \"some-bucket-name\"\n      },\n      \"Metadata\": {\n        \"cdk_nag\": {\n          \"rules_to_suppress\": [\n            {\n              \"id\": \"AwsSolutions-S1\",\n              \"reason\": \"at least 10 characters\"\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\nSample App\n\n```python\nimport { App, Aspects } from '@aws-cdk/core';\nimport { CdkTestStack } from '../lib/cdk-test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag';\n\nconst app = new App();\nnew CdkTestStack(app, 'CdkNagDemo');\nAspects.of(app).add(new AwsSolutionsChecks());\n```\n\nSample Stack with imported template\n\n```python\nimport { CfnInclude } from '@aws-cdk/cloudformation-include';\nimport { NagSuppressions } from 'cdk-nag';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    new CfnInclude(this, 'Template', {\n      templateFile: 'my-template.json',\n    });\n    // Add any additional suppressions\n    NagSuppressions.addResourceSuppressionsByPath(\n      this,\n      '/CdkNagDemo/Template/rBucket',\n      [\n        {\n          id: 'AwsSolutions-S2',\n          reason: 'at least 10 characters',\n        },\n      ]\n    );\n  }\n}\n```\n\n</details><details>\n  <summary>Example 2) CloudFormation template with granular suppressions</summary>\n\nSample CloudFormation template with suppression\n\n```json\n{\n  \"Resources\": {\n    \"myPolicy\": {\n      \"Type\": \"AWS::IAM::Policy\",\n      \"Properties\": {\n        \"PolicyDocument\": {\n          \"Statement\": [\n            {\n              \"Action\": [\n                \"kms:Decrypt\",\n                \"kms:DescribeKey\",\n                \"kms:Encrypt\",\n                \"kms:ReEncrypt*\",\n                \"kms:GenerateDataKey*\"\n              ],\n              \"Effect\": \"Allow\",\n              \"Resource\": [\"some-key-arn\"]\n            }\n          ],\n          \"Version\": \"2012-10-17\"\n        }\n      },\n      \"Metadata\": {\n        \"cdk_nag\": {\n          \"rules_to_suppress\": [\n            {\n              \"id\": \"AwsSolutions-IAM5\",\n              \"reason\": \"Allow key data access\",\n              \"applies_to\": [\n                \"Action::kms:ReEncrypt*\",\n                \"Action::kms:GenerateDataKey*\"\n              ]\n            }\n          ]\n        }\n      }\n    }\n  }\n}\n```\n\nSample App\n\n```python\nimport { App, Aspects } from '@aws-cdk/core';\nimport { CdkTestStack } from '../lib/cdk-test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag';\n\nconst app = new App();\nnew CdkTestStack(app, 'CdkNagDemo');\nAspects.of(app).add(new AwsSolutionsChecks());\n```\n\nSample Stack with imported template\n\n```python\nimport { CfnInclude } from '@aws-cdk/cloudformation-include';\nimport { NagSuppressions } from 'cdk-nag';\nimport { Construct, Stack, StackProps } from '@aws-cdk/core';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    new CfnInclude(this, 'Template', {\n      templateFile: 'my-template.json',\n    });\n    // Add any additional suppressions\n    NagSuppressions.addResourceSuppressionsByPath(\n      this,\n      '/CdkNagDemo/Template/myPolicy',\n      [\n        {\n          id: 'AwsSolutions-IAM5',\n          reason: 'Allow key data access',\n          appliesTo: ['Action::kms:ReEncrypt*', 'Action::kms:GenerateDataKey*'],\n        },\n      ]\n    );\n  }\n}\n```\n\n</details>\n\n## Contributing\n\nSee [CONTRIBUTING](./CONTRIBUTING.md) for more information.\n\n## License\n\nThis project is licensed under the Apache-2.0 License.\n\n\n",
    "bugtrack_url": null,
    "license": "Apache-2.0",
    "summary": "Check CDK applications for best practices using a combination on available rule packs.",
    "version": "1.14.19",
    "split_keywords": [],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "4a42c84e92d7fcf5ee6ac3aab14d51ad",
                "sha256": "933121e3af87d2e93c58256088de145e0679b403257d0ba0e139ff13908aa245"
            },
            "downloads": -1,
            "filename": "monocdk_nag-1.14.19-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "4a42c84e92d7fcf5ee6ac3aab14d51ad",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": "~=3.7",
            "size": 682836,
            "upload_time": "2022-05-31T00:32:18",
            "upload_time_iso_8601": "2022-05-31T00:32:18.224922Z",
            "url": "https://files.pythonhosted.org/packages/09/f5/a643253fd7daefad7890ab6fa7ef4d48bfd901ff4870dec0f4ab68baeae6/monocdk_nag-1.14.19-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "md5": "3c960e198837c99a9e974e430f6070f6",
                "sha256": "0ebe82163095f84f644ba31711107e65ed3f2481f5cf428a09e096697c911eab"
            },
            "downloads": -1,
            "filename": "monocdk-nag-1.14.19.tar.gz",
            "has_sig": false,
            "md5_digest": "3c960e198837c99a9e974e430f6070f6",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": "~=3.7",
            "size": 684446,
            "upload_time": "2022-05-31T00:32:21",
            "upload_time_iso_8601": "2022-05-31T00:32:21.605910Z",
            "url": "https://files.pythonhosted.org/packages/ad/38/a9812f4195296bd6c84800ae5cbbe4e6d759cf3b5a34db14c038b8b0b437/monocdk-nag-1.14.19.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2022-05-31 00:32:21",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "github_user": "cdklabs",
    "github_project": "cdk-nag.git",
    "lcname": "monocdk-nag"
}
        
Elapsed time: 0.38326s