{"value":"Infrastructure as Code (IaC) is an important part of Cloud Applications. Developers rely on various Static Application Security Testing (SAST) tools to identify security/compliance issues and mitigate these issues early on, before releasing their applications to production. Additionally, SAST tools often provide reporting mechanisms that can help developers verify compliance during security reviews.\n\n```cdk-nag``` integrates directly into [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) applications to provide identification and reporting mechanisms similar to SAST tooling.\n\nThis post demonstrates how to integrate cdk-nag into an AWS CDK application to provide continual feedback and help align your applications with best practices.\n\n### **Overview of cdk-nag**\n```cdk-nag``` (inspired by [cfn_nag](https://github.com/stelligent/cfn_nag)) validates that the state of constructs within a given scope comply with a given set of rules. Additionally, cdk-nag provides a rule suppression and compliance reporting system. cdk-nag validates constructs by extending AWS [CDK Aspects](https://docs.aws.amazon.com/cdk/v2/guide/aspects.html). If you’re interested in learning more about the AWS CDK Aspect system, then you should check out this post.\n\n```cdk-nag``` includes several rule sets (NagPacks) to validate your application against. As of this post, cdk-nag includes the [ AWS Solutions](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions), [HIPAA Security](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#hipaa-security), [NIST 800-53 rev 4](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#nist-800-53-rev-4), NIST 800-53 rev 5, and [PCI DSS 3.2.1](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#pci-dss-321) NagPacks. You can pick and choose different NagPacks and apply as many as you wish to a given scope.\n\ncdk-nag rules can either be ```warnings``` or ```errors```. 
Both ```warnings``` and ```errors``` will be displayed in the console and compliance reports. Only unsuppressed ```errors``` will prevent applications from deploying with the ```cdk deploy``` command.\n\nYou can see which rules are implemented in each of the NagPacks in the [Rules Documentation](https://github.com/cdklabs/cdk-nag/blob/main/RULES.md) in the GitHub repository.\n\n### **Walkthrough**\nThis walkthrough will set up a minimal AWS CDK v2 application, as well as demonstrate how to apply a NagPack to the application, how to suppress rules, and how to view a report of the findings. Although cdk-nag has support for Python, TypeScript, Java, and .NET AWS CDK applications, we’ll use TypeScript for this walkthrough.\n\n### **Prerequisites**\nFor this walkthrough, you should have the following prerequisites:\n\n- A local installation of and experience using the AWS CDK.\n\n\n### **Create a baseline AWS CDK application**\nIn this section you will create and synthesize a small AWS CDK v2 application with an Amazon Simple Storage Service (Amazon S3) bucket. If you are unfamiliar with using the AWS CDK, then learn how to install and set up the AWS CDK by looking at their open source [GitHub repository](https://github.com/aws/aws-cdk).\n\n1. Run the following commands to create the AWS CDK application:\n\nBash\n```\nmkdir CdkTest\ncd CdkTest\ncdk init app --language typescript\n```\n\n\n2. Replace the contents of the ```lib/cdk_test-stack.ts``` with the following:\n\nTypeScript\n```\nimport { Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    // A bucket with default settings; cdk-nag will flag it in the next section.\n    const bucket = new Bucket(this, 'Bucket');\n  }\n}\n```\n\n\n3. 
Run the following commands to install dependencies and synthesize our sample app:\n\nBash\n```\nnpm install\nnpx cdk synth\n```\n\n\nYou should see an [AWS CloudFormation](https://aws.amazon.com/cloudformation/) template with an S3 bucket both in your terminal and in ```cdk.out/CdkTestStack.template.json```.\n\n### **Apply a NagPack in your application**\nIn this section, you’ll install cdk-nag, include the AwsSolutions NagPack in your application, and view the results.\n\n1. Run the following command to install ```cdk-nag```:\n\nBash\n\n```\nnpm install cdk-nag\n```\n\n\n2. Replace the contents of the ```bin/cdk_test.ts``` with the following:\n\nTypeScript\n```\n#!/usr/bin/env node\nimport 'source-map-support/register';\nimport * as cdk from 'aws-cdk-lib';\nimport { CdkTestStack } from '../lib/cdk_test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag';\nimport { Aspects } from 'aws-cdk-lib';\n\nconst app = new cdk.App();\n// Add the cdk-nag AwsSolutions Pack with extra verbose logging enabled.\nAspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));\nnew CdkTestStack(app, 'CdkTestStack', {});\n```\n\n3. Run the following command to view the output and generate the compliance report:\n\nBash\n```\nnpx cdk synth\n```\n\n\nThe output should look similar to the following (Note: SSE stands for Server-side encryption):\n\nBash\n\n```\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S1: The S3 Bucket has server access logs disabled. The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S2: The S3 Bucket does not have public access restricted and blocked. The bucket should have public access restricted and blocked to prevent unauthorized access.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S3: The S3 Bucket does not default encryption enabled. 
The bucket should minimally have SSE enabled to help protect data-at-rest.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S10: The S3 Bucket does not require requests to use SSL. You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. You should allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket policies.\n\nFound errors\n```\n\n\nNote that applying the AwsSolutions NagPack to the application rendered several ```errors``` in the console (```AwsSolutions-S1```, ```AwsSolutions-S2```, ```AwsSolutions-S3```, and ```AwsSolutions-S10```). Furthermore, the ```cdk.out/AwsSolutions-CdkTestStack-NagReport.csv``` contains the errors as well:\n\nCsv\n```\nRule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info\n\"AwsSolutions-S1\",\"CdkTestStack/Bucket/Resource\",\"Non-Compliant\",\"N/A\",\"Error\",\"The S3 Bucket has server access logs disabled.\"\n\"AwsSolutions-S2\",\"CdkTestStack/Bucket/Resource\",\"Non-Compliant\",\"N/A\",\"Error\",\"The S3 Bucket does not have public access restricted and blocked.\"\n\"AwsSolutions-S3\",\"CdkTestStack/Bucket/Resource\",\"Non-Compliant\",\"N/A\",\"Error\",\"The S3 Bucket does not default encryption enabled.\"\n\"AwsSolutions-S5\",\"CdkTestStack/Bucket/Resource\",\"Compliant\",\"N/A\",\"Error\",\"The S3 static website bucket either has an open world bucket policy or does not use a CloudFront Origin Access Identity (OAI) in the bucket policy for limited getObject and/or putObject permissions.\"\n\"AwsSolutions-S10\",\"CdkTestStack/Bucket/Resource\",\"Non-Compliant\",\"N/A\",\"Error\",\"The S3 Bucket does not require requests to use SSL.\"\n```\n\n\n### **Remediating and suppressing errors**\nIn this section, you’ll remediate the AwsSolutions-S10 ```error```, suppress the ```AwsSolutions-S1``` error on a ```Stack``` level, suppress the ```AwsSolutions-S2``` 
```error``` on a ```Resource``` level, **not** remediate the ```AwsSolutions-S3``` error, and view the results.\n\n1. Replace the contents of the ```lib/cdk_test-stack.ts``` with the following:\n\nTypeScript\n```\nimport { Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { NagSuppressions } from 'cdk-nag';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    // The local scope 'this' is the Stack, so this suppression applies to every resource in it.\n    NagSuppressions.addStackSuppressions(this, [\n      {\n        id: 'AwsSolutions-S1',\n        reason: 'Demonstrate a stack level suppression.',\n      },\n    ]);\n    // Remediating AwsSolutions-S10 by enforcing SSL on the bucket.\n    const bucket = new Bucket(this, 'Bucket', { enforceSSL: true });\n    // This suppression applies only to the bucket construct.\n    NagSuppressions.addResourceSuppressions(bucket, [\n      {\n        id: 'AwsSolutions-S2',\n        reason: 'Demonstrate a resource level suppression.',\n      },\n    ]);\n  }\n}\n```\n\n\n2. Run the ```cdk synth``` command again:\n\nBash\n```\nnpx cdk synth\n```\n\n\nThe output should look similar to the following:\n\nBash\n\n```\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S3: The S3 Bucket does not default encryption enabled. 
The bucket should minimally have SSE enabled to help protect data-at-rest.\n\nFound errors\n```\n\n\nThe ```cdk.out/AwsSolutions-CdkTestStack-NagReport.csv``` contains more details about rule compliance, non-compliance, and suppressions.\n\nCsv\n\n```\nRule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info\n\"AwsSolutions-S1\",\"CdkTestStack/Bucket/Resource\",\"Suppressed\",\"Demonstrate a stack level suppression.\",\"Error\",\"The S3 Bucket has server access logs disabled.\"\n\"AwsSolutions-S2\",\"CdkTestStack/Bucket/Resource\",\"Suppressed\",\"Demonstrate a resource level suppression.\",\"Error\",\"The S3 Bucket does not have public access restricted and blocked.\"\n\"AwsSolutions-S3\",\"CdkTestStack/Bucket/Resource\",\"Non-Compliant\",\"N/A\",\"Error\",\"The S3 Bucket does not default encryption enabled.\"\n\"AwsSolutions-S5\",\"CdkTestStack/Bucket/Resource\",\"Compliant\",\"N/A\",\"Error\",\"The S3 static website bucket either has an open world bucket policy or does not use a CloudFront Origin Access Identity (OAI) in the bucket policy for limited getObject and/or putObject permissions.\"\n\"AwsSolutions-S10\",\"CdkTestStack/Bucket/Resource\",\"Compliant\",\"N/A\",\"Error\",\"The S3 Bucket does not require requests to use SSL.\"\n```\n\nMoreover, note that the resultant ```cdk.out/CdkTestStack.template.json``` template contains the ```cdk-nag``` suppression data. 
This provides transparency about which rules weren’t applied to an application, as the suppression data is included in the resources.\n\nJSON\n```\n{\n  \"Metadata\": {\n    \"cdk_nag\": {\n      \"rules_to_suppress\": [\n        {\n          \"id\": \"AwsSolutions-S1\",\n          \"reason\": \"Demonstrate a stack level suppression.\"\n        }\n      ]\n    }\n  },\n  \"Resources\": {\n    \"BucketDEB6E181\": {\n      \"Type\": \"AWS::S3::Bucket\",\n      \"UpdateReplacePolicy\": \"Retain\",\n      \"DeletionPolicy\": \"Retain\",\n      \"Metadata\": {\n        \"aws:cdk:path\": \"CdkTestStack/Bucket/Resource\",\n        \"cdk_nag\": {\n          \"rules_to_suppress\": [\n            {\n              \"id\": \"AwsSolutions-S2\",\n              \"reason\": \"Demonstrate a resource level suppression.\"\n            }\n          ]\n        }\n      }\n    },\n    ...\n  },\n  ...\n}\n```\n\n\n### **Reflecting on the Walkthrough**\nIn this section, you learned how to apply a ```NagPack``` to your application, remediate/suppress ```warnings``` and ```errors```, and review the compliance reports. The reporting and suppression systems provide mechanisms for the development and security teams within organizations to work together to identify and mitigate potential security/compliance issues. Security can choose which NagPacks developers should apply to their applications. Then, developers can use the feedback to quickly remediate issues. Security can use the reports to validate compliance. Furthermore, developers and security can work together to use suppressions to transparently document exceptions to rules that they’ve decided not to follow.\n\n### **Advanced usage and further reading**\nThis section briefly covers some advanced options for using ```cdk-nag```.\n\n#### **Unit Testing with the AWS CDK Assertions Library**\nThe Annotations submodule of the AWS CDK assertions library lets you check for ```cdk-nag``` ```warnings``` and ```errors``` without AWS credentials by integrating a NagPack into your application unit tests. Read this post for further information about the AWS CDK assertions module. 
The following is an example of using assertions with a TypeScript AWS CDK application and Jest for unit testing.\n\nTypeScript\n\n```\nimport { Annotations, Match } from 'aws-cdk-lib/assertions';\nimport { App, Aspects, Stack } from 'aws-cdk-lib';\nimport { AwsSolutionsChecks } from 'cdk-nag';\nimport { CdkTestStack } from '../lib/cdk_test-stack';\n\ndescribe('cdk-nag AwsSolutions Pack', () => {\n  let stack: Stack;\n  let app: App;\n  // In this case we can use beforeAll() over beforeEach() since our tests\n  // do not modify the state of the application.\n  beforeAll(() => {\n    // GIVEN\n    app = new App();\n    stack = new CdkTestStack(app, 'test');\n\n    // WHEN\n    Aspects.of(stack).add(new AwsSolutionsChecks());\n  });\n\n  // THEN\n  test('No unsuppressed Warnings', () => {\n    const warnings = Annotations.fromStack(stack).findWarning(\n      '*',\n      Match.stringLikeRegexp('AwsSolutions-.*')\n    );\n    expect(warnings).toHaveLength(0);\n  });\n\n  test('No unsuppressed Errors', () => {\n    const errors = Annotations.fromStack(stack).findError(\n      '*',\n      Match.stringLikeRegexp('AwsSolutions-.*')\n    );\n    expect(errors).toHaveLength(0);\n  });\n});\n```\n\n\nAdditionally, many testing frameworks include ```watch``` functionality. This is a background process that reruns all of the tests when files in your project have changed for fast feedback. For example, when using the AWS CDK in JavaScript/TypeScript, you can use the Jest CLI watch commands. When Jest watch detects a file change, it attempts to run unit tests related to the changed file. This can be used to automatically run cdk-nag-related tests when making changes to your AWS CDK application.\n\n### **CDK Watch**\nWhen developing in non-production environments, consider using AWS CDK Watch with a NagPack for fast feedback. AWS CDK Watch attempts to synthesize and then deploy changes whenever you save changes to your files. Aspects are run during synthesis. Therefore, any NagPacks applied to your application will also run on save. 
As in the walkthrough, all of the unsuppressed ```errors``` will prevent deployments, all of the messages will be output to the console, and all of the compliance reports will be generated. Read this [post](https://aws.amazon.com/blogs/developer/increasing-development-speed-with-cdk-watch/) for further information about AWS CDK Watch.\n\n### **Conclusion**\nIn this post, you learned how to use ```cdk-nag``` in your AWS CDK applications. To learn more about using ```cdk-nag``` in your applications, check out the [README](https://github.com/cdklabs/cdk-nag/blob/main/README.md) in the GitHub Repository. If you would like to learn how to create your own rules and NagPacks, then check out the [developer documentation](https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md). The repository is open source and welcomes [community contributions and feedback](https://github.com/cdklabs/cdk-nag/blob/main/CONTRIBUTING.md).\n\n#### **Author:**\n\n![image.png](https://dev-media.amazoncloud.cn/20ffdab8cc6e47c8879000f36e0eb547_image.png)\n\n**Arun Donti**\nArun Donti is a Senior Software Engineer with Twitch. He loves working on building automated processes and tools that enable builders and organizations to focus on and deliver their mission critical needs. You can find him on [GitHub](https://github.com/dontirun).\n","render":"<p>Infrastructure as Code (IaC) is an important part of Cloud Applications. Developers rely on various Static Application Security Testing (SAST) tools to identify security/compliance issues and mitigate these issues early on, before releasing their applications to production. 
Additionally, SAST tools often provide reporting mechanisms that can help developers verify compliance during security reviews.</p>\n<p><code>cdk-nag</code> integrates directly into <a href=\"https://aws.amazon.com/cdk/\" target=\"_blank\">AWS Cloud Development Kit (AWS CDK)</a> applications to provide identification and reporting mechanisms similar to SAST tooling.</p>\n<p>This post demonstrates how to integrate cdk-nag into an AWS CDK application to provide continual feedback and help align your applications with best practices.</p>\n<h3><a id=\"Overview_of_cdknag_6\"></a><strong>Overview of cdk-nag</strong></h3>\n<p><code>cdk-nag</code> (inspired by <a href=\"https://github.com/stelligent/cfn_nag\" target=\"_blank\">cfn_nag</a>) validates that the state of constructs within a given scope comply with a given set of rules. Additionally, cdk-nag provides a rule suppression and compliance reporting system. cdk-nag validates constructs by extending AWS <a href=\"https://docs.aws.amazon.com/cdk/v2/guide/aspects.html\" target=\"_blank\">CDK Aspects</a>. If you’re interested in learning more about the AWS CDK Aspect system, then you should check out this post.</p>\n<p><code>cdk-nag</code> includes several rule sets (NagPacks) to validate your application against. As of this post, cdk-nag includes the <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#awssolutions\" target=\"_blank\"> AWS Solutions</a>, <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#hipaa-security\" target=\"_blank\">HIPAA Security</a>, <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#nist-800-53-rev-4\" target=\"_blank\">NIST 800-53 rev 4</a>, NIST 800-53 rev 5, and <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/RULES.md#pci-dss-321\" target=\"_blank\">PCI DSS 3.2.1</a> NagPacks. You can pick and choose different NagPacks and apply as many as you wish to a given scope.</p>\n<p>cdk-nag rules can either be <code>warnings</code> or <code>errors</code>. 
Both <code>warnings</code> and <code>errors</code> will be displayed in the console and compliance reports. Only unsuppressed <code>errors</code> will prevent applications from deploying with the <code>cdk deploy</code> command.</p>\n<p>You can see which rules are implemented in each of the NagPacks in the <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/RULES.md\" target=\"_blank\">Rules Documentation</a> in the GitHub repository.</p>\n<h3><a id=\"Walkthrough_15\"></a><strong>Walkthrough</strong></h3>\n<p>This walkthrough will set up a minimal AWS CDK v2 application, as well as demonstrate how to apply a NagPack to the application, how to suppress rules, and how to view a report of the findings. Although cdk-nag has support for Python, TypeScript, Java, and .NET AWS CDK applications, we’ll use TypeScript for this walkthrough.</p>\n<h3><a id=\"Prerequisites_18\"></a><strong>Prerequisites</strong></h3>\n<p>For this walkthrough, you should have the following prerequisites:</p>\n<ul>\n<li>A local installation of and experience using the AWS CDK.</li>\n</ul>\n<h3><a id=\"Create_a_baseline_AWS_CDK_application_24\"></a><strong>Create a baseline AWS CDK application</strong></h3>\n<p>In this section you will create and synthesize a small AWS CDK v2 application with an Amazon Simple Storage Service (Amazon S3) bucket. 
If you are unfamiliar with using the AWS CDK, then learn how to install and set up the AWS CDK by looking at their open source <a href=\"https://github.com/aws/aws-cdk\" target=\"_blank\">GitHub repository</a>.</p>\n<ol>\n<li>Run the following commands to create the AWS CDK application:</li>\n</ol>\n<p>Bash</p>\n<pre><code class=\"lang-\">mkdir CdkTest\ncd CdkTest\ncdk init app --language typescript\n</code></pre>\n<ol start=\"2\">\n<li>Replace the contents of the <code>lib/cdk_test-stack.ts</code> with the following:</li>\n</ol>\n<p>TypeScript</p>\n<pre><code class=\"lang-\">import { Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    // A bucket with default settings; cdk-nag will flag it in the next section.\n    const bucket = new Bucket(this, 'Bucket');\n  }\n}\n</code></pre>\n<ol start=\"3\">\n<li>Run the following commands to install dependencies and synthesize our sample app:</li>\n</ol>\n<p>Bash</p>\n<pre><code class=\"lang-\">npm install\nnpx cdk synth\n</code></pre>\n<p>You should see an <a href=\"https://aws.amazon.com/cloudformation/\" target=\"_blank\">AWS CloudFormation</a> template with an S3 bucket both in your terminal and in <code>cdk.out/CdkTestStack.template.json</code>.</p>\n<h3><a id=\"Apply_a_NagPack_in_your_application_65\"></a><strong>Apply a NagPack in your application</strong></h3>\n<p>In this section, you’ll install cdk-nag, include the AwsSolutions NagPack in your application, and view the results.</p>\n<ol>\n<li>Run the following command to install <code>cdk-nag</code>:</li>\n</ol>\n<p>Bash</p>\n<pre><code class=\"lang-\">npm install cdk-nag\n</code></pre>\n<ol start=\"2\">\n<li>Replace the contents of the <code>bin/cdk_test.ts</code> with the following:</li>\n</ol>\n<p>TypeScript</p>\n<pre><code class=\"lang-\">#!/usr/bin/env node\nimport 'source-map-support/register';\nimport * as cdk from 
'aws-cdk-lib';\nimport { CdkTestStack } from '../lib/cdk_test-stack';\nimport { AwsSolutionsChecks } from 'cdk-nag'\nimport { Aspects } from 'aws-cdk-lib';\n\nconst app = new cdk.App();\n// Add the cdk-nag AwsSolutions Pack with extra verbose logging enabled.\nAspects.of(app).add(new AwsSolutionsChecks({ verbose: true }))\nnew CdkTestStack(app, 'CdkTestStack', {});\n</code></pre>\n<ol start=\"3\">\n<li>Run the following command to view the output and generate the compliance report:</li>\n</ol>\n<p>Bash</p>\n<pre><code class=\"lang-\">npx cdk synth\n</code></pre>\n<p>The output should look similar to the following (Note: SSE stands for Server-side encryption):</p>\n<p>Bash</p>\n<pre><code class=\"lang-\">[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S1: The S3 Bucket has server access logs disabled. The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S2: The S3 Bucket does not have public access restricted and blocked. The bucket should have public access restricted and blocked to prevent unauthorized access.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S3: The S3 Bucket does not default encryption enabled. The bucket should minimally have SSE enabled to help protect data-at-rest.\n\n[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S10: The S3 Bucket does not require requests to use SSL. You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. 
You should allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket policies.\n\nFound errors\n</code></pre>\n<p>Note that applying the AwsSolutions NagPack to the application rendered several <code>errors</code> in the console (<code>AwsSolutions-S1</code>, <code>AwsSolutions-S2</code>, <code>AwsSolutions-S3</code>, and <code>AwsSolutions-S10</code>). Furthermore, the <code>cdk.out/AwsSolutions-CdkTestStack-NagReport.csv</code> contains the errors as well:</p>\n<p>Csv</p>\n<pre><code class=\"lang-\">Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info\n"AwsSolutions-S1","CdkTestStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket has server access logs disabled."\n"AwsSolutions-S2","CdkTestStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket does not have public access restricted and blocked."\n"AwsSolutions-S3","CdkTestStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket does not default encryption enabled."\n"AwsSolutions-S5","CdkTestStack/Bucket/Resource","Compliant","N/A","Error","The S3 static website bucket either has an open world bucket policy or does not use a CloudFront Origin Access Identity (OAI) in the bucket policy for limited getObject and/or putObject permissions."\n"AwsSolutions-S10","CdkTestStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket does not require requests to use SSL."\n</code></pre>\n<h3><a id=\"Remediating_and_suppressing_errors_130\"></a><strong>Remediating and suppressing errors</strong></h3>\n<p>In this section, you’ll remediate the AwsSolutions-S10 <code>error</code>, suppress the <code>AwsSolutions-S1</code> error on a <code>Stack</code> level, suppress the <code>AwsSolutions-S2</code> <code>error</code> on a <code>Resource</code> level, <strong>not</strong> remediate the <code>AwsSolutions-S3</code> error, and view the results.</p>\n<ol>\n<li>Replace the contents of the 
<code>lib/cdk_test-stack.ts</code> with the following:</li>\n</ol>\n<p>TypeScript</p>\n<pre><code class=\"lang-\">import { Stack, StackProps } from 'aws-cdk-lib';\nimport { Construct } from 'constructs';\nimport { Bucket } from 'aws-cdk-lib/aws-s3';\nimport { NagSuppressions } from 'cdk-nag';\n\nexport class CdkTestStack extends Stack {\n  constructor(scope: Construct, id: string, props?: StackProps) {\n    super(scope, id, props);\n    // The local scope 'this' is the Stack, so this suppression applies to every resource in it.\n    NagSuppressions.addStackSuppressions(this, [\n      {\n        id: 'AwsSolutions-S1',\n        reason: 'Demonstrate a stack level suppression.',\n      },\n    ]);\n    // Remediating AwsSolutions-S10 by enforcing SSL on the bucket.\n    const bucket = new Bucket(this, 'Bucket', { enforceSSL: true });\n    // This suppression applies only to the bucket construct.\n    NagSuppressions.addResourceSuppressions(bucket, [\n      {\n        id: 'AwsSolutions-S2',\n        reason: 'Demonstrate a resource level suppression.',\n      },\n    ]);\n  }\n}\n</code></pre>\n<ol start=\"2\">\n<li>Run the <code>cdk synth</code> command again:</li>\n</ol>\n<p>Bash</p>\n<pre><code class=\"lang-\">npx cdk synth\n</code></pre>\n<p>The output should look similar to the following:</p>\n<p>Bash</p>\n<pre><code class=\"lang-\">[Error at /CdkTestStack/Bucket/Resource] AwsSolutions-S3: The S3 Bucket does not default encryption enabled. 
The bucket should minimally have SSE enabled to help protect data-at-rest.\n\nFound errors\n</code></pre>\n<p>The <code>cdk.out/AwsSolutions-CdkTestStack-NagReport.csv</code> contains more details about rule compliance, non-compliance, and suppressions.</p>\n<p>Csv</p>\n<pre><code class=\"lang-\">Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info\n"AwsSolutions-S1","CdkTestStack/Bucket/Resource","Suppressed","Demonstrate a stack level suppression.","Error","The S3 Bucket has server access logs disabled."\n"AwsSolutions-S2","CdkTestStack/Bucket/Resource","Suppressed","Demonstrate a resource level suppression.","Error","The S3 Bucket does not have public access restricted and blocked."\n"AwsSolutions-S3","CdkTestStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket does not default encryption enabled."\n"AwsSolutions-S5","CdkTestStack/Bucket/Resource","Compliant","N/A","Error","The S3 static website bucket either has an open world bucket policy or does not use a CloudFront Origin Access Identity (OAI) in the bucket policy for limited getObject and/or putObject permissions."\n"AwsSolutions-S10","CdkTestStack/Bucket/Resource","Compliant","N/A","Error","The S3 Bucket does not require requests to use SSL."\n</code></pre>\n<p>Moreover, note that the resultant <code>cdk.out/CdkTestStack.template.json</code> template contains the <code>cdk-nag</code> suppression data. 
This provides transparency about which rules weren’t applied to an application, as the suppression data is included in the resources.</p>\n<p>JSON</p>\n<pre><code class=\"lang-\">{\n  "Metadata": {\n    "cdk_nag": {\n      "rules_to_suppress": [\n        {\n          "id": "AwsSolutions-S1",\n          "reason": "Demonstrate a stack level suppression."\n        }\n      ]\n    }\n  },\n  "Resources": {\n    "BucketDEB6E181": {\n      "Type": "AWS::S3::Bucket",\n      "UpdateReplacePolicy": "Retain",\n      "DeletionPolicy": "Retain",\n      "Metadata": {\n        "aws:cdk:path": "CdkTestStack/Bucket/Resource",\n        "cdk_nag": {\n          "rules_to_suppress": [\n            {\n              "id": "AwsSolutions-S2",\n              "reason": "Demonstrate a resource level suppression."\n            }\n          ]\n        }\n      }\n    },\n    ...\n  },\n  ...\n}\n</code></pre>\n<h3><a id=\"Reflecting_on_the_Walkthrough_236\"></a><strong>Reflecting on the Walkthrough</strong></h3>\n<p>In this section, you learned how to apply a <code>NagPack</code> to your application, remediate/suppress <code>warnings</code> and <code>errors</code>, and review the compliance reports. The reporting and suppression systems provide mechanisms for the development and security teams within organizations to work together to identify and mitigate potential security/compliance issues. Security can choose which NagPacks developers should apply to their applications. Then, developers can use the feedback to quickly remediate issues. Security can use the reports to validate compliance. 
Furthermore, developers and security can work together to use suppressions to transparently document exceptions to rules that they’ve decided not to follow.</p>\n<h3><a id=\"Advanced_usage_and_further_reading_239\"></a><strong>Advanced usage and further reading</strong></h3>\n<p>This section briefly covers some advanced options for using <code>cdk-nag</code>.</p>\n<h4><a id=\"Unit_Testing_with_the_AWS_CDK_Assertions_Library_242\"></a><strong>Unit Testing with the AWS CDK Assertions Library</strong></h4>\n<p>The Annotations submodule of the AWS CDK assertions library lets you check for <code>cdk-nag</code> <code>warnings</code> and <code>errors</code> without AWS credentials by integrating a NagPack into your application unit tests. Read this post for further information about the AWS CDK assertions module. The following is an example of using assertions with a TypeScript AWS CDK application and Jest for unit testing.</p>\n<p>TypeScript</p>\n<pre><code class=\"lang-\">import { Annotations, Match } from 'aws-cdk-lib/assertions';\nimport { App, Aspects, Stack } from 'aws-cdk-lib';\nimport { AwsSolutionsChecks } from 'cdk-nag';\nimport { CdkTestStack } from '../lib/cdk_test-stack';\n\ndescribe('cdk-nag AwsSolutions Pack', () => {\n  let stack: Stack;\n  let app: App;\n  // In this case we can use beforeAll() over beforeEach() since our tests\n  // do not modify the state of the application.\n  beforeAll(() => {\n    // GIVEN\n    app = new App();\n    stack = new CdkTestStack(app, 'test');\n\n    // WHEN\n    Aspects.of(stack).add(new AwsSolutionsChecks());\n  });\n\n  // THEN\n  test('No unsuppressed Warnings', () => {\n    const warnings = Annotations.fromStack(stack).findWarning(\n      '*',\n      Match.stringLikeRegexp('AwsSolutions-.*')\n    );\n    expect(warnings).toHaveLength(0);\n  });\n\n  test('No unsuppressed Errors', () => {\n    const errors = Annotations.fromStack(stack).findError(\n      '*',\n      Match.stringLikeRegexp('AwsSolutions-.*')\n    );\n    expect(errors).toHaveLength(0);\n  
});\n});\n</code></pre>\n<p>Additionally, many testing frameworks include <code>watch</code> functionality. This is a background process that reruns all of the tests when files in your project have changed for fast feedback. For example, when using the AWS CDK in JavaScript/TypeScript, you can use the Jest CLI watch commands. When Jest watch detects a file change, it attempts to run unit tests related to the changed file. This can be used to automatically run cdk-nag-related tests when making changes to your AWS CDK application.</p>\n<h3><a id=\"CDK_Watch_289\"></a><strong>CDK Watch</strong></h3>\n<p>When developing in non-production environments, consider using AWS CDK Watch with a NagPack for fast feedback. AWS CDK Watch attempts to synthesize and then deploy changes whenever you save changes to your files. Aspects are run during synthesis. Therefore, any NagPacks applied to your application will also run on save. As in the walkthrough, all of the unsuppressed <code>errors</code> will prevent deployments, all of the messages will be output to the console, and all of the compliance reports will be generated. Read this <a href=\"https://aws.amazon.com/blogs/developer/increasing-development-speed-with-cdk-watch/\" target=\"_blank\">post</a> for further information about AWS CDK Watch.</p>\n<h3><a id=\"Conclusion_292\"></a><strong>Conclusion</strong></h3>\n<p>In this post, you learned how to use <code>cdk-nag</code> in your AWS CDK applications. To learn more about using <code>cdk-nag</code> in your applications, check out the <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/README.md\" target=\"_blank\">README</a> in the GitHub Repository. If you would like to learn how to create your own rules and NagPacks, then check out the <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md\" target=\"_blank\">developer documentation</a>. 
The repository is open source and welcomes <a href=\"https://github.com/cdklabs/cdk-nag/blob/main/CONTRIBUTING.md\" target=\"_blank\">community contributions and feedback</a>.</p>\n<h4><a id=\"Author_295\"></a><strong>Author:</strong></h4>\n<p><img src=\"https://dev-media.amazoncloud.cn/20ffdab8cc6e47c8879000f36e0eb547_image.png\" alt=\"image.png\" /></p>\n<p><strong>Arun Donti</strong><br />\nArun Donti is a Senior Software Engineer with Twitch. He loves working on building automated processes and tools that enable builders and organizations to focus on and deliver their mission critical needs. You can find him on <a href=\"https://github.com/dontirun\" target=\"_blank\">GitHub</a>.</p>\n"}