This is a stable example. It should successfully build out of the box.
This example is built on Construct Libraries marked "Stable" and does not have any infrastructure prerequisites to build.
To get security-oriented CDK deployments, run cdk-nag against your stacks: it evaluates the synthesized resources against rule packs such as AwsSolutions and stops synthesis with "Found errors" while findings remain unaddressed.
When using cdk-nag, you are likely to see security findings caused by default CDK behavior. In this example you will learn how to handle a common scenario: giving a Lambda function a dedicated IAM role with a customer managed policy, and adding nag suppressions, each with a documented justification, for the findings that remain.
To build this app, you need to be in this example's root folder. Then run the following:

```bash
$ python3 -m venv .env
$ source .env/bin/activate
$ pip install -r requirements.txt
```

This example was written and run with CDK==2.87.
Defining a Lambda function without a decoupled, explicitly created role (so the CDK synthesizes a ServiceRole for you) attaches the AWS managed policy AWSLambdaBasicExecutionRole, which cdk-nag reports as AwsSolutions-IAM4. The same run also reports the runtime check AwsSolutions-L1:

```
[Error at /LambdaNagExampleStack/lambda-nag-func-example/ServiceRole/Resource] AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]: The IAM user, role, or group uses AWS managed policies. An AWS managed policy is a standalone policy that is created and administered by AWS. Currently, many AWS managed policies do not restrict resource scope. Replace AWS managed policies with system specific (customer) managed policies.
This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'Policy::<policy>' for AWS managed policies. Example: appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/foo'].

[Error at /LambdaNagExampleStack/lambda-nag-func-example/Resource] AwsSolutions-L1: The non-container Lambda function is not configured to use the latest runtime version. Use the latest available runtime for the targeted language to avoid technical debt. Runtimes specific to a language or framework version are deprecated when the version reaches end of life. This rule only applies to non-container Lambda functions.

Found errors
```
Once the function has its own role and a customer managed policy, cdk-nag moves on to the policy statements themselves: a wildcard (here `Resource::*`) raises AwsSolutions-IAM5. If the wildcard is genuinely necessary, keep it and add a nag suppression for that specific finding, using `appliesTo` (`applies_to` in Python) and a reason that documents the justification; that metadata is the evidence the rule asks for. If it is not necessary, scope the resource ARN down instead. Until one of those is done, the run still reports:

```
[Error at /LambdaNagExampleStack/lambda-nag-func-role-policy-example/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission. Metadata explaining the evidence (e.g. via supporting links) for wildcard permissions allows for transparency to operators. This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'Action::<action>' for policy actions and 'Resource::<resource>' for resources. Example: appliesTo: ['Action::s3:*'].

[Error at /LambdaNagExampleStack/lambda-nag-func-example/Resource] AwsSolutions-L1: The non-container Lambda function is not configured to use the latest runtime version. Use the latest available runtime for the targeted language to avoid technical debt. Runtimes specific to a language or framework version are deprecated when the version reaches end of life. This rule only applies to non-container Lambda functions.

Found errors
```

The AwsSolutions-L1 finding is independent of the IAM changes: it goes away once the function is configured with the latest available runtime for its language.
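The following is an added example, not code from this repository or from cdk-nag, that reproduces offline and in plain Python what the two runs above are checking. It scans a synthesized CloudFormation template for the AWS managed policy attachment behind AwsSolutions-IAM4 and the wildcard behind AwsSolutions-IAM5, and it honours a suppression only when the resource's `cdk_nag` metadata names the rule, covers the finding through `applies_to`, and carries a reason. The logical IDs `FuncServiceRole`, `FuncRole` and `FuncRolePolicy`, the two sample templates and the suppression reason are constructed for the example, and the rule logic is a simplified approximation of cdk-nag's, not its implementation.

```python
"""Offline re-implementation of the two cdk-nag findings shown above.

Added example, not part of this repository or of cdk-nag. It walks a synthesized
CloudFormation template (the JSON `cdk synth` writes into cdk.out) and reports
AwsSolutions-IAM4 (AWS managed policy on a role, finding 'Policy::<arn>') and
AwsSolutions-IAM5 (wildcard in an Allow statement, 'Resource::<r>' / 'Action::<a>').
A finding counts as suppressed only when the resource carries cdk_nag metadata
(the structure NagSuppressions writes) naming the rule, covering the finding via
applies_to, and giving a non-empty reason. The rule logic is a simplified
approximation of cdk-nag; the templates below are constructed, trimmed to the
properties the rules look at, and mirror the before/after states of this example.
"""
import copy

MANAGED_POLICY_MARKER = ":iam::aws:policy/"  # AWS managed policies live in the 'aws' account
IAM_PRINCIPALS = ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group")


def _as_string(value):
    """Flatten a plain string, a Ref, or an Fn::Join ARN into one string."""
    if isinstance(value, dict) and "Fn::Join" in value:
        delimiter, parts = value["Fn::Join"]
        return delimiter.join(_as_string(p) for p in parts)
    if isinstance(value, dict) and "Ref" in value:
        return f"<{value['Ref']}>"  # cdk-nag prints pseudo parameters this way
    return str(value)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_suppressed(resource, rule_id, finding):
    """True if the resource's cdk_nag metadata suppresses rule_id for this finding."""
    for entry in resource.get("Metadata", {}).get("cdk_nag", {}).get("rules_to_suppress", []):
        if entry.get("id") != rule_id or not str(entry.get("reason", "")).strip():
            continue  # different rule, or no evidence recorded: not a valid suppression
        applies_to = entry.get("applies_to")
        if applies_to is None or finding in applies_to:
            return True  # blanket suppression of the rule, or a granular match
    return False


def _policy_documents(rtype, props):
    """Yield the policy documents of a standalone policy or inline on a principal."""
    if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        yield props.get("PolicyDocument", {})
    if rtype in IAM_PRINCIPALS:
        for inline in props.get("Policies", []):
            yield inline.get("PolicyDocument", {})


def check_template(template):
    """Return [(rule_id, logical_id, finding), ...] for every unsuppressed finding."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype, props = resource.get("Type"), resource.get("Properties", {})
        if rtype in IAM_PRINCIPALS:
            for arn in map(_as_string, props.get("ManagedPolicyArns", [])):
                finding = f"Policy::{arn}"
                if MANAGED_POLICY_MARKER in arn and not _is_suppressed(resource, "AwsSolutions-IAM4", finding):
                    findings.append(("AwsSolutions-IAM4", logical_id, finding))
        for document in _policy_documents(rtype, props):
            for stmt in _as_list(document.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                wildcards = [f"Action::{a}" for a in _as_list(stmt.get("Action", [])) if "*" in a]
                wildcards += [f"Resource::{r}" for r in map(_as_string, _as_list(stmt.get("Resource", []))) if "*" in r]
                for finding in wildcards:
                    if not _is_suppressed(resource, "AwsSolutions-IAM5", finding):
                        findings.append(("AwsSolutions-IAM5", logical_id, finding))
    return findings


def add_suppression(template, logical_id, rule_id, reason, applies_to=None):
    """Attach a cdk_nag suppression the way NagSuppressions.add_resource_suppressions does."""
    result = copy.deepcopy(template)
    entry = {"id": rule_id, "reason": reason}
    if applies_to is not None:
        entry["applies_to"] = list(applies_to)
    metadata = result["Resources"][logical_id].setdefault("Metadata", {})
    metadata.setdefault("cdk_nag", {}).setdefault("rules_to_suppress", []).append(entry)
    return result


# Before (constructed): no role passed to the Function, so the CDK synthesizes a ServiceRole
# with the AWS managed AWSLambdaBasicExecutionRole policy attached.
BEFORE_TEMPLATE = {"Resources": {"FuncServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": [{"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
                                             ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]]}]}}}}

# After (constructed): a decoupled role plus a customer managed policy that still uses Resource "*".
AFTER_TEMPLATE = {"Resources": {
    "FuncRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "FuncRolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "lambda-nag-func-role-policy-example", "Roles": [{"Ref": "FuncRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}}}}}
```

`check_template(BEFORE_TEMPLATE)` returns the IAM4 finding for the synthesized ServiceRole, `check_template(AFTER_TEMPLATE)` returns the `Resource::*` IAM5 finding, and the finding disappears only after `add_suppression(AFTER_TEMPLATE, "FuncRolePolicy", "AwsSolutions-IAM5", "<your justification>", ["Resource::*"])`; a suppression with an empty reason, or one whose `applies_to` names a different finding, leaves it in place. In the real stack the same metadata is written by `NagSuppressions.add_resource_suppressions(...)` from the `cdk_nag` package, and after `cdk synth` you can `json.load` the `cdk.out/LambdaNagExampleStack.template.json` file and run `check_template` over it to compare against cdk-nag's own output.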
Run `cdk synth` first: cdk-nag evaluates the stack during synthesis, so this is where the findings above appear, and the generated CloudFormation template is written into the `cdk.out` directory for inspection.

Once the synth is clean, run `cdk deploy`. This will deploy / redeploy your stack to your AWS account.