- Más nuevo
- Más votos
- Más comentarios
Hi JessDL,
It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]
You can add this to your pipeline too for automated scanning of code. [3]
References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag
Thanks,
Atul
Hi,
Re. best practices, other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really show how to do it best
See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/
For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.
Best,
Didier
Contenido relevante
OFICIAL DE AWSActualizada hace 2 años- OFICIAL DE AWSActualizada hace un año