- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
Hi JessDL,
It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]
You can add this to your pipeline too for automated scanning of code. [3]
References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag
Thanks,
Atul
Hi,
Re. best practices, other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really show how to do it best
See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/
For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.
Best,
Didier
Contenuto pertinente
AWS UFFICIALEAggiornata un anno fa- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata un anno fa