- 新しい順
- 投票が多い順
- コメントが多い順
Hi JessDL,
It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]
You can add this to your pipeline too for automated scanning of code. [3]
References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag
Thanks,
Atul
Hi,
Re. best practices, other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really show how to do it best
See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/
For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.
Best,
Didier
関連するコンテンツ
AWS公式更新しました 2年前
