cloud formation template Sec

0

Good morning team,

The security team mandates scanning our CDK code for security measures to avoid deploying potentially harmful code.

Do you have recommendations or best practices for tools that facilitate scanning CloudFormation templates and CDK code and integrate it into our pipeline (BuildSpec)?

Thank you!

2 Answers
2

Hi JessDL,

It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]

You can add this to your pipeline too for automated scanning of code. [3]

References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag

Thanks,
Atul

profile picture
answered 10 months ago
profile pictureAWS
EXPERT
reviewed 10 months ago
0

Hi,

Re. best practices, other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really show how to do it best

See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/

For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.

Best,

Didier

profile pictureAWS
EXPERT
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions