Originally published to: makingitup.substack.com
With cdk-nag you can check your infrastructure before it is deployed, catching issues before they happen and saving you time and money.
TL;DR: Here’s a working repo with a sample configuration.
Getting Started
The steps in this tutorial assume you already have a CDK project. If you don’t, you can follow this guide from the docs or clone the sample repo linked above.
1. Install cdk-nag
npm i cdk-nag
Simple as.
2. Import and setup Rules and Packs
In your root application file, import the packs and rules you’d like applied to your infrastructure. Once imported, you hook the rules into your application by adding them as Aspects on the app or on individual stacks.
3. Output issues in flatfile formats (Optional)
It’s great that you can now check for issues, but unless you build a way to surface those issues, they will most likely be ignored.
To remedy this, you should either import the NagReportLogger provided as part of the cdk-nag project or develop your own. The logger they supply can output JSON or CSV, making it ideal for integrating with existing CI/CD systems. If this isn’t enough, they have a great guide on how to implement your own custom logger.
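The piece that turns a report into a decision is the one the post leaves to you. Here, as an added example that is not part of the original post or of cdk-nag, is a TypeScript script for CI that reads the JSON reports NagReportLogger writes into cdk.out, fails the build on any unresolved Error-level finding, and lists suppressed findings together with their reasons so reviewers see what was waived. The report field names and the -NagReport.json file suffix are assumptions about the current report schema and should be checked against your installed version; SAMPLE_REPORT is constructed data.

```typescript
// ci/nag-gate.ts: added example, not part of the original post or of cdk-nag.
import * as fs from 'fs';
import * as path from 'path';

// One report line. Field names are assumed from cdk-nag's report schema; verify them
// against the reports your version writes.
export interface NagReportLine {
  ruleId: string;
  resourceId: string;
  compliance: string;      // e.g. 'Compliant', 'Non-Compliant', 'Suppressed'
  exceptionReason: string; // reason given in NagSuppressions, or 'N/A'
  ruleLevel: string;       // 'Error' or 'Warning'
  ruleInfo: string;
}
export interface NagReport { lines: NagReportLine[]; }

export interface GateResult {
  blocking: NagReportLine[];   // Non-Compliant at Error level: fails the build
  warnings: NagReportLine[];   // Non-Compliant at Warning level: shown, not blocking
  suppressed: NagReportLine[]; // acknowledged findings, shown with their reasons
}

// Sort every line from every stack's report into the three buckets above.
export function evaluate(reports: NagReport[]): GateResult {
  const result: GateResult = { blocking: [], warnings: [], suppressed: [] };
  for (const report of reports) {
    for (const line of report.lines) {
      if (line.compliance === 'Suppressed') {
        result.suppressed.push(line);
      } else if (line.compliance === 'Non-Compliant') {
        (line.ruleLevel === 'Error' ? result.blocking : result.warnings).push(line);
      }
    }
  }
  return result;
}

// Compact, grep-able summary for the CI log; suppressed lines carry their reason.
export function render(result: GateResult): string {
  const fmt = (tag: string, l: NagReportLine): string =>
    `${tag} ${l.ruleId} ${l.resourceId}` +
    (l.exceptionReason && l.exceptionReason !== 'N/A' ? ` (${l.exceptionReason})` : '');
  const out = [
    ...result.blocking.map((l) => fmt('FAIL', l)),
    ...result.warnings.map((l) => fmt('WARN', l)),
    ...result.suppressed.map((l) => fmt('SKIP', l)),
    `${result.blocking.length} blocking, ${result.warnings.length} warnings, ${result.suppressed.length} suppressed`,
  ];
  return out.join('\n');
}

// The file-name suffix is an assumption about how NagReportLogger names its output.
export function loadReports(outDir: string): NagReport[] {
  return fs
    .readdirSync(outDir)
    .filter((f) => f.endsWith('-NagReport.json'))
    .map((f) => JSON.parse(fs.readFileSync(path.join(outDir, f), 'utf8')) as NagReport);
}

// Returns the exit code instead of calling process.exit so the gate can be exercised in tests.
export function main(outDir: string): number {
  const result = evaluate(loadReports(outDir));
  console.log(render(result));
  return result.blocking.length === 0 ? 0 : 1;
}

// Constructed sample report for offline use; resource paths, reasons and the
// 'Example-W1' rule id are made up for this example.
export const SAMPLE_REPORT: NagReport = {
  lines: [
    { ruleId: 'AwsSolutions-S1', resourceId: 'StorageStack/Uploads/Resource', compliance: 'Suppressed',
      exceptionReason: 'Access logs collected via CloudTrail data events', ruleLevel: 'Error', ruleInfo: 'The S3 Bucket has server access logs disabled.' },
    { ruleId: 'AwsSolutions-S10', resourceId: 'StorageStack/Uploads/Resource', compliance: 'Non-Compliant',
      exceptionReason: 'N/A', ruleLevel: 'Error', ruleInfo: 'The S3 Bucket or bucket policy does not require requests to use SSL.' },
    { ruleId: 'Example-W1', resourceId: 'StorageStack/Uploads/Resource', compliance: 'Non-Compliant',
      exceptionReason: 'N/A', ruleLevel: 'Warning', ruleInfo: 'Constructed warning-level rule.' },
    { ruleId: 'Example-C1', resourceId: 'StorageStack/Uploads/Resource', compliance: 'Compliant',
      exceptionReason: 'N/A', ruleLevel: 'Error', ruleInfo: 'Constructed rule that passed.' },
  ],
};

// Run as a script: `npx ts-node ci/nag-gate.ts cdk.out` (non-zero exit code on blocking findings).
if (typeof require !== 'undefined' && require.main === module) {
  process.exitCode = main(process.argv[2] || 'cdk.out');
}
```

Wire it in after `cdk synth` in the pipeline; because suppressed findings are printed with their reasons, a suppression with a weak reason is visible in the build log rather than buried in cdk.out.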
Recap
Fancy buzzwords aside, by including cdk-nag in your application you can check for potential HIPAA violations as soon as the code is written, replacing the lengthy debug cycle of
Write
Build
Deploy
Validate
with just
Write
Build
Conclusion
The savings only begin there. Out of the box cdk-nag supplies rule packs for
NIST 800-53 rev 4
NIST 800-53 rev 5
PCI DSS 3.2.1
as well as the ability to build your own.
Don’t want developers deploying g6e.24xlarge instances to run the latest LLM? You can write a rule for that. The built-in packs can deliver a large ROI for very little upfront investment, and the return from investing engineering effort in shaping what your cloud can and cannot look like is larger still.