Level-Up Your AWS CDK Game: Shift Left Security Unveiled!

The benefits of Infrastructure as Code (IaC) are well known, and rapid infrastructure deployment is one of the biggest. Paradoxically, IaC can also contribute to slower deployment cycles.

Infrastructure security and compliance issues are what slow down deployment cycles when using IaC.

In this blog I show how to implement security and compliance checks, i.e. Shift Left DevSecOps practices, during the infrastructure development phase to achieve security by design. This reduces the risk of cloud infrastructure misconfigurations and leads to a faster deployment phase for CDK applications, using CDK together with a policy validation plugin called Keeping Infrastructure as Code Secure (KICS).

Prerequisites

  • Access to AWS account.
  • Prior experience of working with CDK.
  • Understanding how CDK works.

Tools used

Programming language

  • Javascript/Typescript

Before jumping right into the usage of the plugin, I would like to explain how this approach to Shift Left with CDK came into existence.

About CDK KICS plugin

  • An amazing plugin which reads the synthesized CloudFormation template and checks it for security issues and infrastructure misconfigurations.
  • I like it because it tells the exact location of the resource in the CDK code and gives a how-to-fix link, which saves so much time.
  • Super easy to set up in a CDK application.

How is it possible to achieve validation using CDK?

  • Running a static code analysis tool against CloudFormation templates during synthesis has been possible since April 3rd, 2023 with this update.

  • In very simple terms, this update means the following:

The AWS Cloud Development Kit (CDK) now facilitates developers in validating Infrastructure as Code (IaC) templates against policy-as-code tools throughout the development process.

This integration ensures prompt detection and resolution of security or configuration issues aligned with organizational policies.

Once the CDK application synthesizes the template, the plugin automatically triggers validation against policies, presenting a detailed report with compliance status and actionable insights for any detected misconfigurations.

Let's see some security with CDK in action

  • To keep the blog simple, I will be creating a CDK application (infrastructure) from the CDK workshop by AWS, which can easily be replicated and followed along even by first-time users of CDK.

Create a new Typescript CDK project

cdk init sample-app --language typescript

Note: I won't be explaining the project structure as this information is provided in the workshop.

Install the KICS plugin to your CDK application

npm install @checkmarx/cdk-validator-kics
  • This will automatically modify the package.json file.

Enable the KICS plugin in your CDK application

  • To use the plugin we need to add it to the CDK app.
  • In the /bin/<directory-name>.ts file of this project, modify the App construct of the CDK application:
const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator()],
});
  • The final code for the entry point of the CDK application will look like the following:

#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { CdkLeftShiftStack } from '../lib/cdk-left-shift-stack';
import { KicsValidator, QueryCategory, Severity } from "@checkmarx/cdk-validator-kics/lib/plugin";

const app = new cdk.App({
    policyValidationBeta1: [new KicsValidator()],
});
new CdkLeftShiftStack(app, 'CdkLeftShiftStack');


Important Note

The example in the AWS blog produces an error:

import { KicsValidator } from '@checkmarx/cdk-validator-kics/lib/plugin';

const app = new App({
  validationPluginsBeta1: [
    new KicsValidator(),
  ],
});

Object literal may only specify known properties, and 'validationPluginsBeta1' does not exist in type 'AppProps'.
  • The property that does exist is policyValidationBeta1, which is the one used in this blog to illustrate the KICS plugin.

  • I have mentioned this to the relevant authors of the blog and hopefully it will be fixed soon.

Add an S3 bucket to the stack

  • Add an S3 bucket to the stack to observe more findings from KICS.

new s3.Bucket(this, 'MyFirstBucket');

  • The final code for the stack of the CDK application will look like the following:
import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';
import * as subs from 'aws-cdk-lib/aws-sns-subscriptions';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class CdkLeftShiftStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    new s3.Bucket(this, 'MyFirstBucket');

    const queue = new sqs.Queue(this, 'CdkLeftShiftQueue', {
      visibilityTimeout: Duration.seconds(300)
    });

    const topic = new sns.Topic(this, 'CdkLeftShiftTopic');

    topic.addSubscription(new subs.SqsSubscription(queue));
  }
}

Run cdk synth

cdk deploy --profile cicd

  • Upon running cdk synth (cdk deploy synthesizes first, so it triggers the plugin as well) the plugin will run its checks against the generated CloudFormation template.

  • We can easily see that the KICS plugin has identified configuration and security issues and grouped them into HIGH, MEDIUM and LOW severity.

  • We can also see that because KICS reported a failure, it did not allow CDK to deploy the resources with these security issues and misconfigurations. This is the Shift Left principle in action, leading to a secure cloud infrastructure deployment process.


Validation Report
-----------------

╔═══════════════════════════════════════╗
║             Plugin Report             ║
║   Plugin: kics-cdk-validator-plugin   ║
║   Version: N/A                        ║
║   Status: failure                     ║
╚═══════════════════════════════════════╝


(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501

  Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  Rule Metadata: 
        Category: Encryption
        QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501.Properties

  Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
  How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
  Rule Metadata: 
        Category: Encryption
        QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

S3 Bucket Should Have Bucket Policy (1 occurrences)
Severity: MEDIUM

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501

  Description: Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  Rule Metadata: 
        Category: Insecure Defaults
        QueryId: 37fa8188-738b-42c8-bf82-6334ea567738

SQS With SSE Disabled (1 occurrences)
Severity: MEDIUM

  Occurrences:

    - Construct Path: CdkLeftShiftStack/CdkLeftShiftQueue/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  CdkLeftShiftQueue (CdkLeftShiftStack/CdkLeftShiftQueue)
                  │ Construct: aws-cdk-lib.aws_sqs.Queue
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/CdkLeftShiftQueue/Resource)
                       │ Construct: aws-cdk-lib.aws_sqs.CfnQueue
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: CdkLeftShiftQueue1CF96D0B
    - Template Locations:
      > Resources.CdkLeftShiftQueue1CF96D0B.Properties

  Description: Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid
  Rule Metadata: 
        Category: Encryption
        QueryId: 12726829-93ed-4d51-9cbe-13423f4299e1

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

  Occurrences:

    - Construct Path: N/A
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
                Construct trace not available. Rerun with `--debug` to see trace information
    - Resource ID: n/a
    - Template Locations:
      > Resources

  Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
  How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
  Rule Metadata: 
        Category: Best Practices
        QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝

Validation failed. See the validation report above for details

Subprocess exited with error 1
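To make concrete what a policy-as-code pass over the synthesized template actually does, here is an added example (not code from this post and not the KICS plugin's own implementation): a small TypeScript checker with simplified stand-ins for four of the queries in the report above, run over a hand-constructed template that mirrors the post's stack and over a hardened version of the same resources. The rule logic, the scanTemplate function and both template objects are assumptions written for illustration; only the logical IDs and rule titles are taken from the report.

```typescript
// Added example: a minimal "policy-as-code" scan over a CloudFormation template,
// in the spirit of what the KICS plugin does after `cdk synth`. The rules are
// simplified stand-ins, not the KICS query definitions.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

export type Severity = "HIGH" | "MEDIUM" | "LOW";
export interface Finding { rule: string; severity: Severity; resourceId: string; }

// One rule inspects a single resource, with the whole template available for
// cross-resource checks (e.g. "is there a bucket policy for this bucket?").
interface Rule {
  name: string;
  severity: Severity;
  appliesTo: string;
  violates: (id: string, res: CfnResource, tpl: CfnTemplate) => boolean;
}

// In a synthesized template a bucket policy points at its bucket via { Ref: "<logicalId>" }.
function findBucketPolicy(bucketId: string, tpl: CfnTemplate): CfnResource | undefined {
  return Object.keys(tpl.Resources)
    .map((k) => tpl.Resources[k])
    .find((r) => r.Type === "AWS::S3::BucketPolicy" && r.Properties?.Bucket?.Ref === bucketId);
}

// Transport security is enforced by a Deny statement conditioned on aws:SecureTransport=false.
function hasSecureTransportDeny(bucketId: string, tpl: CfnTemplate): boolean {
  const statements: any[] = findBucketPolicy(bucketId, tpl)?.Properties?.PolicyDocument?.Statement ?? [];
  return statements.some(
    (s) => s.Effect === "Deny" && s.Condition?.Bool?.["aws:SecureTransport"] === "false",
  );
}

const rules: Rule[] = [
  { name: "S3 Bucket Without Server-side-encryption", severity: "HIGH", appliesTo: "AWS::S3::Bucket",
    violates: (_id, res) => !res.Properties?.BucketEncryption },
  { name: "S3 Bucket Without SSL In Write Actions", severity: "HIGH", appliesTo: "AWS::S3::Bucket",
    violates: (id, _res, tpl) => !hasSecureTransportDeny(id, tpl) },
  { name: "S3 Bucket Should Have Bucket Policy", severity: "MEDIUM", appliesTo: "AWS::S3::Bucket",
    violates: (id, _res, tpl) => !findBucketPolicy(id, tpl) },
  { name: "SQS With SSE Disabled", severity: "MEDIUM", appliesTo: "AWS::SQS::Queue",
    violates: (_id, res) => !res.Properties?.KmsMasterKeyId && res.Properties?.SqsManagedSseEnabled !== true },
];

// Run every applicable rule over every resource and collect the violations.
export function scanTemplate(tpl: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    for (const rule of rules) {
      if (rule.appliesTo === res.Type && rule.violates(id, res, tpl)) {
        findings.push({ rule: rule.name, severity: rule.severity, resourceId: id });
      }
    }
  }
  return findings;
}

// Constructed: roughly what the post's stack synthesizes to (logical IDs as in the report).
export const insecureTemplate: CfnTemplate = {
  Resources: {
    MyFirstBucketB8884501: { Type: "AWS::S3::Bucket" },
    CdkLeftShiftQueue1CF96D0B: { Type: "AWS::SQS::Queue", Properties: { VisibilityTimeout: 300 } },
  },
};

// Constructed: the same resources after applying the fixes the report's links describe.
export const hardenedTemplate: CfnTemplate = {
  Resources: {
    MyFirstBucketB8884501: {
      Type: "AWS::S3::Bucket",
      Properties: {
        BucketEncryption: {
          ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }],
        },
      },
    },
    MyFirstBucketPolicy: {
      Type: "AWS::S3::BucketPolicy",
      Properties: {
        Bucket: { Ref: "MyFirstBucketB8884501" },
        PolicyDocument: {
          Statement: [{
            Effect: "Deny", Principal: "*", Action: "s3:*",
            Resource: [{ "Fn::GetAtt": ["MyFirstBucketB8884501", "Arn"] }],
            Condition: { Bool: { "aws:SecureTransport": "false" } },
          }],
        },
      },
    },
    CdkLeftShiftQueue1CF96D0B: {
      Type: "AWS::SQS::Queue",
      Properties: { VisibilityTimeout: 300, SqsManagedSseEnabled: true },
    },
  },
};
```

scanTemplate(insecureTemplate) yields the two HIGH and two MEDIUM findings that correspond to the S3 and SQS entries in the report, while scanTemplate(hardenedTemplate) yields none. In CDK terms the hardened template is what `new s3.Bucket(this, 'MyFirstBucket', { enforceSSL: true, encryption: s3.BucketEncryption.S3_MANAGED })` (enforceSSL emits the aws:SecureTransport deny statement as a bucket policy) and `new sqs.Queue(this, 'CdkLeftShiftQueue', { encryption: sqs.QueueEncryption.SQS_MANAGED })` synthesize to; the plugin's job is to tell you which of those properties you forgot before anything is deployed.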

What else can we do with KICS?

Disable Categories, Individual Queries

  • If the previous report contains a finding we want to disable, there are two options: disable it as a category or as an individual query.

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

  Occurrences:

    - Construct Path: N/A
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
                Construct trace not available. Rerun with `--debug` to see trace information
    - Resource ID: n/a
    - Template Locations:
      > Resources

  Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
  How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
  Rule Metadata: 
        Category: Best Practices
        QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

  • To disable the above finding by category (Best Practices), add the following code:

const app = new cdk.App({
    policyValidationBeta1: [new KicsValidator({
        excludeCategories: [QueryCategory.BEST_PRACTICES]
    })],
});

  • To disable the same finding by QueryId (8d29754a-2a18-460d-a1ba-9509f8d359da), add the following code:

const app = new cdk.App({
    policyValidationBeta1: [new KicsValidator({
        excludeQueries: ['8d29754a-2a18-460d-a1ba-9509f8d359da']
    })],
});

  • After adding the above code we can observe that IAM Access Analyzer Not Enabled (1 occurrences) is excluded from the final report.

Validation Report
-----------------

╔═══════════════════════════════════════╗
║             Plugin Report             ║
║   Plugin: kics-cdk-validator-plugin   ║
║   Version: N/A                        ║
║   Status: failure                     ║
╚═══════════════════════════════════════╝


(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501

  Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  Rule Metadata: 
        Category: Encryption
        QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501.Properties

  Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
  How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
  Rule Metadata: 
        Category: Encryption
        QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

S3 Bucket Should Have Bucket Policy (1 occurrences)
Severity: MEDIUM

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501

  Description: Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  Rule Metadata: 
        Category: Insecure Defaults
        QueryId: 37fa8188-738b-42c8-bf82-6334ea567738

SQS With SSE Disabled (1 occurrences)
Severity: MEDIUM

  Occurrences:

    - Construct Path: CdkLeftShiftStack/CdkLeftShiftQueue/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  CdkLeftShiftQueue (CdkLeftShiftStack/CdkLeftShiftQueue)
                  │ Construct: aws-cdk-lib.aws_sqs.Queue
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/CdkLeftShiftQueue/Resource)
                       │ Construct: aws-cdk-lib.aws_sqs.CfnQueue
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: CdkLeftShiftQueue1CF96D0B
    - Template Locations:
      > Resources.CdkLeftShiftQueue1CF96D0B.Properties

  Description: Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid
  Rule Metadata: 
        Category: Encryption
        QueryId: 12726829-93ed-4d51-9cbe-13423f4299e1

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝

Validation failed. See the validation report above for details


Exclude based on Severity

  • KICS queries can fall under 5 different severities: high, medium, low, info, and trace.

  • Let's say we want to remove the MEDIUM severity from the report (only as an example; not advised for production systems).

  • Add the following to the KICS configuration:

const app = new cdk.App({
    policyValidationBeta1: [new KicsValidator({
        excludeSeverities: [Severity.MEDIUM],
    })],
});

  • The report after the above configuration only contains HIGH and LOW severity issues.

Validation Report
-----------------

╔═══════════════════════════════════════╗
║             Plugin Report             ║
║   Plugin: kics-cdk-validator-plugin   ║
║   Version: N/A                        ║
║   Status: failure                     ║
╚═══════════════════════════════════════╝


(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501

  Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
  How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
  Rule Metadata: 
        Category: Encryption
        QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

  Occurrences:

    - Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
        └──  CdkLeftShiftStack (CdkLeftShiftStack)
             │ Construct: aws-cdk-lib.Stack
             │ Library Version: 2.132.1
             │ Location: Run with '--debug' to include location info
             └──  MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
                  │ Construct: aws-cdk-lib.aws_s3.Bucket
                  │ Library Version: 2.132.1
                  │ Location: Run with '--debug' to include location info
                  └──  Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                       │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                       │ Library Version: 2.132.1
                       │ Location: Run with '--debug' to include location info
    - Resource ID: MyFirstBucketB8884501
    - Template Locations:
      > Resources.MyFirstBucketB8884501.Properties

  Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
  How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
  Rule Metadata: 
        Category: Encryption
        QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

  Occurrences:

    - Construct Path: N/A
    - Template Path: cdk.out/CdkLeftShiftStack.template.json
    - Creation Stack:
                Construct trace not available. Rerun with `--debug` to see trace information
    - Resource ID: n/a
    - Template Locations:
      > Resources

  Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
  How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
  Rule Metadata: 
        Category: Best Practices
        QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝


Don't fail the execution

  • This option is most likely to be used once you have decided the policy on what to exclude and what to include after reviewing its merits and demerits.

  • The last option is used to list the severities which should cause the execution to fail. By default, this is set to [Severity.HIGH, Severity.MEDIUM].

  • In our case I just want it to deploy the resources irrespective of the severities.

const app = new cdk.App({
    policyValidationBeta1: [new KicsValidator({
        failureSeverities: [],
    })],
});

  • With this configuration cdk deploy will set the report status to success and continue to deploy the resources.
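The three configuration sections above (excluding by category or query, excluding by severity, and choosing which severities fail the run) interact in a way that is easy to get wrong: an excluded finding never reaches the failure gate, while a finding whose severity is merely not in failureSeverities is still reported. The following added example (not the KICS plugin's source code) models that interaction in plain TypeScript over the five findings from the report. The option names and the default failureSeverities are the ones shown in the post; the enum members other than QueryCategory.BEST_PRACTICES and Severity.MEDIUM, and the filtering functions themselves, are assumptions written for illustration.

```typescript
// Added example: a model of how the KicsValidator options on this page combine.
// Not the plugin's implementation; written to illustrate the semantics.

export enum Severity { HIGH = "HIGH", MEDIUM = "MEDIUM", LOW = "LOW", INFO = "INFO", TRACE = "TRACE" }

// Category names match the "Category:" lines in the report; member names are assumed.
export enum QueryCategory {
  ENCRYPTION = "Encryption",
  INSECURE_DEFAULTS = "Insecure Defaults",
  BEST_PRACTICES = "Best Practices",
}

export interface Finding { title: string; severity: Severity; category: QueryCategory; queryId: string; }

export interface ValidatorOptions {
  excludeCategories?: QueryCategory[];
  excludeQueries?: string[];
  excludeSeverities?: Severity[];
  failureSeverities?: Severity[]; // default [HIGH, MEDIUM] as stated in the post
}

const DEFAULT_FAILURE_SEVERITIES: Severity[] = [Severity.HIGH, Severity.MEDIUM];

// Drop findings the configuration says to ignore; everything left is printed in the report.
export function applyExclusions(findings: Finding[], opts: ValidatorOptions = {}): Finding[] {
  const cats = new Set<QueryCategory>(opts.excludeCategories ?? []);
  const queries = new Set<string>(opts.excludeQueries ?? []);
  const sevs = new Set<Severity>(opts.excludeSeverities ?? []);
  return findings.filter(
    (f) => !cats.has(f.category) && !queries.has(f.queryId) && !sevs.has(f.severity),
  );
}

// The plugin status gates cdk deploy: "failure" blocks the deployment, "success" lets it proceed.
// Only findings that survive the exclusions are considered, and only those whose severity is
// listed in failureSeverities can fail the run. failureSeverities: [] can never fail.
export function validationStatus(findings: Finding[], opts: ValidatorOptions = {}): "success" | "failure" {
  const failOn = new Set<Severity>(opts.failureSeverities ?? DEFAULT_FAILURE_SEVERITIES);
  const reported = applyExclusions(findings, opts);
  return reported.some((f) => failOn.has(f.severity)) ? "failure" : "success";
}

// Constructed from the five violations in the first report above.
export const reportFindings: Finding[] = [
  { title: "S3 Bucket Without SSL In Write Actions", severity: Severity.HIGH,
    category: QueryCategory.ENCRYPTION, queryId: "38c64e76-c71e-4d92-a337-60174d1de1c9" },
  { title: "S3 Bucket Without Server-side-encryption", severity: Severity.HIGH,
    category: QueryCategory.ENCRYPTION, queryId: "b2e8752c-3497-4255-98d2-e4ae5b46bbf5" },
  { title: "S3 Bucket Should Have Bucket Policy", severity: Severity.MEDIUM,
    category: QueryCategory.INSECURE_DEFAULTS, queryId: "37fa8188-738b-42c8-bf82-6334ea567738" },
  { title: "SQS With SSE Disabled", severity: Severity.MEDIUM,
    category: QueryCategory.ENCRYPTION, queryId: "12726829-93ed-4d51-9cbe-13423f4299e1" },
  { title: "IAM Access Analyzer Not Enabled", severity: Severity.LOW,
    category: QueryCategory.BEST_PRACTICES, queryId: "8d29754a-2a18-460d-a1ba-9509f8d359da" },
];

// Walk through the configurations used in the post and report the outcome of each.
export function summarize(): Record<string, string> {
  const cases: Record<string, ValidatorOptions> = {
    "defaults": {},
    "excludeCategories BEST_PRACTICES": { excludeCategories: [QueryCategory.BEST_PRACTICES] },
    "excludeSeverities MEDIUM": { excludeSeverities: [Severity.MEDIUM] },
    "failureSeverities []": { failureSeverities: [] },
  };
  const out: Record<string, string> = {};
  for (const name of Object.keys(cases)) {
    const remaining = applyExclusions(reportFindings, cases[name]).length;
    out[name] = `${remaining} reported, status ${validationStatus(reportFindings, cases[name])}`;
  }
  return out;
}
```

Two consequences worth noticing when choosing a policy: excluding MEDIUM still leaves the two HIGH findings, so the run still fails; and with failureSeverities: [] the report lists all five findings yet the status is success, which is exactly why the post recommends that option only after the exclusion policy has been reviewed.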

From DevSecOps Perspective

  • The support to validate IaC templates against policy-as-code tools has further increased the trust in IaC by enabling Security first and compliance practice during CDK application development cycles.
  • By verifying compliance with organizational policies at the early stages of development, the teams can enhance the success rate of the deployment phase for their CDK applications.
  • There will be many tools and plugins leveraging this feature to further enhance the DevSecOps Shift Left principles for IaC, and they will not be limited to just KICS, Open Policy Agent (OPA), CfnGuardValidator, Checkov, etc.

  • No doubt, these tools are still young and many features are still in the experimental phase but at least we have a starting point to implement Shift Left practices into IaC.

I would be happy to know what kind of tools the community is using for their IaC with AWS CDK to take a security and compliance first approach.

Top comments (4)

Tomasz Szuster

Hey,

Thx for your article, I'm wondering what your opinion is about cdk-nag?

github.com/cdklabs/cdk-nag

Checkmarx product and cdk-nag are doing the same, I think.

Jatin Mehrotra

Hello @airmonitor

Thank you for reading my blog and sharing your views. Yes, they are doing a similar thing; I haven't used cdk-nag. Will give it a try.

But to answer your question, syntactically I prefer the Checkmarx plugin more as it is easy to use and operate, plus the way it generates reports is far better than cdk-nag IMO.

One difference which I could see is:

  • how to suppress errors, which again is operationally far easier and better in the Checkmarx plugin.

I am giving these views on the basis of this blog by AWS: aws.amazon.com/blogs/devops/manage...

Felix Berman

@jatinmehrotra An awesome deep dive into the KICS CDK validation plugin! Also, thank you for pointing out the issue with the code example in my blog - I'll update it shortly.

Jatin Mehrotra

@felixbrm Thank you for introducing this amazing plugin in the first place. In this deep dive, I was able to test many breaking edge cases which I will open in the KICS GitHub soon.

I am glad my blog was helpful.