Hi JessDL,
It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]
You can add this to your pipeline too for automated scanning of code. [3]
References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag
Thanks,
Atul
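As an added illustration of the pipeline step Atul's answer points to (this is not code from the answer or from the linked sample repo): a small Python gate that consumes the JSON report from `cfn_nag_scan --output-format json` (report shape assumed from the tool's output; the sample below is constructed), fails the build on any FAIL finding that is not covered by a documented per-resource suppression, and lists WARN findings without blocking.

```python
import json
import sys

# Constructed sample of a `cfn_nag_scan --output-format json --input-path cdk.out`
# report (shape assumed): one synthesized template with one FAIL and one WARN.
SAMPLE_REPORT = json.dumps([
    {
        "filename": "cdk.out/MyStack.template.json",
        "file_results": {
            "failure_count": 1,
            "violations": [
                {"id": "F1000", "type": "FAIL",
                 "message": "Missing egress rule means all traffic is allowed outbound.",
                 "logical_resource_ids": ["AppSg1234ABCD"], "line_numbers": [42]},
                {"id": "W35", "type": "WARN",
                 "message": "S3 Bucket should have access logging configured",
                 "logical_resource_ids": ["LogsBucket5678EFGH"], "line_numbers": [17]},
            ],
        },
    }
])

# Suppressions name rule, resource and reason, so every exception is
# reviewable in git history instead of being a silent global skip (constructed).
SUPPRESSIONS = [
    {"id": "W35", "resource": "LogsBucket5678EFGH",
     "reason": "this bucket is the access-log target itself (reviewed exception)"},
]


def is_suppressed(violation, resource, suppressions):
    return any(s["id"] == violation["id"] and s["resource"] == resource
               for s in suppressions)


def evaluate(report_json, suppressions):
    """Return (blocking, warnings): lists of 'file:resource rule message' strings."""
    blocking, warnings = [], []
    for entry in json.loads(report_json):
        fname = entry["filename"]
        for v in entry["file_results"]["violations"]:
            for res in v["logical_resource_ids"]:
                if is_suppressed(v, res, suppressions):
                    continue
                line = f"{fname}:{res} {v['id']} {v['message']}"
                (blocking if v["type"] == "FAIL" else warnings).append(line)
    return blocking, warnings


if __name__ == "__main__":
    # Pipeline usage: cfn_nag_scan --output-format json --input-path cdk.out | python gate.py
    src = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    fails, warns = evaluate(src, SUPPRESSIONS)
    for w in warns:
        print("WARN", w)
    for f in fails:
        print("FAIL", f)
    sys.exit(1 if fails else 0)
```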
Hi,
Re. best practices, the other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really shows how to do it best.
See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/
For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.
Best,
Didier