- 最新
- 最多得票
- 最多評論
Hi JessDL,
It's a good practice to use Security Scan Tools like cdk-nag [1], which is inspired by cfn-nag, or cfn-nag itself too.
You can find a best practices recommendation for scanning tools here: [2]
You can add this to your pipeline too for automated scanning of code. [3]
References:
[1] https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
[2] https://docs.aws.amazon.com/prescriptive-guidance/latest/best-practices-cdk-typescript-iac/security-formatting-best-practices.html#common-dev-tools
[3] https://github.com/aws-samples/aws-cdk-iac-pipeline-with-cfn-nag
Thanks,
Atul
Hi,
Re. best practices, other response by IBAtulAnand is very correct. But, on top, you may want to go one step further: this article really show how to do it best
See https://xebia.com/blog/cdk-pipelines-and-cloudformation-linting/
For example, it recommends the use of CodeCommit (i.e. git) to archive the different versions of the CFN templates generated by CDK so that you get full auditability and can see changes easily via git diff.
Best,
Didier
相關內容
- 已提問 10 個月前
AWS 官方已更新 2 年前
