API Reference

Classes

Name Description
AwsSolutionsChecks Check Best practices based on AWS Solutions Security Matrix.
HIPAASecurityChecks Check for HIPAA Security compliance.
NIST80053R4Checks Check for NIST 800-53 rev 4 compliance.
NIST80053R5Checks Check for NIST 800-53 rev 5 compliance.
NagPack Base class for all rule packs.
NagRules Helper class with methods for rule creation.
NagSuppressions Helper class with methods to add cdk-nag suppressions to cdk resources.
PCIDSS321Checks Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

Structs

Name Description
NagPackProps Interface for creating a Nag rule pack.
NagPackSuppression Interface for creating a rule suppression.
RegexAppliesTo A regular expression to apply to matching findings.

Interfaces

Name Description
IApplyRule Interface for JSII interoperability for passing parameters and the Rule Callback to the applyRule method.

Enums

Name Description
NagMessageLevel The level of the message that the rule applies.
NagRuleCompliance The compliance level of a resource in relation to a rule.

class AwsSolutionsChecks

Check Best practices based on AWS Solutions Security Matrix.

Implements: IAspect Extends: NagPack

Initializer

new AwsSolutionsChecks(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

class HIPAASecurityChecks

Check for HIPAA Security compliance.

Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

Implements: IAspect Extends: NagPack

Initializer

new HIPAASecurityChecks(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

class NIST80053R4Checks

Check for NIST 800-53 rev 4 compliance.

Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

Implements: IAspect Extends: NagPack

Initializer

new NIST80053R4Checks(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

class NIST80053R5Checks

Check for NIST 800-53 rev 5 compliance.

Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

Implements: IAspect Extends: NagPack

Initializer

new NIST80053R5Checks(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

class NagPack

Base class for all rule packs.

Implements: IAspect Extended by: AwsSolutionsChecks, HIPAASecurityChecks, NIST80053R4Checks, NIST80053R5Checks, PCIDSS321Checks

Initializer

new NagPack(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Properties

Name Type Description
logIgnores boolean
packName string
readPackName string
readReportStacks Array
reportStacks Array
reports boolean
verbose boolean

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

protected applyRule(params)

Create a rule to be used in the NagPack.

protected applyRule(params: IApplyRule): void

protected createComplianceReportLine(params, ruleId, compliance, explanation?)

Helper function to create a line for the compliance report.

protected createComplianceReportLine(params: IApplyRule, ruleId: string, compliance: NagRuleCompliance | string, explanation?: string): string
  • params (IApplyRule) The rule parameters passed to applyRule.
  • ruleId (string) The id of the rule.
  • compliance (NagRuleCompliance | string) The compliance status of the rule.
  • explanation (string) The explanation for suppressed rules.

Returns:

  • string

protected createMessage(ruleId, findingId, info, explanation)

The message to output to the console when a rule is triggered.

protected createMessage(ruleId: string, findingId: string, info: string, explanation: string): string
  • ruleId (string) The id of the rule.
  • findingId (string) The id of the finding.
  • info (string) Why the rule was triggered.
  • explanation (string) Why the rule exists.

Returns:

  • string

protected ignoreRule(ignores, ruleId, findingId)

Check whether a specific rule should be ignored.

protected ignoreRule(ignores: Array<NagPackSuppression>, ruleId: string, findingId: string): string
  • ignores (Array<NagPackSuppression>) The ignores listed in cdk-nag metadata.
  • ruleId (string) The id of the rule to ignore.
  • findingId (string) The id of the finding that is being checked.

Returns:

  • string

protected initializeStackReport(params)

Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.

protected initializeStackReport(params: IApplyRule): void

protected writeToStackComplianceReport(params, ruleId, compliance, explanation?)

Write a line to the rule pack's compliance report for the resource's Stack.

protected writeToStackComplianceReport(params: IApplyRule, ruleId: string, compliance: NagRuleCompliance | string, explanation?: string): void
  • params (IApplyRule) The rule parameters passed to applyRule.
  • ruleId (string) The id of the rule.
  • compliance (NagRuleCompliance | string) The compliance status of the rule.
  • explanation (string) The explanation for suppressed rules.

class NagRules

Helper class with methods for rule creation.

Initializer

new NagRules()

Methods

static resolveIfPrimitive(node, parameter)

Use in cases where a primitive value must be known to pass a rule.

https://developer.mozilla.org/en-US/docs/Glossary/Primitive

static resolveIfPrimitive(node: CfnResource, parameter: any): any
  • node (CfnResource) The CfnResource to check.
  • parameter (any) The value to attempt to resolve.

Returns:

  • any

static resolveResourceFromInstrinsic(node, parameter)

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

static resolveResourceFromInstrinsic(node: CfnResource, parameter: any): any
  • node (CfnResource) The CfnResource to check.
  • parameter (any) The value to attempt to resolve.

Returns:

  • any

class NagSuppressions

Helper class with methods to add cdk-nag suppressions to cdk resources.

Initializer

new NagSuppressions()

Methods

static addResourceSuppressions(construct, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children.

static addResourceSuppressions(construct: IConstruct, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
  • construct (IConstruct) The IConstruct to apply the suppression to.
  • suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
  • applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).

static addResourceSuppressionsByPath(stack, path, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children via its path.

static addResourceSuppressionsByPath(stack: Stack, path: string, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
  • stack (Stack) The Stack the construct belongs to.
  • path (string) The path to the construct in the provided stack.
  • suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
  • applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).

static addStackSuppressions(stack, suppressions, applyToNestedStacks?)

Apply cdk-nag suppressions to a Stack and optionally nested stacks.

static addStackSuppressions(stack: Stack, suppressions: Array<NagPackSuppression>, applyToNestedStacks?: boolean): void
  • stack (Stack) The Stack to apply the suppression to.
  • suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the stack.
  • applyToNestedStacks (boolean) Apply the suppressions to children stacks (default:false).

class PCIDSS321Checks

Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

Implements: IAspect Extends: NagPack

Initializer

new PCIDSS321Checks(props?: NagPackProps)
  • props (NagPackProps) No description
    • logIgnores (boolean) Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
    • reports (boolean) Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
    • verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

interface IApplyRule

Interface for JSII interoperability for passing parameters and the Rule Callback to the applyRule method.

Properties

Name Type Description
explanation string Why the rule exists.
info string Why the rule was triggered.
level NagMessageLevel The annotations message level to apply to the rule if triggered.
node CfnResource The CfnResource the rule is evaluated against.
ruleSuffixOverride? string Override for the suffix of the Rule ID for this rule. Optional

Methods

rule(node)

The callback to the rule.

rule(node: CfnResource): NagRuleCompliance | Array<string>

Returns:

  • NagRuleCompliance | Array<string>: either a compliance value, or an array of finding IDs that granular appliesTo suppressions can be matched against.
struct NagPackProps

Interface for creating a Nag rule pack.

Name Type Description
logIgnores? boolean Whether or not to log triggered rules that have been suppressed as informational messages (default: false). Optional
reports? boolean Whether or not to generate CSV compliance reports for applied Stacks in the App's output directory (default: true). Optional
verbose? boolean Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional
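The reports option above is most useful when something consumes the CSV. The following is an added example, not cdk-nag's own code: a small gate that parses a compliance report and separates Error-level Non-Compliant rows (which should fail a pipeline) from Warning-level rows and from suppressed rows (which are worth listing for audit). The header layout, the "Suppressed" compliance value and the report file name `<PackName>-<StackName>-NagReport.csv` in cdk.out are assumptions based on generated reports and should be checked against your own output; the sample rows are constructed.

```typescript
// Added example (not cdk-nag's code): gate a build on the CSV compliance report.
// Assumed header layout and "Suppressed" compliance value; verify against a real report.
export interface ReportRow {
  ruleId: string;
  resourceId: string;
  compliance: string;
  exceptionReason: string;
  ruleLevel: string;
  ruleInfo: string;
}

/** Minimal RFC 4180 line parser: quoted fields, embedded commas and doubled quotes. */
export function parseCsvLine(line: string): string[] {
  const fields: string[] = [];
  let cur = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }   // escaped quote
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ",") { fields.push(cur); cur = ""; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

const EXPECTED_HEADER = ["Rule ID", "Resource ID", "Compliance", "Exception Reason", "Rule Level", "Rule Info"];

/** Parse the whole report; refuse to proceed if the header is not the assumed layout. */
export function parseReport(csv: string): ReportRow[] {
  const lines = csv.split(/\r?\n/).filter((l) => l.trim() !== "");
  const header = parseCsvLine(lines[0]);
  if (header.join("|") !== EXPECTED_HEADER.join("|")) {
    throw new Error(`unexpected report header: ${header.join(",")}`);
  }
  return lines.slice(1).map(parseCsvLine).map((f) => ({
    ruleId: f[0], resourceId: f[1], compliance: f[2], exceptionReason: f[3], ruleLevel: f[4], ruleInfo: f[5],
  }));
}

export interface GateResult { blocking: ReportRow[]; warnings: ReportRow[]; suppressed: ReportRow[] }

/** Error-level Non-Compliant rows block; Warning-level ones are reported; suppressed rows are listed for audit. */
export function gate(rows: ReportRow[]): GateResult {
  return {
    blocking: rows.filter((r) => r.compliance === "Non-Compliant" && r.ruleLevel === "Error"),
    warnings: rows.filter((r) => r.compliance === "Non-Compliant" && r.ruleLevel === "Warning"),
    suppressed: rows.filter((r) => r.compliance === "Suppressed"),
  };
}

// Constructed sample in the assumed layout (not a real generated report; rule texts paraphrased).
export const SAMPLE_REPORT = [
  '"Rule ID","Resource ID","Compliance","Exception Reason","Rule Level","Rule Info"',
  '"AwsSolutions-IAM5","Stack/Role/DefaultPolicy/Resource","Non-Compliant","N/A","Error","The IAM entity contains wildcard permissions, which are overly broad."',
  '"AwsSolutions-S1","Stack/Bucket/Resource","Non-Compliant","N/A","Warning","The S3 bucket has server access logs disabled."',
  '"AwsSolutions-IAM4","Stack/Role/Resource","Suppressed","Managed policy reviewed by security; ticket SEC-123","Error","The IAM entity uses AWS managed policies."',
  '"AwsSolutions-S10","Stack/Bucket/Resource","Compliant","N/A","Error","The S3 bucket does not require requests to use SSL."',
].join("\n");
```

In a pipeline, read each `*-NagReport.csv` from cdk.out after `cdk synth`, pass it through `parseReport` and `gate`, and exit non-zero when `blocking` is non-empty; printing `suppressed` alongside keeps exception reasons visible to reviewers instead of buried in template metadata.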

struct NagPackSuppression

Interface for creating a rule suppression.

Name Type Description
id string The id of the rule to ignore.
reason string The reason to ignore the rule (minimum 10 characters).
appliesTo? Array<string | RegexAppliesTo> Rule specific granular suppressions. Optional

struct RegexAppliesTo

A regular expression to apply to matching findings.

Name Type Description
regex string An ECMA-262 regex string.

enum NagMessageLevel

The level of the message that the rule applies.

Name Description
WARN
ERROR

enum NagRuleCompliance

The compliance level of a resource in relation to a rule.

Name Description
COMPLIANT
NON_COMPLIANT
NOT_APPLICABLE
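The pieces above fit together as follows: applyRule runs the rule callback, the callback returns a NagRuleCompliance value or a list of finding IDs, and ignoreRule decides per finding whether a NagPackSuppression (blanket, or granular through appliesTo strings and RegexAppliesTo patterns) covers it. The block below is an added, stand-alone model of that flow written for this page; it is not cdk-nag's implementation and does not depend on aws-cdk-lib. FakeResource stands in for CfnResource, the metadata key names cdk_nag / rules_to_suppress, the rule ID scheme `<packName>-<suffix>`, and treating RegexAppliesTo.regex as a bare pattern source are all assumptions of the example; the IAM policy resource is constructed.

```typescript
// Added illustrative model of applyRule / ignoreRule / NagSuppressions (not cdk-nag's code).
// Assumed: FakeResource in place of CfnResource, metadata key names, ruleId = "<packName>-<suffix>",
// and RegexAppliesTo.regex used directly as a RegExp pattern source.
export enum NagMessageLevel { WARN = "Warning", ERROR = "Error" }
export enum NagRuleCompliance { COMPLIANT = "Compliant", NON_COMPLIANT = "Non-Compliant", NOT_APPLICABLE = "N/A" }
export interface RegexAppliesTo { regex: string }
export interface NagPackSuppression {
  id: string;
  reason: string;                               // minimum 10 characters
  appliesTo?: Array<string | RegexAppliesTo>;   // granular: matched against finding IDs
}
export interface FakeResource {
  path: string;
  type: string;
  properties: Record<string, unknown>;
  metadata?: { cdk_nag?: { rules_to_suppress?: NagPackSuppression[] } };
}
export interface ApplyRuleParams {
  info: string;                 // why the rule was triggered
  explanation: string;          // why the rule exists
  level: NagMessageLevel;
  node: FakeResource;
  ruleSuffixOverride?: string;
  rule: (node: FakeResource) => NagRuleCompliance | string[];
}
export interface Message { level: NagMessageLevel | "Info"; ruleId: string; findingId: string; text: string }

// Counterpart of NagSuppressions.addResourceSuppressions: validate reasons, then attach to metadata.
export function addResourceSuppressions(node: FakeResource, suppressions: NagPackSuppression[]): void {
  for (const s of suppressions) {
    if (s.reason.length < 10) throw new Error(`suppression ${s.id}: reason must be at least 10 characters`);
  }
  const existing = node.metadata?.cdk_nag?.rules_to_suppress ?? [];
  node.metadata = { cdk_nag: { rules_to_suppress: [...existing, ...suppressions] } };
}

// Counterpart of NagPack.ignoreRule: the suppression reason if the finding is covered, else "".
export function ignoreRule(ignores: NagPackSuppression[], ruleId: string, findingId: string): string {
  for (const ignore of ignores) {
    if (ignore.id !== ruleId) continue;
    if (ignore.appliesTo === undefined) return ignore.reason;  // blanket suppression of the whole rule
    if (findingId === "") continue;                              // granular suppression needs a finding ID
    for (const target of ignore.appliesTo) {
      const hit = typeof target === "string" ? target === findingId : new RegExp(target.regex).test(findingId);
      if (hit) return ignore.reason;
    }
  }
  return "";
}

// Counterpart of NagPack.applyRule: one message per unsuppressed finding, plus an Info message
// per suppressed finding when logIgnores is set.
export function applyRule(packName: string, params: ApplyRuleParams, logIgnores = false): Message[] {
  const suffix = params.ruleSuffixOverride ?? (params.rule as unknown as { name?: string }).name ?? "Rule";
  const ruleId = `${packName}-${suffix}`;
  const ignores = params.node.metadata?.cdk_nag?.rules_to_suppress ?? [];
  const result = params.rule(params.node);
  const findings: string[] = Array.isArray(result) ? result : result === NagRuleCompliance.NON_COMPLIANT ? [""] : [];
  const messages: Message[] = [];
  for (const findingId of findings) {
    const reason = ignoreRule(ignores, ruleId, findingId);
    if (reason === "") messages.push({ level: params.level, ruleId, findingId, text: `${ruleId}: ${params.info}` });
    else if (logIgnores) messages.push({ level: "Info", ruleId, findingId, text: `${ruleId} suppressed: ${reason}` });
  }
  return messages;
}

// Example rule: flag Allow statements whose actions contain a wildcard, one finding ID per action.
interface Statement { Effect: string; Action: string | string[] }
export function IAMNoWildcardActions(node: FakeResource): NagRuleCompliance | string[] {
  if (node.type !== "AWS::IAM::Policy") return NagRuleCompliance.NOT_APPLICABLE;
  const doc = node.properties.PolicyDocument as { Statement?: Statement[] } | undefined;
  const findings: string[] = [];
  for (const stmt of doc?.Statement ?? []) {
    if (stmt.Effect !== "Allow") continue;
    for (const action of Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action]) {
      if (action.indexOf("*") !== -1) findings.push(`Action::${action}`);
    }
  }
  return findings.length === 0 ? NagRuleCompliance.COMPLIANT : findings;
}

// Constructed resource: a narrow wildcard accepted through a regex suppression, a broad one left to fail.
export function demo(): Message[] {
  const policy: FakeResource = {
    path: "Stack/Role/Policy", type: "AWS::IAM::Policy",
    properties: { PolicyDocument: { Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:Get*", "s3:*"] }] } },
  };
  addResourceSuppressions(policy, [{
    id: "Example-IAMNoWildcardActions",
    reason: "Read-only access to this bucket is intended and reviewed",
    appliesTo: [{ regex: "^Action::s3:Get\\*$" }],
  }]);
  return applyRule("Example", {
    info: "The policy grants wildcard actions.", explanation: "Wildcards grant more than the workload needs.",
    level: NagMessageLevel.ERROR, node: policy, rule: IAMNoWildcardActions,
  }, true);
}
```

The point to take from the model is the scope of each suppression: a NagPackSuppression without appliesTo silences every finding of that rule on the resource, while one with appliesTo only silences the finding IDs it names, so the `s3:*` finding above still surfaces as an Error even though `s3:Get*` is accepted. Keep suppressions granular wherever the rule produces finding IDs, and require a reason that a reviewer can act on.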