WIP: cdk-nag

paradisec-archive · Oct 29, 2023 · 82e1484 · 82e1484
1 parent fb583d4
commit 82e1484
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/cdk/cdk.json b/cdk/cdk.json
@@ -34,6 +34,7 @@
     "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
     "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
     "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
     "@aws-cdk/core:target-partitions": [
       "aws",
       "aws-cn"

diff --git a/cdk/lib/app-stack.ts b/cdk/lib/app-stack.ts
@@ -17,6 +17,7 @@ import { ISecret } from 'aws-cdk-lib/aws-secretsmanager';
 import { SecretValue } from 'aws-cdk-lib';
 
 import { AppProps } from './types';
+import { NagSuppressions } from 'cdk-nag';
 
 export class AppStack extends cdk.Stack {
   constructor(scope: Construct, id: string, appProps: AppProps, props?: cdk.StackProps) {
@@ -61,6 +62,10 @@ export class AppStack extends cdk.Stack {
         subnets: dataSubnets,
       },
     });
+    NagSuppressions.addResourceSuppressions(
+      db,
+      [{ id: 'AwsSolutions-RDS3', reason: 'Single AZ app, HA not needed' }],
+    );
 
     // ////////////////////////
     // ECS Cluster
@@ -284,6 +289,11 @@ export class AppStack extends cdk.Stack {
       actions: ['ses:SendRawEmail'],
       resources: ['*'],
     }));
+    NagSuppressions.addResourceSuppressions(
+      jobsTaskDefinition,
+      [{ id: 'AwsSolutions-IAM5', reason: 'SES has no resources', appliesTo: ['Resource::*'] }],
+      true,
+    );
 
     const jobsService = new ecs.Ec2Service(this, 'JobsService', {
       serviceName: 'jobs',
@@ -403,5 +413,10 @@ export class AppStack extends cdk.Stack {
         backup.BackupResource.fromRdsDatabaseInstance(db),
       ],
     });
+    NagSuppressions.addResourceSuppressions(
+      plan,
+      [{ id: 'AwsSolutions-IAM4', reason: 'Managed Policy is fine', appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup'] }],
+      true,
+    );
   }
 }
diff --git a/cdk/lib/main-stack.ts b/cdk/lib/main-stack.ts
@@ -111,6 +111,8 @@ export class MainStack extends cdk.Stack {
           '*',
         ],
       }],
+      serverAccessLogsBucket: metaBucket,
+      serverAccessLogsPrefix: `s3-access-logs/${appName}-catalog-${env}`,
     });
   }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -111,6 +111,8 @@ export class MainStack extends cdk.Stack { @@
               '*',
             ],
           }],
+          serverAccessLogsBucket: metaBucket,
+          serverAccessLogsPrefix: `s3-access-logs/${appName}-catalog-${env}`,
         });
       }
     }