Max Kryvych

AWS CDK template validation during synthesis with Cloudformation Guard

It takes about 5 minutes to integrate.

Hey there! 👋

⚡️ CDK just released a killer new feature that improves the experience of those who develop infrastructure in CDK: validating the synthesized template against policies during synthesis. 💥

Note: Keep in mind that you can use different plugins (such as OPA, Checkov, KICS, etc.) instead of CloudFormation Guard to validate your infrastructure with this feature.

What is the benefit?

From what I see, the biggest benefit of this feature is an improved development flow for CDK code. Being able to check your code on the fly against a ruleset of policies warns you earlier, which saves a lot of time and prevents accidental deployments of vulnerable infrastructure.

That being said, do note that this is an experimental feature in CDK, which comes with its own pros and cons.

How to integrate the plugin into your project?

First things first: go to the terminal and add this dependency to your project:

$ npm install @cdklabs/cdk-validator-cfnguard

The next step is to pass the validator to your cdk.App object through the policyValidationBeta1 option:

import * as cdk from "aws-cdk-lib";
import { CfnGuardValidator } from "@cdklabs/cdk-validator-cfnguard";

const app = new cdk.App({
    // Experimental (Beta1) hook: every plugin listed here is run against the
    // synthesized templates during `cdk synth`.
    policyValidationBeta1: [
        new CfnGuardValidator({
            // Paths to Guard rule files or directories to evaluate (here: the
            // S3 rules from a local checkout of aws-guard-rules-registry).
            rules: [
                "/workspace/aws-guard-rules-registry/rules/aws/amazon_s3/",
            ]
        })
    ]
});

All done 🏃 — Now you are ready to use the plugin.

$ cdk synth
Performing Policy Validations

Validation Report
-----------------

Policy Validation Report Summary

╔════════════════════════╤═════════╗
║ Plugin                 │ Status  ║
╟────────────────────────┼─────────╢
║ cdk-validator-cfnguard │ success ║
╚════════════════════════╧═════════╝

Policy Validation Successful!
.....
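To show what the policyValidationBeta1 hook actually consumes (and why the note above can promise that other plugins, not only CloudFormation Guard, slot in), here is an added example that is not code from this post, from the CDK, or from the cdk-validator-cfnguard project: a small validation plugin written against the same contract that CfnGuardValidator implements. It checks synthesized templates for S3 buckets that lack server-side encryption or a complete public-access block. The interfaces are declared locally and are my assumption of the field names of aws-cdk-lib's IPolicyValidationPluginBeta1, IPolicyValidationContextBeta1 and PolicyValidationPluginReportBeta1, so the file runs without aws-cdk-lib installed; the rule names, the sample template and the template path are constructed for the example.

```typescript
import { readFileSync } from "fs";

// Local mirrors of the aws-cdk-lib plugin contract (assumed field names of
// IPolicyValidationPluginBeta1 / IPolicyValidationContextBeta1 /
// PolicyValidationPluginReportBeta1). Declared here so the file runs without
// aws-cdk-lib; structural typing lets a real cdk.App accept the plugin.
interface PolicyValidationContext {
  readonly templatePaths: string[];
}
interface ViolatingResource {
  readonly resourceLogicalId: string;
  readonly locations: string[];
  readonly templatePath: string;
}
interface PolicyViolation {
  readonly ruleName: string;
  readonly description: string;
  readonly fix?: string;
  readonly violatingResources: ViolatingResource[];
}
interface PolicyValidationReport {
  readonly success: boolean;
  readonly violations: PolicyViolation[];
}
interface PolicyValidationPlugin {
  readonly name: string;
  validate(context: PolicyValidationContext): PolicyValidationReport;
}

// The slice of a synthesized CloudFormation template the rules inspect.
interface CfnResource {
  Type: string;
  Properties?: { [key: string]: unknown };
}
interface CfnTemplate {
  Resources?: { [logicalId: string]: CfnResource };
}

const PUBLIC_ACCESS_FLAGS = [
  "BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets",
];

// True only when all four PublicAccessBlockConfiguration flags are set to true.
function blocksAllPublicAccess(pab: unknown): boolean {
  if (typeof pab !== "object" || pab === null) return false;
  const cfg = pab as { [key: string]: unknown };
  return PUBLIC_ACCESS_FLAGS.every((flag) => cfg[flag] === true);
}

// Evaluate two constructed rules over one template. Returns one PolicyViolation
// per failed rule, listing every bucket that tripped it (rule names are made up).
function checkTemplate(template: CfnTemplate, templatePath: string): PolicyViolation[] {
  const resources = template.Resources || {};
  const noPublicBlock: ViolatingResource[] = [];
  const noEncryption: ViolatingResource[] = [];

  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::S3::Bucket") continue; // rules only cover buckets
    const props = res.Properties || {};
    if (!blocksAllPublicAccess(props.PublicAccessBlockConfiguration)) {
      noPublicBlock.push({ resourceLogicalId: logicalId,
        locations: ["Properties/PublicAccessBlockConfiguration"], templatePath });
    }
    if (props.BucketEncryption === undefined) {
      noEncryption.push({ resourceLogicalId: logicalId,
        locations: ["Properties/BucketEncryption"], templatePath });
    }
  }

  const violations: PolicyViolation[] = [];
  if (noPublicBlock.length > 0) {
    violations.push({
      ruleName: "S3_BUCKET_PUBLIC_ACCESS_BLOCKED",
      description: "S3 buckets must block public ACLs and public bucket policies.",
      fix: "Set all four PublicAccessBlockConfiguration flags to true.",
      violatingResources: noPublicBlock,
    });
  }
  if (noEncryption.length > 0) {
    violations.push({
      ruleName: "S3_BUCKET_ENCRYPTION_DECLARED",
      description: "S3 buckets must declare server-side encryption.",
      fix: "Add a BucketEncryption block with a default SSE algorithm.",
      violatingResources: noEncryption,
    });
  }
  return violations;
}

class S3PolicyValidator implements PolicyValidationPlugin {
  readonly name = "s3-policy-validator";

  // cdk synth hands the plugin the path of every template it wrote to cdk.out;
  // a report with success=false makes synthesis print the violations and fail.
  validate(context: PolicyValidationContext): PolicyValidationReport {
    let violations: PolicyViolation[] = [];
    for (const path of context.templatePaths) {
      const template = JSON.parse(readFileSync(path, "utf8")) as CfnTemplate;
      violations = violations.concat(checkTemplate(template, path));
    }
    return { success: violations.length === 0, violations };
  }
}
// Wiring (needs aws-cdk-lib, so left as a comment):
// const app = new cdk.App({ policyValidationBeta1: [new S3PolicyValidator()] });

// Constructed sample template: one hardened bucket, one bare bucket, one non-bucket.
const sampleTemplate: CfnTemplate = {
  Resources: {
    LogsBucket: { Type: "AWS::S3::Bucket" },
    DataBucket: {
      Type: "AWS::S3::Bucket",
      Properties: {
        BucketEncryption: { ServerSideEncryptionConfiguration: [
          { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } } ] },
        PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
          IgnorePublicAcls: true, RestrictPublicBuckets: true },
      },
    },
    Queue: { Type: "AWS::SQS::Queue" },
  },
};

// Run the rules over the sample as if it were cdk.out/DemoStack.template.json.
function runSample(): PolicyValidationReport {
  const violations = checkTemplate(sampleTemplate, "cdk.out/DemoStack.template.json");
  return { success: violations.length === 0, violations };
}

console.log(JSON.stringify(runSample(), null, 2));
```

Against the sample, both rules fail and both name only LogsBucket; DataBucket passes and the queue is ignored. Swapping this class for CfnGuardValidator in the app above changes nothing about how cdk synth invokes it, which is the whole point of the plugin interface.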

What if I'm new to Guard?

Well, it's totally fine. Guard is less known to the general public. I will not talk about Guard in this blog post; it deserves a separate article covering its pros and cons.

I want to mention a repository created by AWS that didn't get a lot of attention: aws-guard-rules-registry. The repository contains a collection of rules written in the Guard DSL which covers 80% of use cases. If you're just starting your journey of improving your security posture, definitely follow the link.

Wrapping Up

It looks like a good step forward for the framework. So go there and give it a try!

Thank you for your time! Stay awesome 🎃
Max


Links: