You ship a CDK stack. One IAM role has a wildcard because you copy-pasted a gist eight months ago. That role is now your blast radius.
Most CDK pipelines have linting. They have type checking. They have cdk diff to preview changes. But nobody's checking IAM policies for overpermissions at synth time.
@shieldly/cdk-guard fills that gap. It runs AI-Powered security analysis on every synthesized stack: risky IAM policies and CloudFormation misconfigurations get flagged before anything hits CloudFormation.
Disclosure: I work on Shieldly.
What it catches
The patterns that manual review misses:
-
Action: "*"or"*:*": the obvious one, but easy to miss when buried in a 200-line stack -
iam:PassRolewith a wildcard resource and no conditions: lets a compromised principal hand privileged roles to services it controls -
s3:*on a role that only needsGetObject: permission inflation that grows over time -
Missing condition keys: no
aws:SourceArn, noaws:PrincipalOrgID, no constraints at all
None of these are obscure. They're the patterns that show up in every post-incident review.
Setup
npm install --save-dev @shieldly/cdk-guard
Simplest path is the CLI wrapper: it runs cdk synth, then analyzes all synthesized stacks. Works with any CDK language:
npx @shieldly/cdk-guard
Or add the construct-style guard in a JavaScript/TypeScript CDK app. It analyzes cdk.out/ automatically when the process exits, no explicit call needed:
import * as cdk from 'aws-cdk-lib';
import { ShieldlyGuard } from '@shieldly/cdk-guard';
const app = new cdk.App();
new ShieldlyGuard({
failOn: 'High', // Critical | High | Medium | Low | none
});
new MyStack(app, 'MyStack');
If findings at or above failOn severity come back, the process exits non-zero and your deploy stops.
You'll need an API key (SHIELDLY_API_KEY env var, keys are on the Builder plan and above); without a key it runs against the free demo endpoint with a scan limit. Privacy note: your CDK templates are never logged, cache keys are one-way SHA-256 hashes.
CI/CD integration
Block bad policies before they reach main:
# GitHub Actions example
- name: CDK security check
run: npx @shieldly/cdk-guard
env:
SHIELDLY_API_KEY: ${{ secrets.SHIELDLY_API_KEY }}
There's also a cdk.json hook variant ("afterSynth": ["npx", "@shieldly/cdk-guard", "--no-synth"]) if you want it to run on every synth regardless of who invokes it.
What it costs
API keys start on the Builder plan ($19/mo, 150 analysis units/day). There's also a free tier (20 analysis units/day) and a keyless demo mode with a scan limit, so you can try it before paying anything.
Top comments (0)