-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Annotations and stages #637
Comments
Related to: aws/aws-cdk#17805. |
Using the example provided, @ericzbeard can you confirm whether a
Like in @joel-aws's issue, donti@DESKTOP-GL4A569:~/test-cdk-project$ cdk deploy TestStage/MyStack
[Error at /TestStage/MyStack/Queue/Resource] AwsSolutions-SQS2: The SQS Queue does not have server-side encryption enabled. Server side encryption adds additional protection of sensitive data delivered as messages to subscribers.
[Error at /TestStage/MyStack/Queue/Resource] AwsSolutions-SQS3: The SQS queue does not have a dead-letter queue (DLQ) enabled or have a cdk_nag rule suppression indicating it is a DLQ. Using a DLQ helps maintain the queue flow and avoid losing data by detecting and mitigating failures and service disruptions on time.
[Error at /TestStage/MyStack/Queue/Resource] AwsSolutions-SQS4: The SQS queue does not require requests to use SSL. Without HTTPS (TLS), a network-based attacker can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle. Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition in the queue policy to force requests to use SSL.
[Error at /TestStage/MyStack/Bucket/Resource] AwsSolutions-S1: The S3 Bucket has server access logs disabled. The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket.
[Error at /TestStage/MyStack/Bucket/Resource] AwsSolutions-S2: The S3 Bucket does not have public access restricted and blocked. The bucket should have public access restricted and blocked to prevent unauthorized access.
[Error at /TestStage/MyStack/Bucket/Resource] AwsSolutions-S3: The S3 Bucket does not default encryption enabled. The bucket should minimally have SSE enabled to help protect data-at-rest.
[Error at /TestStage/MyStack/Bucket/Resource] AwsSolutions-S10: The S3 Bucket does not require requests to use SSL. You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. You should allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket policies.
Found errors |
Annotations also rendered with |
In the provided example I left in the regular stack-based check under |
This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. |
Hi @dontirun , I have noticed the same error as @ericzbeard described. Has there been any progress on the item, considering that the issue got marked as stale? |
This isn't something that seems to be fixable within this construct. I believe it's related to this cdk issue |
Any fix on this? |
I believe the issue is with the implementation of Annotations within the CDK itself (linked issue above), unfortunately not something that can fixed within cdk-nag |
Related to aws/aws-cdk#22507 |
Closing since,this is related to the implementation of stages and is an intended behavior. Running |
What is the problem?
cdk-nag
does not work with Stages. If an app contains a stage, it is not possible to applycdk-nag
at the app, stage, or stack level.Reproduction Steps
What did you expect to happen?
I expect
cdk-nag
to work if my stacks are in a stage.What actually happened?
Nothing happens unless you pull the stack up to the app level when you instantiate it.
cdk-nag version
2.5.0
Language
Typescript
Other information
Also,
cdk-nag
2.6.0 is broken on NPM. You can't do a default install.Workaround
I created a file called
nag.ts
, in which I directly instantiate my stacks at the app level. I synthesize it with the following npm script:The text was updated successfully, but these errors were encountered: