Skip to content

Latest commit

 

History

History
2718 lines (1605 loc) · 84.3 KB

API.md

File metadata and controls

2718 lines (1605 loc) · 84.3 KB
Raw

API Reference

Structs

AnnotationLoggerProps

Props for the AnnotationLogger.

Initializer 

import { AnnotationLoggerProps } from 'cdk-nag'

const annotationLoggerProps: AnnotationLoggerProps = { ... }

Properties

Name Type Description
logIgnores boolean Whether or not to log suppressed rule violations as informational messages (default: false).
verbose boolean Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages.
logIgnoresOptional 
public readonly logIgnores: boolean;
  • Type: boolean

Whether or not to log suppressed rule violations as informational messages (default: false).

verboseOptional 
public readonly verbose: boolean;
  • Type: boolean

Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages.

NagLoggerBaseData

Shared data for all INagLogger methods.

Initializer 

import { NagLoggerBaseData } from 'cdk-nag'

const nagLoggerBaseData: NagLoggerBaseData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string

NagLoggerComplianceData

Data for onCompliance method of an INagLogger.

Initializer 

import { NagLoggerComplianceData } from 'cdk-nag'

const nagLoggerComplianceData: NagLoggerComplianceData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string

NagLoggerErrorData

Data for onError method of an INagLogger.

Initializer 

import { NagLoggerErrorData } from 'cdk-nag'

const nagLoggerErrorData: NagLoggerErrorData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
errorMessage string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string
errorMessageRequired 
public readonly errorMessage: string;
  • Type: string

NagLoggerNonComplianceData

Data for onNonCompliance method of an INagLogger.

Initializer 

import { NagLoggerNonComplianceData } from 'cdk-nag'

const nagLoggerNonComplianceData: NagLoggerNonComplianceData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
findingId string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string
findingIdRequired 
public readonly findingId: string;
  • Type: string

NagLoggerNotApplicableData

Data for onNotApplicable method of an INagLogger.

Initializer 

import { NagLoggerNotApplicableData } from 'cdk-nag'

const nagLoggerNotApplicableData: NagLoggerNotApplicableData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string

NagLoggerSuppressedData

Data for onSuppressed method of an INagLogger.

Initializer 

import { NagLoggerSuppressedData } from 'cdk-nag'

const nagLoggerSuppressedData: NagLoggerSuppressedData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
findingId string No description.
suppressionReason string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string
findingIdRequired 
public readonly findingId: string;
  • Type: string
suppressionReasonRequired 
public readonly suppressionReason: string;
  • Type: string

NagLoggerSuppressedErrorData

Data for onSuppressedError method of an INagLogger.

Initializer 

import { NagLoggerSuppressedErrorData } from 'cdk-nag'

const nagLoggerSuppressedErrorData: NagLoggerSuppressedErrorData = { ... }

Properties

Name Type Description
nagPackName string No description.
resource aws-cdk-lib.CfnResource No description.
ruleExplanation string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel NagMessageLevel No description.
ruleOriginalName string No description.
errorMessage string No description.
errorSuppressionReason string No description.
nagPackNameRequired 
public readonly nagPackName: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleExplanationRequired 
public readonly ruleExplanation: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;
ruleOriginalNameRequired 
public readonly ruleOriginalName: string;
  • Type: string
errorMessageRequired 
public readonly errorMessage: string;
  • Type: string
errorSuppressionReasonRequired 
public readonly errorSuppressionReason: string;
  • Type: string

NagPackProps

Interface for creating a NagPack.

Initializer 

import { NagPackProps } from 'cdk-nag'

const nagPackProps: NagPackProps = { ... }

Properties

Name Type Description
additionalLoggers INagLogger[] Additional NagLoggers for logging rule validation outputs.
logIgnores boolean Whether or not to log suppressed rule violations as informational messages (default: false).
reportFormats NagReportFormat[] If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).
reports boolean Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).
suppressionIgnoreCondition INagSuppressionIgnore Conditionally prevent rules from being suppressed (default: no user provided condition).
verbose boolean Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
additionalLoggersOptional 
public readonly additionalLoggers: INagLogger[];

Additional NagLoggers for logging rule validation outputs.

logIgnoresOptional 
public readonly logIgnores: boolean;
  • Type: boolean

Whether or not to log suppressed rule violations as informational messages (default: false).

reportFormatsOptional 
public readonly reportFormats: NagReportFormat[];

If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV).

reportsOptional 
public readonly reports: boolean;
  • Type: boolean

Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true).

suppressionIgnoreConditionOptional 
public readonly suppressionIgnoreCondition: INagSuppressionIgnore;

Conditionally prevent rules from being suppressed (default: no user provided condition).

verboseOptional 
public readonly verbose: boolean;
  • Type: boolean

Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).

NagPackSuppression

Interface for creating a rule suppression.

Initializer 

import { NagPackSuppression } from 'cdk-nag'

const nagPackSuppression: NagPackSuppression = { ... }

Properties

Name Type Description
id string The id of the rule to ignore.
reason string The reason to ignore the rule (minimum 10 characters).
appliesTo string | RegexAppliesTo[] Rule specific granular suppressions.
idRequired 
public readonly id: string;
  • Type: string

The id of the rule to ignore.

reasonRequired 
public readonly reason: string;
  • Type: string

The reason to ignore the rule (minimum 10 characters).

appliesToOptional 
public readonly appliesTo: string | RegexAppliesTo[];

Rule specific granular suppressions.

NagReportLine

Initializer 

import { NagReportLine } from 'cdk-nag'

const nagReportLine: NagReportLine = { ... }

Properties

Name Type Description
compliance string No description.
exceptionReason string No description.
resourceId string No description.
ruleId string No description.
ruleInfo string No description.
ruleLevel string No description.
complianceRequired 
public readonly compliance: string;
  • Type: string
exceptionReasonRequired 
public readonly exceptionReason: string;
  • Type: string
resourceIdRequired 
public readonly resourceId: string;
  • Type: string
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleInfoRequired 
public readonly ruleInfo: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: string;
  • Type: string

NagReportLoggerProps

Props for the NagReportLogger.

Initializer 

import { NagReportLoggerProps } from 'cdk-nag'

const nagReportLoggerProps: NagReportLoggerProps = { ... }

Properties

Name Type Description
formats NagReportFormat[] No description.
formatsRequired 
public readonly formats: NagReportFormat[];

NagReportSchema

Initializer 

import { NagReportSchema } from 'cdk-nag'

const nagReportSchema: NagReportSchema = { ... }

Properties

Name Type Description
lines NagReportLine[] No description.
linesRequired 
public readonly lines: NagReportLine[];

RegexAppliesTo

A regular expression to apply to matching findings.

Initializer 

import { RegexAppliesTo } from 'cdk-nag'

const regexAppliesTo: RegexAppliesTo = { ... }

Properties

Name Type Description
regex string An ECMA-262 regex string.
regexRequired 
public readonly regex: string;
  • Type: string

An ECMA-262 regex string.

SuppressionIgnoreInput

Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

Initializer 

import { SuppressionIgnoreInput } from 'cdk-nag'

const suppressionIgnoreInput: SuppressionIgnoreInput = { ... }

Properties

Name Type Description
findingId string No description.
reason string No description.
resource aws-cdk-lib.CfnResource No description.
ruleId string No description.
ruleLevel NagMessageLevel No description.
findingIdRequired 
public readonly findingId: string;
  • Type: string
reasonRequired 
public readonly reason: string;
  • Type: string
resourceRequired 
public readonly resource: CfnResource;
  • Type: aws-cdk-lib.CfnResource
ruleIdRequired 
public readonly ruleId: string;
  • Type: string
ruleLevelRequired 
public readonly ruleLevel: NagMessageLevel;

Classes

AnnotationLogger

A NagLogger that outputs to the CDK Annotations system.

Initializers 

import { AnnotationLogger } from 'cdk-nag'

new AnnotationLogger(props?: AnnotationLoggerProps)
Name Type Description
props AnnotationLoggerProps No description.
propsOptional

Methods

Name Description
onCompliance Called when a CfnResource passes the compliance check for a given rule.
onError Called when a rule throws an error during while validating a CfnResource for compliance.
onNonCompliance Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
onNotApplicable Called when a rule does not apply to the given CfnResource.
onSuppressed Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressedError Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
onCompliance 
public onCompliance(_data: NagLoggerComplianceData): void

Called when a CfnResource passes the compliance check for a given rule.

_dataRequired
onError 
public onError(data: NagLoggerErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance.

dataRequired
onNonCompliance 
public onNonCompliance(data: NagLoggerNonComplianceData): void

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

dataRequired
onNotApplicable 
public onNotApplicable(_data: NagLoggerNotApplicableData): void

Called when a rule does not apply to the given CfnResource.

_dataRequired
onSuppressed 
public onSuppressed(data: NagLoggerSuppressedData): void

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

dataRequired
onSuppressedError 
public onSuppressedError(data: NagLoggerSuppressedErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

dataRequired

Properties

Name Type Description
logIgnores boolean No description.
verbose boolean No description.
suppressionId string No description.
logIgnoresRequired 
public readonly logIgnores: boolean;
  • Type: boolean
verboseRequired 
public readonly verbose: boolean;
  • Type: boolean
suppressionIdRequired 
public readonly suppressionId: string;
  • Type: string

AwsSolutionsChecks

Check Best practices based on AWS Solutions Security Matrix.

Initializers 

import { AwsSolutionsChecks } from 'cdk-nag'

new AwsSolutionsChecks(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

HIPAASecurityChecks

Check for HIPAA Security compliance.

Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

Initializers 

import { HIPAASecurityChecks } from 'cdk-nag'

new HIPAASecurityChecks(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

NagPack

  • Implements: aws-cdk-lib.IAspect

Base class for all rule packs.

Initializers 

import { NagPack } from 'cdk-nag'

new NagPack(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

NagReportLogger

A NagLogger that creates compliance reports.

Initializers 

import { NagReportLogger } from 'cdk-nag'

new NagReportLogger(props: NagReportLoggerProps)
Name Type Description
props NagReportLoggerProps No description.
propsRequired

Methods

Name Description
getFormatStacks No description.
onCompliance Called when a CfnResource passes the compliance check for a given rule.
onError Called when a rule throws an error during while validating a CfnResource for compliance.
onNonCompliance Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
onNotApplicable Called when a rule does not apply to the given CfnResource.
onSuppressed Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressedError Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
getFormatStacks 
public getFormatStacks(format: NagReportFormat): string[]
formatRequired
onCompliance 
public onCompliance(data: NagLoggerComplianceData): void

Called when a CfnResource passes the compliance check for a given rule.

dataRequired
onError 
public onError(data: NagLoggerErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance.

dataRequired
onNonCompliance 
public onNonCompliance(data: NagLoggerNonComplianceData): void

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

dataRequired
onNotApplicable 
public onNotApplicable(data: NagLoggerNotApplicableData): void

Called when a rule does not apply to the given CfnResource.

dataRequired
onSuppressed 
public onSuppressed(data: NagLoggerSuppressedData): void

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

dataRequired
onSuppressedError 
public onSuppressedError(data: NagLoggerSuppressedErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

dataRequired

Properties

Name Type Description
formats NagReportFormat[] No description.
formatsRequired 
public readonly formats: NagReportFormat[];

NagRules

Helper class with methods for rule creation.

Initializers 

import { NagRules } from 'cdk-nag'

new NagRules()
Name Type Description

Static Functions

Name Description
resolveIfPrimitive Use in cases where a primitive value must be known to pass a rule.
resolveResourceFromInstrinsic Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
resolveIfPrimitive 
import { NagRules } from 'cdk-nag'

NagRules.resolveIfPrimitive(node: CfnResource, parameter: any)

Use in cases where a primitive value must be known to pass a rule.

https://developer.mozilla.org/en-US/docs/Glossary/Primitive

nodeRequired
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.

parameterRequired
  • Type: any

The value to attempt to resolve.

resolveResourceFromInstrinsic 
import { NagRules } from 'cdk-nag'

NagRules.resolveResourceFromInstrinsic(node: CfnResource, parameter: any)

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

nodeRequired
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.

parameterRequired
  • Type: any

The value to attempt to resolve.

NagSuppressions

Helper class with methods to add cdk-nag suppressions to cdk resources.

Initializers 

import { NagSuppressions } from 'cdk-nag'

new NagSuppressions()
Name Type Description

Static Functions

Name Description
addResourceSuppressions Add cdk-nag suppressions to a CfnResource and optionally its children.
addResourceSuppressionsByPath Add cdk-nag suppressions to a CfnResource and optionally its children via its path.
addStackSuppressions Apply cdk-nag suppressions to a Stack and optionally nested stacks.
addResourceSuppressions 
import { NagSuppressions } from 'cdk-nag'

NagSuppressions.addResourceSuppressions(construct: IConstruct | IConstruct[], suppressions: NagPackSuppression[], applyToChildren?: boolean)

Add cdk-nag suppressions to a CfnResource and optionally its children.

constructRequired
  • Type: constructs.IConstruct | constructs.IConstruct[]

The IConstruct(s) to apply the suppression to.

suppressionsRequired

A list of suppressions to apply to the resource.

applyToChildrenOptional
  • Type: boolean

Apply the suppressions to children CfnResources (default:false).

addResourceSuppressionsByPath 
import { NagSuppressions } from 'cdk-nag'

NagSuppressions.addResourceSuppressionsByPath(stack: Stack, path: string | string[], suppressions: NagPackSuppression[], applyToChildren?: boolean)

Add cdk-nag suppressions to a CfnResource and optionally its children via its path.

stackRequired
  • Type: aws-cdk-lib.Stack

The Stack the construct belongs to.

pathRequired
  • Type: string | string[]

The path(s) to the construct in the provided stack.

suppressionsRequired

A list of suppressions to apply to the resource.

applyToChildrenOptional
  • Type: boolean

Apply the suppressions to children CfnResources (default:false).

addStackSuppressions 
import { NagSuppressions } from 'cdk-nag'

NagSuppressions.addStackSuppressions(stack: Stack, suppressions: NagPackSuppression[], applyToNestedStacks?: boolean)

Apply cdk-nag suppressions to a Stack and optionally nested stacks.

stackRequired
  • Type: aws-cdk-lib.Stack

The Stack to apply the suppression to.

suppressionsRequired

A list of suppressions to apply to the stack.

applyToNestedStacksOptional
  • Type: boolean

Apply the suppressions to children stacks (default:false).

NIST80053R4Checks

Check for NIST 800-53 rev 4 compliance.

Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

Initializers 

import { NIST80053R4Checks } from 'cdk-nag'

new NIST80053R4Checks(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

NIST80053R5Checks

Check for NIST 800-53 rev 5 compliance.

Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

Initializers 

import { NIST80053R5Checks } from 'cdk-nag'

new NIST80053R5Checks(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

PCIDSS321Checks

Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

Initializers 

import { PCIDSS321Checks } from 'cdk-nag'

new PCIDSS321Checks(props?: NagPackProps)
Name Type Description
props NagPackProps No description.
propsOptional

Methods

Name Description
visit All aspects can visit an IConstruct.
visit 
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

nodeRequired
  • Type: constructs.IConstruct

Properties

Name Type Description
readPackName string No description.
readPackNameRequired 
public readonly readPackName: string;
  • Type: string

SuppressionIgnoreAlways

Always ignore the suppression.

Initializers 

import { SuppressionIgnoreAlways } from 'cdk-nag'

new SuppressionIgnoreAlways(triggerMessage: string)
Name Type Description
triggerMessage string No description.
triggerMessageRequired
  • Type: string

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(_input: SuppressionIgnoreInput): string
_inputRequired

SuppressionIgnoreAnd

Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.

Initializers 

import { SuppressionIgnoreAnd } from 'cdk-nag'

new SuppressionIgnoreAnd(SuppressionIgnoreAnds: ...INagSuppressionIgnore[])
Name Type Description
SuppressionIgnoreAnds ...INagSuppressionIgnore[] No description.
SuppressionIgnoreAndsRequired

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(input: SuppressionIgnoreInput): string
inputRequired

SuppressionIgnoreErrors

Ignore Suppressions for Rules with a NagMessageLevel.ERROR.

Initializers 

import { SuppressionIgnoreErrors } from 'cdk-nag'

new SuppressionIgnoreErrors()
Name Type Description

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(input: SuppressionIgnoreInput): string
inputRequired

SuppressionIgnoreNever

Don't ignore the suppression.

Initializers 

import { SuppressionIgnoreNever } from 'cdk-nag'

new SuppressionIgnoreNever()
Name Type Description

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(_input: SuppressionIgnoreInput): string
_inputRequired

SuppressionIgnoreOr

Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

Initializers 

import { SuppressionIgnoreOr } from 'cdk-nag'

new SuppressionIgnoreOr(orSuppressionIgnores: ...INagSuppressionIgnore[])
Name Type Description
orSuppressionIgnores ...INagSuppressionIgnore[] No description.
orSuppressionIgnoresRequired

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(input: SuppressionIgnoreInput): string
inputRequired

Protocols

IApplyRule

Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.

Methods

Name Description
rule The callback to the rule.
rule 
public rule(node: CfnResource): NagRuleCompliance | string[]

The callback to the rule.

nodeRequired
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.

Properties

Name Type Description
explanation string Why the rule exists.
info string Why the rule was triggered.
level NagMessageLevel The annotations message level to apply to the rule if triggered.
node aws-cdk-lib.CfnResource The CfnResource to check.
ignoreSuppressionCondition INagSuppressionIgnore A condition in which a suppression should be ignored.
ruleSuffixOverride string Override for the suffix of the Rule ID for this rule.
explanationRequired 
public readonly explanation: string;
  • Type: string

Why the rule exists.

infoRequired 
public readonly info: string;
  • Type: string

Why the rule was triggered.

levelRequired 
public readonly level: NagMessageLevel;

The annotations message level to apply to the rule if triggered.

nodeRequired 
public readonly node: CfnResource;
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.

ignoreSuppressionConditionOptional 
public readonly ignoreSuppressionCondition: INagSuppressionIgnore;

A condition in which a suppression should be ignored.

ruleSuffixOverrideOptional 
public readonly ruleSuffixOverride: string;
  • Type: string

Override for the suffix of the Rule ID for this rule.

INagLogger

Interface for creating NagSuppression Ignores.

Methods

Name Description
onCompliance Called when a CfnResource passes the compliance check for a given rule.
onError Called when a rule throws an error during while validating a CfnResource for compliance.
onNonCompliance Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.
onNotApplicable Called when a rule does not apply to the given CfnResource.
onSuppressed Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressedError Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.
onCompliance 
public onCompliance(data: NagLoggerComplianceData): void

Called when a CfnResource passes the compliance check for a given rule.

dataRequired
onError 
public onError(data: NagLoggerErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance.

dataRequired
onNonCompliance 
public onNonCompliance(data: NagLoggerNonComplianceData): void

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

dataRequired
onNotApplicable 
public onNotApplicable(data: NagLoggerNotApplicableData): void

Called when a rule does not apply to the given CfnResource.

dataRequired
onSuppressed 
public onSuppressed(data: NagLoggerSuppressedData): void

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

dataRequired
onSuppressedError 
public onSuppressedError(data: NagLoggerSuppressedErrorData): void

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

dataRequired

INagSuppressionIgnore

Interface for creating NagSuppression Ignores.

Methods

Name Description
createMessage No description.
createMessage 
public createMessage(input: SuppressionIgnoreInput): string
inputRequired

Enums

NagMessageLevel

The severity level of the rule.

Members

Name Description
WARN No description.
ERROR No description.
WARN
ERROR

NagReportFormat

Possible output formats of the NagReport.

Members

Name Description
CSV No description.
JSON No description.
CSV
JSON

NagRuleCompliance

The compliance level of a resource in relation to a rule.

Members

Name Description
COMPLIANT No description.
NON_COMPLIANT No description.
NOT_APPLICABLE No description.
COMPLIANT
NON_COMPLIANT
NOT_APPLICABLE

NagRulePostValidationStates

Additional states a rule can be in post compliance validation.

Members

Name Description
SUPPRESSED No description.
UNKNOWN No description.
SUPPRESSED
UNKNOWN