feat: enable aws solution checks

sbstjn · Mar 23, 2024 · 905738d · 905738d
1 parent 5cd9ae3
commit 905738d
Show file tree

Hide file tree

Showing 7 changed files with 123 additions and 6 deletions.
diff --git a/aws/index.ts b/aws/index.ts
@@ -1,16 +1,50 @@
 #!/usr/bin/env node
 
-import { App, Aspects } from 'aws-cdk-lib';
-import { UnifiedTags } from './aspects/UnifiedTags';
-import { Example } from './workloads/Example';
+import { App, Aspects } from 'aws-cdk-lib'
+import { AwsSolutionsChecks, NagSuppressions } from 'cdk-nag'
+import { UnifiedTags } from './aspects/UnifiedTags'
+import { Example } from './workloads/Example'
+
+/**
+ * Configure CDK App
+ */
 
 const app = new App({
   context: {
     version: 'v1.2.3',
   },
 })
 
+/**
+ * Configure Aspects
+ */
+
 Aspects.of(app).add(new UnifiedTags())
+Aspects.of(app).add(new AwsSolutionsChecks())
+
+NagSuppressions.addResourceSuppressions(
+  app,
+  [
+    {
+      id: 'AwsSolutions-IAM4',
+      reason: 'Allow usage of AWSLambdaBasicExecutionRole',
+      appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'],
+    },
+    {
+      id: 'AwsSolutions-SQS3',
+      reason: 'Allow usage of SQS without DLQ',
+    },
+    {
+      id: 'AwsSolutions-S1',
+      reason: 'Allow usage of S3 without server access logs',
+    },
+  ],
+  true,
+)
+
+/**
+ * Configure Workloads
+ */
 
 new Example(app, {
   enableObservability: false,

diff --git a/aws/stacks/Compute.ts b/aws/stacks/Compute.ts
@@ -4,6 +4,7 @@ import {
   StackProps,
   aws_iam,
   aws_kms,
+  aws_lambda,
   aws_lambda_nodejs,
   aws_sns,
   aws_sns_subscriptions,
@@ -16,13 +17,15 @@ export interface ComputeStackProps extends StackProps {}
 export class ComputeStack extends Stack {
   key = new aws_kms.Key(this, 'key', {
     alias: 'compute/key',
+    enableKeyRotation: true,
   })
 
   queue = new aws_sqs.Queue(this, 'queue', {
     visibilityTimeout: Duration.seconds(300),
     encryption: aws_sqs.QueueEncryption.KMS,
     dataKeyReuse: Duration.minutes(5),
     encryptionMasterKey: this.key,
+    enforceSSL: true,
   })
 
   topic = new aws_sns.Topic(this, 'topic', {
@@ -31,6 +34,8 @@ export class ComputeStack extends Stack {
 
   process = new aws_lambda_nodejs.NodejsFunction(this, 'process', {
     entry: 'src/functions/process.ts',
+    runtime: aws_lambda.Runtime.NODEJS_20_X,
+    runtimeManagementMode: aws_lambda.RuntimeManagementMode.AUTO,
     environment: {
       TOPIC_ARN: this.topic.topicArn,
     },

diff --git a/aws/stacks/Storage.ts b/aws/stacks/Storage.ts
@@ -6,11 +6,13 @@ export interface StorageStackProps extends StackProps {}
 export class StorageStack extends Stack {
   key = new aws_kms.Key(this, 'key', {
     alias: 'storage/key',
+    enableKeyRotation: true,
   })
 
   bucket = new aws_s3.Bucket(this, 'bucket', {
     bucketKeyEnabled: true,
     encryptionKey: this.key,
+    enforceSSL: true,
   })
 
   constructor(scope: IConstruct, id: string, props?: StorageStackProps) {

diff --git a/package.json b/package.json
@@ -50,6 +50,7 @@
     "typescript": "^5.4.2"
   },
   "dependencies": {
-    "@aws-community/arch-dia": "^1.1.2"
+    "@aws-community/arch-dia": "^1.1.2",
+    "cdk-nag": "^2.28.72"
   }
 }
diff --git a/test/aws/stacks/__snapshots__/Compute.test.ts.snap b/test/aws/stacks/__snapshots__/Compute.test.ts.snap
@@ -25,6 +25,7 @@ exports[`Stack Template match snapshot 1`] = `
     "keyFEDD6EC0": {
       "DeletionPolicy": "Retain",
       "Properties": {
+        "EnableKeyRotation": true,
         "KeyPolicy": {
           "Statement": [
             {
@@ -96,7 +97,7 @@ exports[`Stack Template match snapshot 1`] = `
           "S3Bucket": {
             "Fn::Sub": "cdk-hnb659fds-assets-\${AWS::AccountId}-\${AWS::Region}",
           },
-          "S3Key": "e442148fa28aa746e7676e5f5c9c3de54f1f98d9a1fd1b96b52a9e391dd9b5f7.zip",
+          "S3Key": "a135ffcab3220ac3435b6d1d49c86e0704c0208cb9eed285d7c4f918dc7265a9.zip",
         },
         "Environment": {
           "Variables": {
@@ -113,7 +114,10 @@ exports[`Stack Template match snapshot 1`] = `
             "Arn",
           ],
         },
-        "Runtime": "nodejs16.x",
+        "Runtime": "nodejs20.x",
+        "RuntimeManagementConfig": {
+          "UpdateRuntimeOn": "Auto",
+        },
       },
       "Type": "AWS::Lambda::Function",
     },
@@ -190,6 +194,24 @@ exports[`Stack Template match snapshot 1`] = `
       "Properties": {
         "PolicyDocument": {
           "Statement": [
+            {
+              "Action": "sqs:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*",
+              },
+              "Resource": {
+                "Fn::GetAtt": [
+                  "queue276F7297",
+                  "Arn",
+                ],
+              },
+            },
             {
               "Action": "sqs:SendMessage",
               "Condition": {

diff --git a/test/aws/stacks/__snapshots__/Storage.test.ts.snap b/test/aws/stacks/__snapshots__/Storage.test.ts.snap
@@ -33,6 +33,53 @@ exports[`Stack Template match snapshot 1`] = `
       "Type": "AWS::S3::Bucket",
       "UpdateReplacePolicy": "Retain",
     },
+    "bucketPolicy638F945D": {
+      "Properties": {
+        "Bucket": {
+          "Ref": "bucket43879C71",
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*",
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "bucket43879C71",
+                    "Arn",
+                  ],
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "bucket43879C71",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+      },
+      "Type": "AWS::S3::BucketPolicy",
+    },
     "keyAliasCEB16DF2": {
       "Properties": {
         "AliasName": "alias/storage/key",
@@ -48,6 +95,7 @@ exports[`Stack Template match snapshot 1`] = `
     "keyFEDD6EC0": {
       "DeletionPolicy": "Retain",
       "Properties": {
+        "EnableKeyRotation": true,
         "KeyPolicy": {
           "Statement": [
             {

diff --git a/yarn.lock b/yarn.lock
@@ -1299,6 +1299,11 @@ case@1.6.3:
   resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
   integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
 
+cdk-nag@^2.28.72:
+  version "2.28.72"
+  resolved "https://registry.npmjs.org/cdk-nag/-/cdk-nag-2.28.72.tgz#70815bd05d8446bb2fdb3bddfed5278198d330f2"
+  integrity sha512-vcTg643b+hlnA4ZUq6KU/Sv5inapJuKogZ/5jmThZ7MhhBCpxmIEyWI/CNEX+zQhwuyvORtxQB4fDmU9kHKK5w==
+
 chalk@^2.4.2:
   version "2.4.2"
   resolved "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz#cd42541677a54333cf541a49108c1432b44c9424"