Manage Security and Compliance

Infrastructure as Code (IaC) is an important part of cloud applications. cdk4j-compliancy provides identification and reporting mechanisms that surface security and compliance issues so you can mitigate them early, before releasing your applications to production. This tutorial demonstrates how to integrate cdk4j-compliancy into an AWS CDK application to provide continual feedback and help align your applications with best practices.

Overview of cdk4j-compliancy

cdk4j-compliancy validates that the state of constructs within a given scope comply with a given set of rules. Additionally, cdk4j-compliancy provides a rule suppression system.

cdk4j-compliancy includes several rule packs to validate your application against. At present these are AWS Solutions, HIPAA Security, NIST 800-53 rev 4, NIST 800-53 rev 5, and PCI DSS 3.2.1. You can pick and choose rule packs and apply as many as you wish to a given scope.

cdk4j-compliancy rules are either warnings or errors. Both warnings and errors are displayed in the console and in compliance reports. Only unsuppressed errors will prevent applications from compiling.

Create a baseline AWS CDK application

In this section you will create and synthesize a small AWS CDK application with an Amazon Simple Storage Service (Amazon S3) bucket.

  1. Create a Maven project and use the following pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

  <modelVersion>4.0.0</modelVersion>

  <groupId>org.datapith</groupId>
  <artifactId>cdk4j-examples</artifactId>
  <!-- Maven requires a project version; any value works for this demo -->
  <version>1.0-SNAPSHOT</version>
  <name>CDK4J Examples</name>
  <description>Examples CDK4j</description>

  <dependencies>
    <dependency>
      <groupId>software.amazon.awscdk</groupId>
      <artifactId>aws-cdk-lib</artifactId>
      <version>2.238.0</version>
    </dependency>

    <dependency>
      <groupId>org.datapith</groupId>
      <artifactId>cdk4j-compliancy</artifactId>
      <version>[Latest cdk4j-compliancy version]</version>
    </dependency>
  </dependencies>

</project>
  2. Create within src/main/java the following classes:
package org.datapith.cdk4j.examples.compliancy;

import software.amazon.awscdk.App;
import software.amazon.awscdk.StackProps;

public class Cdk4jCompliancyDemoApp {

  public static void main(final String[] args) {
    App app = new App();

    new Cdk4jComplianceDemoStack(app, "Cdk4jCompliancyDemoStack", StackProps.builder().build());

    app.synth();
  }
}

and

package org.datapith.cdk4j.examples.compliancy;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.s3.Bucket;
import software.constructs.Construct;

public class Cdk4jComplianceDemoStack extends Stack {

  public Cdk4jComplianceDemoStack(final Construct scope, final String id, final StackProps props) {
    super(scope, id, props);

    Bucket.Builder.create(this, "DemoBucket")
        .bucketName("unit-test-bucket")
        .build();
  }
}
  3. Compile the Maven project and run the main method of Cdk4jCompliancyDemoApp. If everything works, the terminal should show:
Process finished with exit code 0

Apply cdk4j-compliancy in your application

In this section, you’ll apply cdk4j-compliancy to your application, and view the results.

  1. Apply the AWS rule pack to your AWS CDK application by adding Compliancy:
package org.datapith.cdk4j.examples.compliancy;

import org.datapith.cdk4j.compliancy.Compliancy;
import org.datapith.cdk4j.compliancy.Compliancy.RulePack;
import software.amazon.awscdk.App;
import software.amazon.awscdk.StackProps;

public class Cdk4jCompliancyDemoApp {

  public static void main(final String[] args) {
    App app = new App();

    new Cdk4jComplianceDemoStack(app, "Cdk4jCompliancyDemoStack", StackProps.builder().build());

    // Validate the synthesized cloud assembly against the AWS rule pack;
    // unsuppressed errors make validate() throw and abort the run.
    Compliancy compliancy = Compliancy.Builder.create(app)
        .withRulePacks(RulePack.AWS)
        .build();

    compliancy.validate(app.synth());
  }
}
  2. Compile the Maven project and run the main method of Cdk4jCompliancyDemoApp. The output in your terminal should look similar to the following (Note: SSE stands for server-side encryption):
Exception in thread "main" java.lang.RuntimeException: Compliancy errors:
[/Cdk4jCompliancyDemoStack/DemoBucket/Resource] AwsSolutions-S1: The S3 Bucket has server access logs disabled.

[/Cdk4jCompliancyDemoStack/DemoBucket/Resource] AwsSolutions-S10: The S3 Bucket or bucket policy does not require requests to use SSL.

Note that applying cdk4j-compliancy to the application reported errors in the console and aborted the run.

Remediating and suppressing errors

In this section, you’ll remediate the AwsSolutions-S10 error and suppress the AwsSolutions-S1 error at the bucket level.

  1. Replace the contents of the Cdk4jComplianceDemoStack with the following:
package org.datapith.cdk4j.examples.compliancy;

import org.datapith.cdk4j.compliancy.Suppress;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.s3.Bucket;
import software.constructs.Construct;

public class Cdk4jComplianceDemoStack extends Stack {

  public Cdk4jComplianceDemoStack(final Construct scope, final String id, final StackProps props) {
    super(scope, id, props);

    Bucket bucket = Bucket.Builder.create(this, "DemoBucket")
        .bucketName("unit-test-bucket")
        // Remediating AwsSolutions-S10 by enforcing SSL on the bucket.
        .enforceSsl(true)
        .build();

    // Suppress AwsSolutions-S1 on this bucket only, with a documented reason.
    Suppress.Builder.create(bucket)
        .withRuleId("AwsSolutions-S1")
        .reason("Suspend finding for demo")
        .build();
  }
}
  2. Compile the code and run Cdk4jCompliancyDemoApp again. The output should look similar to the following:
Suppressed AwsSolutions-S1 for Cdk4jCompliancyDemoStack.DemoBucket

Process finished with exit code 0
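
Suppressing AwsSolutions-S1 is the quick route for a demo; in a real application you would usually remediate it instead. The stack below is an added example, not code from the tutorial or the cdk4j-compliancy project: it routes the workload bucket's server access logs to a dedicated log bucket via the aws-cdk-lib `serverAccessLogsBucket` and `serverAccessLogsPrefix` settings, and keeps a single suppression on the log bucket itself, where it documents a deliberate decision. The class name `HardenedDemoStack` is invented here, and it is assumed that the cdk4j-compliancy AwsSolutions-S1 rule accepts a bucket whose LoggingConfiguration points at another bucket.

```java
package org.datapith.cdk4j.examples.compliancy;

import org.datapith.cdk4j.compliancy.Suppress;
import software.amazon.awscdk.RemovalPolicy;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.s3.BlockPublicAccess;
import software.amazon.awscdk.services.s3.Bucket;
import software.amazon.awscdk.services.s3.BucketEncryption;
import software.constructs.Construct;

// Added example; HardenedDemoStack is not part of the tutorial's code.
public class HardenedDemoStack extends Stack {

  public HardenedDemoStack(final Construct scope, final String id, final StackProps props) {
    super(scope, id, props);

    // Dedicated sink for server access logs. It is retained on stack deletion
    // because the log history is the evidence an investigation would need.
    Bucket accessLogs = Bucket.Builder.create(this, "AccessLogsBucket")
        .enforceSsl(true)
        .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
        .encryption(BucketEncryption.S3_MANAGED)
        .removalPolicy(RemovalPolicy.RETAIN)
        .build();

    // The sink is the one place AwsSolutions-S1 is deliberately not followed:
    // pointing a bucket's access logs at itself makes every log write generate
    // another log write. The reason string is what reviewers see in the report.
    Suppress.Builder.create(accessLogs)
        .withRuleId("AwsSolutions-S1")
        .reason("Dedicated access-log sink; logging it to itself would loop")
        .build();

    // The workload bucket: SSL enforced (AwsSolutions-S10) and access logs
    // delivered to the sink under a per-bucket prefix (AwsSolutions-S1).
    Bucket.Builder.create(this, "DemoBucket")
        .enforceSsl(true)
        .blockPublicAccess(BlockPublicAccess.BLOCK_ALL)
        .encryption(BucketEncryption.S3_MANAGED)
        .serverAccessLogsBucket(accessLogs)
        .serverAccessLogsPrefix("demo-bucket/")
        .build();
  }
}
```

To try it, instantiate HardenedDemoStack in Cdk4jCompliancyDemoApp in place of Cdk4jComplianceDemoStack and run the application again; the only suppression reported should be the one on AccessLogsBucket, and its reason is visible to anyone reading the report.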

Reflecting on the tutorial

In this tutorial, you learned how to apply cdk4j-compliancy to your application and how to remediate or suppress warnings and errors. Security teams can choose which rule packs developers should apply to their applications, and developers can use the feedback to remediate issues quickly. Furthermore, developers and security teams can work together to use suppressions to transparently document exceptions to rules that they have decided not to follow.
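
Running the check from a main method means it only fires when someone remembers to run it. The JUnit 5 test below is an added example, not part of the tutorial or the cdk4j-compliancy project: it turns the same validation into a build gate that CI runs on every change. It assumes a junit-jupiter dependency with test scope in the pom, that `validate` throws a RuntimeException whose message lists the failing rule IDs (as the tutorial's console output shows), and uses the remediated Cdk4jComplianceDemoStack from the previous section; the class names `ComplianceGateTest` and `UnhardenedStack` are invented here.

```java
package org.datapith.cdk4j.examples.compliancy;

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.datapith.cdk4j.compliancy.Compliancy;
import org.datapith.cdk4j.compliancy.Compliancy.RulePack;
import org.junit.jupiter.api.Test;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.s3.Bucket;
import software.constructs.Construct;

// Added example; ComplianceGateTest is not part of the tutorial's code.
class ComplianceGateTest {

  // Constructed for the test: the tutorial's initial, unremediated state
  // (no SSL enforcement, no access logging).
  static class UnhardenedStack extends Stack {
    UnhardenedStack(final Construct scope, final String id) {
      super(scope, id, StackProps.builder().build());
      Bucket.Builder.create(this, "DemoBucket").build();
    }
  }

  // Synthesize the app and validate the assembly against the AWS rule pack.
  // Each test uses its own App because a CDK app can only be synthesized once.
  private static void validateAgainstAws(final App app) {
    Compliancy.Builder.create(app)
        .withRulePacks(RulePack.AWS)
        .build()
        .validate(app.synth());
  }

  @Test
  void remediatedStackPassesAwsRulePack() {
    App app = new App();
    new Cdk4jComplianceDemoStack(app, "Cdk4jCompliancyDemoStack", StackProps.builder().build());
    // A regression that drops enforceSsl(true) or the S1 suppression fails this test.
    assertDoesNotThrow(() -> validateAgainstAws(app));
  }

  @Test
  void unhardenedStackIsRejected() {
    App app = new App();
    new UnhardenedStack(app, "UnhardenedStack");
    RuntimeException ex = assertThrows(RuntimeException.class, () -> validateAgainstAws(app));
    // The message should name the rules that fired, as in the tutorial's output.
    assertTrue(ex.getMessage().contains("AwsSolutions-S10"), ex.getMessage());
    assertTrue(ex.getMessage().contains("AwsSolutions-S1"), ex.getMessage());
  }
}
```

Put the class under src/test/java so that mvn test runs it; the second test guards the gate itself, so a misconfigured Compliancy that silently passes everything is caught rather than quietly letting findings through.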