
Examples of AWS CDK template scanning.

Example CDK Definition

import cdk = require("aws-cdk-lib");
import {
  Table,
  AttributeType,
  StreamViewType,
  BillingMode,
} from "aws-cdk-lib/aws-dynamodb";
import { Construct } from "constructs";

/**
 * Stack holding the single DynamoDB table used in the scanning example.
 *
 * Only the partition key, the billing mode and the stream view are set here;
 * `encryption`, `pointInTimeRecovery` and tags are left at their defaults,
 * which is exactly what the scanner findings further down the page
 * (DynamoDB-004, DynamoDB-003 and RG-001) report on. Keep the definition
 * minimal if the synth output and scan results below are to stay in step.
 */
export class AppSyncCdkStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // The table name also seeds the partition-key attribute name ("itemsId").
    const tableName = "items";
    const partitionKey = {
      name: `${tableName}Id`,
      type: AttributeType.STRING,
    };

    new Table(this, "ItemsTable", {
      tableName,
      partitionKey,
      billingMode: BillingMode.PAY_PER_REQUEST,
      stream: StreamViewType.NEW_IMAGE,
    });
  }
}

// Application entry point: synthesizes the stack above into the CloudFormation
// template shown under "Example CDK Synth Output". The scan script later runs
// `cdk synth` to obtain that same template on stdout.
const app = new cdk.App();
new AppSyncCdkStack(app, "DynamoDBExample");
app.synth();

Example CDK Synth Output

Resources:
  ItemsTable5AAC2C46:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: itemsId
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: itemsId
          KeyType: HASH
      StreamSpecification:
        StreamViewType: NEW_IMAGE
      TableName: items
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: DynamoDBExample/ItemsTable/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzQ20jNQTCwv1k1OydbNyUzSqw4uSUzO1gEKxadU5iXm5qcAxUISk3JSdZzT8sCMWp2g1OL80qJksBAy2zk/LyWzJDM/r1YnLz8lVS+rWL/M0EwPiAwUs4ozM3WLSvNKMnNT9YIgNABcnFrfgQAAAA==
    Metadata:
      aws:cdk:path: DynamoDBExample/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - il-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

Example Scan Command

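#!/usr/bin/env bash
# Scans a template file
# Requires "cdk" (https://docs.aws.amazon.com/cdk/v2/guide/home.html) to be installed
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
set -euo pipefail

# Take the key from the environment when it is set (variable name chosen for
# this example) so a real key never has to be written into the script; the
# literal is only a placeholder.
api_key="${TREND_VISION_ONE_API_KEY:-Your Trend Vision One API Key}"
api_base_url="https://api.xdr.trendmicro.com"

# Perform any language specific compilation steps before this line. (for example, transpiling TypeScript to JavaScript)

# -R/-s read the synthesized template as one raw string; jq then builds the
# request body itself, so the template is JSON-encoded without hand-assembled
# quoting that could break on unusual template content.
payload=$(cdk synth | jq -cMRs '{type: "cloudformation-template", content: .}')

echo Request:
# Quote the expansion: an unquoted ${payload} is subject to word splitting and
# globbing before it reaches jq.
printf '%s\n' "${payload}" | jq '.' -M

echo Response:
# -S still reports transport errors in silent mode. The key travels only in the
# Authorization header and is never echoed.
curl -sS -X POST \
     -H "Authorization: Bearer ${api_key}" \
     -H "Content-Type: application/json" \
     "${api_base_url}/beta/cloudPosture/scanTemplate" \
     --data-binary "${payload}" | jq '.' -M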

Example Template Scanner API Output

Output truncated; the actual number of checks generated for this template may be greater than shown below:
{
  "scanResults": [
    {
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
      "accountId": "",
      "ruleId": "RG-001",
      "provider": "aws",
      "ruleTitle": "Tags",
      "riskLevel": "LOW",
      "status": "FAILURE",
      "service": "ResourceGroup",
      "description": "dynamodb-table itemstable5aac2c46-qp3d3l7gcv5r has [Environment, Role, Owner, Name] tags missing",
      "resource": "itemstable5aac2c46-qp3d3l7gcv5r",
      "resourceType": "dynamodb-table",
      "ignored": false,
      "categories": [
        "security",
        "reliability",
        "performance-efficiency",
        "cost-optimisation",
        "operational-excellence",
        "sustainability"
      ],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HITRUST",
        "ASAE-3150",
        "PCI-V4",
        "FEDRAMP",
        "MAS",
        "CSA"
      ],
      "region": "us-east-1",
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
      "accountId": "",
      "ruleId": "DynamoDB-003",
      "provider": "aws",
      "ruleTitle": "DynamoDB Continuous Backups",
      "riskLevel": "HIGH",
      "status": "FAILURE",
      "service": "DynamoDB",
      "description": "Continuous Backups aren't enabled for [itemstable5aac2c46-qp3d3l7gcv5r]",
      "resource": "itemstable5aac2c46-qp3d3l7gcv5r",
      "resourceType": "dynamodb-table",
      "resourceId": "itemstable5aac2c46-qp3d3l7gcv5r",
      "ignored": false,
      "categories": [
        "reliability"
      ],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
      "accountId": "",
      "ruleId": "DynamoDB-004",
      "provider": "aws",
      "ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
      "riskLevel": "HIGH",
      "status": "FAILURE",
      "service": "DynamoDB",
      "description": "Table [itemstable5aac2c46-qp3d3l7gcv5r] is encrypted at rest using the AWS-owned key",
      "resource": "itemstable5aac2c46-qp3d3l7gcv5r",
      "resourceType": "dynamodb-table",
      "resourceId": "itemstable5aac2c46-qp3d3l7gcv5r",
      "ignored": false,
      "categories": [
        "security"
      ],
      "compliances": [
        "GDPR",
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9",
        "LGPD"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
    }
  ],
  "missingParameters": [],
  "skippedRules": []
}