{"id":2426,"library":"cdk-nag","title":"CDK Nag","description":"cdk-nag is an open-source library for the AWS Cloud Development Kit (CDK) that checks CDK applications for security and compliance best practices. It functions as a linter for Infrastructure as Code, leveraging CDK Aspects to validate constructs against various rule packs like AWS Solutions, HIPAA, NIST, and PCI DSS. The library helps identify issues such as unencrypted S3 buckets, overly permissive IAM policies, and public databases before deployment. It is currently at version 2.37.55 and actively maintained with a regular release cadence.","status":"active","version":"2.37.55","language":"en","source_language":"en","source_url":"https://github.com/cdklabs/cdk-nag.git","tags":["aws","cdk","security","iac","linting","best practices","compliance"],"install":[{"cmd":"pip install cdk-nag","lang":"bash","label":"Install cdk-nag"}],"dependencies":[{"reason":"cdk-nag is an extension for AWS CDK applications and requires the AWS CDK library to function. Ensure it's installed and compatible with your cdk-nag version.","package":"aws-cdk-lib","optional":false},{"reason":"The library officially supports Python versions compatible with '~=3.9'.","package":"Python ~=3.9","optional":false}],"imports":[{"symbol":"AwsSolutionsChecks","correct":"from cdk_nag import AwsSolutionsChecks"},{"symbol":"NagSuppressions","correct":"from cdk_nag import NagSuppressions"},{"symbol":"NagPack","correct":"from cdk_nag import NagPack"},{"symbol":"NIST80053R5Checks","correct":"from cdk_nag import NIST80053R5Checks"},{"symbol":"HIPAASecurityChecks","correct":"from cdk_nag import HIPAASecurityChecks"}],"quickstart":{"code":"from aws_cdk import App, Stack, Aspects, aws_s3 as s3\nfrom constructs import Construct\nfrom cdk_nag import AwsSolutionsChecks, NagSuppressions\n\nclass MyNaggedStack(Stack):\n    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:\n        super().__init__(scope, construct_id, **kwargs)\n\n        # An S3 bucket that will likely trigger some AwsSolutions nags\n        # for missing logging, encryption, and public access blocks.\n        my_bucket = s3.Bucket(self, \"MyInsecureBucket\")\n\n        # Suppress a specific finding on the bucket with a clear reason.\n        # This suppression is for demonstration; always address findings first.\n        NagSuppressions.add_resource_suppressions(\n            my_bucket,\n            [\n                {\n                    \"id\": \"AwsSolutions-S1\",\n                    \"reason\": \"This is a demonstration bucket; access logging is not critical for this specific example.\"\n                }\n            ]\n        )\n\napp = App()\n\n# Apply AWS Solutions Checks to the entire app\nAspects.of(app).add(AwsSolutionsChecks(verbose=True))\n\nMyNaggedStack(app, \"CdkNagDemoStack\")\n\napp.synth()\n","lang":"python","description":"This quickstart demonstrates how to integrate `cdk-nag` into a Python CDK application. It creates a simple S3 bucket that would typically trigger AWS Solutions best practice warnings. It then shows how to apply the `AwsSolutionsChecks` to the entire application and how to add a suppression for a specific rule on a resource, including a mandatory reason for the suppression. Run `cdk synth` after adding this code to see the nag findings."},"warnings":[{"fix":"Ensure that only a single, consistent version of `aws-cdk-lib` is used across your entire monorepo. Workarounds like using `vite-node` for specific build steps have been reported.","message":"When using monorepos with package managers like PNPM, `cdk-nag` might fail to enforce rule checks silently if multiple versions of `aws-cdk-lib` are present. This occurs due to `instanceof` checks that evaluate to false across different instances of the `aws-cdk-lib` module.","severity":"gotcha","affected_versions":"Potentially all `cdk-nag` versions relying on `instanceof` checks for `aws-cdk-lib` constructs (e.g., 2.22.21 and later)."},{"fix":"Explicitly call `.buildPipeline()` on your `CodePipeline` object to force the pipeline construct creation forward, ensuring that all child constructs are available for aspect visitation.","message":"Constructs within `aws-cdk-lib/pipelines.CodePipeline` and its children are not always guaranteed to be 'Visited' by `cdk-nag` Aspects during the CDK lifecycle. This can lead to missed rule violations or ineffective suppressions on pipeline-related resources.","severity":"gotcha","affected_versions":"All versions where `aws-cdk-lib/pipelines` aspects are not consistently visited."},{"fix":"Always provide a detailed and meaningful `reason` when adding `NagSuppressions`. This documentation is crucial for future audits and understanding security decisions.","message":"Suppressing `cdk-nag` findings without a clear, valid reason can undermine security posture and compliance efforts. Each suppression should be a conscious decision, not a shortcut.","severity":"gotcha","affected_versions":"All versions."},{"fix":"Proactively configure AWS resources to adhere to security best practices (e.g., enable encryption, enforce SSL, configure logging) rather than relying on defaults. Use `cdk-nag` output to guide these improvements.","message":"Many AWS resources, when created with default CDK configurations, do not meet common security best practices (e.g., S3 buckets without server-side encryption or access logging, SNS topics without SSL enforcement). These defaults will often trigger `cdk-nag` warnings or errors.","severity":"gotcha","affected_versions":"All versions, as this relates to default CDK resource behavior."}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}