Examples of AWS CDK template scanning.
Example CDK Definition
import cdk = require("aws-cdk-lib");
import {
Table,
AttributeType,
StreamViewType,
BillingMode,
} from "aws-cdk-lib/aws-dynamodb";
import { Construct } from "constructs";
export class AppSyncCdkStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const tableName = "items";
new Table(this, "ItemsTable", {
tableName: tableName,
partitionKey: {
name: `${tableName}Id`,
type: AttributeType.STRING,
},
billingMode: BillingMode.PAY_PER_REQUEST,
stream: StreamViewType.NEW_IMAGE,
});
}
}
const app = new cdk.App();
new AppSyncCdkStack(app, "DynamoDBExample");
app.synth();
Example CDK Synth Output
Resources:
ItemsTable5AAC2C46:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: itemsId
AttributeType: S
BillingMode: PAY_PER_REQUEST
KeySchema:
- AttributeName: itemsId
KeyType: HASH
StreamSpecification:
StreamViewType: NEW_IMAGE
TableName: items
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
aws:cdk:path: DynamoDBExample/ItemsTable/Resource
CDKMetadata:
Type: AWS::CDK::Metadata
Properties:
Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzQ20jNQTCwv1k1OydbNyUzSqw4uSUzO1gEKxadU5iXm5qcAxUISk3JSdZzT8sCMWp2g1OL80qJksBAy2zk/LyWzJDM/r1YnLz8lVS+rWL/M0EwPiAwUs4ozM3WLSvNKMnNT9YIgNABcnFrfgQAAAA==
Metadata:
aws:cdk:path: DynamoDBExample/CDKMetadata/Default
Condition: CDKMetadataAvailable
Conditions:
CDKMetadataAvailable:
Fn::Or:
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- af-south-1
- Fn::Equals:
- Ref: AWS::Region
- ap-east-1
- Fn::Equals:
- Ref: AWS::Region
- ap-northeast-1
- Fn::Equals:
- Ref: AWS::Region
- ap-northeast-2
- Fn::Equals:
- Ref: AWS::Region
- ap-south-1
- Fn::Equals:
- Ref: AWS::Region
- ap-southeast-1
- Fn::Equals:
- Ref: AWS::Region
- ap-southeast-2
- Fn::Equals:
- Ref: AWS::Region
- ca-central-1
- Fn::Equals:
- Ref: AWS::Region
- cn-north-1
- Fn::Equals:
- Ref: AWS::Region
- cn-northwest-1
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- eu-central-1
- Fn::Equals:
- Ref: AWS::Region
- eu-north-1
- Fn::Equals:
- Ref: AWS::Region
- eu-south-1
- Fn::Equals:
- Ref: AWS::Region
- eu-west-1
- Fn::Equals:
- Ref: AWS::Region
- eu-west-2
- Fn::Equals:
- Ref: AWS::Region
- eu-west-3
- Fn::Equals:
- Ref: AWS::Region
- il-central-1
- Fn::Equals:
- Ref: AWS::Region
- me-central-1
- Fn::Equals:
- Ref: AWS::Region
- me-south-1
- Fn::Equals:
- Ref: AWS::Region
- sa-east-1
- Fn::Or:
- Fn::Equals:
- Ref: AWS::Region
- us-east-1
- Fn::Equals:
- Ref: AWS::Region
- us-east-2
- Fn::Equals:
- Ref: AWS::Region
- us-west-1
- Fn::Equals:
- Ref: AWS::Region
- us-west-2
Parameters:
BootstrapVersion:
Type: AWS::SSM::Parameter::Value<String>
Default: /cdk-bootstrap/hnb659fds/version
Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
CheckBootstrapVersion:
Assertions:
- Assert:
Fn::Not:
- Fn::Contains:
- - "1"
- "2"
- "3"
- "4"
- "5"
- Ref: BootstrapVersion
AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.
Example Scan command
#!/usr/bin/env bash
# Scans a template file
# Requires "cdk" (https://docs.aws.amazon.com/cdk/v2/guide/home.html) to be installed
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
api_key="Your Trend Vision One API Key"
api_base_url="https://api.xdr.trendmicro.com"
# Perform any language specific compilation steps before this line. (example transpiling typescript to javascript)
content=$(cdk synth | jq '.' -MRs)
payload="{\"type\":\"cloudformation-template\",\"content\":${content}}"
echo Request:
echo ${payload} | jq '.' -M
echo Response:
curl -s -X POST \
-H "Authorization: Bearer ${api_key}" \
-H "Content-Type: application/json" \
${api_base_url}/beta/cloudPosture/scanTemplate \
--data-binary "${payload}" | jq '.' -M
Example Template Scanner API Output
Output truncated, actual number of checks generated for this template may be
greater than seen below:
{
"scanResults": [
{
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
"accountId": "",
"ruleId": "RG-001",
"provider": "aws",
"ruleTitle": "Tags",
"riskLevel": "LOW",
"status": "FAILURE",
"service": "ResourceGroup",
"description": "dynamodb-table itemstable5aac2c46-qp3d3l7gcv5r has [Environment, Role, Owner, Name] tags missing",
"resource": "itemstable5aac2c46-qp3d3l7gcv5r",
"resourceType": "dynamodb-table",
"ignored": false,
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"region": "us-east-1",
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
"accountId": "",
"ruleId": "DynamoDB-003",
"provider": "aws",
"ruleTitle": "DynamoDB Continuous Backups",
"riskLevel": "HIGH",
"status": "FAILURE",
"service": "DynamoDB",
"description": "Continuous Backups aren't enabled for [itemstable5aac2c46-qp3d3l7gcv5r]",
"resource": "itemstable5aac2c46-qp3d3l7gcv5r",
"resourceType": "dynamodb-table",
"resourceId": "itemstable5aac2c46-qp3d3l7gcv5r",
"ignored": false,
"categories": [
"reliability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"region": "us-east-1",
"tags": [],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:itemstable5aac2c46-qp3d3l7gcv5r",
"accountId": "",
"ruleId": "DynamoDB-004",
"provider": "aws",
"ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
"riskLevel": "HIGH",
"status": "FAILURE",
"service": "DynamoDB",
"description": "Table [itemstable5aac2c46-qp3d3l7gcv5r] is encrypted at rest using the AWS-owned key",
"resource": "itemstable5aac2c46-qp3d3l7gcv5r",
"resourceType": "dynamodb-table",
"resourceId": "itemstable5aac2c46-qp3d3l7gcv5r",
"ignored": false,
"categories": [
"security"
],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"region": "us-east-1",
"tags": [],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
}
],
"missingParameters": [],
"skippedRules": []
}