API Reference

Classes

Name	Description
AnnotationLogger	A NagLogger that outputs to the CDK Annotations system.
AwsSolutionsChecks	Check Best practices based on AWS Solutions Security Matrix.
HIPAASecurityChecks	Check for HIPAA Security compliance.
NIST80053R4Checks	Check for NIST 800-53 rev 4 compliance.
NIST80053R5Checks	Check for NIST 800-53 rev 5 compliance.
NagPack	Base class for all rule packs.
NagReportLogger	A NagLogger that creates compliance reports.
NagRules	Helper class with methods for rule creation.
NagSuppressions	Helper class with methods to add cdk-nag suppressions to cdk resources.
PCIDSS321Checks	Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
SuppressionIgnoreAlways	Always ignore the suppression.
SuppressionIgnoreAnd	Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
SuppressionIgnoreErrors	Ignore Suppressions for Rules with a NagMessageLevel.ERROR.
SuppressionIgnoreNever	Don't ignore the suppression.
SuppressionIgnoreOr	Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

Structs

Name	Description
AnnotationLoggerProps	Props for the AnnotationLogger.
NagLoggerBaseData	Shared data for all INagLogger methods.
NagLoggerComplianceData	Data for onCompliance method of an INagLogger.
NagLoggerErrorData	Data for onError method of an INagLogger.
NagLoggerNonComplianceData	Data for onNonCompliance method of an INagLogger.
NagLoggerNotApplicableData	Data for onNotApplicable method of an INagLogger.
NagLoggerSuppressedData	Data for onSuppressed method of an INagLogger.
NagLoggerSuppressedErrorData	Data for onSuppressedError method of an INagLogger.
NagPackProps	Interface for creating a NagPack.
NagPackSuppression	Interface for creating a rule suppression.
NagReportLine	No description
NagReportLoggerProps	Props for the NagReportLogger.
NagReportSchema	No description
RegexAppliesTo	A regular expression to apply to matching findings.
SuppressionIgnoreInput	Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

Interfaces

Name	Description
IApplyRule	Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.
INagLogger	Interface for creating NagSuppression Ignores.
INagSuppressionIgnore	Interface for creating NagSuppression Ignores.

Enums

Name	Description
NagMessageLevel	The severity level of the rule.
NagReportFormat	Possible output formats of the NagReport.
NagRuleCompliance	The compliance level of a resource in relation to a rule.
NagRulePostValidationStates	Additional states a rule can be in post compliance validation.

class AnnotationLogger

A NagLogger that outputs to the CDK Annotations system.

Implements: INagLogger

Initializer

new AnnotationLogger(props?: AnnotationLoggerProps)

props (AnnotationLoggerProps) No description
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. Optional

Properties

Name	Type	Description
logIgnores	`boolean`
suppressionId	`string`
verbose	`boolean`

Methods

onCompliance(_data)

Called when a CfnResource passes the compliance check for a given rule.

onCompliance(_data: NagLoggerComplianceData): void

_data (NagLoggerComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onError(data)

Called when a rule throws an error during while validating a CfnResource for compliance.

onError(data: NagLoggerErrorData): void

data (NagLoggerErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description

onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

onNonCompliance(data: NagLoggerNonComplianceData): void

data (NagLoggerNonComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description

onNotApplicable(_data)

Called when a rule does not apply to the given CfnResource.

onNotApplicable(_data: NagLoggerNotApplicableData): void

_data (NagLoggerNotApplicableData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

onSuppressed(data: NagLoggerSuppressedData): void

data (NagLoggerSuppressedData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description
- suppressionReason (string) No description

onSuppressedError(data)

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

onSuppressedError(data: NagLoggerSuppressedErrorData): void

data (NagLoggerSuppressedErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description
- errorSuppressionReason (string) No description

protected createMessage(ruleId, findingId, ruleInfo, ruleExplanation, verbose)

protected createMessage(ruleId: string, findingId: string, ruleInfo: string, ruleExplanation: string, verbose: boolean): string

ruleId (string) No description
findingId (string) No description
ruleInfo (string) No description
ruleExplanation (string) No description
verbose (boolean) No description

Returns:

string

class AwsSolutionsChecks

Check Best practices based on AWS Solutions Security Matrix.

Implements: IAspect Extends: NagPack

Initializer

new AwsSolutionsChecks(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

class HIPAASecurityChecks

Check for HIPAA Security compliance.

Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

Implements: IAspect Extends: NagPack

Initializer

new HIPAASecurityChecks(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

class NIST80053R4Checks

Check for NIST 800-53 rev 4 compliance.

Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

Implements: IAspect Extends: NagPack

Initializer

new NIST80053R4Checks(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

class NIST80053R5Checks

Check for NIST 800-53 rev 5 compliance.

Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

Implements: IAspect Extends: NagPack

Initializer

new NIST80053R5Checks(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

class NagPack

Base class for all rule packs.

Implements: IAspect Implemented by: AwsSolutionsChecks, HIPAASecurityChecks, NIST80053R4Checks, NIST80053R5Checks, PCIDSS321Checks

Initializer

new NagPack(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Properties

Name	Type	Description
loggers	`Array<INagLogger>`
packName	`string`
readPackName	`string`
packGlobalSuppressionIgnore?	`INagSuppressionIgnore`	*Optional*
userGlobalSuppressionIgnore?	`INagSuppressionIgnore`	*Optional*

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

protected applyRule(params)

Create a rule to be used in the NagPack.

protected applyRule(params: IApplyRule): void

params (IApplyRule) The.

protected ignoreRule(suppressions, ruleId, findingId, resource, level, ignoreSuppressionCondition?)

Check whether a specific rule should be ignored.

protected ignoreRule(suppressions: Array<NagPackSuppression>, ruleId: string, findingId: string, resource: CfnResource, level: NagMessageLevel, ignoreSuppressionCondition?: INagSuppressionIgnore): string

suppressions (Array<NagPackSuppression>) The suppressions listed in the cdk-nag metadata.
ruleId (string) The id of the rule to ignore.
findingId (string) The id of the finding that is being checked.
resource (CfnResource) The resource being evaluated.
level (NagMessageLevel) No description
ignoreSuppressionCondition (INagSuppressionIgnore) No description

Returns:

string

class NagReportLogger

A NagLogger that creates compliance reports.

Implements: INagLogger

Initializer

new NagReportLogger(props: NagReportLoggerProps)

props (NagReportLoggerProps) No description
- formats (Array<NagReportFormat>) No description

Properties

Name	Type	Description
formats	`Array<NagReportFormat>`

Methods

getFormatStacks(format)

getFormatStacks(format: NagReportFormat): Array<string>

format (NagReportFormat) No description

Returns:

Array

onCompliance(data)

Called when a CfnResource passes the compliance check for a given rule.

onCompliance(data: NagLoggerComplianceData): void

data (NagLoggerComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onError(data)

Called when a rule throws an error during while validating a CfnResource for compliance.

onError(data: NagLoggerErrorData): void

data (NagLoggerErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description

onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

onNonCompliance(data: NagLoggerNonComplianceData): void

data (NagLoggerNonComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description

onNotApplicable(data)

Called when a rule does not apply to the given CfnResource.

onNotApplicable(data: NagLoggerNotApplicableData): void

data (NagLoggerNotApplicableData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

onSuppressed(data: NagLoggerSuppressedData): void

data (NagLoggerSuppressedData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description
- suppressionReason (string) No description

onSuppressedError(data)

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

onSuppressedError(data: NagLoggerSuppressedErrorData): void

data (NagLoggerSuppressedErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description
- errorSuppressionReason (string) No description

protected initializeStackReport(data)

Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.

protected initializeStackReport(data: NagLoggerBaseData): void

data (NagLoggerBaseData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

protected writeToStackComplianceReport(data, compliance)

protected writeToStackComplianceReport(data: NagLoggerBaseData, compliance: NagRuleCompliance &#124; NagRulePostValidationStates): void

data (NagLoggerBaseData) No description
compliance (NagRuleCompliance | NagRulePostValidationStates) No description

class NagRules

Helper class with methods for rule creation.

Initializer

new NagRules()

Methods

static resolveIfPrimitive(node, parameter)

Use in cases where a primitive value must be known to pass a rule.

https://developer.mozilla.org/en-US/docs/Glossary/Primitive

static resolveIfPrimitive(node: CfnResource, parameter: any): any

node (CfnResource) The CfnResource to check.
parameter (any) The value to attempt to resolve.

Returns:

any

static resolveResourceFromInstrinsic(node, parameter)

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

static resolveResourceFromInstrinsic(node: CfnResource, parameter: any): any

node (CfnResource) The CfnResource to check.
parameter (any) The value to attempt to resolve.

Returns:

any

class NagSuppressions

Helper class with methods to add cdk-nag suppressions to cdk resources.

Initializer

new NagSuppressions()

Methods

static addResourceSuppressions(construct, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children.

static addResourceSuppressions(construct: IConstruct &#124; Array<IConstruct>, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void

construct (IConstruct | Array<IConstruct>) The IConstruct(s) to apply the suppression to.
suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).

static addResourceSuppressionsByPath(stack, path, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children via its path.

static addResourceSuppressionsByPath(stack: Stack, path: string &#124; Array<string>, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void

stack (Stack) The Stack the construct belongs to.
path (string | Array) The path(s) to the construct in the provided stack.
suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).

static addStackSuppressions(stack, suppressions, applyToNestedStacks?)

Apply cdk-nag suppressions to a Stack and optionally nested stacks.

static addStackSuppressions(stack: Stack, suppressions: Array<NagPackSuppression>, applyToNestedStacks?: boolean): void

stack (Stack) The Stack to apply the suppression to.
suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the stack.
applyToNestedStacks (boolean) Apply the suppressions to children stacks (default:false).

class PCIDSS321Checks

Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

Implements: IAspect Extends: NagPack

Initializer

new PCIDSS321Checks(props?: NagPackProps)

props (NagPackProps) No description
- additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
- logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
- reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
- reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
- suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
- verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Methods

visit(node)

All aspects can visit an IConstruct.

visit(node: IConstruct): void

node (IConstruct) No description

class SuppressionIgnoreAlways

Always ignore the suppression.

Implements: INagSuppressionIgnore

Initializer

new SuppressionIgnoreAlways(triggerMessage: string)

triggerMessage (string) No description

Methods

createMessage(_input)

createMessage(_input: SuppressionIgnoreInput): string

_input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

class SuppressionIgnoreAnd

Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.

Implements: INagSuppressionIgnore

Initializer

new SuppressionIgnoreAnd(...SuppressionIgnoreAnds: INagSuppressionIgnore[])

SuppressionIgnoreAnds (INagSuppressionIgnore) No description

Methods

createMessage(input)

createMessage(input: SuppressionIgnoreInput): string

input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

class SuppressionIgnoreErrors

Ignore Suppressions for Rules with a NagMessageLevel.ERROR.

Implements: INagSuppressionIgnore

Initializer

new SuppressionIgnoreErrors()

Methods

createMessage(input)

createMessage(input: SuppressionIgnoreInput): string

input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

class SuppressionIgnoreNever

Don't ignore the suppression.

Implements: INagSuppressionIgnore

Initializer

new SuppressionIgnoreNever()

Methods

createMessage(_input)

createMessage(_input: SuppressionIgnoreInput): string

_input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

class SuppressionIgnoreOr

Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

Implements: INagSuppressionIgnore

Initializer

new SuppressionIgnoreOr(...orSuppressionIgnores: INagSuppressionIgnore[])

orSuppressionIgnores (INagSuppressionIgnore) No description

Methods

createMessage(input)

createMessage(input: SuppressionIgnoreInput): string

input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

struct AnnotationLoggerProps

Props for the AnnotationLogger.

Name	Type	Description
logIgnores?	`boolean`	Whether or not to log suppressed rule violations as informational messages (default: false). *Optional*
verbose?	`boolean`	Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. *Optional*

interface IApplyRule

Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.

Properties

Name	Type	Description
explanation	`string`	Why the rule exists.
info	`string`	Why the rule was triggered.
level	`NagMessageLevel`	The annotations message level to apply to the rule if triggered.
node	`CfnResource`	The CfnResource to check.
ignoreSuppressionCondition?	`INagSuppressionIgnore`	A condition in which a suppression should be ignored. *Optional*
ruleSuffixOverride?	`string`	Override for the suffix of the Rule ID for this rule. *Optional*

Methods

rule(node)

The callback to the rule.

rule(node: CfnResource): NagRuleCompliance &#124; Array<string>

node (CfnResource) The CfnResource to check.

Returns:

NagRuleCompliance | Array

interface INagLogger

Implemented by: AnnotationLogger, NagReportLogger

Interface for creating NagSuppression Ignores.

Methods

onCompliance(data)

Called when a CfnResource passes the compliance check for a given rule.

onCompliance(data: NagLoggerComplianceData): void

data (NagLoggerComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onError(data)

Called when a rule throws an error during while validating a CfnResource for compliance.

onError(data: NagLoggerErrorData): void

data (NagLoggerErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description

onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user.

onNonCompliance(data: NagLoggerNonComplianceData): void

data (NagLoggerNonComplianceData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description

onNotApplicable(data)

Called when a rule does not apply to the given CfnResource.

onNotApplicable(data: NagLoggerNotApplicableData): void

data (NagLoggerNotApplicableData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description

onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

onSuppressed(data: NagLoggerSuppressedData): void

data (NagLoggerSuppressedData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- findingId (string) No description
- suppressionReason (string) No description

onSuppressedError(data)

Called when a rule throws an error during while validating a CfnResource for compliance and the error is suppressed.

onSuppressedError(data: NagLoggerSuppressedErrorData): void

data (NagLoggerSuppressedErrorData) No description
- nagPackName (string) No description
- resource (CfnResource) No description
- ruleExplanation (string) No description
- ruleId (string) No description
- ruleInfo (string) No description
- ruleLevel (NagMessageLevel) No description
- errorMessage (string) No description
- errorSuppressionReason (string) No description

interface INagSuppressionIgnore

Implemented by: SuppressionIgnoreAlways, SuppressionIgnoreAnd, SuppressionIgnoreErrors, SuppressionIgnoreNever, SuppressionIgnoreOr

Interface for creating NagSuppression Ignores.

Methods

createMessage(input)

createMessage(input: SuppressionIgnoreInput): string

input (SuppressionIgnoreInput) No description
- findingId (string) No description
- reason (string) No description
- resource (CfnResource) No description
- ruleId (string) No description
- ruleLevel (NagMessageLevel) No description

Returns:

string

struct NagLoggerBaseData

Shared data for all INagLogger methods.

Name	Type	Description
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagLoggerComplianceData

Data for onCompliance method of an INagLogger.

Name	Type	Description
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagLoggerErrorData

Data for onError method of an INagLogger.

Name	Type	Description
errorMessage	`string`
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagLoggerNonComplianceData

Data for onNonCompliance method of an INagLogger.

Name	Type	Description
findingId	`string`
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagLoggerNotApplicableData

Data for onNotApplicable method of an INagLogger.

Name	Type	Description
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagLoggerSuppressedData

Data for onSuppressed method of an INagLogger.

Name	Type	Description
findingId	`string`
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`
suppressionReason	`string`

struct NagLoggerSuppressedErrorData

Data for onSuppressedError method of an INagLogger.

Name	Type	Description
errorMessage	`string`
errorSuppressionReason	`string`
nagPackName	`string`
resource	`CfnResource`
ruleExplanation	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`NagMessageLevel`

struct NagPackProps

Interface for creating a NagPack.

Name	Type	Description
additionalLoggers?	`Array<INagLogger>`	Additional NagLoggers for logging rule validation outputs. *Optional*
logIgnores?	`boolean`	Whether or not to log suppressed rule violations as informational messages (default: false). *Optional*
reportFormats?	`Array<NagReportFormat>`	If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). *Optional*
reports?	`boolean`	Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). *Optional*
suppressionIgnoreCondition?	`INagSuppressionIgnore`	Conditionally prevent rules from being suppressed (default: no user provided condition). *Optional*
verbose?	`boolean`	Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). *Optional*

struct NagPackSuppression

Interface for creating a rule suppression.

Name	Type	Description
id	`string`	The id of the rule to ignore.
reason	`string`	The reason to ignore the rule (minimum 10 characters).
appliesTo?	`Array<string \| RegexAppliesTo>`	Rule specific granular suppressions. *Optional*

struct NagReportLine

Name	Type	Description
compliance	`string`
exceptionReason	`string`
resourceId	`string`
ruleId	`string`
ruleInfo	`string`
ruleLevel	`string`

struct NagReportLoggerProps

Props for the NagReportLogger.

Name	Type	Description
formats	`Array<NagReportFormat>`

struct NagReportSchema

Name	Type	Description
lines	`Array<NagReportLine>`

struct RegexAppliesTo

A regular expression to apply to matching findings.

Name	Type	Description
regex	`string`	An ECMA-262 regex string.

struct SuppressionIgnoreInput

Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

Name	Type	Description
findingId	`string`
reason	`string`
resource	`CfnResource`
ruleId	`string`
ruleLevel	`NagMessageLevel`

enum NagMessageLevel

The severity level of the rule.

Name	Description
WARN
ERROR

enum NagReportFormat

Possible output formats of the NagReport.

Name	Description
CSV
JSON

enum NagRuleCompliance

The compliance level of a resource in relation to a rule.

Name	Description
COMPLIANT
NON_COMPLIANT
NOT_APPLICABLE

enum NagRulePostValidationStates

Additional states a rule can be in post compliance validation.

Name	Description
SUPPRESSED
UNKNOWN

Files

API.md

Latest commit

History

API.md

File metadata and controls

API Reference

class AnnotationLogger

Initializer

Properties

Methods

onCompliance(_data)

onError(data)

onNonCompliance(data)

onNotApplicable(_data)

onSuppressed(data)

onSuppressedError(data)

protected createMessage(ruleId, findingId, ruleInfo, ruleExplanation, verbose)

class AwsSolutionsChecks

Initializer

Methods

visit(node)

class HIPAASecurityChecks

Initializer

Methods

visit(node)

class NIST80053R4Checks

Initializer

Methods

visit(node)

class NIST80053R5Checks

Initializer

Methods

visit(node)

class NagPack

Initializer

Properties

Methods

visit(node)

protected applyRule(params)

protected ignoreRule(suppressions, ruleId, findingId, resource, level, ignoreSuppressionCondition?)

class NagReportLogger

Initializer

Properties

Methods

getFormatStacks(format)

onCompliance(data)

onError(data)

onNonCompliance(data)

onNotApplicable(data)

onSuppressed(data)

onSuppressedError(data)

protected initializeStackReport(data)

protected writeToStackComplianceReport(data, compliance)

class NagRules

Initializer

Methods

static resolveIfPrimitive(node, parameter)

static resolveResourceFromInstrinsic(node, parameter)

class NagSuppressions

Initializer

Methods

static addResourceSuppressions(construct, suppressions, applyToChildren?)

static addResourceSuppressionsByPath(stack, path, suppressions, applyToChildren?)

static addStackSuppressions(stack, suppressions, applyToNestedStacks?)

class PCIDSS321Checks

Initializer

Methods

visit(node)

class SuppressionIgnoreAlways

Initializer

Methods

createMessage(_input)

class SuppressionIgnoreAnd

Initializer

Methods

createMessage(input)

class SuppressionIgnoreErrors

Initializer

Methods