Classes
Name | Description |
---|---|
AnnotationLogger | A NagLogger that outputs to the CDK Annotations system. |
AwsSolutionsChecks | Check Best practices based on AWS Solutions Security Matrix. |
HIPAASecurityChecks | Check for HIPAA Security compliance. |
NIST80053R4Checks | Check for NIST 800-53 rev 4 compliance. |
NIST80053R5Checks | Check for NIST 800-53 rev 5 compliance. |
NagPack | Base class for all rule packs. |
NagReportLogger | A NagLogger that creates compliance reports. |
NagRules | Helper class with methods for rule creation. |
NagSuppressions | Helper class with methods to add cdk-nag suppressions to cdk resources. |
PCIDSS321Checks | Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html. |
SuppressionIgnoreAlways | Always ignore the suppression. |
SuppressionIgnoreAnd | Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message. |
SuppressionIgnoreErrors | Ignore Suppressions for Rules with a NagMessageLevel.ERROR. |
SuppressionIgnoreNever | Don't ignore the suppression. |
SuppressionIgnoreOr | Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message. |
Structs
Name | Description |
---|---|
AnnotationLoggerProps | Props for the AnnotationLogger. |
NagLoggerBaseData | Shared data for all INagLogger methods. |
NagLoggerComplianceData | Data for onCompliance method of an INagLogger. |
NagLoggerErrorData | Data for onError method of an INagLogger. |
NagLoggerNonComplianceData | Data for onNonCompliance method of an INagLogger. |
NagLoggerNotApplicableData | Data for onNotApplicable method of an INagLogger. |
NagLoggerSuppressedData | Data for onSuppressed method of an INagLogger. |
NagLoggerSuppressedErrorData | Data for onSuppressedError method of an INagLogger. |
NagPackProps | Interface for creating a NagPack. |
NagPackSuppression | Interface for creating a rule suppression. |
NagReportLine | No description |
NagReportLoggerProps | Props for the NagReportLogger. |
NagReportSchema | No description |
RegexAppliesTo | A regular expression to apply to matching findings. |
SuppressionIgnoreInput | Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore. |
Interfaces
Name | Description |
---|---|
IApplyRule | Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method. |
INagLogger | Interface for creating NagSuppression Ignores. |
INagSuppressionIgnore | Interface for creating NagSuppression Ignores. |
Enums
Name | Description |
---|---|
NagMessageLevel | The severity level of the rule. |
NagReportFormat | Possible output formats of the NagReport. |
NagRuleCompliance | The compliance level of a resource in relation to a rule. |
NagRulePostValidationStates | Additional states a rule can be in post compliance validation. |
A NagLogger that outputs to the CDK Annotations system.
Implements: INagLogger
new AnnotationLogger(props?: AnnotationLoggerProps)
- props (AnnotationLoggerProps) No description
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. Optional

Name | Type | Description |
---|---|---|
logIgnores | boolean | |
suppressionId | string | |
verbose | boolean | |
Called when a CfnResource passes the compliance check for a given rule.
onCompliance(_data: NagLoggerComplianceData): void
- _data (NagLoggerComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a rule throws an error while validating a CfnResource for compliance.
onError(data: NagLoggerErrorData): void
- data (NagLoggerErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
onNonCompliance(data: NagLoggerNonComplianceData): void
- data (NagLoggerNonComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
Called when a rule does not apply to the given CfnResource.
onNotApplicable(_data: NagLoggerNotApplicableData): void
- _data (NagLoggerNotApplicableData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressed(data: NagLoggerSuppressedData): void
- data (NagLoggerSuppressedData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
  - suppressionReason (string) No description
Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
onSuppressedError(data: NagLoggerSuppressedErrorData): void
- data (NagLoggerSuppressedErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
  - errorSuppressionReason (string) No description
protected createMessage(ruleId: string, findingId: string, ruleInfo: string, ruleExplanation: string, verbose: boolean): string
- ruleId (string) No description
- findingId (string) No description
- ruleInfo (string) No description
- ruleExplanation (string) No description
- verbose (boolean) No description
Returns:
string
Check Best practices based on AWS Solutions Security Matrix.
Implements: IAspect Extends: NagPack
new AwsSolutionsChecks(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Check for HIPAA Security compliance.
Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
Implements: IAspect Extends: NagPack
new HIPAASecurityChecks(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Check for NIST 800-53 rev 4 compliance.
Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html
Implements: IAspect Extends: NagPack
new NIST80053R4Checks(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Check for NIST 800-53 rev 5 compliance.
Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html
Implements: IAspect Extends: NagPack
new NIST80053R5Checks(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Base class for all rule packs.
Implements: IAspect Implemented by: AwsSolutionsChecks, HIPAASecurityChecks, NIST80053R4Checks, NIST80053R5Checks, PCIDSS321Checks
new NagPack(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

Name | Type | Description |
---|---|---|
loggers | Array<INagLogger> | |
packName | string | |
readPackName | string | |
packGlobalSuppressionIgnore? | INagSuppressionIgnore | Optional |
userGlobalSuppressionIgnore? | INagSuppressionIgnore | Optional |

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Create a rule to be used in the NagPack.
protected applyRule(params: IApplyRule): void
- params (IApplyRule) The.

Check whether a specific rule should be ignored.
protected ignoreRule(suppressions: Array<NagPackSuppression>, ruleId: string, findingId: string, resource: CfnResource, level: NagMessageLevel, ignoreSuppressionCondition?: INagSuppressionIgnore): string
- suppressions (Array<NagPackSuppression>) The suppressions listed in the cdk-nag metadata.
- ruleId (string) The id of the rule to ignore.
- findingId (string) The id of the finding that is being checked.
- resource (CfnResource) The resource being evaluated.
- level (NagMessageLevel) No description
- ignoreSuppressionCondition (INagSuppressionIgnore) No description
Returns:
string
A NagLogger that creates compliance reports.
Implements: INagLogger
new NagReportLogger(props: NagReportLoggerProps)
- props (NagReportLoggerProps) No description
  - formats (Array<NagReportFormat>) No description

Name | Type | Description |
---|---|---|
formats | Array<NagReportFormat> | |

getFormatStacks(format: NagReportFormat): Array<string>
- format (NagReportFormat) No description
Returns:
Array<string>
Called when a CfnResource passes the compliance check for a given rule.
onCompliance(data: NagLoggerComplianceData): void
- data (NagLoggerComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a rule throws an error while validating a CfnResource for compliance.
onError(data: NagLoggerErrorData): void
- data (NagLoggerErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
onNonCompliance(data: NagLoggerNonComplianceData): void
- data (NagLoggerNonComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
Called when a rule does not apply to the given CfnResource.
onNotApplicable(data: NagLoggerNotApplicableData): void
- data (NagLoggerNotApplicableData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressed(data: NagLoggerSuppressedData): void
- data (NagLoggerSuppressedData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
  - suppressionReason (string) No description
Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
onSuppressedError(data: NagLoggerSuppressedErrorData): void
- data (NagLoggerSuppressedErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
  - errorSuppressionReason (string) No description
Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.
protected initializeStackReport(data: NagLoggerBaseData): void
- data (NagLoggerBaseData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description

protected writeToStackComplianceReport(data: NagLoggerBaseData, compliance: NagRuleCompliance | NagRulePostValidationStates): void
- data (NagLoggerBaseData) No description
- compliance (NagRuleCompliance | NagRulePostValidationStates) No description
Helper class with methods for rule creation.
new NagRules()
Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive
static resolveIfPrimitive(node: CfnResource, parameter: any): any
- node (CfnResource) The CfnResource to check.
- parameter (any) The value to attempt to resolve.
Returns:
any
Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
static resolveResourceFromInstrinsic(node: CfnResource, parameter: any): any
- node (CfnResource) The CfnResource to check.
- parameter (any) The value to attempt to resolve.
Returns:
any
Helper class with methods to add cdk-nag suppressions to cdk resources.
new NagSuppressions()
Add cdk-nag suppressions to a CfnResource and optionally its children.
static addResourceSuppressions(construct: IConstruct | Array<IConstruct>, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
- construct (IConstruct | Array<IConstruct>) The IConstruct(s) to apply the suppression to.
- suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
- applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).
Add cdk-nag suppressions to a CfnResource and optionally its children via its path.
static addResourceSuppressionsByPath(stack: Stack, path: string | Array<string>, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
- stack (Stack) The Stack the construct belongs to.
- path (string | Array<string>) The path(s) to the construct in the provided stack.
- suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the resource.
- applyToChildren (boolean) Apply the suppressions to children CfnResources (default:false).
Apply cdk-nag suppressions to a Stack and optionally nested stacks.
static addStackSuppressions(stack: Stack, suppressions: Array<NagPackSuppression>, applyToNestedStacks?: boolean): void
- stack (Stack) The Stack to apply the suppression to.
- suppressions (Array<NagPackSuppression>) A list of suppressions to apply to the stack.
- applyToNestedStacks (boolean) Apply the suppressions to children stacks (default:false).
Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
Implements: IAspect Extends: NagPack
new PCIDSS321Checks(props?: NagPackProps)
- props (NagPackProps) No description
  - additionalLoggers (Array<INagLogger>) Additional NagLoggers for logging rule validation outputs. Optional
  - logIgnores (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). Optional
  - reportFormats (Array<NagReportFormat>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional
  - reports (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional
  - suppressionIgnoreCondition (INagSuppressionIgnore) Conditionally prevent rules from being suppressed (default: no user provided condition). Optional
  - verbose (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional

All aspects can visit an IConstruct.
visit(node: IConstruct): void
- node (IConstruct) No description
Always ignore the suppression.
Implements: INagSuppressionIgnore
new SuppressionIgnoreAlways(triggerMessage: string)
- triggerMessage (string) No description

createMessage(_input: SuppressionIgnoreInput): string
- _input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
Implements: INagSuppressionIgnore
new SuppressionIgnoreAnd(...SuppressionIgnoreAnds: INagSuppressionIgnore[])
- SuppressionIgnoreAnds (INagSuppressionIgnore) No description

createMessage(input: SuppressionIgnoreInput): string
- input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Ignore Suppressions for Rules with a NagMessageLevel.ERROR.
Implements: INagSuppressionIgnore
new SuppressionIgnoreErrors()
createMessage(input: SuppressionIgnoreInput): string
- input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Don't ignore the suppression.
Implements: INagSuppressionIgnore
new SuppressionIgnoreNever()
createMessage(_input: SuppressionIgnoreInput): string
- _input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.
Implements: INagSuppressionIgnore
new SuppressionIgnoreOr(...orSuppressionIgnores: INagSuppressionIgnore[])
- orSuppressionIgnores (INagSuppressionIgnore) No description

createMessage(input: SuppressionIgnoreInput): string
- input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Props for the AnnotationLogger.
Name | Type | Description |
---|---|---|
logIgnores? | boolean | Whether or not to log suppressed rule violations as informational messages (default: false). Optional |
verbose? | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. Optional |
Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.
Name | Type | Description |
---|---|---|
explanation | string | Why the rule exists. |
info | string | Why the rule was triggered. |
level | NagMessageLevel | The annotations message level to apply to the rule if triggered. |
node | CfnResource | The CfnResource to check. |
ignoreSuppressionCondition? | INagSuppressionIgnore | A condition in which a suppression should be ignored. Optional |
ruleSuffixOverride? | string | Override for the suffix of the Rule ID for this rule. Optional |
The callback to the rule.
rule(node: CfnResource): NagRuleCompliance | Array<string>
- node (CfnResource) The CfnResource to check.
Returns:
NagRuleCompliance | Array<string>
Implemented by: AnnotationLogger, NagReportLogger
Interface for creating NagSuppression Ignores.
Called when a CfnResource passes the compliance check for a given rule.
onCompliance(data: NagLoggerComplianceData): void
- data (NagLoggerComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a rule throws an error while validating a CfnResource for compliance.
onError(data: NagLoggerErrorData): void
- data (NagLoggerErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
onNonCompliance(data: NagLoggerNonComplianceData): void
- data (NagLoggerNonComplianceData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
Called when a rule does not apply to the given CfnResource.
onNotApplicable(data: NagLoggerNotApplicableData): void
- data (NagLoggerNotApplicableData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
onSuppressed(data: NagLoggerSuppressedData): void
- data (NagLoggerSuppressedData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - findingId (string) No description
  - suppressionReason (string) No description
Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
onSuppressedError(data: NagLoggerSuppressedErrorData): void
- data (NagLoggerSuppressedErrorData) No description
  - nagPackName (string) No description
  - resource (CfnResource) No description
  - ruleExplanation (string) No description
  - ruleId (string) No description
  - ruleInfo (string) No description
  - ruleLevel (NagMessageLevel) No description
  - errorMessage (string) No description
  - errorSuppressionReason (string) No description
Implemented by: SuppressionIgnoreAlways, SuppressionIgnoreAnd, SuppressionIgnoreErrors, SuppressionIgnoreNever, SuppressionIgnoreOr
Interface for creating NagSuppression Ignores.
createMessage(input: SuppressionIgnoreInput): string
- input (SuppressionIgnoreInput) No description
  - findingId (string) No description
  - reason (string) No description
  - resource (CfnResource) No description
  - ruleId (string) No description
  - ruleLevel (NagMessageLevel) No description
Returns:
string
Shared data for all INagLogger methods.
Name | Type | Description |
---|---|---|
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |

Data for onCompliance method of an INagLogger.
Name | Type | Description |
---|---|---|
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |

Data for onError method of an INagLogger.
Name | Type | Description |
---|---|---|
errorMessage | string | |
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |

Data for onNonCompliance method of an INagLogger.
Name | Type | Description |
---|---|---|
findingId | string | |
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |

Data for onNotApplicable method of an INagLogger.
Name | Type | Description |
---|---|---|
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |

Data for onSuppressed method of an INagLogger.
Name | Type | Description |
---|---|---|
findingId | string | |
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |
suppressionReason | string | |

Data for onSuppressedError method of an INagLogger.
Name | Type | Description |
---|---|---|
errorMessage | string | |
errorSuppressionReason | string | |
nagPackName | string | |
resource | CfnResource | |
ruleExplanation | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | NagMessageLevel | |
Interface for creating a NagPack.
Name | Type | Description |
---|---|---|
additionalLoggers? | Array<INagLogger> | Additional NagLoggers for logging rule validation outputs. Optional |
logIgnores? | boolean | Whether or not to log suppressed rule violations as informational messages (default: false). Optional |
reportFormats? | Array<NagReportFormat> | If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). Optional |
reports? | boolean | Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). Optional |
suppressionIgnoreCondition? | INagSuppressionIgnore | Conditionally prevent rules from being suppressed (default: no user provided condition). Optional |
verbose? | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). Optional |

Interface for creating a rule suppression.
Name | Type | Description |
---|---|---|
id | string | The id of the rule to ignore. |
reason | string | The reason to ignore the rule (minimum 10 characters). |
appliesTo? | Array<string | RegexAppliesTo> | Rule specific granular suppressions. Optional |

Name | Type | Description |
---|---|---|
compliance | string | |
exceptionReason | string | |
resourceId | string | |
ruleId | string | |
ruleInfo | string | |
ruleLevel | string | |
Props for the NagReportLogger.
Name | Type | Description |
---|---|---|
formats | Array<NagReportFormat> |
Name | Type | Description |
---|---|---|
lines | Array<NagReportLine> |
A regular expression to apply to matching findings.
Name | Type | Description |
---|---|---|
regex | string | An ECMA-262 regex string. |

Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.
Name | Type | Description |
---|---|---|
findingId | string | |
reason | string | |
resource | CfnResource | |
ruleId | string | |
ruleLevel | NagMessageLevel | |
The severity level of the rule.
Name | Description |
---|---|
WARN | |
ERROR | |

Possible output formats of the NagReport.
Name | Description |
---|---|
CSV | |
JSON | |

The compliance level of a resource in relation to a rule.
Name | Description |
---|---|
COMPLIANT | |
NON_COMPLIANT | |
NOT_APPLICABLE | |

Additional states a rule can be in post compliance validation.
Name | Description |
---|---|
SUPPRESSED | |
UNKNOWN | |