This is a TypeScript implementation of the AWS Foundational Security Best Practices standard for use with AWS CDK. It is packaged as a CDK Aspect, so it visits every construct in the scope it is attached to and reports findings for resources that violate a control.
```typescript
// `app` is the cdk.App (or any construct scope) whose resources should be checked
Aspects.of(app).add(new AWSFoundationalSecurityBestPracticesChecker());
```
Each of the following checks has an associated config option that can be passed to the constructor. All checks are enabled by default; a check is only skipped if you explicitly opt out of it through its option.
- API Gateway
  - [APIGateway.1] API Gateway REST and WebSocket API logging should be enabled.
  - [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication.
  - [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled.
  - [APIGateway.5] API Gateway REST API cache data should be encrypted at rest.
- Auto Scaling
  - [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks.
- DynamoDB
  - [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand.
  - [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled.
- IAM
- Lambda
  - [Lambda.2] Lambda functions should use supported runtimes.
- RDS
  - [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration.
  - [RDS.3] RDS DB instances should have encryption at rest enabled.
  - [RDS.5] RDS DB instances should be configured with multiple Availability Zones.
  - [RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters.
  - [RDS.8] RDS DB instances should have deletion protection enabled.
  - [RDS.9] Database logging should be enabled.
  - [RDS.10] IAM authentication should be configured for RDS instances.
  - [RDS.12] IAM authentication should be configured for RDS clusters.
  - [RDS.13] RDS automatic minor version upgrades should be enabled.
  - [RDS.16] RDS DB clusters should be configured to copy tags to snapshots.
  - [RDS.17] RDS DB instances should be configured to copy tags to snapshots.
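To make concrete what a number of the controls above actually inspect, and how a per-check opt-out fits in, here is an added example that is not this project's code: it evaluates a subset of the listed controls against a synthesized CloudFormation template (the JSON that `cdk synth` emits), which is the same data a CDK Aspect sees through the L1 `Cfn*` constructs. Property names are CloudFormation's; the `Finding` shape, the `disabled` opt-out parameter, the `DEPRECATED_LAMBDA_RUNTIMES` deny-list and the `SAMPLE` template are assumptions constructed for this example.

```typescript
// Added example, not the project's implementation: pure-function checks for some
// of the AWS FSBP controls listed above, run over a synthesized CloudFormation
// template. Property names are CloudFormation's; everything else is assumed.

type Props = Record<string, unknown>;
interface CfnResource { Type: string; Properties?: Props }
interface Template { Resources: Record<string, CfnResource> }
interface Finding { control: string; resource: string; message: string }
type Check = (id: string, p: Props) => Finding | undefined;

// Assumption: a small deny-list stands in for "unsupported runtime" (Lambda.2).
const DEPRECATED_LAMBDA_RUNTIMES = new Set(['python2.7', 'nodejs10.x', 'nodejs12.x', 'dotnetcore3.1', 'ruby2.5']);

const fail = (control: string, id: string, message: string): Finding => ({ control, resource: id, message });
const isTrue = (v: unknown): boolean => v === true;

// Checks grouped by CloudFormation resource type. A check returns a finding when
// the property is absent (CloudFormation default) or set to the non-compliant value.
const CHECKS: Record<string, Check[]> = {
  'AWS::RDS::DBInstance': [
    (id, p) => (isTrue(p.PubliclyAccessible) ? fail('RDS.2', id, 'PubliclyAccessible must be false') : undefined),
    (id, p) => (isTrue(p.StorageEncrypted) ? undefined : fail('RDS.3', id, 'StorageEncrypted must be true')),
    (id, p) => (isTrue(p.MultiAZ) ? undefined : fail('RDS.5', id, 'MultiAZ must be true')),
    (id, p) => (typeof p.MonitoringInterval === 'number' && p.MonitoringInterval > 0
      ? undefined : fail('RDS.6', id, 'MonitoringInterval must be > 0 for enhanced monitoring')),
    (id, p) => (isTrue(p.DeletionProtection) ? undefined : fail('RDS.8', id, 'DeletionProtection must be true')),
    (id, p) => (Array.isArray(p.EnableCloudwatchLogsExports) && p.EnableCloudwatchLogsExports.length > 0
      ? undefined : fail('RDS.9', id, 'EnableCloudwatchLogsExports must list at least one log type')),
    (id, p) => (isTrue(p.EnableIAMDatabaseAuthentication) ? undefined : fail('RDS.10', id, 'EnableIAMDatabaseAuthentication must be true')),
    // CloudFormation defaults AutoMinorVersionUpgrade to true, so only an explicit false fails.
    (id, p) => (p.AutoMinorVersionUpgrade === false ? fail('RDS.13', id, 'AutoMinorVersionUpgrade must not be false') : undefined),
    (id, p) => (isTrue(p.CopyTagsToSnapshot) ? undefined : fail('RDS.17', id, 'CopyTagsToSnapshot must be true')),
  ],
  'AWS::DynamoDB::Table': [
    (id, p) => (isTrue((p.PointInTimeRecoverySpecification as Props | undefined)?.PointInTimeRecoveryEnabled)
      ? undefined : fail('DynamoDB.2', id, 'PointInTimeRecoveryEnabled must be true')),
  ],
  'AWS::AutoScaling::AutoScalingGroup': [
    // AutoScaling.1 only applies when the group is attached to a load balancer (classic or target group).
    (id, p) => {
      const attached = [
        ...((p.LoadBalancerNames as unknown[] | undefined) ?? []),
        ...((p.TargetGroupARNs as unknown[] | undefined) ?? []),
      ];
      return attached.length > 0 && p.HealthCheckType !== 'ELB'
        ? fail('AutoScaling.1', id, 'HealthCheckType must be ELB when attached to a load balancer') : undefined;
    },
  ],
  'AWS::ApiGateway::Stage': [
    (id, p) => (typeof p.ClientCertificateId === 'string' ? undefined : fail('APIGateway.2', id, 'ClientCertificateId must be set')),
    (id, p) => (isTrue(p.TracingEnabled) ? undefined : fail('APIGateway.3', id, 'TracingEnabled must be true')),
    // APIGateway.5 only matters where a method setting actually turns caching on.
    (id, p) => {
      const settings = (p.MethodSettings as Props[] | undefined) ?? [];
      const unencrypted = settings.some((m) => isTrue(m.CachingEnabled) && !isTrue(m.CacheDataEncrypted));
      return unencrypted ? fail('APIGateway.5', id, 'CacheDataEncrypted must be true where CachingEnabled is true') : undefined;
    },
  ],
  'AWS::Lambda::Function': [
    (id, p) => (typeof p.Runtime === 'string' && DEPRECATED_LAMBDA_RUNTIMES.has(p.Runtime)
      ? fail('Lambda.2', id, `runtime ${p.Runtime} is deprecated`) : undefined),
  ],
};

// `disabled` mirrors the per-check opt-out described above (assumed shape: control IDs to skip).
export function evaluate(template: Template, disabled: Iterable<string> = []): Finding[] {
  const off = new Set(disabled);
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    for (const check of CHECKS[res.Type] ?? []) {
      const f = check(id, res.Properties ?? {});
      if (f && !off.has(f.control)) findings.push(f);
    }
  }
  return findings;
}

// Constructed sample template (not a real stack) with three deliberate gaps:
// a public RDS instance, an ASG using EC2 health checks behind a target group,
// and a stage caching unencrypted data.
export const SAMPLE: Template = {
  Resources: {
    Db: { Type: 'AWS::RDS::DBInstance', Properties: { PubliclyAccessible: true, StorageEncrypted: true, MultiAZ: true,
      MonitoringInterval: 60, DeletionProtection: true, EnableCloudwatchLogsExports: ['error'],
      EnableIAMDatabaseAuthentication: true, CopyTagsToSnapshot: true } },
    Table: { Type: 'AWS::DynamoDB::Table', Properties: { PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true } } },
    Asg: { Type: 'AWS::AutoScaling::AutoScalingGroup', Properties: { TargetGroupARNs: ['arn:aws:elasticloadbalancing:example'], HealthCheckType: 'EC2' } },
    Stage: { Type: 'AWS::ApiGateway::Stage', Properties: { TracingEnabled: true, ClientCertificateId: 'abc123',
      MethodSettings: [{ CachingEnabled: true, CacheDataEncrypted: false }] } },
    Fn: { Type: 'AWS::Lambda::Function', Properties: { Runtime: 'python3.11' } },
  },
};

// Sorted control IDs that fire on SAMPLE, optionally with some controls opted out.
export function sampleControls(disabled: string[] = []): string[] {
  return evaluate(SAMPLE, disabled).map((f) => f.control).sort();
}
```

Two design points carry over to the Aspect form: checks that depend on a default (AutoMinorVersionUpgrade) must distinguish "absent" from "explicitly false", and conditional controls (AutoScaling.1, APIGateway.5) should only fire when the triggering property is present, otherwise every unattached group or cache-less stage becomes noise that users will opt out of wholesale.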