What is the problem?
Some internal CDK Features use CfnResource instead of the normal L1 Constructs.
(see https://github.com/aws/aws-cdk/blob/4ff3565a9d7b0298bf884822fecabdd3cff643aa/packages/aws-cdk-lib/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L26 as an example).
This causes some type checks in CDK Nag to fail, and resources go unchecked.
Reproduction Steps
What did you expect to happen?
The resultant CFN Output had two AWS Lambda Functions, neither of which is in a VPC, has a DLQ, etc. I expected those to both be flagged for the Lambda CDK Nag Checks.
What actually happened?
[Error at /TestStack/L2Lambda/ServiceRole/Resource] AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]: The IAM user, role, or group uses AWS managed policies.
[Error at /TestStack/L2Lambda/Resource] AwsSolutions-L1: The non-container Lambda function is not configured to use the latest runtime version.
[Error at /TestStack/L2Lambda/Resource] NIST.800.53.R5-LambdaConcurrency: The Lambda function is not configured with function-level concurrent execution limits - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-6).
[Error at /TestStack/L2Lambda/Resource] NIST.800.53.R5-LambdaDLQ: The Lambda function is not configured with a dead-letter configuration - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, PM-14a.1, PM-14b, PM-31, SC-36(1)(a), SI-2a).
[Error at /TestStack/L2Lambda/Resource] NIST.800.53.R5-LambdaInsideVPC: The Lambda function is not VPC enabled - (Control IDs: AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-25).
[Error at /TestStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/Resource] AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]: The IAM user, role, or group uses AWS managed policies.
[Error at /TestStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.
[Error at /TestStack/BucketNotificationsHandler050a0587b7544547bf325f094a3db834/Role/DefaultPolicy/Resource] NIST.800.53.R5-IAMNoInlinePolicy: The IAM Group, User, or Role contains an inline policy - (Control IDs: AC-2i.2, AC-2(1), AC-2(6), AC-3, AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(7), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-6, AC-6(3), AC-24, CM-5(1)(a), CM-6a, CM-9b, MP-2, SC-23(3)).
cdk-nag version
2.27.51
Language
Python
Other information
This appears to be caused just by the type check being done on the L1 construct (for Lambda:
cdk-nag/src/rules/lambda/LambdaInsideVPC.ts
Line 16 in 75acc38
We had a separate aspect (Python3) created, and were able to use
node.cfn_resource_type == "AWS::Lambda::Function"
as our type check.
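The report above shows why selecting resources by construct class is fragile: a function that CDK emits as a bare CfnResource is still an AWS::Lambda::Function in the synthesized template, so a check keyed on the CloudFormation resource type (as the reporter's aspect does with node.cfn_resource_type) catches it, while an instanceof check on the L1 class does not. The following is an added example, not the reporter's aspect and not cdk-nag's code: it applies the three Lambda checks the report lists (VPC, DLQ, reserved concurrency) to a synthesized template dict, selecting resources purely by their Type field. The sample template is constructed to mirror the two functions in the report plus one compliant function; its logical IDs and property values are illustrative, and the rule ID strings are borrowed from the report only as labels.

```python
"""Template-level Lambda checks keyed on the CloudFormation resource type.

Added example; not part of cdk-nag. Works on a synthesized template, so it
is unaffected by whether CDK modelled a function as lambda.CfnFunction or
as a raw CfnResource.
"""
import json
from typing import Any

LAMBDA_TYPE = "AWS::Lambda::Function"


def _has_value(node: Any) -> bool:
    """True if a template property carries a usable value.

    Accepts literals and intrinsic functions (e.g. {"Ref": ...}); an empty
    string, list or dict counts as unset. Note that 0 is a legitimate value
    for ReservedConcurrentExecutions and is treated as set.
    """
    if node is None:
        return False
    if isinstance(node, str):
        return node.strip() != ""
    if isinstance(node, (list, dict)):
        return len(node) > 0
    return True


def check_lambda_function(logical_id: str, resource: dict) -> list[str]:
    """Return the rule IDs violated by one AWS::Lambda::Function resource."""
    props = resource.get("Properties") or {}
    findings: list[str] = []
    vpc = props.get("VpcConfig") or {}
    if not _has_value(vpc.get("SubnetIds")):
        findings.append("NIST.800.53.R5-LambdaInsideVPC")
    dlq = props.get("DeadLetterConfig") or {}
    if not _has_value(dlq.get("TargetArn")):
        findings.append("NIST.800.53.R5-LambdaDLQ")
    if not _has_value(props.get("ReservedConcurrentExecutions")):
        findings.append("NIST.800.53.R5-LambdaConcurrency")
    return findings


def scan_template(template: dict) -> dict[str, list[str]]:
    """Map logical ID -> violated rules, selecting by Type, never by CDK class."""
    results: dict[str, list[str]] = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != LAMBDA_TYPE:
            continue
        findings = check_lambda_function(logical_id, resource)
        if findings:
            results[logical_id] = findings
    return results


def format_report(results: dict[str, list[str]]) -> list[str]:
    """Render findings in the same '[Error at ...] RULE' shape cdk-nag prints."""
    return [f"[Error at {lid}] {rule}" for lid, rules in results.items() for rule in rules]


# Constructed sample shaped like the issue's synth output: an L2 lambda.Function,
# the BucketNotificationsHandler that CDK emits as a raw CfnResource, and one
# function with all three settings present. Logical IDs are simplified.
_BASE_PROPS = {
    "Code": {"ZipFile": "def handler(event, context): return 'ok'"},
    "Handler": "index.handler",
    "Runtime": "python3.9",
}
SAMPLE_TEMPLATE = {
    "Resources": {
        "L2Lambda": {
            "Type": LAMBDA_TYPE,
            "Properties": {**_BASE_PROPS, "Role": {"Fn::GetAtt": ["L2LambdaServiceRole", "Arn"]}},
        },
        "BucketNotificationsHandler": {
            "Type": LAMBDA_TYPE,
            "Properties": {**_BASE_PROPS, "Role": {"Fn::GetAtt": ["NotificationsRole", "Arn"]}},
        },
        "HardenedFn": {
            "Type": LAMBDA_TYPE,
            "Properties": {
                **_BASE_PROPS,
                "Role": {"Fn::GetAtt": ["HardenedFnRole", "Arn"]},
                "VpcConfig": {"SubnetIds": [{"Ref": "PrivateSubnetA"}], "SecurityGroupIds": [{"Ref": "FnSg"}]},
                "DeadLetterConfig": {"TargetArn": {"Fn::GetAtt": ["FnDlq", "Arn"]}},
                "ReservedConcurrentExecutions": 5,
            },
        },
        "L2LambdaServiceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
}

if __name__ == "__main__":
    # To run against a real synth, load cdk.out/<StackName>.template.json instead.
    print("\n".join(format_report(scan_template(SAMPLE_TEMPLATE))))
    print(json.dumps(scan_template(SAMPLE_TEMPLATE), indent=2))
```

Because the scan reads the template rather than the construct tree, it reports both L2Lambda and BucketNotificationsHandler, which is the behaviour the reporter expected from the aspect. Inside a CDK app the same selection criterion is available on the construct as node.cfn_resource_type, which is what the reporter's Python aspect uses; a post-synth scan like this one is a useful second gate in CI for anything an aspect's type check might skip.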