CtrlK
BlogDocsLog inGet started
Tessl Logo

pantheon-ai/cdk-nag

Enforce AWS CDK security and compliance controls with cdk-nag. Use when adding rule packs, triaging findings, writing justified suppressions, integrating checks in CI/CD, or preventing insecure infrastructure patterns in CDK stacks.

Overall
score

100%

Review100%

Does it follow best practices?

Validation11 / 11 Passed

Validation for skill structure

Overview
Skills
Evals
Files

rule-evolution.mdreferences/

Rule Evolution and Historical Context

Overview

CDK Nag rules evolve over time based on changes in AWS security best practices, compliance requirements, and user feedback. Understanding rule evolution helps maintain accurate suppressions and stay current with security recommendations.

Notable Rule Changes

AwsSolutions-SNS2: KMS Encryption Requirement (REMOVED)

Timeline:

  • Removed: October 30, 2024 (CDK Nag v2.29.0)
  • Partially Restored: January 23, 2025 (CDK Nag v2.30.0)

Background: AWS Security Hub retired the SNS.1 control on April 10, 2024, changing the official guidance on SNS encryption requirements.

AWS's Updated Position:

"By default, SNS encrypts topics at rest with disk encryption. Using AWS KMS to encrypt topics is no longer recommended as a security best practice."

  • AWS Security Hub Controls Change Log

Current Status:

  • Removed from: AwsSolutions pack (follows AWS Security Hub guidance)
  • Available in: HIPAA Security, NIST 800-53 Rev 4/5, PCI DSS 3.2.1 packs
  • Reason: Compliance frameworks still require KMS encryption regardless of AWS's updated general guidance

Impact on Code:

// Before October 2024 - this suppression was needed
NagSuppressions.addResourceSuppressions(topic, [
  { id: 'AwsSolutions-SNS2', reason: 'KMS encryption configured' }, // No longer needed
  { id: 'AwsSolutions-SNS3', reason: 'SSL auto-enforced with KMS' }, // Still needed
]);

// After October 2024 - SNS2 suppression can be removed for AwsSolutions pack
NagSuppressions.addResourceSuppressions(topic, [
  { id: 'AwsSolutions-SNS3', reason: 'SSL auto-enforced with KMS' },
]);

// For compliance packs - SNS2 rule is still active
if (usingHIPAA || usingNIST || usingPCI) {
  NagSuppressions.addResourceSuppressions(topic, [
    {
      id: 'HIPAA.Security-SNSEncryptedKMS',
      reason: 'KMS encryption required for HIPAA',
    },
  ]);
}

Key Insights:

  1. General vs. Compliance Requirements: AWS general best practices may differ from specific compliance requirements
  2. Rule Pack Differentiation: Different rule packs serve different purposes and may have different rules
  3. Breaking Change Management: Complete rule removal can break existing custom rule packs

Lambda Runtime Evolution

Ongoing Changes:

  • AwsSolutions-L1: Continuously updated as AWS deprecates older Lambda runtimes
  • New runtime versions trigger rule updates
  • Deprecated runtimes become compliance violations

Pattern:

// Rule behavior changes as runtimes are deprecated
const lambda = new Function(this, 'Function', {
  runtime: Runtime.PYTHON_3_8, // May trigger AwsSolutions-L1 if deprecated
});

// Suppressions need review when runtimes change
NagSuppressions.addResourceSuppressions(lambda, [
  {
    id: 'AwsSolutions-L1',
    reason:
      'Python 3.8 required for legacy dependency compatibility. Migration planned for Q2 2024.',
  },
]);

ECS and Container Security

Evolution Pattern: Container security rules have become more granular over time

  • Early versions: Basic container checks
  • Recent versions: Detailed logging, networking, and resource configuration checks

Example:

// Newer rules are more specific about container configurations
NagSuppressions.addResourceSuppressions(taskDefinition, [
  {
    id: 'AwsSolutions-ECS2',
    reason: 'Environment variables contain non-sensitive configuration only',
    appliesTo: ['ContainerDefinition::AppContainer::Environment::NODE_ENV'],
  },
]);

Rule Lifecycle Patterns

1. Introduction Phase

  • New rules added based on emerging security practices
  • Initially may have high false positive rates
  • Community feedback drives refinements

2. Maturation Phase

  • Rule logic becomes more precise
  • Granular suppression options added
  • Documentation and examples improved

3. Deprecation Phase

  • Security guidance changes (like SNS encryption)
  • Rules marked for deprecation with advance notice
  • Migration guidance provided

4. Removal Phase

  • Rules removed from specific rule packs
  • May remain in compliance-specific packs
  • Breaking change considerations

Impact on Suppressions

Cleaning Up Obsolete Suppressions

Regular Audit Process:

// 1. Review suppressions for non-existent rules
NagSuppressions.addResourceSuppressions(topic, [
  // This rule no longer exists in AwsSolutions pack
  { id: 'AwsSolutions-SNS2', reason: 'Can be removed' }, // Remove this
  { id: 'AwsSolutions-SNS3', reason: 'Still needed' }, // Keep this
]);

// 2. Check if suppressions are still needed
const bucket = new Bucket(this, 'Bucket', {
  accessLogsBucket: logsBucket, // Now configured
});
// This suppression may no longer be needed:
// { id: 'AwsSolutions-S1', reason: 'Access logging configured' }

Version-Specific Suppressions

// Consider documenting version context in suppressions
NagSuppressions.addResourceSuppressions(resource, [
  {
    id: 'AwsSolutions-L1',
    reason:
      'Python 3.9 required for compatibility. CDK Nag v2.28 considers this deprecated. Review after CDK Nag v3.0.',
  },
]);

Staying Current with Rule Changes

1. Monitor Releases

  • Subscribe to CDK Nag releases
  • Review release notes for rule changes
  • Pay attention to breaking changes

2. Test New Versions

# Test CDK Nag updates in non-production first
npm install cdk-nag@latest --save-dev
npm run cdk -- synth

# Review any new violations or removed rules
# Update suppressions as needed

3. Automated Suppression Review

// Include review metadata in suppressions
NagSuppressions.addResourceSuppressions(resource, [
  {
    id: 'AwsSolutions-IAM5',
    reason:
      'CloudWatch Logs wildcard pattern required. Last reviewed: 2024-01-15 with CDK Nag v2.28',
  },
]);

4. Suppression Cleanup Scripts

// Script to identify potentially obsolete suppressions
const suppressionAudit = {
  checkObsoleteRules: (stackSuppressions: any[]) => {
    const obsoleteRules = ['AwsSolutions-SNS2']; // Known removed rules
    return stackSuppressions.filter((s) => obsoleteRules.includes(s.id));
  },

  checkRulePackMismatch: (ruleId: string, activePacks: string[]) => {
    // Logic to check if rule exists in active rule packs
  },
};

Migration Strategies

When Rules Are Deprecated

  1. Assess Impact: Understand why the rule is being deprecated
  2. Review Alternatives: Check if similar rules exist or new ones replace it
  3. Update Suppressions: Remove suppressions for deprecated rules
  4. Document Changes: Update team documentation about rule changes

When New Rules Are Added

  1. Understand Purpose: Read rule documentation and rationale
  2. Assess Violations: Run CDK Nag to see which resources violate the new rule
  3. Implement Fixes: Address violations where possible
  4. Add Suppressions: For legitimate exceptions, add well-reasoned suppressions

Rule Pack Migration

// Migrating from deprecated to new rule pack
// OLD:
// Aspects.of(app).add(new DeprecatedChecks());

// NEW:
Aspects.of(app).add(new UpdatedSecurityChecks());

// Update related suppressions to use new rule IDs
NagSuppressions.addResourceSuppressions(resource, [
  // { id: 'Deprecated-Rule1', reason: 'Old rule' }, // Remove
  { id: 'Updated-Rule1', reason: 'Same logic, new rule ID' }, // Add
]);

Best Practices for Rule Evolution

1. Version Tracking

  • Document CDK Nag version used when suppressions are created
  • Track rule pack versions in deployment documentation
  • Plan regular suppression reviews aligned with CDK Nag updates

2. Environment Isolation

  • Test rule updates in development environments first
  • Use feature flags for rule pack changes
  • Maintain consistent rule versions across environments during deployment

3. Team Communication

  • Communicate rule changes to development teams
  • Update coding standards to reflect rule evolution
  • Provide training on new security requirements

4. Suppression Hygiene

  • Regular cleanup of obsolete suppressions
  • Review suppression reasons for continued validity
  • Update suppression documentation with rule evolution context

Future Considerations

Anticipated Changes

  • Container Security: More granular ECS and EKS security rules
  • Serverless: Enhanced Lambda and API Gateway security requirements
  • Data Protection: Stricter encryption and data handling rules
  • Network Security: Evolving VPC and networking security patterns

Preparation Strategies

  • Stay informed about AWS security best practices evolution
  • Participate in CDK Nag community discussions
  • Plan for regular rule compliance reviews
  • Maintain flexible suppression management processes

Rule evolution reflects the dynamic nature of cloud security. Regular review and updates ensure continued compliance with current best practices.

Install with Tessl CLI

npx tessl i pantheon-ai/cdk-nag@0.1.1

references

implementation-guide.md

integration-patterns.md

rule-evolution.md

rule-packs.md

suppression-guide.md

troubleshooting.md

SKILL.md

tile.json