feat: Support for AWS Resource Tagging Standards #1680
Comments
Schwartz-Matthew-bah
added
feature-request
|
It looks the that standard requires users to provide a list key value pairs that should be used for each service. I don't think there is a good way to generalize this and have it as an included If you're looking for specific key value pairs it might be a better solution to make your own pack or to just use the CDKs native tagging Aspect |
|
Here is example how to check for tags: https://github.com/JohannesKonings/cdk-nag-custom-nag-pack Maybe this helper functions could be implemented in the cdk-nag library for easier creation of a custom nag pack for tag checking. |
Description
Hi,
AWS recently announced a new standard set related to resource tagging: https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html
This standard is a list of config rules that check to make sure you have appropriate tags on the resources you create.
Use Case
The resource standard complements the existing AWS, NIST, CIS, and PCI rulepacks that are already supported by cdk-nag. By adding this new resource tagging standard, we can greatly improve the security and visibility of our resources. Additionally we would like to migrate our IAM permissions methodology to ABAC using tags.
Specifically using cdk-nag we can detect and block misconfigurations before they are even deployed.
Proposed Solution
Can be implemented as another rulepack https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
Other information
Blog post announcement: https://aws.amazon.com/about-aws/whats-new/2024/04/aws-security-hub-resource-tagging-standard/
Acknowledge
The text was updated successfully, but these errors were encountered: