ran-isenberg
diff --git a/‎cdk/my_service/service_stack.py
Lines changed: 47 additions & 2 deletions b/‎cdk/my_service/service_stack.py
Lines changed: 47 additions & 2 deletions
diff --git a/‎docs/cdk.md
Lines changed: 4 additions & 2 deletions b/‎docs/cdk.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎docs/pipeline.md
Lines changed: 3 additions & 3 deletions b/‎docs/pipeline.md
Lines changed: 3 additions & 3 deletions
@@ -1,7 +1,8 @@
 import os
 from pathlib import Path
 
-from aws_cdk import Stack, Tags
+from aws_cdk import Aspects, Stack, Tags
+from cdk_nag import AwsSolutionsChecks, NagSuppressions
 from constructs import Construct
 from git import Repo
 from my_service.api_construct import ApiConstruct  # type: ignore
@@ -36,4 +37,48 @@ def __init__(self, scope: Construct, id: str, **kwargs) -> None:
         # from running the service pipeline and without redeploying the service lambdas. For the sake of this template
         # example, it is deployed as part of the service stack
         self.dynamic_configuration = ConfigurationStore(self, f'{id}dynamic_conf'[0:64], ENVIRONMENT, SERVICE_NAME, CONFIGURATION_NAME)
-        self.lambdas = ApiConstruct(self, f'{id}Service'[0:64], self.dynamic_configuration.config_app.name)
+        self.api = ApiConstruct(self, f'{id}Service'[0:64], self.dynamic_configuration.config_app.name)
+
+        # add security check
+        self._add_security_tests()
+
+    def _add_security_tests(self) -> None:
+        Aspects.of(self).add(AwsSolutionsChecks(verbose=True))
+        # Suppress a specific rule for this resource
+        NagSuppressions.add_stack_suppressions(
+            self,
+            [
+                {
+                    'id': 'AwsSolutions-IAM4',
+                    'reason': 'policy for cloudwatch logs.'
+                },
+                {
+                    'id': 'AwsSolutions-IAM5',
+                    'reason': 'policy for cloudwatch logs.'
+                },
+                {
+                    'id': 'AwsSolutions-APIG2',
+                    'reason': 'lambda does input validation'
+                },
+                {
+                    'id': 'AwsSolutions-APIG1',
+                    'reason': 'not mandatory in a sample template'
+                },
+                {
+                    'id': 'AwsSolutions-APIG3',
+                    'reason': 'not mandatory in a sample template'
+                },
+                {
+                    'id': 'AwsSolutions-APIG6',
+                    'reason': 'not mandatory in a sample template'
+                },
+                {
+                    'id': 'AwsSolutions-APIG4',
+                    'reason': 'authorization not mandatory in a sample template'
+                },
+                {
+                    'id': 'AwsSolutions-COG4',
+                    'reason': 'not using cognito'
+                },
+            ],
+        )
@@ -50,8 +50,10 @@ All ASW Lambda function configurations are saved as constants at the `cdk.my_ser
 
 ### **Infrastructure CDK & Security Tests**
 
-Under tests there is an `infrastructure` folder for CDK & security infrastructure tests.
+Under tests there is an `infrastructure` folder for CDK infrastructure tests.
 
 The first test, 'test_cdk' uses CDK's testing framework which asserts that required resources exists so the application will not break anything upon deployment.
 
-The second test, 'test_cdk_nag' checks your cloudformation output for security best practices. For more information click [here](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html){:target="_blank" rel="noopener"}.
+The security tests are based on 'cdk_nag'. It checks your cloudformation output for security best practices. It can be found in the 'service_stack.py' as part of the stack definition. It will fail the deployment when there is a security issue.
+
+For more information click [here](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html){:target="_blank" rel="noopener"}.
@@ -18,10 +18,10 @@ All steps can be run locally using the makefile. See details below:
 - Python formatter Yapf as defined in `.style`  - run `make yapf` in the IDE
 - Python complexity checks: radon and xenon  - run `make complex` in the IDE
 - Unit tests. Run `make unit` to run unit tests in the IDE
-- Infrastructure test. Run `make infra-tests` to run the CDK & security infrastructure tests in the IDE
+- Infrastructure test. Run `make infra-tests` to run the CDK infrastructure tests in the IDE
 - Code coverage by [codecov.io](https://about.codecov.io/)
-- Deploy CDK - not run in GitHub yet (add your own AWS secrets), can be run locally at this moment - run `make deploy` in the IDE
-- E2E tests  - not run in GitHub yet (add your own AWS secrets), can be run locally at this moment - run `make e2e` in the IDE
+- Deploy CDK - run `make deploy` in the IDE, will also run security tests based on cdk_nag
+- E2E tests  - run `make e2e` in the IDE
 - Update GitHub documentation branch
 
 ### Other Capabilities