From f39ca02b697264475f0a9d43fe52c8ccb3d8028a Mon Sep 17 00:00:00 2001
From: Leon Luttenberger
Date: Thu, 7 Mar 2024 11:21:42 -0600
Subject: [PATCH] add CDK nag for fmops

---
 .../fmops/sagemaker-jumpstart-fm-endpoint/index.ts | 3 +++
 .../lib/sagemaker-jumpstart-fm-endpoint-stack.ts | 8 ++++++++
 .../package-lock.json | 13 +++++++------
 .../sagemaker-jumpstart-fm-endpoint/package.json | 1 +
 4 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/modules/fmops/sagemaker-jumpstart-fm-endpoint/index.ts b/modules/fmops/sagemaker-jumpstart-fm-endpoint/index.ts
index 9aeed0fa..99265b94 100644
--- a/modules/fmops/sagemaker-jumpstart-fm-endpoint/index.ts
+++ b/modules/fmops/sagemaker-jumpstart-fm-endpoint/index.ts
@@ -1,5 +1,6 @@
 import "source-map-support/register";
 import * as cdk from "aws-cdk-lib";
+import * as cdk_nag from "cdk-nag";
 import { SagemakerJumpStartFmEndpointStack } from "./lib/sagemaker-jumpstart-fm-endpoint-stack";
 
 const account = process.env.CDK_DEFAULT_ACCOUNT;
@@ -35,4 +36,6 @@ new cdk.CfnOutput(stack, "metadata", {
 }),
 });
 
+cdk.Aspects.of(app).add(new cdk_nag.AwsSolutionsChecks({ logIgnores: true }));
+
 app.synth();
diff --git a/modules/fmops/sagemaker-jumpstart-fm-endpoint/lib/sagemaker-jumpstart-fm-endpoint-stack.ts b/modules/fmops/sagemaker-jumpstart-fm-endpoint/lib/sagemaker-jumpstart-fm-endpoint-stack.ts
index 7428b13c..baf5f2c6 100644
--- a/modules/fmops/sagemaker-jumpstart-fm-endpoint/lib/sagemaker-jumpstart-fm-endpoint-stack.ts
+++ b/modules/fmops/sagemaker-jumpstart-fm-endpoint/lib/sagemaker-jumpstart-fm-endpoint-stack.ts
@@ -8,6 +8,7 @@ import {
 SageMakerInstanceType,
 JumpStartSageMakerEndpoint,
 } from "@cdklabs/generative-ai-cdk-constructs";
+import * as cdk_nag from "cdk-nag";
 
 interface SagemakerJumpStartFmEndpointStackProps extends cdk.StackProps {
 projectName?: string;
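Review bot: The new `cdk.Aspects.of(app).add(new cdk_nag.AwsSolutionsChecks({ logIgnores: true }))` line in index.ts carries no comment on why it must sit before `app.synth()` or what `logIgnores` is for, so a later edit could move it or drop the option without noticing the gate weakens. Suggested comment above the line: `// cdk-nag gate: AwsSolutions rules run at synth and fail it on unsuppressed findings; logIgnores prints every suppression so they stay reviewable in the synth/CI output.` Because the aspect is attached to `app` rather than to `stack`, every stack in this app is checked, which is worth stating in the same comment.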
@@ -91,5 +92,12 @@ export class SagemakerJumpStartFmEndpointStack extends cdk.Stack {
 role: this.role,
 vpcConfig: vpcConfig,
 });
+
+ cdk_nag.NagSuppressions.addResourceSuppressions(this.role, [
+ {
+ id: "AwsSolutions-IAM5",
+ reason: "Resource access restriced to S3 buckets (with a prefix) and ECR images",
+ },
+ ]);
 }
 }
diff --git a/modules/fmops/sagemaker-jumpstart-fm-endpoint/package-lock.json b/modules/fmops/sagemaker-jumpstart-fm-endpoint/package-lock.json
index c4fdae8e..c64a2eb9 100644
--- a/modules/fmops/sagemaker-jumpstart-fm-endpoint/package-lock.json
+++ b/modules/fmops/sagemaker-jumpstart-fm-endpoint/package-lock.json
@@ -22,6 +22,7 @@
 "@typescript-eslint/eslint-plugin": "^6.21.0",
 "@typescript-eslint/parser": "^6.21.0",
 "aws-cdk": "2.130.0",
+ "cdk-nag": "^2.28.55",
 "cypress": "^13.6.1",
 "jest": "^29.7.0",
 "prettier": "^3.1.1",
@@ -2682,9 +2683,9 @@
 "dev": true
 },
 "node_modules/cdk-nag": {
- "version": "2.28.47",
- "resolved": "https://registry.npmjs.org/cdk-nag/-/cdk-nag-2.28.47.tgz",
- "integrity": "sha512-QWDAehKW3KKh66dKOYlUdLno+HWdR+KrCw8/8gV/uS2srpKCKcPaK427RXnp6QNO/eV9g7HGIr+GL7fEJCv4RQ==",
+ "version": "2.28.55",
+ "resolved": "https://registry.npmjs.org/cdk-nag/-/cdk-nag-2.28.55.tgz",
+ "integrity": "sha512-ETdEB6zFQqxVrWXMZSI3c3EoMNOp919pdYsb11zlZyyfS99mgKf9wdXHpBWYu2gY+efxXktWj7HLoPU6g1sxrQ==",
 "peerDependencies": {
 "aws-cdk-lib": "^2.116.0",
 "constructs": "^10.0.5"
@@ -8881,9 +8882,9 @@
 "dev": true
 },
 "cdk-nag": {
- "version": "2.28.47",
- "resolved": "https://registry.npmjs.org/cdk-nag/-/cdk-nag-2.28.47.tgz",
- "integrity": "sha512-QWDAehKW3KKh66dKOYlUdLno+HWdR+KrCw8/8gV/uS2srpKCKcPaK427RXnp6QNO/eV9g7HGIr+GL7fEJCv4RQ==",
+ "version": "2.28.55",
+ "resolved": "https://registry.npmjs.org/cdk-nag/-/cdk-nag-2.28.55.tgz",
+ "integrity": "sha512-ETdEB6zFQqxVrWXMZSI3c3EoMNOp919pdYsb11zlZyyfS99mgKf9wdXHpBWYu2gY+efxXktWj7HLoPU6g1sxrQ==",
 "requires": {}
 },
 "chalk": {
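Review bot: The `AwsSolutions-IAM5` suppression on `this.role` is blanket — it clears every wildcard-permission finding on the role, not just the S3-prefix and ECR-image wildcards the reason describes, so any broader wildcard added to this role later is silently suppressed as well. Scope it with `appliesTo` listing the exact `Action::`/`Resource::` wildcards the reason covers (e.g. `appliesTo: ["Resource::<bucket-arn>/<prefix>*"]`, placeholder values), and if the wildcard statements live in the role's generated `DefaultPolicy` child — the role's definition is outside this hunk, so I cannot tell — pass `true` as the third `applyToChildren` argument, otherwise the finding on the child policy is not reached and synth still fails. The `reason` string also has a typo, `restriced` → `restricted`. The enclosing constructor and class begin outside the hunk.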
diff --git a/modules/fmops/sagemaker-jumpstart-fm-endpoint/package.json b/modules/fmops/sagemaker-jumpstart-fm-endpoint/package.json
index 59901bd0..5e73c630 100644
--- a/modules/fmops/sagemaker-jumpstart-fm-endpoint/package.json
+++ b/modules/fmops/sagemaker-jumpstart-fm-endpoint/package.json
@@ -18,6 +18,7 @@
 "@types/jest": "^29.5.5",
 "@types/node": "20.7.1",
 "aws-cdk": "2.130.0",
+ "cdk-nag": "^2.28.55",
 "cypress": "^13.6.1",
 "jest": "^29.7.0",
 "prettier": "^3.1.1",