Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support for AWS Resource Tagging Standards #1680

Open
2 tasks
Schwartz-Matthew-bah opened this issue May 1, 2024 · 2 comments
Open
2 tasks

feat: Support for AWS Resource Tagging Standards #1680

Schwartz-Matthew-bah opened this issue May 1, 2024 · 2 comments
Labels
feature-request A feature should be added or improved.

Comments

@Schwartz-Matthew-bah
Copy link

Schwartz-Matthew-bah commented May 1, 2024

Description

Hi,

AWS recently announced a new standard set related to resource tagging: https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html

This standard is a list of config rules that check to make sure you have appropriate tags on the resources you create.

Use Case

The resource standard complements the existing AWS, NIST, CIS, and PCI rulepacks that are already supported by cdk-nag. By adding this new resource tagging standard, we can greatly improve the security and visibility of our resources. Additionally we would like to migrate our IAM permissions methodology to ABAC using tags.

Specifically using cdk-nag we can detect and block misconfigurations before they are even deployed.

Proposed Solution

Can be implemented as another rulepack https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html

Other information

Blog post announcement: https://aws.amazon.com/about-aws/whats-new/2024/04/aws-security-hub-resource-tagging-standard/

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
@Schwartz-Matthew-bah Schwartz-Matthew-bah added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 1, 2024
@dontirun
Copy link
Collaborator

dontirun commented May 9, 2024

It looks the that standard requires users to provide a list key value pairs that should be used for each service.

I don't think there is a good way to generalize this and have it as an included NagPack .

If you're looking for specific key value pairs it might be a better solution to make your own pack or to just use the CDKs native tagging Aspect

@dontirun dontirun removed the needs-triage This issue or PR still needs to be triaged. label May 9, 2024
@JohannesKonings
Copy link
Contributor

Here is example how to check for tags: https://github.com/JohannesKonings/cdk-nag-custom-nag-pack
For checking Tags, which are set per Aspect or via Stack parameter it needs a workaround like this one: https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/blob/main/src/rules/utils/tagUtils.ts

Maybe this helper functions could be implemented in the cdk-nag library for easier creation of a custom nag pack for tag checking.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request A feature should be added or improved.
Projects
None yet
Development

No branches or pull requests

3 participants