AWS CDK for JavaScript and TypeScript: 20+ new security rules 🤯

Buckle up, your AWS CDK code in JavaScript and TypeScript is about to get more secure!

AWS CDK: 20+ new security rules :rocket:

S3 buckets:

  • S6265 Granting access to S3 buckets to all or authenticated users is security-sensitive
  • S6249 Authorizing HTTP communications with S3 buckets is security-sensitive
  • S6245 Disabling server-side encryption of S3 buckets is security-sensitive
  • S6252 Disabling versioning of S3 buckets is security-sensitive
  • S6281 Allowing public ACLs or policies on a S3 bucket is security-sensitive

Access control:

  • S6270 Policies authorizing public access to resources are security-sensitive
  • S6302 Policies granting all privileges are security-sensitive
  • S6304 Policies granting access to all resources of an account are security-sensitive
  • S6317 AWS IAM policies should not allow privilege escalation

Network privacy:

  • S6321 Administration services access should be restricted to specific IP addresses
  • S6329 Allowing public network access to cloud resources is security-sensitive
  • S6333 Creating public APIs is security-sensitive

Transit encryption:

  • S4423 Weak SSL/TLS protocols should not be used
  • S5332 Using clear-text protocols is security-sensitive
  • S6275 Using unencrypted EBS volumes is security-sensitive
  • S6332 Using unencrypted EFS file systems is security-sensitive
  • S6308 Using unencrypted Elasticsearch domains is security-sensitive
  • S6303 Using unencrypted RDS databases is security-sensitive
  • S6319 Using unencrypted SageMaker notebook instances is security-sensitive
  • S6327 Using unencrypted SNS topics is security-sensitive
  • S6330 Using unencrypted SQS queues is security-sensitive

YAML + JavaScript + TypeScript = :exploding_head:

You can now analyze the inline JavaScript and TypeScript code inside YAML for:

  • AWS::Lambda::Function
  • AWS::Serverless::Function

You’ll benefit from all the same rules that are supported when analyzing .js or .ts files.
This works out-of-the-box, without any additional action on your side.

See the example below :diving_mask:.

Note that this applies to inline code only; zipped assets are not included in the analysis.

All of this is available now in SonarCloud and will be in the next version of SonarQube and SonarLint when released.

Let us know what you think!
Gabriel

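The following is an added example and is not part of Gabriel's post or SonarSource's implementation of the rules above. It shows, in TypeScript, what a handful of the listed checks (S6245, S6252, S6281, S6249 for buckets; S6302, S6304, S6270 for policy documents) amount to when run over a synthesized CloudFormation template, i.e. the JSON that `cdk synth` writes, and it separates the inline Lambda code the analyzer can see (`Code.ZipFile` / `InlineCode`) from zipped assets that it cannot. The template, the resource names and the finding messages are constructed for this example; the rule numbers are the ones from the post.

```typescript
// Added example: a simplified checker for a few of the rules listed in the post,
// run over a synthesized CloudFormation template. Not SonarSource's code.

type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
interface Finding { rule: string; resource: string; message: string }

// CloudFormation allows scalars or lists for Action, Resource, Principal.AWS and Statement.
const asList = (v: unknown): unknown[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Policy-document checks: only Allow statements can over-grant; Deny statements are the fix.
function checkPolicyDocument(id: string, doc: Record<string, any> | undefined): Finding[] {
  const out: Finding[] = [];
  for (const stmt of asList(doc?.Statement) as Record<string, any>[]) {
    if (stmt.Effect !== 'Allow') continue;
    if (asList(stmt.Action).includes('*')) out.push({ rule: 'S6302', resource: id, message: 'statement grants all privileges (Action "*")' });
    if (asList(stmt.Resource).includes('*')) out.push({ rule: 'S6304', resource: id, message: 'statement applies to all resources (Resource "*")' });
    const p = stmt.Principal;
    if (p === '*' || asList(p?.AWS).includes('*')) out.push({ rule: 'S6270', resource: id, message: 'statement grants access to any principal' });
  }
  return out;
}

// A bucket policy "enforces SSL" when it denies requests made with aws:SecureTransport=false,
// which is the statement the CDK emits for `enforceSSL: true`.
function deniesInsecureTransport(doc: Record<string, any> | undefined): boolean {
  return (asList(doc?.Statement) as Record<string, any>[]).some(
    (s) => s.Effect === 'Deny' && String(s.Condition?.Bool?.['aws:SecureTransport']) === 'false');
}

function checkS3Bucket(id: string, props: Record<string, any>, sslEnforced: boolean): Finding[] {
  const out: Finding[] = [];
  if (!props.BucketEncryption) out.push({ rule: 'S6245', resource: id, message: 'no server-side encryption configured' });
  if (props.VersioningConfiguration?.Status !== 'Enabled') out.push({ rule: 'S6252', resource: id, message: 'versioning not enabled' });
  const pab = props.PublicAccessBlockConfiguration ?? {};
  const blocks = ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'];
  if (!blocks.every((k) => pab[k] === true)) out.push({ rule: 'S6281', resource: id, message: 'public ACLs or policies not fully blocked' });
  if (!sslEnforced) out.push({ rule: 'S6249', resource: id, message: 'no bucket policy denying plain HTTP (aws:SecureTransport=false)' });
  return out;
}

// Inline function code is analyzable; code shipped as a zipped asset (S3Bucket/S3Key) is opaque.
function inlineLambdaCode(t: Template): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [id, r] of Object.entries(t.Resources)) {
    const code = r.Type === 'AWS::Lambda::Function' ? r.Properties?.Code?.ZipFile
      : r.Type === 'AWS::Serverless::Function' ? r.Properties?.InlineCode : undefined;
    if (typeof code === 'string') out[id] = code;
  }
  return out;
}

function analyze(t: Template): Finding[] {
  // First pass: which buckets have an SSL-enforcing policy attached? CDK refers to the bucket by logical ID.
  const sslEnforced = new Set<string>();
  for (const r of Object.values(t.Resources)) {
    if (r.Type === 'AWS::S3::BucketPolicy' && deniesInsecureTransport(r.Properties?.PolicyDocument)) {
      const ref = r.Properties?.Bucket?.Ref;
      if (typeof ref === 'string') sslEnforced.add(ref);
    }
  }
  const findings: Finding[] = [];
  for (const [id, r] of Object.entries(t.Resources)) {
    const props = r.Properties ?? {};
    switch (r.Type) {
      case 'AWS::S3::Bucket': findings.push(...checkS3Bucket(id, props, sslEnforced.has(id))); break;
      case 'AWS::S3::BucketPolicy':
      case 'AWS::IAM::Policy':
      case 'AWS::IAM::ManagedPolicy': findings.push(...checkPolicyDocument(id, props.PolicyDocument)); break;
    }
  }
  return findings;
}

// Constructed template, shaped like cdk synth output: a weak bucket with a public-read policy,
// a hardened bucket with an SSL-enforcing policy, an over-broad IAM policy, and two functions.
const template: Template = {
  Resources: {
    WeakBucket: { Type: 'AWS::S3::Bucket', Properties: {} },
    HardenedBucket: { Type: 'AWS::S3::Bucket', Properties: {
      BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms' } }] },
      VersioningConfiguration: { Status: 'Enabled' },
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true },
    } },
    HardenedBucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: { Bucket: { Ref: 'HardenedBucket' }, PolicyDocument: { Statement: [
      { Effect: 'Deny', Principal: { AWS: '*' }, Action: 's3:*', Resource: [{ 'Fn::GetAtt': ['HardenedBucket', 'Arn'] }],
        Condition: { Bool: { 'aws:SecureTransport': 'false' } } },
    ] } } },
    PublicReadPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: { Bucket: { Ref: 'WeakBucket' }, PolicyDocument: { Statement: [
      { Effect: 'Allow', Principal: '*', Action: 's3:GetObject', Resource: 'arn:aws:s3:::weak-bucket/*' },
    ] } } },
    AdminPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyName: 'admin', PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: '*', Resource: '*' },
    ] } } },
    InlineFn: { Type: 'AWS::Lambda::Function', Properties: { Runtime: 'nodejs18.x', Handler: 'index.handler',
      Code: { ZipFile: 'exports.handler = async () => ({ ok: true });' } } },
    AssetFn: { Type: 'AWS::Lambda::Function', Properties: { Runtime: 'nodejs18.x', Handler: 'index.handler',
      Code: { S3Bucket: 'cdk-assets', S3Key: 'abc123.zip' } } },
  },
};

for (const f of analyze(template)) console.log(`${f.rule} ${f.resource}: ${f.message}`);
console.log('inline code visible for:', Object.keys(inlineLambdaCode(template)));
```

The hardened bucket is what `new s3.Bucket(this, 'B', { encryption: s3.BucketEncryption.KMS, versioned: true, blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, enforceSSL: true })` synthesizes to, while `new s3.Bucket(this, 'B')` with a `grantPublicAccess()` call produces the weak bucket and its public-read policy. Real rule implementations work on the CDK source rather than the synthesized template and cover far more cases (roles with inline `Policies`, `NotAction`, wildcard prefixes such as `s3:*`), so treat this as an illustration of the checks' intent, not a substitute for the analyzer.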