Posted On: Apr 3, 2023

AWS Cloud Development Kit (CDK) now enables developers to validate Infrastructure as Code (IaC) templates against policy-as-code tools during the development lifecycle. Developers can now receive fast and actionable feedback about security or configuration issues, as defined by organizational policies, during CDK application development cycles. By verifying compliance with organizational policies at the early stages of development, teams can improve the success rate of the deployment phase for their CDK applications.

On release, AWS CDK will include support for AWS CloudFormation Guard through CfnGuardValidator, a policy validation plugin that enables the use of AWS CloudFormation Guard for policy validations. A pre-defined set of AWS Control Tower proactive controls is included with the plugin.

With the plugin enabled, once your CDK application has finished synthesizing the template, the plugin is triggered automatically to validate the generated CloudFormation templates against your policies. The plugin executes the policy validations, interprets the results, and provides a final report. The report presents a summary of the validation outcome (allow/deny), along with details about any detected misconfigurations. If non-compliance is found with respect to a specific policy, a root-cause analysis is provided, along with suggestions for mitigation. Customers can use this feature with other tools, including but not limited to KICS, Open Policy Agent (OPA), and Checkov. Developers can create validation plugins for these tools based on their organization's specific requirements and preferences.
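To make the plugin flow concrete, here is an added example of a custom synthesis-time validator written for this page; it is not code from AWS CDK, CfnGuardValidator or any of the tools named above. The interfaces at the top are assumed to mirror the shape of the CDK beta plugin contract (a `name`, a `validate(context)` call receiving template paths, and a report with `success` and `violations`); the two rule names, the plugin name and the sample template are constructed for the example. The plugin reads each synthesized template, applies each rule to the matching resource types, and renders the allow/deny summary with the offending property paths and a suggested fix, which is the report structure the announcement describes.

```typescript
import * as fs from "fs";

// Assumption: these interfaces mirror the shape of the CDK beta plugin contract
// (IPolicyValidationPluginBeta1 and its report types in aws-cdk-lib). They are
// declared locally so the example runs without aws-cdk-lib installed.
interface ValidationContext { templatePaths: string[] }
interface ViolatingResource { resourceLogicalId: string; templatePath: string; locations: string[] }
interface Violation { ruleName: string; description: string; fix: string; violatingResources: ViolatingResource[] }
interface ValidationReport { success: boolean; violations: Violation[]; pluginVersion: string }

// Minimal view of a synthesized CloudFormation template.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };

// A rule inspects one resource's Properties and returns the property paths that violate it.
interface Rule { name: string; description: string; fix: string; resourceType: string; check(props: Record<string, any>): string[] }

const PUBLIC_ACCESS_FLAGS = ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"];

// Constructed rule set (names are illustrative, not Control Tower control ids).
const RULES: Rule[] = [
  {
    name: "S3_BUCKET_BLOCK_PUBLIC_ACCESS",
    description: "S3 buckets must block all four forms of public access.",
    fix: "Set every flag in PublicAccessBlockConfiguration to true (in CDK: blockPublicAccess: BlockPublicAccess.BLOCK_ALL).",
    resourceType: "AWS::S3::Bucket",
    check: (props) => {
      const cfg = props.PublicAccessBlockConfiguration ?? {};
      return PUBLIC_ACCESS_FLAGS.filter((f) => cfg[f] !== true)
        .map((f) => `Properties.PublicAccessBlockConfiguration.${f}`);
    },
  },
  {
    name: "EC2_SECURITY_GROUP_NO_OPEN_SSH",
    description: "Security groups must not allow SSH (port 22) ingress from 0.0.0.0/0 or ::/0.",
    fix: "Restrict the ingress CIDR to known ranges, or use SSM Session Manager instead of SSH.",
    resourceType: "AWS::EC2::SecurityGroup",
    check: (props) => {
      const ingress: Record<string, any>[] = props.SecurityGroupIngress ?? [];
      const bad: string[] = [];
      for (let i = 0; i < ingress.length; i++) {
        const r = ingress[i];
        const anywhere = r.CidrIp === "0.0.0.0/0" || r.CidrIpv6 === "::/0";
        // "-1" means all protocols/ports; otherwise the port range must cover 22.
        const coversSsh = r.IpProtocol === "-1" || (Number(r.FromPort) <= 22 && Number(r.ToPort) >= 22);
        if (anywhere && coversSsh) bad.push(`Properties.SecurityGroupIngress[${i}]`);
      }
      return bad;
    },
  },
];

// Evaluate every rule against every resource of the matching type in one template.
function validateTemplate(template: CfnTemplate, templatePath: string): Violation[] {
  const violations: Violation[] = [];
  const resources = template.Resources ?? {};
  for (const rule of RULES) {
    const offenders: ViolatingResource[] = [];
    for (const logicalId of Object.keys(resources)) {
      const res = resources[logicalId];
      if (res.Type !== rule.resourceType) continue;
      const locations = rule.check(res.Properties ?? {});
      if (locations.length > 0) offenders.push({ resourceLogicalId: logicalId, templatePath, locations });
    }
    if (offenders.length > 0) {
      violations.push({ ruleName: rule.name, description: rule.description, fix: rule.fix, violatingResources: offenders });
    }
  }
  return violations;
}

// The plugin object CDK would invoke after synthesis (assumed contract: name + validate(context)).
class ExamplePolicyValidator {
  readonly name = "example-policy-validator";
  validate(context: ValidationContext): ValidationReport {
    let violations: Violation[] = [];
    for (const p of context.templatePaths) {
      const template = JSON.parse(fs.readFileSync(p, "utf8")) as CfnTemplate;
      violations = violations.concat(validateTemplate(template, p));
    }
    return { success: violations.length === 0, violations, pluginVersion: "0.0.1" };
  }
}

// Render the report: outcome first, then each violation with its root cause and fix.
function formatReport(report: ValidationReport): string {
  const lines = [`Validation ${report.success ? "ALLOWED" : "DENIED"}`];
  for (const v of report.violations) {
    lines.push(`- ${v.ruleName}: ${v.description}`);
    for (const r of v.violatingResources) lines.push(`    ${r.resourceLogicalId} (${r.templatePath}) at ${r.locations.join(", ")}`);
    lines.push(`    fix: ${v.fix}`);
  }
  return lines.join("\n");
}

// Constructed sample template (not from a real CDK app) exercising both rules.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    GoodBucket: { Type: "AWS::S3::Bucket", Properties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true } } },
    LeakyBucket: { Type: "AWS::S3::Bucket", Properties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true } } },
    AdminSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "admin", SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" }] } },
  },
};

// Run the rules over the in-memory sample, as the plugin would over cdk.out templates.
function runSample(): string {
  const violations = validateTemplate(SAMPLE_TEMPLATE, "cdk.out/ExampleStack.template.json");
  return formatReport({ success: violations.length === 0, violations, pluginVersion: "0.0.1" });
}

console.log(runSample());
```

In a real CDK app the `ExamplePolicyValidator` instance would be handed to the app's policy validation option so that CDK calls `validate` with the paths of the synthesized templates; the pure `validateTemplate` function is what you would unit-test, and new organizational rules are added by appending to `RULES`.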

To learn more about AWS CDK policy validation at synthesis time, visit AWS CDK Documentation.