
AWS Cloud Development Kit (CDK) Example

Example CDK definition

import cdk = require("aws-cdk-lib");
import {
  Table,
  AttributeType,
  StreamViewType,
  BillingMode,
} from "aws-cdk-lib/aws-dynamodb";
import { Construct } from "constructs";

/**
 * Stack that provisions one on-demand DynamoDB table named `items`, keyed by
 * the string partition key `itemsId`, with a NEW_IMAGE stream enabled.
 *
 * NOTE(review): neither `encryption` nor `pointInTimeRecovery` is set, so the
 * synthesised table is encrypted with the AWS-owned key and has no continuous
 * backups — these are the two HIGH findings (DynamoDB-004 and DynamoDB-003)
 * the Template Scanner output on this page reports for this stack. No tags
 * are applied either (finding RG-001). The stream publishes the full new item
 * image to whoever can read it, and CDK's default removal policy keeps the
 * table (`DeletionPolicy: Retain` in the synth output) when the stack is
 * deleted.
 */
export class AppSyncCdkStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const itemsTableName = "items";
    // Partition key name is derived from the table name: "items" -> "itemsId".
    const hashKey = {
      name: `${itemsTableName}Id`,
      type: AttributeType.STRING,
    };

    new Table(this, "ItemsTable", {
      tableName: itemsTableName,
      partitionKey: hashKey,
      billingMode: BillingMode.PAY_PER_REQUEST, // on-demand capacity
      stream: StreamViewType.NEW_IMAGE,
    });
  }
}

// Entry point: build the app, attach the example stack and emit the cloud
// assembly. The stack id becomes the prefix of every aws:cdk:path below.
const app = new cdk.App();
const stackId = "DynamoDBExample";
new AppSyncCdkStack(app, stackId);
app.synth();

Example cdk synth output

# Template synthesised from AppSyncCdkStack above. Security-relevant points:
#  - The table has no SSESpecification, so it is encrypted with the AWS-owned
#    key (scanner finding DynamoDB-004 below), and no
#    PointInTimeRecoverySpecification, so continuous backups are off
#    (finding DynamoDB-003 below).
#  - No Tags property is emitted (finding RG-001 below).
Resources:
  ItemsTable5AAC2C46:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: itemsId
          AttributeType: S
      BillingMode: PAY_PER_REQUEST
      KeySchema:
        - AttributeName: itemsId
          KeyType: HASH
      StreamSpecification:
        StreamViewType: NEW_IMAGE
      TableName: items
    # No removalPolicy was set in the CDK code, so the table (and its data)
    # is kept when the stack is deleted or the resource is replaced.
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: DynamoDBExample/ItemsTable/Resource
  # CDK metadata (analytics) resource; only created in the regions listed
  # under the CDKMetadataAvailable condition.
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzQ20jNQTCwv1k1OydbNyUzSqw4uSUzO1gEKxadU5iXm5qcAxUISk3JSdZzT8sCMWp2g1OL80qJksBAy2zk/LyWzJDM/r1YnLz8lVS+rWL/M0EwPiAwUs4ozM3WLSvNKMnNT9YIgNABcnFrfgQAAAA==
    Metadata:
      aws:cdk:path: DynamoDBExample/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - il-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  # Resolved from SSM Parameter Store at deploy time; the Rules block below
  # refuses to deploy against bootstrap stacks older than version 6.
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

Example scan command

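#!/usr/bin/env bash
# Synthesises the CDK app and submits the resulting CloudFormation template to
# the Conformity Template Scanner API, printing the request and the response.
# Requires "cdk" (https://docs.aws.amazon.com/cdk/v2/guide/home.html) to be installed
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
#
# The API key is read from the TREND_API_KEY environment variable instead of
# being written into the script, so the secret is not committed with it.
# CONFORMITY_API_BASE_URL may override the (region-specific) endpoint.
set -euo pipefail

api_key="${TREND_API_KEY:?set TREND_API_KEY to your Trend Cloud One API key}"
api_base_url="${CONFORMITY_API_BASE_URL:-https://conformity.us-1.cloudone.trendmicro.com/api}"

# Perform any language specific compilation steps before this line. (example transpiling typescript to javascript)

# With pipefail a failing `cdk synth` aborts the script instead of submitting
# an empty template. jq -Rs reads the whole template as one JSON string and
# builds the request document itself, so no hand-escaping is needed.
payload=$(cdk synth | jq -Rs -c \
  '{data:{attributes:{type:"cloudformation-template",contents:.}}}')

echo Request:
printf '%s\n' "${payload}" | jq '.' -M

echo Response:
# The Authorization header is supplied through a file descriptor (curl -H @file)
# so the key does not show up in the process list; -sS stays quiet on success
# but still reports transport errors.
curl -sS -X POST \
     -H @<(printf 'Authorization: ApiKey %s\n' "${api_key}") \
     -H "Content-Type: application/vnd.api+json" \
     "${api_base_url}/template-scanner/scan" \
     --data-binary "${payload}" | jq '.' -M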

Example Template Scanner API Output

Output truncated; the actual number of checks generated for this template may be greater than shown below. Of the checks shown, two are rated HIGH: the table is encrypted only with the AWS-owned key (no SSESpecification in the template) and continuous backups are not enabled (no PointInTimeRecoverySpecification).

{
  "data": [
    {
      "type": "checks",
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:itemstable5aac2c46-erjv68sb17u6",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "LOW",
        "pretty-risk-level": "Low",
        "message": "dynamodb-table itemstable5aac2c46-erjv68sb17u6 has [Environment, Role, Owner, Name] tags missing",
        "resource": "itemstable5aac2c46-erjv68sb17u6",
        "descriptorType": "dynamodb-table",
        "categories": [
          "security",
          "reliability",
          "performance-efficiency",
          "cost-optimisation",
          "operational-excellence",
          "sustainability"
        ],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "NIST-CSF-2_0",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HITRUST",
          "ASAE-3150",
          "PCI-V4",
          "FEDRAMP",
          "MAS",
          "CSA"
        ],
        "extradata": [
          {
            "name": "DETAILED_STATUS",
            "label": "Resource tags status for dynamodb-table itemstable5aac2c46-erjv68sb17u6",
            "value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"itemstable5aac2c46-erjv68sb17u6\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":false},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":false},{\"key\":\"Name\",\"hasValue\":false}]}",
            "type": "META",
            "internal": true
          }
        ],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Tags",
        "provider": "aws",
        "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
        "service": "ResourceGroup"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "RG-001"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:itemstable5aac2c46-erjv68sb17u6",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Continuous Backups aren't enabled for [itemstable5aac2c46-erjv68sb17u6]",
        "resource": "itemstable5aac2c46-erjv68sb17u6",
        "descriptorType": "dynamodb-table",
        "categories": ["reliability"],
        "compliances": [
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9"
        ],
        "last-updated-date": null,
        "tags": [],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "DynamoDB Continuous Backups",
        "provider": "aws",
        "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
        "service": "DynamoDB",
        "logicalResourceId": "itemstable5aac2c46-erjv68sb17u6"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-003"
          }
        },
        "account": {
          "data": null
        }
      }
    },
    {
      "type": "checks",
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:itemstable5aac2c46-erjv68sb17u6",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "HIGH",
        "pretty-risk-level": "High",
        "message": "Table [itemstable5aac2c46-erjv68sb17u6] is encrypted at rest using the AWS-owned key",
        "resource": "itemstable5aac2c46-erjv68sb17u6",
        "descriptorType": "dynamodb-table",
        "categories": ["security"],
        "compliances": [
          "GDPR",
          "AWAF",
          "CIS-V8",
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "ISO27001",
          "ISO27001-2022",
          "AGISM",
          "HIPAA",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "APRA",
          "FEDRAMP",
          "MAS",
          "CSA",
          "ENISA",
          "FISC-V9",
          "LGPD"
        ],
        "last-updated-date": null,
        "tags": [],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
        "provider": "aws",
        "resolution-page-url": "https://www.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
        "service": "DynamoDB",
        "logicalResourceId": "itemstable5aac2c46-erjv68sb17u6"
      },
      "relationships": {
        "rule": {
          "data": {
            "type": "rules",
            "id": "DynamoDB-004"
          }
        },
        "account": {
          "data": null
        }
      }
    }
  ],
  "meta": {
    "missingParameters": [],
    "errors": []
  }
}