Forem: Max Kryvych The latest articles on Forem by Max Kryvych (@maxkrivich). https://forem.com/maxkrivich https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F553926%2Fc89e81c2-162e-4746-a91f-ef999e19e20d.jpeg Forem: Max Kryvych https://forem.com/maxkrivich en Automating Cross-Account CDK Bootstrapping Using AWS Lambda Max Kryvych Thu, 09 Jan 2025 13:17:50 +0000 https://forem.com/maxkrivich/running-cdk-bootstrap-from-aws-lambda-1hi6 https://forem.com/maxkrivich/running-cdk-bootstrap-from-aws-lambda-1hi6 <h2> Introduction </h2> <p>In this article, we will explore how to perform cross-account <strong>AWS CDK Bootstrapping</strong> using AWS Lambda. Bootstrapping is a critical step when deploying infrastructure defined using AWS CDK, as it sets up the necessary resources for subsequent deployments.</p> <h2> What is CDK Bootstrapping? </h2> <p>CDK Bootstrapping involves creating a CloudFormation stack (<code>CDKToolkit</code>) that contains essential resources. The template for this stack can be found <a href="https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml" rel="noopener noreferrer">here</a>.</p> <p>There are two primary approaches to CDK Bootstrapping:</p> <ol> <li> <strong>Using CloudFormation StackSet</strong>: Create a StackSet with the provided template. Learn more in this <a href="https://aws.amazon.com/blogs/mt/bootstrapping-multiple-aws-accounts-for-aws-cdk-using-cloudformation-stacksets/" rel="noopener noreferrer">AWS blog post</a>.</li> <li> <strong>Using <code>cdk bootstrap</code></strong>: Run the command directly whenever a new account is created.</li> </ol> <p>Running <code>cdk bootstrap</code> in a Lambda function simplifies the process by eliminating the need to sync the template with a StackSet.</p> <h2> Lambda Function for CDK Bootstrapping </h2> <p>The Lambda function accepts an event containing a list of accounts to bootstrap. It logs into each account and executes the <code>cdk bootstrap</code> command.</p> <blockquote> <p><strong>Note</strong>: Ensure all required cross-account permissions are in place, and the Lambda function can assume a role in the target account.</p> </blockquote> <h3> Source Code </h3> <p>Here’s the implementation of the Lambda function:</p> <p><strong>index.ts</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">execSync</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">child_process</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">STSClient</span><span class="p">,</span> <span class="nx">AssumeRoleCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-sts</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">getCredentials</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">accountId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">roleName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">region</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">any</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Assuming role: </span><span class="p">${</span><span class="nx">roleName</span><span class="p">}</span><span class="s2"> in account: </span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">stsClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">STSClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">region</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stsClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="k">new</span> <span class="nc">AssumeRoleCommand</span><span class="p">({</span> <span class="na">RoleArn</span><span class="p">:</span> <span class="s2">`arn:aws:iam::</span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">:role/</span><span class="p">${</span><span class="nx">roleName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">RoleSessionName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">CDKBootstrap</span><span class="dl">"</span> <span class="p">}));</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Assumed role: </span><span class="p">${</span><span class="nx">roleName</span><span class="p">}</span><span class="s2"> in account: </span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">accessKeyId</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">Credentials</span><span class="p">?.</span><span class="nx">AccessKeyId</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">secretAccessKey</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">Credentials</span><span class="p">?.</span><span class="nx">SecretAccessKey</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">sessionToken</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">Credentials</span><span class="p">?.</span><span class="nx">SessionToken</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">runBootstrap</span><span class="p">(</span><span class="nx">accountId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">roleName</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">region</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">credentials</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getCredentials</span><span class="p">(</span><span class="nx">accountId</span><span class="p">,</span> <span class="nx">roleName</span><span class="p">,</span> <span class="nx">region</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="p">:</span> <span class="nx">credentials</span><span class="p">.</span><span class="nx">accessKeyId</span><span class="p">,</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="p">:</span> <span class="nx">credentials</span><span class="p">.</span><span class="nx">secretAccessKey</span><span class="p">,</span> <span class="na">AWS_SESSION_TOKEN</span><span class="p">:</span> <span class="nx">credentials</span><span class="p">.</span><span class="nx">sessionToken</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">multiline</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">`pnpm cdk bootstrap aws://</span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">region</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">--cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">--trust 1111111111111</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// &lt;- Replace with your account ID </span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">bootstrapCommand</span> <span class="o">=</span> <span class="nx">multiline</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nf">execSync</span><span class="p">(</span><span class="nx">bootstrapCommand</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="nx">env</span> <span class="p">}).</span><span class="nf">toString</span><span class="p">();</span> <span class="c1">// console.log(output);</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="kr">any</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">any</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nf">execSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">pnpm cdk version</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">();</span> <span class="k">for</span><span class="p">(</span><span class="kd">const</span> <span class="nx">accountId</span> <span class="k">in</span> <span class="nx">event</span><span class="p">.</span><span class="nx">accountIds</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Bootstrapping account </span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">await</span> <span class="nf">runBootstrap</span><span class="p">(</span><span class="nx">accountId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">cdk-bootstrap-role</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">eu-west-1</span><span class="dl">"</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Bootstrapped account </span><span class="p">${</span><span class="nx">accountId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">cdkVersion</span><span class="p">:</span> <span class="nx">output</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">accountIds</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">accountIds</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <h2> Deployment </h2> <p>Define the Lambda function in your CDK application using TypeScript. Below is the Lambda function definition:</p> <p><strong>stack.ts</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">lambdaFunction</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">lambda</span><span class="p">.</span><span class="nc">DockerImageFunction</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CdkBootstrapLambda</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">DockerImageCode</span><span class="p">.</span><span class="nf">fromImageAsset</span><span class="p">(</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">_baseFolder</span><span class="p">,</span> <span class="dl">'</span><span class="s1">src/cdk_bootstrap</span><span class="dl">'</span><span class="p">)</span> <span class="p">),</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cdk-bootstrap-lambda</span><span class="dl">'</span><span class="p">,</span> <span class="na">tracing</span><span class="p">:</span> <span class="nx">lambda</span><span class="p">.</span><span class="nx">Tracing</span><span class="p">.</span><span class="nx">ACTIVE</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">lambdaExecutionRole</span><span class="p">,</span> <span class="c1">// &lt;--- role that allows to assume roles in a target account</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">handlerEnvironmentParams</span><span class="p">,</span> <span class="na">memorySize</span><span class="p">:</span> <span class="mi">512</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="na">currentVersionOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">RETAIN</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The DockerImageFunction enables the use of the CDK CLI. Below is the Dockerfile and .dockerignore for creating a lightweight Lambda image.<br> <strong>Dockerfile</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">public.ecr.aws/lambda/nodejs:22</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /var/task</span> <span class="c"># Install pnpm</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">-g</span> pnpm <span class="c"># Copy package files and configs</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml .npmrc tsconfig.json ./</span> <span class="k">COPY</span><span class="s"> index.ts ./</span> <span class="c"># Install dependencies and build</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--frozen-lockfile</span> <span class="k">RUN </span>pnpm build <span class="k">FROM</span><span class="s"> public.ecr.aws/lambda/nodejs:22</span> <span class="k">WORKDIR</span><span class="s"> /var/task</span> <span class="c"># Install pnpm</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="nt">-g</span> pnpm <span class="c"># Copy package files and built assets</span> <span class="k">COPY</span><span class="s"> --from=builder /var/task/dist ./dist</span> <span class="k">COPY</span><span class="s"> package.json pnpm-lock.yaml .npmrc ./</span> <span class="c"># Install production dependencies only</span> <span class="k">RUN </span>pnpm <span class="nb">install</span> <span class="nt">--frozen-lockfile</span> <span class="nt">--prod</span> <span class="c"># Set the Lambda handler</span> <span class="k">CMD</span><span class="s"> ["dist/index.handler"]</span> </code></pre> </div> <p><strong>.dockerignore</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node_modules npm-debug.log dist .git .env </code></pre> </div> <h2> Package Configuration </h2> <p>Below is a sample package.json for the Lambda function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk-bootstrap"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Lambda for cdk bootstrapping"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=20.0.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm clean &amp;&amp; tsc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clean"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rimraf dist"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@aws-sdk/client-sts"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^3.723.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws-cdk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^2.174.1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"devDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@types/aws-lambda"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^8.10.92"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@types/jest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^29.5.11"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@types/node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^20.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"rimraf"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^5.0.5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typescript"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^4.9.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Additional Resources </h2> <ul> <li><a href="https://medium.com/@triverah/cdk-bootstrap-permissions-bcaff3f76ed4" rel="noopener noreferrer">CDK Bootstrap Permissions</a></li> <li><a href="https://repost.aws/knowledge-center/lambda-function-assume-iam-role" rel="noopener noreferrer">Cross Account Access</a></li> <li><a href="https://github.com/raajheshkannaa/cdk-booty-strappin" rel="noopener noreferrer">raajheshkannaa/cdk-booty-strappin</a></li> <li><a href="https://medium.com/@andrewfrazer/automating-aws-account-bootstrapping-with-aws-cdk-117e5ead1c51" rel="noopener noreferrer">Automating AWS account bootstrapping with AWS-CDK</a></li> <li><a href="https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping-customizing.html" rel="noopener noreferrer">CDK Bootstrap Docs</a></li> </ul> awscdk cdk automation aws AWS CDK template validation during synthesis with Cloudformation Guard Max Kryvych Thu, 13 Apr 2023 13:22:14 +0000 https://forem.com/maxkrivich/aws-cdk-template-validation-during-synthesis-with-cloudformation-guard-3il8 https://forem.com/maxkrivich/aws-cdk-template-validation-during-synthesis-with-cloudformation-guard-3il8 <p><code>It takes about 5 minutes to integrate.</code></p> <p>Hey there! πŸ‘‹</p> <p>⚑️ CDK just <a href="https://aws.amazon.com/about-aws/whats-new/2023/04/aws-cloud-development-kit-cdk-policies-validations/">released</a> a new killer feature that increases user experience for those ones who develop infrastructure in CDK. πŸ’₯</p> <blockquote> <p>Note: Keep in mind that you can use different plugins (such as OPA, Chekov, KICS, etc) instead of Cloudfromation Guard to validate your infrastructure with the feature.</p> </blockquote> <h2> What is the benefit? </h2> <p>From what I see the biggest benefit of this feature is improved development flow of the CDK code. Being able to check your code on the fly against a ruleset of policies will warn you earlier which saves a lot of time and prevents accidental deployments of vulnerable infrastructure.</p> <p>That being said do note this is an experimental feature in the CDK which comes with its own pros/cons.</p> <h2> How to integrate the plugin into your project? </h2> <p>First thing first go to the terminal and add this <a href="https://github.com/cdklabs/cdk-validator-cfnguard">dependency</a> to your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm <span class="nb">install</span> @cdklabs/cdk-validator-cfnguard </code></pre> </div> <p>The next step is to pass this into your <code>cdk.App</code> object<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">App</span><span class="p">({</span> <span class="na">policyValidationBeta1</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">CfnGuardValidator</span><span class="p">({</span> <span class="na">rules</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">/workspace/aws-guard-rules-registry/rules/aws/amazon_s3/</span><span class="dl">"</span><span class="p">,</span> <span class="p">]</span> <span class="p">})</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p>All done πŸƒ β€” Now you are ready to run use the plugin.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>cdk synth Performing Policy Validations Validation Report <span class="nt">-----------------</span> Policy Validation Report Summary ╔════════════════════════╀═════════╗ β•‘ Plugin β”‚ Status β•‘ β•Ÿβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β•’ β•‘ cdk-validator-cfnguard β”‚ success β•‘ β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•§β•β•β•β•β•β•β•β•β•β• Policy Validation Successful! ..... </code></pre> </div> <h2> What if I'm new to Guard? </h2> <p>Well, it's totally fine. Guard is less known to the general public. I will not talk about Guard in this blog post, and it deserves a separate article to talk about the pros/cons.</p> <p>I want to mention <a href="https://github.com/aws-cloudformation/aws-guard-rules-registry">repository</a> created by AWS that didn't get a lot of attention. The repository contains a collection of rules written in Guard DSL, which covers 80% of use cases. If you're just starting off with your journey on increasing security posture definitely follow the link. </p> <h2> Wrapping Up </h2> <p>Looks like it is a good step forward to improve the framework. So go there and give it a try!</p> <p>Thank you for your time! Stay awesome πŸŽƒ<br> Max</p> <p>Links:</p> <ul> <li><a href="https://github.com/cdklabs/cdk-validator-cfnguard">https://github.com/cdklabs/cdk-validator-cfnguard</a></li> <li><a href="https://github.com/aws/aws-cdk/blob/47468722786dd0faf7559dd0102687901814adbb/packages/%40aws-cdk/core/README.md#policy-validation">https://github.com/aws/aws-cdk/blob/47468722786dd0faf7559dd0102687901814adbb/packages/%40aws-cdk/core/README.md#policy-validation</a></li> </ul> cdk aws policymanagement security