Every public construct, what it wraps, the safeguards it enforces, and the cdk-nag rules each satisfies. All live in lib/constructs/ and are exported from lib/constructs/index.ts. Use lib/constructs/bucket.construct.ts as the quality bar when writing a new one.
Shared contract: every construct takes DisambiguationProps & RemovalPolicyProps. Encryptable constructs accept an optional encryptionKey?: CompliantKey to upgrade from AWS-managed SSE to a customer-managed key.
| Symbol | File | Role |
|---|---|---|
UnambiguousConstruct |
unambiguous.construct.ts |
Name disambiguation (disambiguate()) |
AlarmableUnambiguousConstruct |
alarmable-unambiguous.construct.ts |
Adds alarms[] + addAlarm() / getCriticalAlarms() |
Alarmable |
alarmable.construct.ts |
Interface for the above |
BasicAlarm |
basic-alarm.construct.ts |
CloudWatch alarm wrapper (DESTROY removal) |
DisambiguationProps, RemovalPolicyProps, getRemovalPolicy, disambiguate |
props/ |
Shared prop mixins + helpers |
- Automatic key rotation; alias disambiguated by stage/region; stage-driven removal policy.
- Satisfies: KMS5. Used as the opt-in
encryptionKeyfor the constructs below.
- Block-all public access; SSE (S3-managed, or KMS when
encryptionKeygiven) withbucketKeyEnabled;enforceSSL; versioning on; noncurrent-version lifecycle (Intelligent-Tiering @30d, expire @90d); optional server access logging; 4xx/5xx alarms. - Satisfies: S1 (with a logs bucket), S2, S5/S10.
- A hardened
CompliantBucketmeant to receive other buckets' access logs. - The only place
AwsSolutions-S1is suppressed (a log sink can't log to itself) — documented inline.
- Point-in-time recovery; SSE (AWS-managed, or CUSTOMER_MANAGED with
encryptionKey); on-demand billing; system-error alarm;alarmActionsEnabledprop (noPRODcoupling). - Satisfies: DDB3.
- SSE via
alias/aws/snsby default (or a CMK);enforceSSL. - Satisfies: SNS2, SNS3.
- SSE (SQS-managed or KMS);
enforceSSL; always attaches aCompliantDLQ; 14-day retention; message-flow alarm. - Satisfies: SQS2/SQS2(SSE), SQS3 (DLQ), SQS4 (SSL).
- Same SSE +
enforceSSL; depth alarms (low/high severity). - Satisfies: SQS2, SQS4.
- Least-privilege role: a pre-created, retention-bound encrypted log group with scoped
grantWrite(no broadAWSLambdaBasicExecutionRole); active X-Ray tracing; ARM64; memory metric filters; error/duration/throttle/memory alarms. Environment is entirely caller-supplied (no business env injection). Runtime is caller-supplied — keep it current for L1. - Suppressions (inline, documented): IAM4/IAM5 for the X-Ray tracing policy (X-Ray actions aren't resource-scopable).
- Composes
CompliantFunction+CompliantDLQ; scheduler execution role scoped to the exact function and DLQ ARNs; DLQ-backed retry policy.
- Access logging (retention-bound log group) + execution logging at INFO with metrics; default request validation; IAM authorization on methods; regional WAF WebACL associated to the stage (AWS Common Rule Set).
- Satisfies: APIG1, APIG2, APIG3, APIG4, APIG6. Suppression (inline): IAM4 for the AWS-managed API Gateway → CloudWatch Logs role (the logging control requires it).
- VPC flow logs (ALL traffic) to a retention-bound log group; restricted default security group (via the
restrictDefaultSecurityGroupfeature flag incdk.json); private egress subnets by default. - Satisfies: VPC7.
Stack (lib/stacks/) |
Constructs |
|---|---|
network.stack.ts |
CompliantVpc |
storage.stack.ts |
CompliantKey, CompliantLogBucket, CompliantBucket, CompliantTable |
messaging.stack.ts |
CompliantKey, CompliantTopic, CompliantQueue (+ its CompliantDLQ) |
compute.stack.ts |
CompliantFunction, CompliantScheduledLambda |
api.stack.ts |
CompliantApi |