feat: Support for AWS Resource Tagging Standards
Opened this issue · 2 comments
Description
Hi,
AWS recently announced a new standard set related to resource tagging: https://docs.aws.amazon.com/securityhub/latest/userguide/standards-tagging.html
This standard is a list of config rules that check to make sure you have appropriate tags on the resources you create.
Use Case
The resource standard complements the existing AWS, NIST, CIS, and PCI rulepacks that are already supported by cdk-nag. By adding this new resource tagging standard, we can greatly improve the security and visibility of our resources. Additionally, we would like to migrate our IAM permissions methodology to ABAC using tags.
Specifically, using cdk-nag we can detect and block misconfigurations before they are even deployed.
Proposed Solution
Can be implemented as another rulepack https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/check-aws-cdk-applications-or-cloudformation-templates-for-best-practices-by-using-cdk-nag-rule-packs.html
Other information
Blog post announcement: https://aws.amazon.com/about-aws/whats-new/2024/04/aws-security-hub-resource-tagging-standard/
Acknowledge
- I may be able to implement this feature request
- This feature might incur a breaking change
It looks like the standard requires users to provide a list of key-value pairs that should be used for each service.
I don't think there is a good way to generalize this and have it as an included NagPack.
If you're looking for specific key-value pairs, it might be a better solution to make your own pack or to just use the CDK's native tagging Aspect.
Here is an example of how to check for tags: https://github.com/JohannesKonings/cdk-nag-custom-nag-pack
For checking tags that are set via an Aspect or via a Stack parameter, it needs a workaround like this one: https://github.com/JohannesKonings/cdk-nag-custom-nag-pack/blob/main/src/rules/utils/tagUtils.ts
Maybe these helper functions could be implemented in the cdk-nag library for easier creation of a custom nag pack for tag checking.
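As an added illustration of the per-service key-value check both comments describe (example code, not from cdk-nag or the linked repo): a plain TypeScript function that inspects a synthesized CloudFormation template for required tag keys per resource type, so tags applied through an Aspect or a stack parameter are already present in what it sees. The template, the policy shape and the `Finding` type are constructed assumptions for this example.

```typescript
// Added example, not from cdk-nag or the linked repo: check the synthesized
// CloudFormation template for required tag keys, by resource type.
type TagList = { Key: string; Value: unknown }[];   // Value may be a Ref, not just a string
type TagMap = { [key: string]: unknown };

interface CfnResource {
  Type: string;
  Properties?: { Tags?: TagList | TagMap };
}
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource } }

// Required tag keys per resource type (assumed policy shape); "*" applies to every resource.
type TagPolicy = { [resourceType: string]: string[] };

interface Finding { logicalId: string; type: string; missing: string[] }

// Normalize both shapes CloudFormation uses for Tags (a list of Key/Value
// objects, or a plain key->value map on some resource types) into a list of keys.
function tagKeys(tags?: TagList | TagMap): string[] {
  if (!tags) return [];
  if (Array.isArray(tags)) return tags.map(t => t.Key);
  return Object.keys(tags);
}

// One finding per resource that lacks any key required for its type or for "*".
function checkRequiredTags(tpl: CfnTemplate, policy: TagPolicy): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[logicalId];
    const required = (policy['*'] || []).concat(policy[res.Type] || []);
    if (required.length === 0) continue;          // nothing mandated for this type
    const present = tagKeys(res.Properties && res.Properties.Tags);
    const missing = required.filter(k => present.indexOf(k) < 0);
    if (missing.length) findings.push({ logicalId, type: res.Type, missing });
  }
  return findings;
}

// Constructed sample template standing in for `cdk synth` output.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Bucket: { Type: 'AWS::S3::Bucket', Properties: {
      Tags: [{ Key: 'Owner', Value: 'sec-team' }, { Key: 'CostCenter', Value: '42' }] } },
    Api: { Type: 'AWS::ApiGatewayV2::Api', Properties: {
      Tags: { Owner: 'sec-team' } } },                 // map form; CostCenter missing
    Role: { Type: 'AWS::IAM::Role', Properties: {} },  // untagged
  },
};
const samplePolicy: TagPolicy = { '*': ['Owner', 'CostCenter'], 'AWS::IAM::Role': ['DataClassification'] };
```

Running `checkRequiredTags(sampleTemplate, samplePolicy)` reports `Api` (missing `CostCenter`) and `Role` (missing all three keys) while the fully tagged bucket passes.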