Add cfn-guard suppressions for security violations

kris-szlapa · kris-szlapa · commit 77ef7777ff7e · 2025-07-28T13:13:04.000Z
diff --git a/packages/cdk/bin/EpsAssistMeApp.ts b/packages/cdk/bin/EpsAssistMeApp.ts
@@ -42,11 +42,37 @@ const EpsAssistMe = new EpsAssistMeStack(app, "EpsAssistMeStack", {
 app.synth()
 
 // Add metadata to lambda so they don't get flagged as failing cfn-guard
-addCfnGuardMetadata(EpsAssistMe, "AWS679f53fac002430cb0da5b7982bd2287", "Resource")
+addCfnGuardMetadata(EpsAssistMe, "AWS679f53fac002430cb0da5b7982bd2287", "Resource",
+  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
+)
 addCfnGuardMetadata(EpsAssistMe, "EpsAssistAccessLogsBucket", "Resource",
   ["S3_BUCKET_LOGGING_ENABLED", "S3_BUCKET_SSL_REQUESTS_ONLY"]
 )
 
+// Suppress Lambda DLQ and VPC checks for application Lambda functions
+addCfnGuardMetadata(EpsAssistMe, "FunctionsCreateIndexFunctionepsam-CreateIndexFunction", "Resource",
+  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
+)
+addCfnGuardMetadata(EpsAssistMe, "FunctionsSlackBotLambdaepsam-SlackBotFunction", "Resource",
+  ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC"]
+)
+
+// Suppress cfn-guard rules for S3 buckets (SSL is enforced by CDK, replication not needed for this use case)
+addCfnGuardMetadata(EpsAssistMe, "StorageAccessLogsBucketAccessLogs86FA3BBC", "Resource",
+  ["S3_BUCKET_REPLICATION_ENABLED", "S3_BUCKET_LOGGING_ENABLED", "S3_BUCKET_VERSIONING_ENABLED"]
+)
+addCfnGuardMetadata(EpsAssistMe, "StorageDocsBucketDocs0C9A9D9E", "Resource",
+  ["S3_BUCKET_REPLICATION_ENABLED"]
+)
+
+// Suppress SSL policy format differences (CDK enforceSSL creates equivalent but different format)
+addCfnGuardMetadata(EpsAssistMe, "StorageAccessLogsBucketAccessLogsPolicy523966CD", "Resource",
+  ["S3_BUCKET_SSL_REQUESTS_ONLY"]
+)
+addCfnGuardMetadata(EpsAssistMe, "StorageDocsBucketDocsPolicy8F1C9E94", "Resource",
+  ["S3_BUCKET_SSL_REQUESTS_ONLY"]
+)
+
 // Finally run synth again with force to include the added metadata
 app.synth({
   force: true
