Can CDK Custom Resources managed by CDK be forced to be more security compliant? #24875
-
Hi, I'm running a deployment that uses SSM parameters and S3 buckets. As part of the deployment, CDK deploys additional Lambda functions (with associated CloudWatch log groups); these additional functions do things like "delete all bucket objects" on destroy. There appears to be no way to configure these resources. For example, when we define a Lambda function we can configure it with CDK to have a DLQ and a KMS role, and force the log group to have a KMS (customer managed) key enabled on it. Is there any mechanism to define the default behaviour of the CDK-managed resources? To force them to encrypt the log groups they create, for example?
Replies: 3 comments
-
There currently isn't any mechanism for this as a catch-all. There are a number of custom resources we spin up throughout our codebase - I won't confidently say that none of them have these configurability options, but I would assume that most don't, since I'm unfamiliar with being able to configure a DLQ on any of our custom resources. Here's a somewhat related feature request, for instance. I think if you have these strict security requirements, it would be best to avoid provisioning any of our resources which automatically break these rules and instead find other ways to accomplish what you need. Feel free to cut us a feature request with some specific asks for specific constructs 🙂
-
Thanks, that's the approach I have been forced into: removing the code that triggers the custom resources. When I get time I'll log a couple of issues, because I found (for example) that the S3Deploy custom resource (which appears to support a KMS key) fails if you apply a KMS key to the CDK bootstrap that is different from the KMS key of the target bucket (because the role it creates only handles the target KMS key, not the source CDK asset bucket KMS key). The other resource I was using was a bucketnotificationhandler that is created when you add a notification from S3 to a Lambda function. For now (as that resource appears to be used just once) I have some bash/CLI locating and deleting it after each CDK deployment, which I know can upset the CDK stack and might make my life difficult later! Having KMS keys (customer managed) on resources is a very common requirement, especially in any regulated environment (like PCI or government); it would be great to see that factored into all the "helper" resources that CDK manages. I'd hoped there was a switch somewhere we could set that would just (as a minimum) apply a common KMS key to any custom resource or every resource unless defined in the resource itself. The target for me here is "can I set KMS on every resource"; sadly, on a few this is a challenge. Encryption isn't the only setting the customer I'm currently working with wants set: they also want DLQs on all Lambdas, Lambdas to sit in VPCs by default, encrypt their secrets, etc. It's a shame there isn't a generic property that can be configured for any resource that triggers a CDK Lambda function so those functions can be customised a bit. Thanks for replying so fast. I might be forced into converting my project into Terraform because of some of this!
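As an added example (not code from this thread or from the CDK project), one way to get the "can I set KMS on every resource" check the reply above asks for without a CDK switch: a script run in CI over the synthesized template in cdk.out that flags every log group without a customer managed key and every function without a KMS key, DLQ or VPC, which catches the helper functions and log groups CDK adds for custom resources alongside your own. The sample template and its resource names are constructed for the example; a CDK Aspect visiting the construct tree could apply the same rules at synth time.

```python
import json
import sys

# Constructed sample of a synthesized CDK template (cdk.out/<stack>.template.json): one
# user-defined function with hardened settings next to the kind of helper function and
# log group CDK adds on its own for custom resources (all names and ARNs are made up).
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "AppFn": {"Type": "AWS::Lambda::Function", "Properties": {
      "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key",
      "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:111122223333:app-dlq"},
      "VpcConfig": {"SubnetIds": ["subnet-example"], "SecurityGroupIds": ["sg-example"]}}},
    "AppFnLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key"}},
    "AutoDeleteObjectsHandler": {"Type": "AWS::Lambda::Function", "Properties": {
      "Runtime": "nodejs18.x", "Handler": "index.handler"}},
    "BucketNotificationsHandlerLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {
      "RetentionInDays": 7}}
  }
}""")

# Each rule: (CloudFormation resource type, requirement, predicate over Properties).
# Intrinsic values such as {"Ref": ...} or {"Fn::GetAtt": ...} count as present.
RULES = [
    ("AWS::Logs::LogGroup", "KmsKeyId (customer managed key on the log group)",
     lambda p: bool(p.get("KmsKeyId"))),
    ("AWS::Lambda::Function", "KmsKeyArn (customer managed key for environment variables)",
     lambda p: bool(p.get("KmsKeyArn"))),
    ("AWS::Lambda::Function", "DeadLetterConfig.TargetArn (dead-letter queue)",
     lambda p: bool(p.get("DeadLetterConfig", {}).get("TargetArn"))),
    ("AWS::Lambda::Function", "VpcConfig.SubnetIds (function attached to a VPC)",
     lambda p: bool(p.get("VpcConfig", {}).get("SubnetIds"))),
]

def find_violations(template):
    """Return [(logical_id, missing_requirement), ...] for every resource failing a rule."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties") or {}
        for resource_type, requirement, satisfied in RULES:
            if resource.get("Type") == resource_type and not satisfied(props):
                violations.append((logical_id, requirement))
    return violations

if __name__ == "__main__":
    # Usage: python check_template.py cdk.out/MyStack.template.json (no argument: sample above)
    found = find_violations(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE)
    for logical_id, requirement in found:
        print(f"{logical_id}: missing {requirement}")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline before cdk deploy
```

Run it against every template in cdk.out as a pipeline step before `cdk deploy`, so a custom resource provider that appears after a CDK upgrade is caught rather than deployed and deleted afterwards.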
-
Hello! Reopening this discussion to make it searchable.