Level-Up Your AWS CDK Game: Shift Left Security Unveiled!

The benefits of Infrastructure as Code (IaC) are well known, and one of the major ones is rapid infrastructure deployment; paradoxically, IaC can also contribute to slower deployment cycles.

Infrastructure security and compliance issues are the reason deployment cycles using IaC slow down.

In this blog I show how we can implement security and compliance, i.e. Shift Left DevSecOps practices, during the infrastructure development phase to achieve security by design. This reduces the risk of cloud infrastructure misconfigurations and leads to a faster deployment phase for CDK applications, using CDK together with a policy validation plugin called Keeping Infrastructure as Code Secure (KICS).

Prerequisites

Access to an AWS account.
Prior experience of working with CDK.
Understanding how CDK works.

Tools used

AWS CDK as IaC tool.

CDK KICS plugin.

Programming language

Javascript/Typescript

Before jumping right into the usage of the plugin, I would like to explain how this approach to Shift Left with CDK came into existence.

About CDK KICS plugin

An amazing plugin which reads the synthesized CloudFormation template and scans it for security issues and infrastructure misconfigurations.
I like it because it tells you the exact location of the resource in the CDK code and gives a how-to-fix link, which saves a lot of time.
It is super easy to set up in a CDK application.

How is it possible to achieve validation using CDK?

Using a static code analysis tool against CloudFormation templates from within CDK has been possible since April 3rd, 2023 with this update.

In very simple terms, this update means the following:

The AWS Cloud Development Kit (CDK) now facilitates developers in validating Infrastructure as Code (IaC) templates against policy-as-code tools throughout the development process.

This integration ensures prompt detection and resolution of security or configuration issues aligned with organizational policies.

Once the CDK application synthesizes the template, the plugin automatically triggers validation against policies, presenting a detailed report with compliance status and actionable insights for any detected misconfigurations.

Let’s see some security with CDK in action

To keep the blog simple, I will be creating a CDK application (infrastructure) based on the CDK workshop by AWS, which can be easily replicated and followed along even by first-time users of CDK.

Create a new TypeScript CDK project

cdk init sample-app --language typescript

Note: I won't be explaining the project structure, as this information is provided in the workshop.

Install the KICS plugin to your CDK application

npm install @checkmarx/cdk-validator-kics

This will automatically modify the package.json file.

Enable the KICS plugin in your CDK application

To use the plugin we need to register it with the CDK app.
In the /bin/<directory-name>.ts file of this project, modify the App construct of the CDK application:

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator()],
});

The final code for the entry point of the CDK application will look like the following:

#!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import { CdkLeftShiftStack } from '../lib/cdk-left-shift-stack';
import { KicsValidator, QueryCategory, Severity } from '@checkmarx/cdk-validator-kics/lib/plugin';

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator()],
});
new CdkLeftShiftStack(app, 'CdkLeftShiftStack');

Important Note

When I was first trying to test this plugin from the AWS blog (How to Shift Left Security in Infrastructure as Code Using AWS CDK and Checkmarx KICS), I couldn't test it successfully, as there is an error in the code provided in the blog.

import { KicsValidator } from '@checkmarx/cdk-validator-kics/lib/plugin';

// Code as given in the AWS blog: validationPluginsBeta1 is not a valid AppProps property
const app = new App({
  validationPluginsBeta1: [
    new KicsValidator(),
  ],
});

If you try the above code you will not be able to test it, because the property validationPluginsBeta1 used in that code does not exist on the App class in the current CDK version, 2.132.1:

Object literal may only specify known properties, and validationPluginsBeta1 does not exist in type AppProps.

The property that does exist is policyValidationBeta1, and it is the one used in this blog to illustrate the KICS plugin.

I have mentioned this to the relevant authors of the blog and hopefully it will be fixed soon.

Add an S3 bucket to the Stack

Add an S3 bucket to the stack so that we get more findings from KICS to observe.

new s3.Bucket(this, 'MyFirstBucket');

The final code for the stack of the CDK application will look like the following:

import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as sns from 'aws-cdk-lib/aws-sns';
import * as subs from 'aws-cdk-lib/aws-sns-subscriptions';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';

export class CdkLeftShiftStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Bucket with default settings: no encryption, no SSL enforcement, no bucket policy
    new s3.Bucket(this, 'MyFirstBucket');

    // Queue with default settings: server-side encryption not configured
    const queue = new sqs.Queue(this, 'CdkLeftShiftQueue', {
      visibilityTimeout: Duration.seconds(300)
    });

    const topic = new sns.Topic(this, 'CdkLeftShiftTopic');

    topic.addSubscription(new subs.SqsSubscription(queue));
  }
}

Run cdk synth

cdk deploy --profile cicd

Upon running cdk synth (which cdk deploy performs as its first step), the plugin is triggered and runs its checks against the generated CloudFormation template.

We can easily see that the KICS plugin has identified configuration and security issues and segregated them into HIGH, MEDIUM and LOW severity.

We can also see that, because KICS reports a failure, CDK did not deploy the resources carrying these security issues and misconfigurations. This is the Shift Left principle in action: the problems are caught before anything reaches the cloud, leading to a secure cloud infrastructure deployment process.

Validation Report
-----------------

╔═══════════════════════════════════════╗
║ Plugin Report                         ║
║ Plugin: kics-cdk-validator-plugin     ║
║ Version: N/A                          ║
║ Status: failure                       ║
╚═══════════════════════════════════════╝

(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501

Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Encryption
QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501.Properties

Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
Rule Metadata:
Category: Encryption
QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

S3 Bucket Should Have Bucket Policy (1 occurrences)
Severity: MEDIUM

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501

Description: Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Insecure Defaults
QueryId: 37fa8188-738b-42c8-bf82-6334ea567738

SQS With SSE Disabled (1 occurrences)
Severity: MEDIUM

Occurrences:

- Construct Path: CdkLeftShiftStack/CdkLeftShiftQueue/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── CdkLeftShiftQueue (CdkLeftShiftStack/CdkLeftShiftQueue)
              │ Construct: aws-cdk-lib.aws_sqs.Queue
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/CdkLeftShiftQueue/Resource)
                   │ Construct: aws-cdk-lib.aws_sqs.CfnQueue
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: CdkLeftShiftQueue1CF96D0B
- Template Locations:
  > Resources.CdkLeftShiftQueue1CF96D0B.Properties

Description: Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid
Rule Metadata:
Category: Encryption
QueryId: 12726829-93ed-4d51-9cbe-13423f4299e1

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

Occurrences:

- Construct Path: N/A
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    Construct trace not available. Rerun with `--debug` to see trace information
- Resource ID: n/a
- Template Locations:
  > Resources

Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
Rule Metadata:
Category: Best Practices
QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝

Validation failed. See the validation report above for details

Subprocess exited with error 1
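To make concrete what the plugin is looking at in the synthesized template, here is an added example (it is neither the post's code nor the KICS plugin itself): a small TypeScript checker that mirrors three of the findings above over a constructed cdk.out-style template, with a second constructed template showing what the same two resources synthesize to once enforceSSL, bucket encryption and queue encryption are set on the CDK constructs. The resource logical IDs are taken from the report; the rest of the template content is constructed for the example.

```typescript
// Added example, not the post's code: mirrors three KICS queries from the report above.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { resourceId: string; query: string; severity: 'HIGH' | 'MEDIUM' }

// "S3 Bucket Without Server-side-encryption": a default SSE algorithm must be set.
function bucketHasSse(props: Record<string, any>): boolean {
  const rules = props.BucketEncryption?.ServerSideEncryptionConfiguration ?? [];
  return rules.some((r: any) => Boolean(r.ServerSideEncryptionByDefault?.SSEAlgorithm));
}

// "S3 Bucket Without SSL In Write Actions": a bucket policy must Deny requests where
// aws:SecureTransport is false. CDK emits exactly this statement for enforceSSL: true,
// which is also why that single setting clears the "Should Have Bucket Policy" finding.
function policyDeniesInsecureTransport(policy: CfnResource): boolean {
  const stmts = policy.Properties?.PolicyDocument?.Statement ?? [];
  return stmts.some((s: any) =>
    s.Effect === 'Deny' && String(s.Condition?.Bool?.['aws:SecureTransport']) === 'false');
}

// "SQS With SSE Disabled": either a KMS key or SQS-managed SSE must be configured.
function queueHasSse(props: Record<string, any>): boolean {
  return Boolean(props.KmsMasterKeyId) || props.SqsManagedSseEnabled === true;
}

function checkTemplate(t: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const ids = Object.keys(t.Resources);
  const policies = ids.map(k => t.Resources[k]).filter(r => r.Type === 'AWS::S3::BucketPolicy');
  for (const id of ids) {
    const res = t.Resources[id];
    const props = res.Properties ?? {};
    if (res.Type === 'AWS::S3::Bucket') {
      if (!bucketHasSse(props)) {
        findings.push({ resourceId: id, query: 'S3 Bucket Without Server-side-encryption', severity: 'HIGH' });
      }
      // CDK attaches a policy to its bucket with { Ref: <bucket logical id> }.
      const attached = policies.filter(p => p.Properties?.Bucket?.Ref === id);
      if (!attached.some(policyDeniesInsecureTransport)) {
        findings.push({ resourceId: id, query: 'S3 Bucket Without SSL In Write Actions', severity: 'HIGH' });
      }
    }
    if (res.Type === 'AWS::SQS::Queue' && !queueHasSse(props)) {
      findings.push({ resourceId: id, query: 'SQS With SSE Disabled', severity: 'MEDIUM' });
    }
  }
  return findings;
}

// Constructed sample: what the post's bare stack synthesizes to (no encryption properties).
const insecureTemplate: CfnTemplate = { Resources: {
  MyFirstBucketB8884501: { Type: 'AWS::S3::Bucket', Properties: {} },
  CdkLeftShiftQueue1CF96D0B: { Type: 'AWS::SQS::Queue', Properties: { VisibilityTimeout: 300 } },
} };

// Constructed sample: the same stack after encryption: BucketEncryption.S3_MANAGED and
// enforceSSL: true on the bucket, and encryption: QueueEncryption.SQS_MANAGED on the queue.
const hardenedTemplate: CfnTemplate = { Resources: {
  MyFirstBucketB8884501: { Type: 'AWS::S3::Bucket', Properties: { BucketEncryption: {
    ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }],
  } } },
  MyFirstBucketPolicy: { Type: 'AWS::S3::BucketPolicy', Properties: {
    Bucket: { Ref: 'MyFirstBucketB8884501' },
    PolicyDocument: { Statement: [{ Effect: 'Deny', Action: 's3:*', Principal: { AWS: '*' },
      Condition: { Bool: { 'aws:SecureTransport': 'false' } } }] },
  } },
  CdkLeftShiftQueue1CF96D0B: { Type: 'AWS::SQS::Queue',
    Properties: { VisibilityTimeout: 300, SqsManagedSseEnabled: true } },
} };
```

Running checkTemplate over the first template reproduces the two HIGH and the SQS MEDIUM findings from the report, and over the second it returns none; the real plugin performs the same kind of inspection with the full KICS query set.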

What else can we do with KICS?

Disable categories or individual queries

If the previous report contains a finding which we want to disable, there are two options: disable it by category, or disable it by query.

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

Occurrences:

- Construct Path: N/A
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    Construct trace not available. Rerun with `--debug` to see trace information
- Resource ID: n/a
- Template Locations:
  > Resources

Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
Rule Metadata:
Category: Best Practices
QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

To disable the above finding by its category (Best Practices), add the following code:

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator({
    excludeCategories: [QueryCategory.BEST_PRACTICES]
  })],
});

To disable the same finding by its QueryId (8d29754a-2a18-460d-a1ba-9509f8d359da), add the following code:

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator({
    excludeQueries: ['8d29754a-2a18-460d-a1ba-9509f8d359da']
  })],
});

After adding either of the above we can observe that IAM Access Analyzer Not Enabled (1 occurrences) is excluded from the final report.

Validation Report
-----------------

╔═══════════════════════════════════════╗
║ Plugin Report                         ║
║ Plugin: kics-cdk-validator-plugin     ║
║ Version: N/A                          ║
║ Status: failure                       ║
╚═══════════════════════════════════════╝

(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501

Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Encryption
QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501.Properties

Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
Rule Metadata:
Category: Encryption
QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

S3 Bucket Should Have Bucket Policy (1 occurrences)
Severity: MEDIUM

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501

Description: Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Insecure Defaults
QueryId: 37fa8188-738b-42c8-bf82-6334ea567738

SQS With SSE Disabled (1 occurrences)
Severity: MEDIUM

Occurrences:

- Construct Path: CdkLeftShiftStack/CdkLeftShiftQueue/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── CdkLeftShiftQueue (CdkLeftShiftStack/CdkLeftShiftQueue)
              │ Construct: aws-cdk-lib.aws_sqs.Queue
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/CdkLeftShiftQueue/Resource)
                   │ Construct: aws-cdk-lib.aws_sqs.CfnQueue
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: CdkLeftShiftQueue1CF96D0B
- Template Locations:
  > Resources.CdkLeftShiftQueue1CF96D0B.Properties

Description: Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid
Rule Metadata:
Category: Encryption
QueryId: 12726829-93ed-4d51-9cbe-13423f4299e1

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝

Validation failed. See the validation report above for details

Exclude based on Severity

KICS queries can fall under 5 different severities: high, medium, low, info, and trace.

Let's say we want to remove the MEDIUM severity from the report (for illustration only; not advised for a production system).

Add the following to the KICS configuration:

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator({
    excludeSeverities: [Severity.MEDIUM],
  })],
});

The report after the above configuration contains only HIGH and LOW severity issues.

Validation Report
-----------------

╔═══════════════════════════════════════╗
║ Plugin Report                         ║
║ Plugin: kics-cdk-validator-plugin     ║
║ Version: N/A                          ║
║ Status: failure                       ║
╚═══════════════════════════════════════╝

(Violations)

S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501

Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
How to fix: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Encryption
QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9

S3 Bucket Without Server-side-encryption (1 occurrences)
Severity: HIGH

Occurrences:

- Construct Path: CdkLeftShiftStack/MyFirstBucket/Resource
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    └── CdkLeftShiftStack (CdkLeftShiftStack)
         │ Construct: aws-cdk-lib.Stack
         │ Library Version: 2.132.1
         │ Location: Run with '--debug' to include location info
         └── MyFirstBucket (CdkLeftShiftStack/MyFirstBucket)
              │ Construct: aws-cdk-lib.aws_s3.Bucket
              │ Library Version: 2.132.1
              │ Location: Run with '--debug' to include location info
              └── Resource (CdkLeftShiftStack/MyFirstBucket/Resource)
                   │ Construct: aws-cdk-lib.aws_s3.CfnBucket
                   │ Library Version: 2.132.1
                   │ Location: Run with '--debug' to include location info
- Resource ID: MyFirstBucketB8884501
- Template Locations:
  > Resources.MyFirstBucketB8884501.Properties

Description: S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
How to fix: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html
Rule Metadata:
Category: Encryption
QueryId: b2e8752c-3497-4255-98d2-e4ae5b46bbf5

IAM Access Analyzer Not Enabled (1 occurrences)
Severity: LOW

Occurrences:

- Construct Path: N/A
- Template Path: cdk.out/CdkLeftShiftStack.template.json
- Creation Stack:
    Construct trace not available. Rerun with `--debug` to see trace information
- Resource ID: n/a
- Template Locations:
  > Resources

Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
How to fix: https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html
Rule Metadata:
Category: Best Practices
QueryId: 8d29754a-2a18-460d-a1ba-9509f8d359da

Policy Validation Report Summary

╔═══════════════════════════╤═════════╗
║ Plugin                    │ Status  ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝

Don't fail the execution

This option is most likely to be used once you have decided the policy on what to exclude and what to include, after reviewing the merits and demerits of that policy.

The last option is used to list the severities which should cause the execution to fail. By default, this is set to [Severity.HIGH, Severity.MEDIUM].

In our case I just want it to deploy the resources, irrespective of the severities found.

const app = new cdk.App({
  policyValidationBeta1: [new KicsValidator({
    failureSeverities: [],
  })],
});

With this configuration, cdk deploy will set the report status to success and continue to deploy the resources, so the findings are still printed but no longer block the deployment.

From a DevSecOps Perspective

The support for validating IaC templates against policy-as-code tools has further increased trust in IaC by enabling security-first and compliance practices during CDK application development cycles.
By verifying compliance with organizational policies at the early stages of development, teams can improve the success rate of the deployment phase for their CDK applications.

There will be many tools and plugins leveraging this feature to further enhance the DevSecOps Shift Left principles for IaC; it will not be limited to KICS, with Open Policy Agent (OPA), CfnGuardValidator, Checkov, etc. available as well.

No doubt these tools are still young and many features are still in the experimental phase, but at least we have a starting point for implementing Shift Left practices in IaC.

I would be happy to know what kind of tools the community is using for their IaC with AWS CDK to take a security and compliance first approach.
