How CDK-nag can help your engineering teams improve & accelerate

Mart Noten


How do you validate that your CDK infrastructure adheres to your company’s best practices? Imagine you’re building away in your application, creating all the necessary infrastructure. Is there a way you validate what you produce?

Enterprise companies often have a Cloud Center of Excellence (CCoE) that paves the way for internal cloud usage. It’s an opinionated bunch of experts that should help you move quickly once you’ve onboarded AWS. But.. Communication is no small feat. It might be hard to find what opinions they’ve published on every service, and identifying how it relates to your application might be even more challenging. Heck, you might even be developing a service that an SCP prohibits. You won’t know until you deploy.

Often we talk about security scanning or dependency scanning to ensure that what we do is correct. We run tools like Bandit or Snyk to help us identify any open issues with our application. For verifying your CDK infrastructure AWS has published a tool called CDK nag. It checks CDK applications or CloudFormation templates for best practices using a combination of available rule packs.

How does it work?

CDK-nag (inspired by cfn_nag) validates that the state of constructs within a given scope complies with a set of rules. It validates constructs by extending AWS CDK Aspects. You should check out this post to learn more about the AWS CDK Aspect system.

CDK-nag includes several rule sets (NagPacks) to validate your application. It consists of the AWS Solutions, HIPAA Security, NIST 800–53 rev 4, NIST 800–53 rev 5, and PCI DSS 3.2.1 NagPacks. You can pick and choose different NagPacks and apply as many as you wish to a given scope.

Example of how CDK-nag is integrated in your application

Is it worth trying?

It’s a great addition to a developer’s toolbox. The out-of-the-box rule sets include recommendations you may adhere to but may miss. In that same thought, it makes more sense for beginners than it does for experts. I would recommend Cloud Center of Excellence require this as part of a pipeline to ensure developers adhere to your and AWS’ best practices.

What’s bad about it?

If you are not a fan of opinionated platforms and think developers should be left alone, this might not be for you. In our specific case, we have created our ruleset based on the AWS Solutions one to inform users of recommendations but not block them. By doing it that way, we hope developers will take the recommendations when and if they are applicable and only stop them in case our SCPs will. It should offer benefits to our end-user and not us.

What can you do to make it more interesting for your organisation?

We’re publishing a rule set based on our SCPs and best practices. This rule set allows us to bring our opinions directly to the hands of our developers within seconds of them synthesising their applications. We are publishing this NagPack in our internal NPM repository, meaning they can easily install and configure it using their well-known tools.

Creating a basic ruleset that adheres to our SCPs will take some time, but luckily they don’t change much over time. We’ll have to maintain them to get maximum benefit.

CDK Nag offers an easy way to increase the quality of our engineers’ infrastructure and allow them to find our recommendations in the longer term easily.

Want to read more?

Are you interested in reading more about validating your infrastructure as code? AWS has a couple of interesting links to help you get started:

This is a NBTL newsletter published weekly — consider subscribing if you want it in your inbox every Monday morning.



Mart Noten
Editor for

AWS Architect from the writing technical articles focussing on cloud technologies.