CDK Insights vs CDK Nag: Which AWS CDK Security Tool Should You Use?
If you are building AWS infrastructure with CDK, you have probably heard of CDK Nag. It has been the go-to open-source tool for catching security issues in CDK constructs since 2021. But the CDK ecosystem has matured, and newer tools like CDK Insights take a different approach to the same problem. This article breaks down the differences so you can pick the right tool for your workflow.
What is CDK Nag?
CDK Nag is an open-source library maintained by cdklabs that validates CDK applications against sets of rules (called "packs"). It runs as a CDK Aspect, which means it visits every node in the construct tree during synthesis and checks it against the rule set. A violation is attached to the construct as a CloudFormation annotation: an error-level annotation makes cdk synth fail, while a warning-level annotation is reported but does not block.
The rule packs map to well-known compliance frameworks: AWS Solutions, HIPAA Security, NIST 800-53, and PCI DSS. Each pack selects the rules relevant to that framework. For example, the HIPAA Security pack checks that CloudTrail logs are encrypted and that S3 buckets have versioning enabled, while the AWS Solutions pack checks that S3 buckets block public access and have server access logging turned on.
CDK Nag is entirely local. There is no dashboard, no SaaS component, and no network calls. You add it to your CDK app, run cdk synth, and it reports findings inline as annotations and writes a per-pack, per-stack CSV compliance report into cdk.out. Suppressions are declared in code (NagSuppressions writes them into construct metadata), so each accepted exception is recorded next to the construct it applies to, with the reason that justifies it, and reviewed like any other code change.
What is CDK Insights?
CDK Insights is a security and best practices analysis tool built specifically for AWS CDK. It combines static rule-based analysis (including all CDK Nag rules) with AI-powered recommendations that go beyond pattern matching. The tool ships as an npm package that you can run locally via CLI or integrate into CI/CD pipelines.
The static analysis engine runs 280+ rules across 30+ AWS services. These rules cover security misconfigurations, cost optimization opportunities, and operational best practices. On the Pro and Team tiers, the AI analysis layer examines your synthesized CloudFormation template and produces context-aware recommendations that a rule engine alone would miss, like identifying that a Lambda function connected to an RDS instance should use IAM authentication instead of password-based credentials stored in environment variables.
CDK Insights also provides a web dashboard for tracking findings over time, comparing scans across branches, and assigning issues to team members. The free tier gives you unlimited static analysis scans forever with no account required.
Feature Comparison
| Feature | CDK Insights | CDK Nag |
|---|---|---|
| Static rule analysis | Yes (280+ rules) | Yes (~200 rules) |
| AI-powered analysis | Yes (Pro/Team) | No |
| CDK Nag rules included | Yes, all packs | Yes (native) |
| Custom CDK-specific rules | Yes (80+ additional) | Community contributions |
| Runs locally (no account) | Yes (static analysis) | Yes |
| Web dashboard | Yes | No |
| CI/CD integration | CLI + GitHub Action | CDK Aspect (synth-time) |
| Output formats | Table, JSON, Markdown, Summary | Annotations in console + CSV compliance report in cdk.out |
| Historical scan tracking | Yes | No |
| Team collaboration | Yes (Team plan) | No |
| Cost optimization rules | Yes | Limited |
| Compliance packs | Inherits from CDK Nag | HIPAA, NIST, PCI DSS, AWS Solutions |
| Pricing | Free tier + paid plans | Free (open-source) |
| CDK Aspect mode | Yes | Yes (primary mode) |
How They Approach Security Differently
CDK Nag takes a compliance-first approach. Its rule packs map directly to regulatory frameworks, making it straightforward to demonstrate compliance during audits. Each rule has a clear rationale tied to a specific compliance requirement. If you need to prove HIPAA compliance for your CDK stacks, CDK Nag gives you a checklist to work through.
CDK Insights takes a broader approach. The static analysis layer covers the same compliance ground (since it includes CDK Nag rules), but the AI analysis adds a second pass that looks at the overall architecture. This catches issues that fall outside the scope of individual rules. For instance, a rule can check whether an S3 bucket has encryption enabled, but it takes contextual understanding to flag that a bucket receiving CloudTrail logs should also have object lock enabled to prevent tampering.
The practical difference shows up in findings. CDK Nag reports each violation as a synth-time annotation carrying the rule ID, its level (Error or Warning), and a one-line explanation, plus the per-stack compliance report; it does not rank findings or propose fixes. CDK Insights produces findings with severity levels, affected resources, and specific remediation steps. The AI recommendations include code suggestions tailored to your actual construct code, not generic documentation links.
Integration and Workflow
CDK Nag integrates at the CDK level. You add it as an Aspect to your app or stack, and it runs every time you synthesize. This is both its strength and its limitation. It catches problems early in the development loop, but it only runs inside a CDK synthesis. To scan an existing CloudFormation template you still need a CDK app to host it (the template can be imported with CfnInclude from aws-cdk-lib/cloudformation-include and the Aspect applied to the result), and to gate a separate CI step you synthesize and then inspect the annotations or the CSV report that synthesis leaves in cdk.out.
```typescript
// CDK Nag: add the AWS Solutions pack as an Aspect to your CDK app
import { App, Aspects } from 'aws-cdk-lib';
import { AwsSolutionsChecks } from 'cdk-nag';

const app = new App();
// ... instantiate your stacks on `app` here ...
Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
```

CDK Insights works at the CLI level. You point it at your CDK project directory and it handles synthesis, template extraction, and analysis in one command. It also supports a CDK Aspect mode for teams that prefer the synth-time approach. The GitHub Action makes CI integration a one-file addition.
```shell
# CDK Insights: run from the CLI (synthesizes, extracts the template, scans)
npx cdk-insights scan

# Or add a "scan" script to package.json and run it from there
npm run scan
```

Pricing
CDK Nag is completely free and open-source under the Apache 2.0 license. There are no paid tiers or premium features. You get the full rule set with no limitations.
CDK Insights offers a free tier with unlimited static analysis scans (the 280+ rules engine). The Pro plan adds AI-powered analysis, the web dashboard, and historical tracking. The Team plan adds collaboration features for engineering teams. See the pricing page for current rates.
When to Use Each Tool
Use CDK Nag if:
- You need a lightweight, minimal-dependency compliance checker (it adds only a library to your CDK app, with no account or service behind it)
- Your team operates in a strict air-gapped or offline environment
- You specifically need per-framework compliance reports (HIPAA, NIST 800-53, PCI DSS) to hand to auditors
- You want synthesis to fail when rules are violated (shift-left enforcement)
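Failing synthesis is the simplest enforcement, but many teams want a separate CI step that inspects what cdk synth left behind and applies its own policy. The script below is an added example, not code from cdk-nag or CDK Insights: a small Node.js (CommonJS) gate that reads the CSV compliance reports cdk-nag writes into cdk.out, blocks on unsuppressed Error-level violations, and also blocks on suppressions that carry no reason (an empty reason means nobody reviewed the exception). The column layout (Rule ID, Resource ID, Compliance, Exception Reason, Rule Level, Rule Info) and the Compliance values are assumptions based on current cdk-nag reports; confirm them against the header of a report in your own cdk.out. The sample report embedded at the bottom is constructed for the stand-alone run; its rule levels and wording are illustrative, not copied from cdk-nag.

```javascript
'use strict';

// Minimal CSV line splitter that honours double-quoted fields (rule info
// text contains commas) and doubled quotes inside a quoted field.
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"') {
      if (inQuotes && line[i + 1] === '"') { cur += '"'; i++; } // escaped quote
      else inQuotes = !inQuotes;
    } else if (c === ',' && !inQuotes) {
      fields.push(cur); cur = '';
    } else {
      cur += c;
    }
  }
  fields.push(cur);
  return fields;
}

// Parse a report into objects keyed by the header row, so a column reorder in
// a future cdk-nag release fails loudly instead of silently misreading fields.
// Column names are an assumption; check them against your cdk.out.
function parseNagReport(csvText) {
  const lines = csvText.split(/\r?\n/).filter((l) => l.trim() !== '');
  if (lines.length === 0) throw new Error('empty report');
  const header = splitCsvLine(lines[0]);
  for (const col of ['Rule ID', 'Resource ID', 'Compliance', 'Exception Reason', 'Rule Level']) {
    if (!header.includes(col)) throw new Error(`report is missing column "${col}"`);
  }
  return lines.slice(1).map((line) => {
    const cells = splitCsvLine(line);
    const row = {};
    header.forEach((h, i) => { row[h] = cells[i] ?? ''; });
    return row;
  });
}

// Policy: block on unsuppressed Error-level violations and on suppressions
// without a justification. Warnings are surfaced but do not fail the job.
function evaluateReport(rows) {
  const blocking = [];
  const warnings = [];
  const unjustified = [];
  for (const r of rows) {
    if (r['Compliance'] === 'Non-Compliant') {
      (r['Rule Level'] === 'Error' ? blocking : warnings).push(r);
    } else if (r['Compliance'] === 'Suppressed' && r['Exception Reason'].trim() === '') {
      unjustified.push(r);
    }
  }
  return { blocking, warnings, unjustified, pass: blocking.length === 0 && unjustified.length === 0 };
}

// Evaluate every cdk-nag report in an output directory (cdk-nag names them
// <Pack>-<Stack>-NagReport.csv). Call this from CI and exit non-zero on !pass.
function gateDirectory(outDir) {
  const fs = require('fs');
  const path = require('path');
  const files = fs.readdirSync(outDir).filter((f) => f.endsWith('-NagReport.csv'));
  const rows = files.flatMap((f) => parseNagReport(fs.readFileSync(path.join(outDir, f), 'utf8')));
  return evaluateReport(rows);
}

function printResult(result) {
  for (const r of result.blocking) console.log(`ERROR    ${r['Rule ID']}  ${r['Resource ID']}`);
  for (const r of result.unjustified) console.log(`NOREASON ${r['Rule ID']}  ${r['Resource ID']}`);
  for (const r of result.warnings) console.log(`WARN     ${r['Rule ID']}  ${r['Resource ID']}`);
  console.log(result.pass ? 'PASS' : 'FAIL');
}

// Constructed sample report in the assumed layout (levels and text illustrative).
const SAMPLE_REPORT = [
  'Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info',
  'AwsSolutions-S1,MyStack/LogsBucket/Resource,Non-Compliant,N/A,Error,"The S3 Bucket has server access logs disabled."',
  'AwsSolutions-S10,MyStack/LogsBucket/Resource,Compliant,N/A,Error,"The S3 Bucket or bucket policy does not require requests to use SSL."',
  'AwsSolutions-IAM5,MyStack/Fn/ServiceRole/Resource,Suppressed,Wildcard scoped to the one bucket this function owns,Error,"The IAM entity contains wildcard permissions."',
  'AwsSolutions-IAM4,MyStack/Fn/ServiceRole/Resource,Suppressed,,Error,"The IAM user, role, or group uses AWS managed policies."',
  'AwsSolutions-L1,MyStack/Fn/Resource,Non-Compliant,N/A,Warning,"The Lambda function is not configured to use the latest runtime version."',
].join('\n');

// Stand-alone run: evaluate the constructed sample and print the verdict.
printResult(evaluateReport(parseNagReport(SAMPLE_REPORT)));
```

In a pipeline, run cdk synth first, then call gateDirectory('cdk.out') and exit with a non-zero status when pass is false; the header check means a changed report format breaks the job visibly rather than letting findings slip through unread.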
Use CDK Insights if:
- You want CDK Nag rules plus additional CDK-specific checks
- You want AI-powered recommendations that catch architectural issues
- You need a dashboard to track security posture over time
- Your team needs to collaborate on findings and assign remediation work
- You want multiple output formats for different audiences (JSON for CI, Markdown for PRs)
The Bottom Line
CDK Nag is a solid, battle-tested tool that does one thing well: compliance-focused rule checking during CDK synthesis. It has earned its place in the CDK ecosystem.
CDK Insights builds on that foundation. It includes all CDK Nag rules as part of its static analysis engine, then adds 80+ additional CDK-specific rules and an AI analysis layer that finds issues no rule engine catches. For teams that want the broadest coverage with the least configuration, CDK Insights gives you everything CDK Nag does and more.
The free tier makes it easy to try. Run npx cdk-insights scan in your CDK project and compare the output to what CDK Nag finds. The static analysis results alone are worth the 30 seconds it takes to run.
Try CDK Insights for Free
280+ rules, zero configuration, no account required.