CDK Static Analysisbuilt around the construct tree

IAM wildcards, public S3 buckets, unencrypted data stores, open security groups, missing TLS enforcement. The pillar most static analysers cover, with the highest signal-to-noise ratio in this rule pack.

• IAM policies with wildcard actions or resources
• S3 bucket policies that lock the account out of the bucket
• RDS instances reachable from the public internet
• Lambda permissions granting public invoke

The static rules that surface obvious money leaks before deploy. Less interpretive than security, but easier to action — most of these have a one-line fix.

• Lambda functions over-provisioned on memory
• S3 buckets without lifecycle or Intelligent-Tiering
• NAT Gateway usage flagged for VPC architectures that could use endpoints
• EBS volumes oversized for their instance class

Findings that catch the day you wish you had backups. Backup retention, multi-AZ, point-in-time recovery, dead-letter queues — the operational hygiene that does not earn praise but earns trust.

• DynamoDB tables without point-in-time recovery
• RDS instances missing Multi-AZ and short backup retention
• Lambda functions without dead-letter queues
• CloudFront distributions without WAF associations

Operational and structural patterns that matter at scale: CloudWatch alarms wired up, VPC flow logs enabled, CloudTrail configured, encryption everywhere by default.

• CloudWatch log retention configured
• VPC flow logs enabled on production VPCs
• CloudTrail multi-region trails enabled
• Cognito user pools with MFA enabled