
Static Analysis

CDK Insights performs comprehensive static analysis of your CDK stacks, identifying security vulnerabilities, cost optimizations, and best practice violations.

How Static Analysis Works

CDK Insights analyzes your CDK application by:

  1. Running cdk synth to generate CloudFormation templates
  2. Parsing the CloudFormation output to understand your infrastructure
  3. Applying a comprehensive set of rules to identify issues
  4. Generating detailed reports with actionable recommendations

This approach ensures that we analyze exactly what AWS will deploy, not just your CDK code, giving you the most accurate results.
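The pipeline above, as an added example that is not CDK Insights' own code: a minimal rule engine that reads a synthesized CloudFormation template (the kind `cdk synth` writes to cdk.out) and applies four of the checks listed on this page. The template, rule set and recommendation strings are constructed for illustration; real property names from the CloudFormation resource types are used.

```typescript
// Added example (not CDK Insights code). Applies a few page-listed checks to a
// synthesized CloudFormation template and returns findings ordered by severity.
type Severity = "CRITICAL" | "HIGH";
type Props = Record<string, any>;
interface Resource { Type: string; Properties?: Props }
interface Template { Resources: Record<string, Resource> }
interface Finding { severity: Severity; logicalId: string; message: string; recommendation: string }
interface Rule { severity: Severity; type: string; check: (p: Props) => boolean; message: string; recommendation: string }

// CloudFormation allows scalars or arrays for Action/Resource/Statement; normalise to arrays.
const asList = (v: unknown): unknown[] => (Array.isArray(v) ? v : v === undefined ? [] : [v]);
const hasWildcard = (v: unknown): boolean => asList(v).some(x => typeof x === "string" && x.includes("*"));

const RULES: Rule[] = [
  { severity: "CRITICAL", type: "AWS::RDS::DBInstance",
    check: p => p.PubliclyAccessible === true,
    message: "RDS instance is publicly accessible", recommendation: "Set publiclyAccessible to false" },
  { severity: "CRITICAL", type: "AWS::IAM::Policy",
    check: p => asList(p.PolicyDocument?.Statement).some((s: any) =>
      s.Effect === "Allow" && (hasWildcard(s.Action) || hasWildcard(s.Resource))),
    message: "IAM policy allows wildcard (*) actions or resources", recommendation: "Scope Action and Resource to what the workload needs" },
  { severity: "CRITICAL", type: "AWS::S3::Bucket",
    check: p => p.PublicAccessBlockConfiguration?.BlockPublicAcls !== true,
    message: "S3 bucket allows public ACLs", recommendation: "Set blockPublicAccess to BLOCK_ALL" },
  { severity: "HIGH", type: "AWS::CloudFront::Distribution",
    check: p => p.DistributionConfig?.DefaultCacheBehavior?.ViewerProtocolPolicy === "allow-all",
    message: "CloudFront distribution allows HTTP traffic", recommendation: "Set viewerProtocolPolicy to redirect-to-https" },
];

function analyze(t: Template): Finding[] {
  const out: Finding[] = [];
  for (const [logicalId, res] of Object.entries(t.Resources)) {
    for (const r of RULES) {
      if (r.type === res.Type && r.check(res.Properties ?? {})) {
        out.push({ severity: r.severity, logicalId, message: r.message, recommendation: r.recommendation });
      }
    }
  }
  const rank = { CRITICAL: 0, HIGH: 1 };
  return out.sort((a, b) => rank[a.severity] - rank[b.severity]); // stable sort keeps template order within a level
}

// Constructed sample template (not from a real stack): three of four resources should be flagged.
const SAMPLE: Template = { Resources: {
  MyDatabase: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "postgres", PubliclyAccessible: true } },
  MyCDN: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { DefaultCacheBehavior: { ViewerProtocolPolicy: "allow-all" } } } },
  AppPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "*" }] } } },
  Logs: { Type: "AWS::S3::Bucket", Properties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true } } },
} };

for (const f of analyze(SAMPLE)) console.log(`${f.severity}: ${f.logicalId} - ${f.message}. Recommendation: ${f.recommendation}`);
```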

What Gets Analyzed

Security

Identifies security vulnerabilities and misconfigurations

Critical and High priority findings
S3 buckets allowing public ACLs
IAM policies with wildcard (*) actions or resources
RDS databases publicly accessible
ECS tasks with plaintext secrets
CloudFront distributions without HTTPS
Cognito user pools with weak password policies

Cost Optimization

Finds opportunities to reduce AWS costs

Medium and Low priority findings
Lambda functions with memory > 1024MB
S3 buckets not using Intelligent-Tiering
Lambda in VPC without NAT cost consideration
S3 buckets without lifecycle policies

Best Practices

Enforces AWS and CDK best practices

Medium and Low priority findings
ELB/ALB without deletion protection
Lambda functions without dead letter queues
RDS instances without backup retention
ECS tasks without logging configured
CloudFront without WAF association
Cognito without MFA enabled

Rule Sources

CDK Insights Rules

Custom rules specifically designed for CDK patterns and best practices

Rule count: 80+ rules
Focus: CDK-specific patterns, construct usage, and modern AWS practices

CDK Nag Rules

Integration with the popular CDK Nag security analysis tool

Rule count: 200+ rules
Focus: AWS security best practices, compliance, and security standards

Supported AWS Services

CDK Insights analyzes resources across 30+ AWS services, with targeted checks for each:

S3: Encryption, public access, versioning, lifecycle, replication
IAM: Wildcard policies, permission boundaries, cross-account trust
Lambda: Memory, environment variables, concurrency, DLQ, VPC costs
RDS: Encryption, Multi-AZ, public access, backups, deletion protection
EC2: Security groups, instance types, NAT gateways
CloudFront: HTTPS enforcement, WAF, logging, TLS versions
ELB/ALB: HTTPS listeners, deletion protection, logging, security policies
ECS/Fargate: Secrets management, logging, resource limits
Cognito: Password policies, MFA configuration, advanced security
DynamoDB: Auto-scaling, streams configuration
SQS: Encryption, dead letter queues
SNS: Encryption, access policies
KMS: Key rotation, key policies
Secrets Manager: Rotation configuration
API Gateway: Authorization, logging, throttling
Step Functions: Logging, X-Ray tracing
CloudTrail: Multi-region, log validation
EventBridge: Dead letter queues, retry policies
EBS: Encryption, snapshot policies

Understanding Severity Levels

🔴 Critical

Security or compliance issues that should be fixed immediately

Common examples:
RDS databases publicly accessible
ECS tasks with plaintext secrets
Security groups exposing dangerous ports to the internet

🟠 High

Security or configuration issues that should be addressed soon

Common examples:
CloudFront without HTTPS-only policy
ELB/ALB without HTTPS listeners
Cognito with weak password policies

🟡 Medium

Best practice violations or potential optimization opportunities

Common examples:
Lambda functions without dead letter queues
ELB without deletion protection
CloudFront without access logging

🟢 Low

Minor issues or suggestions for improvement

Common examples:
S3 buckets without lifecycle policies
ECS tasks without resource limits defined
Cognito without advanced security features

Example Analysis Output

Here's what a typical static analysis output looks like:

# CDK Insights Static Analysis Results
🔴 CRITICAL: RDS instance 'MyDatabase' is publicly accessible
Location: lib/my-stack.ts:15
Recommendation: Set publiclyAccessible to false
🟠 HIGH: CloudFront distribution 'MyCDN' allows HTTP traffic
Location: lib/my-stack.ts:25
Recommendation: Set viewerProtocolPolicy to redirect-to-https
🟡 MEDIUM: ALB 'MyLoadBalancer' missing deletion protection
Location: lib/my-stack.ts:35
Recommendation: Enable deletion protection for production workloads
🟢 LOW: ECS task 'MyTask' has no CPU/memory limits defined
Location: lib/my-stack.ts:45
Recommendation: Define explicit resource limits for predictable scaling

Ready to Run Your First Analysis?

Start with static analysis to identify security and configuration issues in your CDK stacks.