Static Analysis

CDK Insights performs comprehensive static analysis of your CDK stacks, identifying security vulnerabilities, cost optimization opportunities, and best practice violations.

How Static Analysis Works

CDK Insights analyzes your CDK application by:

  1. Running cdk synth to generate CloudFormation templates
  2. Parsing the CloudFormation output to understand your infrastructure
  3. Applying a comprehensive set of rules to identify issues
  4. Generating detailed reports with actionable recommendations

This approach ensures that we analyze exactly what AWS will deploy, not just your CDK code, giving you the most accurate results.

What Gets Analyzed

Security

Identifies security vulnerabilities and misconfigurations

Critical and High priority findings
S3 buckets allowing public ACLs
IAM policies with wildcard (*) actions or resources
Unencrypted RDS databases
S3 buckets missing encryption
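As an added illustration of steps 2 and 3 above (parsing the synthesized CloudFormation template and applying rules) and of the Security checks just listed, here is a small rule engine in Python. It is not CDK Insights' own code: the sample template, the rule logic and the finding messages are constructed for this example, and the public-ACL and wildcard checks are simplified approximations of what a full rule set would do.

```python
import json

# Constructed sample of what `cdk synth` emits; not taken from any real stack.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "MyBucket": {"Type": "AWS::S3::Bucket",
                 "Properties": {"AccessControl": "PublicRead"}},
    "SafeBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}},
    "MyRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "admin", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "MyDb": {"Type": "AWS::RDS::DBInstance",
             "Properties": {"StorageEncrypted": False}},
}})

def _iam_wildcard(rtype, props):
    # Policy/ManagedPolicy carry one PolicyDocument; Role/User/Group carry a Policies list.
    docs = ([props.get("PolicyDocument", {})] if rtype.endswith("Policy")
            else [p.get("PolicyDocument", {}) for p in props.get("Policies", [])])
    for stmt in (s for d in docs for s in d.get("Statement", [])):
        for key in ("Action", "Resource"):
            vals = stmt.get(key, [])  # may be a string or a list in CloudFormation
            if stmt.get("Effect") == "Allow" and "*" in (vals if isinstance(vals, list) else [vals]):
                return True
    return False

def _public_acl(rtype, props):
    # Flag a public canned ACL, or a bucket that does not block public ACLs at all.
    block = props.get("PublicAccessBlockConfiguration", {}).get("BlockPublicAcls")
    return props.get("AccessControl") in ("PublicRead", "PublicReadWrite") or block is not True

# Each rule: severity, resource-type prefix it applies to, check(rtype, props), message.
RULES = [
    ("CRITICAL", "AWS::S3::Bucket", _public_acl, "S3 bucket allows public ACLs"),
    ("CRITICAL", "AWS::IAM::", _iam_wildcard, "IAM policy grants wildcard (*) actions or resources"),
    ("CRITICAL", "AWS::RDS::DBInstance", lambda t, p: p.get("StorageEncrypted") is not True,
     "RDS instance is not encrypted at rest"),
    ("HIGH", "AWS::S3::Bucket", lambda t, p: "BucketEncryption" not in p,
     "S3 bucket has no default encryption"),
]

def analyze(template_json):
    # Walk the template's Resources and return one finding dict per rule hit.
    findings = []
    for logical_id, res in json.loads(template_json).get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        for severity, type_prefix, check, message in RULES:
            if rtype.startswith(type_prefix) and check(rtype, props):
                findings.append({"severity": severity, "resource": logical_id, "message": message})
    return findings
```

Running analyze(SAMPLE_TEMPLATE) reports MyBucket twice (public ACL, no encryption), MyRole once and MyDb once, while SafeBucket produces nothing.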

Cost Optimization

Finds opportunities to reduce AWS costs

Medium and Low priority findings
Lambda functions with memory > 1024MB
S3 buckets not using Intelligent-Tiering
NAT Gateways without route table associations
DynamoDB tables without auto-scaling

Best Practices

Enforces AWS and CDK best practices

Medium and Low priority findings
S3 buckets without versioning
Security groups with unrestricted access
API Gateway publicly accessible
CloudTrail logging not enabled

Rule Sources

CDK Insights Rules

Custom rules specifically designed for CDK patterns and best practices

Rule Count: 50+ rules
Focus: CDK-specific patterns, construct usage, and modern AWS practices

CDK Nag Rules

Integration with the popular CDK Nag security analysis tool

Rule Count: 200+ rules
Focus: AWS security best practices, compliance, and security standards

Understanding Severity Levels

🔴 Critical

Security or compliance issues that require an immediate fix

Common examples:
S3 buckets allowing public ACLs
IAM policies with wildcard (*) permissions
Unencrypted RDS databases

🟠 High

Security or configuration issues that should be addressed soon

Common examples:
S3 buckets without encryption
Security groups allowing unrestricted ingress
Lambda functions with sensitive environment variables

🟡 Medium

Best practice violations or potential optimization opportunities

Common examples:
S3 buckets without versioning
Lambda functions with high memory (> 1024MB)
RDS instances not in Multi-AZ

🟢 Low

Minor issues or suggestions for improvement

Common examples:
S3 buckets not using Intelligent-Tiering
NAT Gateways without route table associations
Cost optimization opportunities

Example Analysis Output

Here's what a typical static analysis output looks like:

# CDK Insights Static Analysis Results
🔴 CRITICAL: S3 bucket 'MyBucket' has public read access
Location: lib/my-stack.ts:15
Recommendation: Remove public access or use private bucket
🟠 HIGH: IAM role 'MyRole' has AdministratorAccess policy
Location: lib/my-stack.ts:25
Recommendation: Use least privilege principle
🟡 MEDIUM: Lambda function 'MyFunction' has high memory allocation (3008MB)
Location: lib/my-stack.ts:35
Recommendation: Consider reducing memory if not needed

Ready to Run Your First Analysis?

Start with static analysis to identify security and configuration issues in your CDK stacks.