CDK Insights Static Analysis

Name: CDK Insights
Author: CDK Insights

CDK Insights performs comprehensive static analysis of your CDK stacks, identifying security vulnerabilities, cost optimizations, and best practice violations.

How Static Analysis Works

CDK Insights analyzes your CDK application by:

Running cdk synth to generate CloudFormation templates
Parsing the CloudFormation output to understand your infrastructure
Applying a comprehensive set of rules to identify issues
Generating detailed reports with actionable recommendations

This approach ensures that we analyze exactly what AWS will deploy, not just your CDK code, giving you the most accurate results.

What Gets Analyzed

Security

Identifies security vulnerabilities and misconfigurations

Critical and High priority findings

S3 buckets allowing public ACLs

S3 bucket policies that lock the account out of the bucket (Deny without root carveout)

IAM policies with wildcard (*) actions or resources

RDS databases publicly accessible

ECS tasks with plaintext secrets

CloudFront distributions without HTTPS

Cognito user pools with weak password policies

Cost Optimization

Finds opportunities to reduce AWS costs

Medium and Low priority findings

Lambda functions with memory > 1024MB

S3 buckets not using Intelligent-Tiering

Lambda in VPC without NAT cost consideration

S3 buckets without lifecycle policies

Best Practices

Enforces AWS and CDK best practices

Medium and Low priority findings

ELB/ALB without deletion protection

Lambda functions without dead letter queues

RDS instances without backup retention

ECS tasks without logging configured

CloudFront without WAF association

Cognito without MFA enabled

Rule Sources

CDK Insights Rules

Custom rules specifically designed for CDK patterns and best practices

Rule Count:104 rules

Focus: CDK-specific patterns, construct usage, and modern AWS practices

CDK Nag Rules

Integration with the popular CDK Nag security analysis tool

Rule Count:200+ rules

Focus: AWS security best practices, compliance, and security standards

CDK Mixin Awareness

CDK Insights understands CDK Mixins — the composable property-mutating API that ships with aws-cdk-lib >= ~2.230. We read the aws:cdk:analytics:mixin manifest stream that aws-cdk-lib writes for every .with() / Mixins.of(scope).apply(...) call, so each finding tells you which mixins (if any) touched the resource and any remediation we suggest accounts for them re-applying at synth.

On top of attribution, two template-level rules detect the specific footguns mixins introduce:

TL-MIXIN-001

Compliance-Critical Mixin Applied Without Stack Coverage

Fires when a compliance-critical mixin (e.g. BucketEncryption, BucketVersioning, BucketBlockPublicAccess) is applied to some but not all resources of its target type. This is the template-visible signature of Mixins.of(scope).apply(...) silently skipping resources outside its selector. Recommends switching to requireAll() so synth fails when the mixin can't be applied.

TL-MIXIN-002

Custom Mixin Applied Across Many Resource Types

Fires when a user-defined mixin appears on resources spanning 3+ distinct CFN types in the same stack — the template-visible signature of .with(customMixin) recursing through every descendant because the mixin's supports() filter accepts every construct. Verify your mixin narrows to the intended type.

See the dedicated CDK Mixins page for the full picture, or our note on Aspects vs Mixins.

Supported AWS Services

CDK Insights analyzes resources across 35 AWS services, with targeted checks for each:

S3Encryption, public access, versioning, lifecycle, replication

IAMWildcard policies, permission boundaries, cross-account trust

LambdaMemory, environment variables, concurrency, DLQ, VPC costs

RDSEncryption, Multi-AZ, public access, backups, deletion protection

EC2Security groups, instance types, NAT gateways

CloudFrontHTTPS enforcement, WAF, logging, TLS versions

ELB/ALBHTTPS listeners, deletion protection, logging, security policies

ECS/FargateSecrets management, logging, resource limits

CognitoPassword policies, MFA configuration, advanced security

DynamoDBAuto-scaling, streams configuration

SQSEncryption, dead letter queues

SNSEncryption, access policies

KMSKey rotation, key policies

Secrets ManagerRotation configuration

API GatewayAuthorization, logging, throttling

Step FunctionsLogging, X-Ray tracing

CloudTrailMulti-region, log validation

EventBridgeDead letter queues, retry policies

EBSEncryption, snapshot policies

WAFRule groups, web ACL configuration, logging

CloudWatchAlarm configuration, log retention, metrics

Route53Health checks, DNS configuration

ElastiCacheEncryption, backup, multi-AZ

ECRImage scanning, lifecycle policies, encryption

OpenSearchEncryption, access policies, logging

ACMCertificate validation, renewal

BackupBackup plans, vault configuration

VPCFlow logs, network ACLs, subnet configuration

KinesisEncryption, shard configuration

AppSyncAuthentication, logging, caching

EKSCluster security, logging, encryption

RedshiftEncryption, public access, audit logging

MSKEncryption, authentication, logging

GlueEncryption, job configuration, security

Understanding Severity Levels

🔴

Critical

Immediate security or compliance issues that should be fixed immediately

Common examples:

RDS databases publicly accessible

ECS tasks with plaintext secrets

Security groups exposing dangerous ports to internet

🟠

High

Security or configuration issues that should be addressed soon

Common examples:

CloudFront without HTTPS-only policy

ELB/ALB without HTTPS listeners

Cognito with weak password policies

🟡

Medium

Best practice violations or potential optimization opportunities

Common examples:

Lambda functions without dead letter queues

ELB without deletion protection

CloudFront without access logging

🟢

Low

Minor issues or suggestions for improvement

Common examples:

S3 buckets without lifecycle policies

ECS tasks without resource limits defined

Cognito without advanced security features

Example Analysis Output

Here's what a typical static analysis output looks like:

# CDK Insights Static Analysis Results

🔴 CRITICAL: RDS instance 'MyDatabase' is publicly accessible

Location: lib/my-stack.ts:15

Recommendation: Set publiclyAccessible to false

🟠 HIGH: CloudFront distribution 'MyCDN' allows HTTP traffic

Location: lib/my-stack.ts:25

Recommendation: Set viewerProtocolPolicy to redirect-to-https

🟡 MEDIUM: ALB 'MyLoadBalancer' missing deletion protection

Location: lib/my-stack.ts:35

Recommendation: Enable deletion protection for production workloads

🟢 LOW: ECS task 'MyTask' has no CPU/memory limits defined

Location: lib/my-stack.ts:45

Recommendation: Define explicit resource limits for predictable scaling

Ready to Run Your First Analysis?

Start with static analysis to identify security and configuration issues in your CDK stacks.

Quick Start Guide Auto-Fix Diff Mode Scan History GitHub Action

Documentation

Static Analysis

Docs Home