The CDK Insights rule library

AWS CDK security rules

Every check CDK Insights runs — 119 security, cost and best-practice rules across 35 AWS services. Each one explains what it catches, why it matters, and how to fix it in your CDK code.

$ npx cdk-insights scan

ACM: 1 rule
API Gateway: 4 rules
AppSync: 2 rules
Auto Scaling: 2 rules
Backup: 2 rules
CloudFront: 4 rules
CloudTrail: 1 rule
CloudWatch: 3 rules
Cognito: 3 rules
Cross-service: 4 rules
DynamoDB: 5 rules
EC2: 8 rules
ECR: 3 rules
ECS: 7 rules
EFS: 1 rule
EKS: 3 rules
ElastiCache: 3 rules
ELB: 4 rules
EventBridge: 2 rules
Glue: 2 rules
IAM: 4 rules
Kinesis: 2 rules
KMS: 2 rules
Lambda: 10 rules

Lambda Permission Permits Public Access

CRITICAL

Detects AWS::Lambda::Permission and AWS::Lambda::LayerVersionPermission resources that grant invoke or use rights to a wildcard Principal, or grant them to a service principal without a SourceArn, SourceAccount or PrincipalOrgID restriction (a confused-deputy risk).

Lambda Deprecated Runtime

HIGH

Detects Lambda functions using runtimes that have reached or are approaching end-of-life.

Lambda Function URL Without Authentication

HIGH

Detects Lambda Function URLs configured with AuthType NONE, which allows unauthenticated public invocation.

Lambda Sensitive Environment Variables

HIGH

Detects Lambda functions with sensitive data in environment variables.

Lambda Memory Optimization

MEDIUM

Detects Lambda functions with suboptimal memory configuration.

Lambda Variable Runtime

MEDIUM

Detects Lambda functions using a variable runtime (Runtime.NODEJS_LATEST or useLatestRuntimeVersion) that resolves to the newest runtime at synth time, so that a CDK version bump causes a silent in-place runtime upgrade on the next deploy.

Lambda VPC NAT Gateway Cost Warning

MEDIUM

Warns about potential NAT Gateway costs for VPC-attached Lambda functions.

Lambda Dead Letter Queue Missing

LOW

Detects Lambda functions without dead letter queue configuration.

Lambda Reserved Concurrency Missing

LOW

Detects Lambda functions without reserved concurrency.

Lambda X-Ray Tracing Disabled

LOW

Detects Lambda functions without active X-Ray tracing, reducing observability into latency and errors.

MSK: 3 rules
OpenSearch: 3 rules
RDS: 8 rules
Redshift: 3 rules
Route 53: 3 rules
S3: 8 rules
Secrets Manager: 1 rule
SNS: 2 rules
SQS: 3 rules
Step Functions: 1 rule
WAF: 2 rules

Scan your CDK app against all 119 rules

One command, no signup. The full rule pack is free forever via npm.