AWS CDK security rules
Every check CDK Insights runs — 119 security, cost and best-practice rules across 35 AWS services. Each one explains what it catches, why it matters, and how to fix it in your CDK code.
$ npx cdk-insights scan

ACM (1 rule)

API Gateway (4 rules)

API Gateway Method Has No Authorization [HIGH]
Detects AWS::ApiGateway::Method and AWS::ApiGatewayV2::Route resources where AuthorizationType is missing or NONE (excluding OPTIONS preflight). Public-by-default endpoints expose backend Lambdas to anyone on the internet.

API Gateway Publicly Accessible [MEDIUM]
Detects API Gateway REST APIs configured with a non-PRIVATE endpoint, i.e. reachable from the public internet.

API Gateway Default Endpoint Enabled With Custom Domain [LOW]
Detects REST APIs that leave the default execute-api endpoint enabled while a custom domain is configured, letting clients bypass the domain and its edge controls.

API Gateway Stage Missing Throttling [LOW]
Detects API Gateway stages that configure no method-level rate or burst limits, leaving backends exposed to traffic spikes and uncontrolled cost.

AppSync (2 rules)

Auto Scaling (2 rules)

AutoScaling LaunchConfiguration Assigns Public IP [HIGH]
Detects AWS::AutoScaling::LaunchConfiguration with AssociatePublicIpAddress=true. Instances launched from this configuration get a public IP and are directly reachable from the internet.

AutoScaling Group Not Using ELB Health Checks [MEDIUM]
Detects AWS::AutoScaling::AutoScalingGroup resources attached to a load balancer (LoadBalancerNames or TargetGroupARNs) but using EC2 health checks. EC2 health checks miss application-level outages that the load balancer would otherwise detect.

Backup (2 rules)

CloudFront (4 rules)

CloudFront HTTPS Only [HIGH]
Detects CloudFront distributions allowing HTTP traffic.

CloudFront Logging Disabled [MEDIUM]
Detects CloudFront distributions without access logging.

CloudFront TLS Outdated [MEDIUM]
Detects CloudFront distributions using outdated TLS versions.

CloudFront WAF Missing [MEDIUM]
Detects CloudFront distributions without a WAF association.

CloudTrail (1 rule)

CloudWatch (3 rules)

CloudWatch Alarm Actions Missing [MEDIUM]
Detects CloudWatch Alarms without alarm actions or missing-data handling.

CloudWatch Logs Retention Missing [MEDIUM]
Detects CloudWatch Log Groups without an explicit retention period (logs are retained indefinitely).

CloudWatch Logs Encryption Disabled [LOW]
Detects CloudWatch Log Groups not encrypted with a customer-managed KMS key.

Cognito (3 rules)

Cross-service (4 rules)

Cross-Resource Misconfiguration [HIGH]
Detects misconfigurations only visible across multiple resources: Lambda functions referencing VPC-only resources without VpcConfig, S3 replication without encryption configuration, and security groups exposing non-standard ports to the public when used by sensitive services.

EC2 IMDSv2 Not Enforced [HIGH]
Detects launch templates and launch configurations that do not require IMDSv2 (MetadataOptions.HttpTokens is not "required"), leaving instances exposed to SSRF-based credential theft.

AppSync WAF Missing [MEDIUM]
Detects AppSync APIs without an associated AWS WAF WebACL.

Stack Architecture Recommendations [MEDIUM]
Detects architectural omissions across the stack: missing CloudWatch Alarms on critical resources, Lambda functions without X-Ray tracing, public-facing resources without WAF, RDS databases without Secrets Manager rotation, and excessive NAT Gateway usage.

DynamoDB (5 rules)

DynamoDB Auto Scaling Missing [MEDIUM]
Detects DynamoDB tables without auto scaling enabled.

DynamoDB Deletion Protection Disabled [MEDIUM]
Detects DynamoDB tables without deletion protection, which can be destroyed by an accidental stack update or delete.

DynamoDB Point-in-Time Recovery Disabled [MEDIUM]
Detects DynamoDB tables without Point-in-Time Recovery enabled. PITR provides continuous backups for the last 35 days and is required for SOC2 / HIPAA data resilience.

DynamoDB Table Uses AWS-Owned Encryption Key [MEDIUM]
Detects AWS::DynamoDB::Table resources without SSESpecification.SSEEnabled=true. DynamoDB always encrypts at rest, but the default AWS-owned key cannot be inspected, audited, or rotated by the customer, which is inadequate for HIPAA / PCI-DSS / FedRAMP workloads.

DynamoDB Streams Disabled [LOW]
Detects DynamoDB tables without streams enabled.

EC2 (8 rules)

EBS Volume Unencrypted [HIGH]
Detects EBS volumes without encryption.

EC2 Instance Public IP [HIGH]
Detects EC2 instances whose NetworkInterfaces specify AssociatePublicIpAddress=true, exposing the instance directly to the internet.

Security Group Unrestricted Ingress [HIGH]
Detects security groups with unrestricted ingress (0.0.0.0/0).

EC2 Instance Type Outdated [MEDIUM]
Detects EC2 instances using older-generation instance types.

EC2 Subnet Auto-Assigns Public IPs [MEDIUM]
Detects AWS::EC2::Subnet resources with MapPublicIpOnLaunch=true. Instances launched into the subnet inherit a public IP by default, which makes them internet-reachable without an explicit opt-in at the ENI level.

VPC Default Security Group Has Rules [MEDIUM]
Detects default VPC security groups with ingress or egress rules; the default security group should be empty.

VPC Flow Logs Missing [MEDIUM]
Detects VPCs without flow logs configured.

NAT Gateway Usage [LOW]
Identifies NAT Gateway usage for cost awareness.

ECR (3 rules)

ECR Scan-on-Push Disabled [HIGH]
Detects ECR repositories without image vulnerability scanning on push.

ECR Lifecycle Policy Missing [MEDIUM]
Detects ECR repositories without a lifecycle policy to clean up old images.

ECR Mutable Image Tags [MEDIUM]
Detects ECR repositories that allow image tags to be overwritten.

ECS (7 rules)

ECS Container Running In Privileged Mode [HIGH]
Detects ECS task definitions with a container running in privileged mode, which can access the host and escalate a container compromise into a host compromise.

ECS Secrets in Plaintext [HIGH]
Detects ECS task definitions with sensitive data in plaintext environment variables.

ECS Deployment Circuit Breaker Disabled [MEDIUM]
Detects ECS services (rolling-update controller) that do not enable the deployment circuit breaker, so a failed deployment is not stopped or rolled back automatically.

ECS Logging Disabled [MEDIUM]
Detects ECS task definitions without logging configured.

ECS Service Connect Access Logs Missing [MEDIUM]
Detects ECS services with Service Connect enabled but no access log configuration, leaving inter-service traffic unaudited.

ECS Resource Limits Missing [LOW]
Detects ECS task definitions without CPU/memory limits.

ECS Task Definition Uses Mutable Image Tag [LOW]
Detects ECS task definition containers referencing an image by the mutable "latest" tag or no tag at all, so deployments are not reproducible and a changed upstream image can land without a code change.

EFS (1 rule)

EKS (3 rules)

EKS Public Endpoint Unrestricted [HIGH]
Detects EKS clusters with the API endpoint reachable from 0.0.0.0/0 or only via the public network.

EKS Secrets Encryption Disabled [HIGH]
Detects EKS clusters without envelope encryption for Kubernetes secrets in etcd.

EKS Control Plane Logging Disabled [MEDIUM]
Detects EKS clusters with no control plane log types enabled.

ElastiCache (3 rules)

ElastiCache Encryption Disabled [HIGH]
Detects ElastiCache clusters without at-rest or in-transit encryption.

ElastiCache AUTH Token Missing [MEDIUM]
Detects Redis replication groups with transit encryption but no AUTH token configured.

ElastiCache Automatic Failover Disabled [MEDIUM]
Detects ElastiCache replication groups without automatic failover or Multi-AZ.

ELB (4 rules)

ELB HTTPS Listeners Missing [HIGH]
Detects load balancers with HTTP listeners that do not redirect to HTTPS.

ELB Deletion Protection Disabled [MEDIUM]
Detects load balancers without deletion protection.

ELB Logging Disabled [MEDIUM]
Detects load balancers without access logging.

ELB Security Policy Outdated [MEDIUM]
Detects load balancers using outdated TLS security policies.

EventBridge (2 rules)

EventBridge Bus Policy Allows Wildcard Principal [CRITICAL]
Detects AWS::Events::EventBusPolicy with an Allow statement targeting Principal=* (or AWS=*) without a Condition restricting access. Without the condition, any AWS account can publish events to the bus.

EventBridge Rule Disabled or Has No Targets [HIGH]
Detects EventBridge rules that are disabled or have no targets configured, so matched events are silently dropped.

Glue (2 rules)

IAM (4 rules)

IAM Overly Permissive Policies [HIGH]
Detects IAM policies with overly permissive actions, such as * wildcards.

IAM Cross-Account Trust [MEDIUM]
Detects IAM roles with cross-account trust relationships.

IAM User Direct Policies [MEDIUM]
Detects IAM Users with policies attached directly (inline Policies or ManagedPolicyArns). CIS AWS Foundations 1.15 requires users to inherit permissions through groups.

IAM Permission Boundary Missing [LOW]
Detects IAM roles without permission boundaries.

Kinesis (2 rules)

KMS (2 rules)

KMS Key Policy Allows Public Access [CRITICAL]
Detects KMS keys whose key policy grants access to a wildcard or public principal.

KMS Key Policy Self-Lockout [CRITICAL]
Detects AWS::KMS::Key resources whose KeyPolicy contains a Deny statement on kms:*, kms:PutKeyPolicy, or * with a broad Principal and no carveout for the account root or admin role. Such a policy locks the account out of its own key — recovery requires breaking glass on the account root credentials AND scheduling a 7-30 day key deletion (which does not actually let you recover the key, just remove it). The data the key has encrypted is effectively unrecoverable; AWS Support typically declines to intervene where customers have a self-service path via root.

Lambda (10 rules)

Lambda Permission Permits Public Access [CRITICAL]
Detects AWS::Lambda::Permission and AWS::Lambda::LayerVersionPermission resources that grant invoke / use rights with a wildcard Principal, or grant a service principal without a SourceArn / SourceAccount / PrincipalOrgID restriction (confused-deputy risk).

Lambda Deprecated Runtime [HIGH]
Detects Lambda functions using runtimes that have reached or are approaching end-of-life.

Lambda Function URL Without Authentication [HIGH]
Detects Lambda Function URLs configured with AuthType NONE, which allows unauthenticated public invocation.

Lambda Sensitive Environment Variables [HIGH]
Detects Lambda functions with sensitive data in environment variables.

Lambda Memory Optimization [MEDIUM]
Detects Lambda functions with suboptimal memory configuration.

Lambda Variable Runtime [MEDIUM]
Detects Lambda functions using a variable runtime (Runtime.NODEJS_LATEST or useLatestRuntimeVersion) that resolves to the newest runtime at synth time, causing silent in-place runtime upgrades on the next deploy after a CDK bump.

Lambda VPC NAT Gateway Cost Warning [MEDIUM]
Warns about potential NAT Gateway costs for VPC-attached Lambda functions.

Lambda Dead Letter Queue Missing [LOW]
Detects Lambda functions without a dead letter queue configured.

Lambda Reserved Concurrency Missing [LOW]
Detects Lambda functions without reserved concurrency.

Lambda X-Ray Tracing Disabled [LOW]
Detects Lambda functions without active X-Ray tracing, reducing observability into latency and errors.

MSK (3 rules)

MSK Client Authentication Missing [HIGH]
Detects MSK clusters without client authentication or that allow unauthenticated access.

MSK Encryption Weak [HIGH]
Detects MSK clusters without TLS for client-broker traffic, without inter-broker encryption, or using AWS-managed keys for at-rest encryption.

MSK Broker Logging Disabled [MEDIUM]
Detects MSK clusters without broker logs configured.

OpenSearch (3 rules)

OpenSearch Encryption Disabled [HIGH]
Detects OpenSearch domains without at-rest encryption or node-to-node encryption.

OpenSearch Access Control Weak [MEDIUM]
Detects OpenSearch domains without fine-grained access control or VPC placement.

OpenSearch Logging Disabled [LOW]
Detects OpenSearch domains without audit logs or application logs published to CloudWatch.

RDS (8 rules)

RDS Encryption Disabled [CRITICAL]
Detects RDS instances without encryption at rest.

RDS Publicly Accessible [CRITICAL]
Detects RDS instances that are publicly accessible.

RDS Backup Retention Low [MEDIUM]
Detects RDS instances with insufficient backup retention.

RDS Deletion Protection Disabled [MEDIUM]
Detects RDS instances without deletion protection.

RDS Enhanced Monitoring Disabled [MEDIUM]
Detects RDS instances without enhanced monitoring (MonitoringInterval missing or set to 0). OS-level metrics are not published to CloudWatch Logs.

RDS Instance Using gp2 Storage [MEDIUM]
Detects Multi-AZ RDS instances on gp2 storage; gp3 offers better baseline performance at lower cost.

RDS Logging Disabled [MEDIUM]
Detects RDS DBInstance and DBCluster resources without EnableCloudwatchLogsExports configured. Engine logs (error, slow query, audit) are not exported to CloudWatch for retention or analysis.

RDS Managed Master Secret Without Customer-Managed Key [MEDIUM]
Detects RDS instances/clusters using the native Secrets Manager integration (ManageMasterUserPassword) whose managed master-user secret is encrypted with the AWS-managed aws/secretsmanager key instead of a customer-managed KMS key.

Redshift (3 rules)

Redshift Publicly Accessible [CRITICAL]
Detects Redshift clusters reachable from the public internet.

Redshift Encryption Disabled [HIGH]
Detects Redshift clusters without at-rest encryption.

Redshift Audit Logging Disabled [MEDIUM]
Detects Redshift clusters without audit logging to S3 (connection, user, query activity).

Route 53 (3 rules)

Route 53 DNSSEC Disabled [LOW]
Detects Route 53 hosted zones without DNSSEC signing enabled.

Route 53 Health Check Suboptimal [LOW]
Detects Route 53 health checks using HTTP instead of HTTPS, or using the standard request interval.

Route 53 Query Logging Disabled [LOW]
Detects Route 53 hosted zones without query logging.

S3 (8 rules)

S3 Bucket Public Access [CRITICAL]
Detects S3 buckets with public access enabled.

S3 BucketPolicy Self-Lockout [CRITICAL]
Detects AWS::S3::BucketPolicy resources containing a Deny statement on s3:DeleteBucket, s3:*, or * with a broad Principal and no NotPrincipal or aws:PrincipalArn carveout for the account root or admin role. Such a policy locks the account out of its own bucket — recovery requires breaking glass on the account root credentials, since AWS Support typically declines to intervene where customers have a self-service path via root.

S3 BucketPolicy Permits Non-SSL Requests [HIGH]
Detects AWS::S3::BucketPolicy resources that lack a Deny statement enforcing aws:SecureTransport. Without it, the bucket accepts plain HTTP requests in addition to HTTPS.

S3 Bucket Access Logging Disabled [MEDIUM]
Detects S3 buckets without server access logging configured. Required by CIS AWS Foundations 2.1.2 and useful for incident forensics.

S3 Bucket Versioning Disabled [MEDIUM]
Detects S3 buckets without versioning enabled, leaving overwritten or deleted objects unrecoverable.

S3 Lifecycle Policy Missing [MEDIUM]
Detects S3 buckets without lifecycle policies.

S3 Intelligent Tiering [LOW]
Recommends S3 Intelligent-Tiering for cost optimization.

S3 Replication Missing [LOW]
Detects critical S3 buckets without cross-region replication.

Secrets Manager (1 rule)

SNS (2 rules)

SNS TopicPolicy Self-Lockout [CRITICAL]
Detects AWS::SNS::TopicPolicy resources containing a Deny statement on sns:DeleteTopic, sns:RemovePermission, sns:*, or * with a broad Principal and no NotPrincipal or aws:PrincipalArn carveout for the account root or admin role. Such a policy locks the account out of its own topic — recovery requires breaking glass on the account root credentials to remove the topic policy, or deleting and recreating the topic if no subscribers depend on its ARN. In fan-out architectures that is often a multi-stack rebuild.

SNS Encryption Disabled [HIGH]
Detects SNS topics without encryption.

SQS (3 rules)

SQS QueuePolicy Self-Lockout [CRITICAL]
Detects AWS::SQS::QueuePolicy resources containing a Deny statement on sqs:DeleteQueue, sqs:RemovePermission, sqs:*, or * with a broad Principal and no NotPrincipal or aws:PrincipalArn carveout for the account root or admin role. Such a policy locks the account out of its own queue — recovery requires breaking glass on the account root credentials to remove the queue policy, or deleting and recreating the queue if nothing else depends on its ARN. In event-driven systems that is often a multi-stack rebuild.

SQS Encryption Disabled [HIGH]
Detects SQS queues without encryption.

SQS Queue Without Dead-Letter Queue [LOW]
Detects SQS queues with no RedrivePolicy, so messages that repeatedly fail processing are lost instead of being captured for inspection.

Step Functions (1 rule)

WAF (2 rules)

Scan your CDK app against all 119 rules
One command, no signup. The full rule pack is free forever via npm.