chore: update ALB to recommended TLS policy (#198)

* chore: update ALB to recommended TLS policy * chore: add cdk-nag * fix: prettier
awslabs · Feb 11, 2025 · 308a779 · 308a779
1 parent 69f6d19
commit 308a779
Show file tree

Hide file tree

Showing 4 changed files with 999 additions and 1,255 deletions.
diff --git a/tests/cognito/bin/cognito.ts b/tests/cognito/bin/cognito.ts
@@ -1,6 +1,8 @@
 #!/usr/bin/env node
 import "source-map-support/register";
 import * as cdk from "aws-cdk-lib";
+import { AwsSolutionsChecks } from "cdk-nag";
+import { Aspects } from "aws-cdk-lib";
 import { CognitoStack } from "../lib/cognito-stack";
 import "dotenv/config";
 
@@ -13,6 +15,7 @@ if (!HOSTED_ZONE_ID || !HOSTED_ZONE_NAME || !ALB_DOMAIN_NAME) {
 }
 
 const app = new cdk.App();
+Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
 new CognitoStack(app, "AwsJwtCognitoTestStack", {
   albDomainName: ALB_DOMAIN_NAME,
   hostedZoneId: HOSTED_ZONE_ID,

diff --git a/tests/cognito/lib/cognito-stack.ts b/tests/cognito/lib/cognito-stack.ts
@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 import * as cdk from "aws-cdk-lib";
+import { NagSuppressions } from "cdk-nag";
 import { Construct } from "constructs";
 import * as path from "node:path";
 
@@ -17,6 +18,32 @@ export class CognitoStack extends cdk.Stack {
   ) {
     super(scope, id, props);
 
+    NagSuppressions.addStackSuppressions(this, [
+      {
+        id: "AwsSolutions-L1",
+        reason: "Avoid workshop error when NODEJS runtime updates",
+      },
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "Needs access to write to CloudWatch Logs",
+        appliesTo: [
+          "Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+        ],
+      },
+      {
+        id: "AwsSolutions-ELB2",
+        reason: "Testing does not need access logging enabled",
+      },
+      {
+        id: "AwsSolutions-APIG1",
+        reason: "Testing does not need access logging enabled",
+      },
+      {
+        id: "AwsSolutions-VPC7",
+        reason: "Testing does not need flow logging enabled",
+      },
+    ]);
+
     new cdk.CfnOutput(this, "UserPoolRegion", {
       value: this.region,
     });
@@ -38,6 +65,21 @@ export class CognitoStack extends cdk.Stack {
       value: cup.userPoolId,
     });
 
+    NagSuppressions.addResourceSuppressions(cup, [
+      {
+        id: "AwsSolutions-COG1",
+        reason: "Testing does not need password policy.",
+      },
+      {
+        id: "AwsSolutions-COG2",
+        reason: "Testing does not use MFA.",
+      },
+      {
+        id: "AwsSolutions-COG3",
+        reason: "Testing does not use advanced security features.",
+      },
+    ]);
+
     const oauthDomain = cup.addDomain("OAuthDomain", {
       cognitoDomain: {
         domainPrefix: `oauthdomain-${this.account}`,
@@ -298,6 +340,7 @@ export class CognitoStack extends cdk.Stack {
       open: true,
       certificates: [cert],
       protocol: cdk.aws_elasticloadbalancingv2.ApplicationProtocol.HTTPS,
+      sslPolicy: cdk.aws_elasticloadbalancingv2.SslPolicy.RECOMMENDED_TLS, // This enforces TLS 1.2 and higher
       defaultAction:
         new cdk.aws_elasticloadbalancingv2_actions.AuthenticateCognitoAction({
           userPool: cup,
@@ -319,6 +362,16 @@ export class CognitoStack extends cdk.Stack {
           ]),
         }),
     });
+    NagSuppressions.addResourceSuppressions(
+      alb,
+      [
+        {
+          id: "AwsSolutions-EC23",
+          reason: "Testing needs an open Security Group",
+        },
+      ],
+      true
+    );
 
     new cdk.aws_route53.ARecord(this, "AliasRecord", {
       zone: hostedZoneRef,