# API Reference

**Classes**

Name|Description
----|-----------
[AnnotationLogger](#cdk-nag-annotationlogger)|A NagLogger that outputs to the CDK Annotations system.
[AwsSolutionsChecks](#cdk-nag-awssolutionschecks)|Check Best practices based on AWS Solutions Security Matrix.
[HIPAASecurityChecks](#cdk-nag-hipaasecuritychecks)|Check for HIPAA Security compliance.
[NIST80053R4Checks](#cdk-nag-nist80053r4checks)|Check for NIST 800-53 rev 4 compliance.
[NIST80053R5Checks](#cdk-nag-nist80053r5checks)|Check for NIST 800-53 rev 5 compliance.
[NagPack](#cdk-nag-nagpack)|Base class for all rule packs.
[NagReportLogger](#cdk-nag-nagreportlogger)|A NagLogger that creates compliance reports.
[NagRules](#cdk-nag-nagrules)|Helper class with methods for rule creation.
[NagSuppressions](#cdk-nag-nagsuppressions)|Helper class with methods to add cdk-nag suppressions to cdk resources.
[PCIDSS321Checks](#cdk-nag-pcidss321checks)|Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
[SuppressionIgnoreAlways](#cdk-nag-suppressionignorealways)|Always ignore the suppression.
[SuppressionIgnoreAnd](#cdk-nag-suppressionignoreand)|Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
[SuppressionIgnoreErrors](#cdk-nag-suppressionignoreerrors)|Ignore Suppressions for Rules with a NagMessageLevel.ERROR.
[SuppressionIgnoreNever](#cdk-nag-suppressionignorenever)|Don't ignore the suppression.
[SuppressionIgnoreOr](#cdk-nag-suppressionignoreor)|Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

**Structs**

Name|Description
----|-----------
[AnnotationLoggerProps](#cdk-nag-annotationloggerprops)|Props for the AnnotationLogger.
[NagLoggerBaseData](#cdk-nag-nagloggerbasedata)|Shared data for all INagLogger methods.
[NagLoggerComplianceData](#cdk-nag-nagloggercompliancedata)|Data for onCompliance method of an INagLogger.
[NagLoggerErrorData](#cdk-nag-nagloggererrordata)|Data for onError method of an INagLogger.
[NagLoggerNonComplianceData](#cdk-nag-nagloggernoncompliancedata)|Data for onNonCompliance method of an INagLogger.
[NagLoggerNotApplicableData](#cdk-nag-nagloggernotapplicabledata)|Data for onNotApplicable method of an INagLogger.
[NagLoggerSuppressedData](#cdk-nag-nagloggersuppresseddata)|Data for onSuppressed method of an INagLogger.
[NagLoggerSuppressedErrorData](#cdk-nag-nagloggersuppressederrordata)|Data for onSuppressedError method of an INagLogger.
[NagPackProps](#cdk-nag-nagpackprops)|Interface for creating a NagPack.
[NagPackSuppression](#cdk-nag-nagpacksuppression)|Interface for creating a rule suppression.
[NagReportLine](#cdk-nag-nagreportline)|*No description*
[NagReportLoggerProps](#cdk-nag-nagreportloggerprops)|Props for the NagReportLogger.
[NagReportSchema](#cdk-nag-nagreportschema)|*No description*
[RegexAppliesTo](#cdk-nag-regexappliesto)|A regular expression to apply to matching findings.
[SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)|Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

**Interfaces**

Name|Description
----|-----------
[IApplyRule](#cdk-nag-iapplyrule)|Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.
[INagLogger](#cdk-nag-inaglogger)|Interface for creating NagSuppression Ignores.
[INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)|Interface for creating NagSuppression Ignores.

**Enums**

Name|Description
----|-----------
[NagMessageLevel](#cdk-nag-nagmessagelevel)|The severity level of the rule.
[NagReportFormat](#cdk-nag-nagreportformat)|Possible output formats of the NagReport.
[NagRuleCompliance](#cdk-nag-nagrulecompliance)|The compliance level of a resource in relation to a rule.
[NagRulePostValidationStates](#cdk-nag-nagrulepostvalidationstates)|Additional states a rule can be in post compliance validation.

## class AnnotationLogger

A NagLogger that outputs to the CDK Annotations system.

__Implements__: [INagLogger](#cdk-nag-inaglogger)

### Initializer

```ts
new AnnotationLogger(props?: AnnotationLoggerProps)
```

* **props** ([AnnotationLoggerProps](#cdk-nag-annotationloggerprops)) *No description*
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. __*Optional*__

### Properties

Name | Type | Description
-----|------|-------------
**logIgnores** | boolean | 
**suppressionId** | string | 
**verbose** | boolean | 

### Methods

#### onCompliance(_data)

Called when a CfnResource passes the compliance check for a given rule.

```ts
onCompliance(_data: NagLoggerComplianceData): void
```

* **_data** ([NagLoggerComplianceData](#cdk-nag-nagloggercompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onError(data)

Called when a rule throws an error while validating a CfnResource for compliance.
```ts
onError(data: NagLoggerErrorData): void
```

* **data** ([NagLoggerErrorData](#cdk-nag-nagloggererrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*

#### onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.

```ts
onNonCompliance(data: NagLoggerNonComplianceData): void
```

* **data** ([NagLoggerNonComplianceData](#cdk-nag-nagloggernoncompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*

#### onNotApplicable(_data)

Called when a rule does not apply to the given CfnResource.

```ts
onNotApplicable(_data: NagLoggerNotApplicableData): void
```

* **_data** ([NagLoggerNotApplicableData](#cdk-nag-nagloggernotapplicabledata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.
```ts
onSuppressed(data: NagLoggerSuppressedData): void
```

* **data** ([NagLoggerSuppressedData](#cdk-nag-nagloggersuppresseddata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*
  * **suppressionReason** (string) *No description*

#### onSuppressedError(data)

Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.

```ts
onSuppressedError(data: NagLoggerSuppressedErrorData): void
```

* **data** ([NagLoggerSuppressedErrorData](#cdk-nag-nagloggersuppressederrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*
  * **errorSuppressionReason** (string) *No description*

#### protected createMessage(ruleId, findingId, ruleInfo, ruleExplanation, verbose)

```ts
protected createMessage(ruleId: string, findingId: string, ruleInfo: string, ruleExplanation: string, verbose: boolean): string
```

* **ruleId** (string) *No description*
* **findingId** (string) *No description*
* **ruleInfo** (string) *No description*
* **ruleExplanation** (string) *No description*
* **verbose** (boolean) *No description*

__Returns__:
* string

## class AwsSolutionsChecks

Check Best practices based on AWS Solutions Security Matrix.
__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Extends__: [NagPack](#cdk-nag-nagpack)

### Initializer

```ts
new AwsSolutionsChecks(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

## class HIPAASecurityChecks

Check for HIPAA Security compliance. Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Extends__: [NagPack](#cdk-nag-nagpack)

### Initializer

```ts
new HIPAASecurityChecks(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

## class NIST80053R4Checks

Check for NIST 800-53 rev 4 compliance. Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Extends__: [NagPack](#cdk-nag-nagpack)

### Initializer

```ts
new NIST80053R4Checks(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

## class NIST80053R5Checks

Check for NIST 800-53 rev 5 compliance. Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Extends__: [NagPack](#cdk-nag-nagpack)

### Initializer

```ts
new NIST80053R5Checks(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

## class NagPack

Base class for all rule packs.

__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Implemented by__: [AwsSolutionsChecks](#cdk-nag-awssolutionschecks), [HIPAASecurityChecks](#cdk-nag-hipaasecuritychecks), [NIST80053R4Checks](#cdk-nag-nist80053r4checks), [NIST80053R5Checks](#cdk-nag-nist80053r5checks), [PCIDSS321Checks](#cdk-nag-pcidss321checks)

### Initializer

```ts
new NagPack(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__
### Properties

Name | Type | Description
-----|------|-------------
**loggers** | Array<[INagLogger](#cdk-nag-inaglogger)> | 
**packName** | string | 
**readPackName** | string | 
**packGlobalSuppressionIgnore**? | [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore) | __*Optional*__
**userGlobalSuppressionIgnore**? | [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore) | __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

#### protected applyRule(params)

Create a rule to be used in the NagPack.

```ts
protected applyRule(params: IApplyRule): void
```

* **params** ([IApplyRule](#cdk-nag-iapplyrule)) The.

#### protected ignoreRule(suppressions, ruleId, findingId, resource, level, ignoreSuppressionCondition?)

Check whether a specific rule should be ignored.

```ts
protected ignoreRule(suppressions: Array<NagPackSuppression>, ruleId: string, findingId: string, resource: CfnResource, level: NagMessageLevel, ignoreSuppressionCondition?: INagSuppressionIgnore): string
```

* **suppressions** (Array<[NagPackSuppression](#cdk-nag-nagpacksuppression)>) The suppressions listed in the cdk-nag metadata.
* **ruleId** (string) The id of the rule to ignore.
* **findingId** (string) The id of the finding that is being checked.
* **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) The resource being evaluated.
* **level** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
* **ignoreSuppressionCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) *No description*

__Returns__:
* string

## class NagReportLogger

A NagLogger that creates compliance reports.
__Implements__: [INagLogger](#cdk-nag-inaglogger)

### Initializer

```ts
new NagReportLogger(props: NagReportLoggerProps)
```

* **props** ([NagReportLoggerProps](#cdk-nag-nagreportloggerprops)) *No description*
  * **formats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) *No description*

### Properties

Name | Type | Description
-----|------|-------------
**formats** | Array<[NagReportFormat](#cdk-nag-nagreportformat)> | 

### Methods

#### getFormatStacks(format)

```ts
getFormatStacks(format: NagReportFormat): Array
```

* **format** ([NagReportFormat](#cdk-nag-nagreportformat)) *No description*

__Returns__:
* Array

#### onCompliance(data)

Called when a CfnResource passes the compliance check for a given rule.

```ts
onCompliance(data: NagLoggerComplianceData): void
```

* **data** ([NagLoggerComplianceData](#cdk-nag-nagloggercompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onError(data)

Called when a rule throws an error while validating a CfnResource for compliance.

```ts
onError(data: NagLoggerErrorData): void
```

* **data** ([NagLoggerErrorData](#cdk-nag-nagloggererrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*

#### onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
```ts
onNonCompliance(data: NagLoggerNonComplianceData): void
```

* **data** ([NagLoggerNonComplianceData](#cdk-nag-nagloggernoncompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*

#### onNotApplicable(data)

Called when a rule does not apply to the given CfnResource.

```ts
onNotApplicable(data: NagLoggerNotApplicableData): void
```

* **data** ([NagLoggerNotApplicableData](#cdk-nag-nagloggernotapplicabledata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

```ts
onSuppressed(data: NagLoggerSuppressedData): void
```

* **data** ([NagLoggerSuppressedData](#cdk-nag-nagloggersuppresseddata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*
  * **suppressionReason** (string) *No description*

#### onSuppressedError(data)

Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.
```ts
onSuppressedError(data: NagLoggerSuppressedErrorData): void
```

* **data** ([NagLoggerSuppressedErrorData](#cdk-nag-nagloggersuppressederrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*
  * **errorSuppressionReason** (string) *No description*

#### protected initializeStackReport(data)

Initialize the report for the rule pack's compliance report for the resource's Stack if it doesn't exist.

```ts
protected initializeStackReport(data: NagLoggerBaseData): void
```

* **data** ([NagLoggerBaseData](#cdk-nag-nagloggerbasedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### protected writeToStackComplianceReport(data, compliance)

```ts
protected writeToStackComplianceReport(data: NagLoggerBaseData, compliance: NagRuleCompliance | NagRulePostValidationStates): void
```

* **data** ([NagLoggerBaseData](#cdk-nag-nagloggerbasedata)) *No description*
* **compliance** ([NagRuleCompliance](#cdk-nag-nagrulecompliance) | [NagRulePostValidationStates](#cdk-nag-nagrulepostvalidationstates)) *No description*

## class NagRules

Helper class with methods for rule creation.

### Initializer

```ts
new NagRules()
```

### Methods

#### *static* resolveIfPrimitive(node, parameter)

Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive

```ts
static resolveIfPrimitive(node: CfnResource, parameter: any): any
```

* **node** ([CfnResource](#aws-cdk-lib-cfnresource)) The CfnResource to check.
* **parameter** (any) The value to attempt to resolve.

__Returns__:
* any

#### *static* resolveResourceFromInstrinsic(node, parameter)

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

```ts
static resolveResourceFromInstrinsic(node: CfnResource, parameter: any): any
```

* **node** ([CfnResource](#aws-cdk-lib-cfnresource)) The CfnResource to check.
* **parameter** (any) The value to attempt to resolve.

__Returns__:
* any

## class NagSuppressions

Helper class with methods to add cdk-nag suppressions to cdk resources.

### Initializer

```ts
new NagSuppressions()
```

### Methods

#### *static* addResourceSuppressions(construct, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children.

```ts
static addResourceSuppressions(construct: IConstruct | Array<IConstruct>, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
```

* **construct** ([IConstruct](#constructs-iconstruct) | Array<[IConstruct](#constructs-iconstruct)>) The IConstruct(s) to apply the suppression to.
* **suppressions** (Array<[NagPackSuppression](#cdk-nag-nagpacksuppression)>) A list of suppressions to apply to the resource.
* **applyToChildren** (boolean) Apply the suppressions to children CfnResources (default: false).

#### *static* addResourceSuppressionsByPath(stack, path, suppressions, applyToChildren?)

Add cdk-nag suppressions to a CfnResource and optionally its children via its path.

```ts
static addResourceSuppressionsByPath(stack: Stack, path: string | Array, suppressions: Array<NagPackSuppression>, applyToChildren?: boolean): void
```

* **stack** ([Stack](#aws-cdk-lib-stack)) The Stack the construct belongs to.
* **path** (string | Array) The path(s) to the construct in the provided stack.
* **suppressions** (Array<[NagPackSuppression](#cdk-nag-nagpacksuppression)>) A list of suppressions to apply to the resource.
* **applyToChildren** (boolean) Apply the suppressions to children CfnResources (default: false).

#### *static* addStackSuppressions(stack, suppressions, applyToNestedStacks?)

Apply cdk-nag suppressions to a Stack and optionally nested stacks.

```ts
static addStackSuppressions(stack: Stack, suppressions: Array<NagPackSuppression>, applyToNestedStacks?: boolean): void
```

* **stack** ([Stack](#aws-cdk-lib-stack)) The Stack to apply the suppression to.
* **suppressions** (Array<[NagPackSuppression](#cdk-nag-nagpacksuppression)>) A list of suppressions to apply to the stack.
* **applyToNestedStacks** (boolean) Apply the suppressions to children stacks (default: false).

## class PCIDSS321Checks

Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.

__Implements__: [IAspect](#aws-cdk-lib-iaspect)
__Extends__: [NagPack](#cdk-nag-nagpack)

### Initializer

```ts
new PCIDSS321Checks(props?: NagPackProps)
```

* **props** ([NagPackProps](#cdk-nag-nagpackprops)) *No description*
  * **additionalLoggers** (Array<[INagLogger](#cdk-nag-inaglogger)>) Additional NagLoggers for logging rule validation outputs. __*Optional*__
  * **logIgnores** (boolean) Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
  * **reportFormats** (Array<[NagReportFormat](#cdk-nag-nagreportformat)>) If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
  * **reports** (boolean) Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
  * **suppressionIgnoreCondition** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
  * **verbose** (boolean) Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

### Methods

#### visit(node)

All aspects can visit an IConstruct.

```ts
visit(node: IConstruct): void
```

* **node** ([IConstruct](#constructs-iconstruct)) *No description*

## class SuppressionIgnoreAlways

Always ignore the suppression.

__Implements__: [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)

### Initializer

```ts
new SuppressionIgnoreAlways(triggerMessage: string)
```

* **triggerMessage** (string) *No description*

### Methods

#### createMessage(_input)

```ts
createMessage(_input: SuppressionIgnoreInput): string
```

* **_input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## class SuppressionIgnoreAnd

Ignore the suppression if all of the given INagSuppressionIgnore return a non-empty message.
__Implements__: [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)

### Initializer

```ts
new SuppressionIgnoreAnd(...SuppressionIgnoreAnds: INagSuppressionIgnore[])
```

* **SuppressionIgnoreAnds** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) *No description*

### Methods

#### createMessage(input)

```ts
createMessage(input: SuppressionIgnoreInput): string
```

* **input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## class SuppressionIgnoreErrors

Ignore Suppressions for Rules with a NagMessageLevel.ERROR.

__Implements__: [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)

### Initializer

```ts
new SuppressionIgnoreErrors()
```

### Methods

#### createMessage(input)

```ts
createMessage(input: SuppressionIgnoreInput): string
```

* **input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## class SuppressionIgnoreNever

Don't ignore the suppression.
__Implements__: [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)

### Initializer

```ts
new SuppressionIgnoreNever()
```

### Methods

#### createMessage(_input)

```ts
createMessage(_input: SuppressionIgnoreInput): string
```

* **_input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## class SuppressionIgnoreOr

Ignore the suppression if any of the given INagSuppressionIgnore return a non-empty message.

__Implements__: [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)

### Initializer

```ts
new SuppressionIgnoreOr(...orSuppressionIgnores: INagSuppressionIgnore[])
```

* **orSuppressionIgnores** ([INagSuppressionIgnore](#cdk-nag-inagsuppressionignore)) *No description*

### Methods

#### createMessage(input)

```ts
createMessage(input: SuppressionIgnoreInput): string
```

* **input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## struct AnnotationLoggerProps

Props for the AnnotationLogger.

Name | Type | Description
-----|------|-------------
**logIgnores**? | boolean | Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
**verbose**? | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages. __*Optional*__

## interface IApplyRule

Interface for JSII interoperability for passing parameters and the Rule Callback to @applyRule method.

### Properties

Name | Type | Description
-----|------|-------------
**explanation** | string | Why the rule exists.
**info** | string | Why the rule was triggered.
**level** | [NagMessageLevel](#cdk-nag-nagmessagelevel) | The annotations message level to apply to the rule if triggered.
**node** | [CfnResource](#aws-cdk-lib-cfnresource) | The CfnResource to check.
**ignoreSuppressionCondition**? | [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore) | A condition in which a suppression should be ignored. __*Optional*__
**ruleSuffixOverride**? | string | Override for the suffix of the Rule ID for this rule. __*Optional*__

### Methods

#### rule(node)

The callback to the rule.

```ts
rule(node: CfnResource): NagRuleCompliance | Array
```

* **node** ([CfnResource](#aws-cdk-lib-cfnresource)) The CfnResource to check.

__Returns__:
* [NagRuleCompliance](#cdk-nag-nagrulecompliance) | Array

## interface INagLogger

__Implemented by__: [AnnotationLogger](#cdk-nag-annotationlogger), [NagReportLogger](#cdk-nag-nagreportlogger)

Interface for creating NagSuppression Ignores.

### Methods

#### onCompliance(data)

Called when a CfnResource passes the compliance check for a given rule.

```ts
onCompliance(data: NagLoggerComplianceData): void
```

* **data** ([NagLoggerComplianceData](#cdk-nag-nagloggercompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onError(data)

Called when a rule throws an error while validating a CfnResource for compliance.

```ts
onError(data: NagLoggerErrorData): void
```

* **data** ([NagLoggerErrorData](#cdk-nag-nagloggererrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*

#### onNonCompliance(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user.
```ts
onNonCompliance(data: NagLoggerNonComplianceData): void
```

* **data** ([NagLoggerNonComplianceData](#cdk-nag-nagloggernoncompliancedata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*

#### onNotApplicable(data)

Called when a rule does not apply to the given CfnResource.

```ts
onNotApplicable(data: NagLoggerNotApplicableData): void
```

* **data** ([NagLoggerNotApplicableData](#cdk-nag-nagloggernotapplicabledata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

#### onSuppressed(data)

Called when a CfnResource does not pass the compliance check for a given rule and the rule violation is suppressed by the user.

```ts
onSuppressed(data: NagLoggerSuppressedData): void
```

* **data** ([NagLoggerSuppressedData](#cdk-nag-nagloggersuppresseddata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **findingId** (string) *No description*
  * **suppressionReason** (string) *No description*

#### onSuppressedError(data)

Called when a rule throws an error while validating a CfnResource for compliance and the error is suppressed.

```ts
onSuppressedError(data: NagLoggerSuppressedErrorData): void
```

* **data** ([NagLoggerSuppressedErrorData](#cdk-nag-nagloggersuppressederrordata)) *No description*
  * **nagPackName** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleExplanation** (string) *No description*
  * **ruleId** (string) *No description*
  * **ruleInfo** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*
  * **errorMessage** (string) *No description*
  * **errorSuppressionReason** (string) *No description*

## interface INagSuppressionIgnore

__Implemented by__: [SuppressionIgnoreAlways](#cdk-nag-suppressionignorealways), [SuppressionIgnoreAnd](#cdk-nag-suppressionignoreand), [SuppressionIgnoreErrors](#cdk-nag-suppressionignoreerrors), [SuppressionIgnoreNever](#cdk-nag-suppressionignorenever), [SuppressionIgnoreOr](#cdk-nag-suppressionignoreor)

Interface for creating NagSuppression Ignores.

### Methods

#### createMessage(input)

```ts
createMessage(input: SuppressionIgnoreInput): string
```

* **input** ([SuppressionIgnoreInput](#cdk-nag-suppressionignoreinput)) *No description*
  * **findingId** (string) *No description*
  * **reason** (string) *No description*
  * **resource** ([CfnResource](#aws-cdk-lib-cfnresource)) *No description*
  * **ruleId** (string) *No description*
  * **ruleLevel** ([NagMessageLevel](#cdk-nag-nagmessagelevel)) *No description*

__Returns__:
* string

## struct NagLoggerBaseData

Shared data for all INagLogger methods.

Name | Type | Description
-----|------|-------------
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagLoggerComplianceData

Data for onCompliance method of an INagLogger.
Name | Type | Description
-----|------|-------------
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagLoggerErrorData

Data for onError method of an INagLogger.

Name | Type | Description
-----|------|-------------
**errorMessage** | string |
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagLoggerNonComplianceData

Data for onNonCompliance method of an INagLogger.

Name | Type | Description
-----|------|-------------
**findingId** | string |
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagLoggerNotApplicableData

Data for onNotApplicable method of an INagLogger.

Name | Type | Description
-----|------|-------------
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagLoggerSuppressedData

Data for onSuppressed method of an INagLogger.

Name | Type | Description
-----|------|-------------
**findingId** | string |
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |
**suppressionReason** | string |

## struct NagLoggerSuppressedErrorData

Data for onSuppressedError method of an INagLogger.
Name | Type | Description
-----|------|-------------
**errorMessage** | string |
**errorSuppressionReason** | string |
**nagPackName** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleExplanation** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## struct NagPackProps

Interface for creating a NagPack.

Name | Type | Description
-----|------|-------------
**additionalLoggers**? | Array<[INagLogger](#cdk-nag-inaglogger)> | Additional NagLoggers for logging rule validation outputs. __*Optional*__
**logIgnores**? | boolean | Whether or not to log suppressed rule violations as informational messages (default: false). __*Optional*__
**reportFormats**? | Array<[NagReportFormat](#cdk-nag-nagreportformat)> | If reports are enabled, the output formats of compliance reports in the App's output directory (default: only CSV). __*Optional*__
**reports**? | boolean | Whether or not to generate compliance reports for applied Stacks in the App's output directory (default: true). __*Optional*__
**suppressionIgnoreCondition**? | [INagSuppressionIgnore](#cdk-nag-inagsuppressionignore) | Conditionally prevent rules from being suppressed (default: no user provided condition). __*Optional*__
**verbose**? | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). __*Optional*__

## struct NagPackSuppression

Interface for creating a rule suppression.

Name | Type | Description
-----|------|-------------
**id** | string | The id of the rule to ignore.
**reason** | string | The reason to ignore the rule (minimum 10 characters).
**appliesTo**? | Array | Rule specific granular suppressions. __*Optional*__

## struct NagReportLine

Name | Type | Description
-----|------|-------------
**compliance** | string |
**exceptionReason** | string |
**resourceId** | string |
**ruleId** | string |
**ruleInfo** | string |
**ruleLevel** | string |

## struct NagReportLoggerProps

Props for the NagReportLogger.

Name | Type | Description
-----|------|-------------
**formats** | Array<[NagReportFormat](#cdk-nag-nagreportformat)> |

## struct NagReportSchema

Name | Type | Description
-----|------|-------------
**lines** | Array<[NagReportLine](#cdk-nag-nagreportline)> |

## struct RegexAppliesTo

A regular expression to apply to matching findings.

Name | Type | Description
-----|------|-------------
**regex** | string | An ECMA-262 regex string.

## struct SuppressionIgnoreInput

Information about the NagRule and the relevant NagSuppression for the INagSuppressionIgnore.

Name | Type | Description
-----|------|-------------
**findingId** | string |
**reason** | string |
**resource** | [CfnResource](#aws-cdk-lib-cfnresource) |
**ruleId** | string |
**ruleLevel** | [NagMessageLevel](#cdk-nag-nagmessagelevel) |

## enum NagMessageLevel

The severity level of the rule.

Name | Description
-----|-----
**WARN** |
**ERROR** |

## enum NagReportFormat

Possible output formats of the NagReport.

Name | Description
-----|-----
**CSV** |
**JSON** |

## enum NagRuleCompliance

The compliance level of a resource in relation to a rule.

Name | Description
-----|-----
**COMPLIANT** |
**NON_COMPLIANT** |
**NOT_APPLICABLE** |

## enum NagRulePostValidationStates

Additional states a rule can be in post compliance validation.

Name | Description
-----|-----
**SUPPRESSED** |
**UNKNOWN** |
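The `INagSuppressionIgnore` contract and the `SuppressionIgnoreAnd` / `SuppressionIgnoreOr` / `SuppressionIgnoreErrors` classes above describe a small policy language: each condition returns a non-empty message to reject (ignore) a user's suppression, and the combinators fold those messages with AND/OR semantics before a NagPack consults them through its `suppressionIgnoreCondition` prop. The following is an added example, not cdk-nag's own code: it re-implements those three classes locally from the documented semantics, adds two hypothetical custom conditions (a ticket-reference requirement on the suppression reason and a non-suppressible rule-id pattern), composes them into one policy and evaluates it against constructed `SuppressionIgnoreInput` values. The enum, interfaces and the reduced `CfnResource` shape are local stand-ins mirroring this page so the file runs without `aws-cdk-lib` or `cdk-nag` installed; the enum's string values and the `Demo-` rule ids are assumptions.

```typescript
// Added example, not cdk-nag's own code. The enum and interfaces below are local
// stand-ins mirroring the shapes documented on this page (NagMessageLevel,
// SuppressionIgnoreInput, INagSuppressionIgnore) so the file runs without
// aws-cdk-lib or cdk-nag installed. CfnResource is reduced to the one field read
// here and the enum's string values are assumed.
enum NagMessageLevel {
  WARN = 'Warning',
  ERROR = 'Error',
}
interface CfnResource {
  node: { path: string }; // stand-in: construct path only (assumption)
}
interface SuppressionIgnoreInput {
  findingId: string;
  reason: string;
  resource: CfnResource;
  ruleId: string;
  ruleLevel: NagMessageLevel;
}
interface INagSuppressionIgnore {
  // Non-empty result: the suppression is ignored and the finding is reported anyway.
  createMessage(input: SuppressionIgnoreInput): string;
}
// Mirrors SuppressionIgnoreAnd on this page: ignore only if every child returns a message.
class SuppressionIgnoreAnd implements INagSuppressionIgnore {
  private readonly conditions: INagSuppressionIgnore[];
  constructor(...conditions: INagSuppressionIgnore[]) { this.conditions = conditions; }
  createMessage(input: SuppressionIgnoreInput): string {
    const messages = this.conditions.map((c) => c.createMessage(input));
    return messages.every((m) => m.length > 0) ? messages.join('; ') : '';
  }
}
// Mirrors SuppressionIgnoreOr on this page: ignore if any child returns a message.
class SuppressionIgnoreOr implements INagSuppressionIgnore {
  private readonly conditions: INagSuppressionIgnore[];
  constructor(...conditions: INagSuppressionIgnore[]) { this.conditions = conditions; }
  createMessage(input: SuppressionIgnoreInput): string {
    const messages = this.conditions.map((c) => c.createMessage(input)).filter((m) => m.length > 0);
    return messages.length > 0 ? messages.join('; ') : '';
  }
}
// Mirrors SuppressionIgnoreErrors on this page: ERROR-level rules cannot be suppressed.
class SuppressionIgnoreErrors implements INagSuppressionIgnore {
  createMessage(input: SuppressionIgnoreInput): string {
    return input.ruleLevel === NagMessageLevel.ERROR
      ? `Suppressions are not allowed for ERROR-level rule ${input.ruleId}.`
      : '';
  }
}
// Hypothetical custom condition: the reason must cite a change ticket such as
// "SEC-1234", so every accepted risk stays traceable in review.
class SuppressionIgnoreWithoutTicket implements INagSuppressionIgnore {
  constructor(private readonly ticketPattern: RegExp = /\b[A-Z]{2,}-\d+\b/) {}
  createMessage(input: SuppressionIgnoreInput): string {
    return this.ticketPattern.test(input.reason)
      ? ''
      : `Suppression of ${input.ruleId} on ${input.resource.node.path} cites no ticket.`;
  }
}
// Hypothetical custom condition: rules whose id matches the pattern are never suppressible.
class SuppressionIgnoreRulePattern implements INagSuppressionIgnore {
  constructor(private readonly ruleIdPattern: RegExp) {}
  createMessage(input: SuppressionIgnoreInput): string {
    return this.ruleIdPattern.test(input.ruleId) ? `Rule ${input.ruleId} is non-suppressible here.` : '';
  }
}
// Policy: reject a suppression when (ERROR level AND an IAM rule) OR the reason
// cites no ticket. Rule ids with the "Demo-" prefix are constructed for this example.
const policy: INagSuppressionIgnore = new SuppressionIgnoreOr(
  new SuppressionIgnoreAnd(new SuppressionIgnoreErrors(), new SuppressionIgnoreRulePattern(/^Demo-IAM/)),
  new SuppressionIgnoreWithoutTicket(),
);
// Consult the policy the way a NagPack consults its suppressionIgnoreCondition.
function evaluateSuppression(input: SuppressionIgnoreInput): { ignored: boolean; message: string } {
  const message = policy.createMessage(input);
  return { ignored: message.length > 0, message };
}
// Constructed sample inputs.
const resource: CfnResource = { node: { path: 'DemoStack/Role/Resource' } };
function sample(ruleId: string, ruleLevel: NagMessageLevel, reason: string): SuppressionIgnoreInput {
  return { findingId: '', reason, resource, ruleId, ruleLevel };
}
const samples = [
  sample('Demo-IAM4', NagMessageLevel.ERROR, 'Managed policy approved under SEC-1234'),
  sample('Demo-S3-1', NagMessageLevel.ERROR, 'Access logs not needed, see SEC-1235'),
  sample('Demo-IAM5', NagMessageLevel.WARN, 'Wildcard is fine'),
  sample('Demo-S3-2', NagMessageLevel.WARN, 'Public read required, see SEC-1236'),
];
for (const s of samples) {
  const verdict = evaluateSuppression(s);
  console.log(`${s.ruleId}: ${verdict.ignored ? 'IGNORED' : 'honoured'} ${verdict.message}`);
}
```

Of the four constructed inputs, the first (ERROR level, IAM rule, ticket cited) and the third (WARN level, no ticket) are rejected and their findings are reported; the second and fourth are honoured because neither branch of the OR yields a message. The AND combinator is what lets the error-level block stay scoped to the IAM pattern rather than rejecting every ERROR suppression outright, and the message text each condition returns is what cdk-nag surfaces to the author of the suppression, so it should name the rule and the resource path.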