API Reference

June 12, 2026

Structs

NagPackProps

Interface for creating a NagPack.

Initializer

import { NagPackProps } from 'cdk-nag'

const nagPackProps: NagPackProps = { ... }

Properties

Name | Type | Description
verbose | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
writeSuppressionsToCloudFormation | boolean | Whether to write acknowledged rules into CfnResource CloudFormation Metadata as cdk_nag: { rules_to_suppress: [...] } for backwards compatibility with v2 audit trail tooling (default: false).

verbose (Optional)
public readonly verbose: boolean;
  • Type: boolean

Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).


writeSuppressionsToCloudFormation (Optional)
public readonly writeSuppressionsToCloudFormation: boolean;
  • Type: boolean

Whether to write acknowledged rules into CfnResource CloudFormation Metadata as cdk_nag: { rules_to_suppress: [...] } for backwards compatibility with v2 audit trail tooling (default: false).


NagReportLine

A single line in a NagReport.

Initializer

import { NagReportLine } from 'cdk-nag'

const nagReportLine: NagReportLine = { ... }

Properties

Name | Type | Description
compliance | string | No description.
resourceId | string | No description.
ruleId | string | No description.
ruleInfo | string | No description.
ruleLevel | string | No description.

compliance (Required)
public readonly compliance: string;
  • Type: string

resourceId (Required)
public readonly resourceId: string;
  • Type: string

ruleId (Required)
public readonly ruleId: string;
  • Type: string

ruleInfo (Required)
public readonly ruleInfo: string;
  • Type: string

ruleLevel (Required)
public readonly ruleLevel: string;
  • Type: string

NagReportSchema

Schema for the NagReport output.

Initializer

import { NagReportSchema } from 'cdk-nag'

const nagReportSchema: NagReportSchema = { ... }

Properties

Name | Type | Description
lines | NagReportLine[] | No description.

lines (Required)
public readonly lines: NagReportLine[];
  • Type: NagReportLine[]
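As an added example (not code from cdk-nag itself), the block below consumes a document in the NagReportSchema shape and decides whether a pipeline should fail. The page types compliance and ruleLevel only as string, so the values used here ("Compliant", "Non-Compliant", "Suppressed", "Error", "Warning") are assumptions, and the sample report is constructed for the example.

```typescript
// Added example (not cdk-nag code): gate a CI job on a report in the
// NagReportSchema shape. The compliance/ruleLevel strings below are
// ASSUMED values; the page types both fields only as string.
interface NagReportLine {
  compliance: string;
  resourceId: string;
  ruleId: string;
  ruleInfo: string;
  ruleLevel: string;
}

interface NagReportSchema {
  lines: NagReportLine[];
}

interface ReportSummary {
  total: number;
  byCompliance: { [compliance: string]: number };
  // ruleId -> resource IDs that are Non-Compliant at a blocking level
  blocking: { [ruleId: string]: string[] };
  failBuild: boolean;
}

const NON_COMPLIANT = 'Non-Compliant'; // assumed compliance value

// Counts every line by compliance value and collects the violations that
// should fail the build. Suppressed lines carry their own compliance value,
// so an acknowledged rule never blocks but still shows up in the counts.
function summarizeReport(report: NagReportSchema, failOnLevels: string[] = ['Error']): ReportSummary {
  const byCompliance: { [compliance: string]: number } = {};
  const blocking: { [ruleId: string]: string[] } = {};
  for (const line of report.lines) {
    byCompliance[line.compliance] = (byCompliance[line.compliance] || 0) + 1;
    if (line.compliance === NON_COMPLIANT && failOnLevels.indexOf(line.ruleLevel) !== -1) {
      if (!blocking[line.ruleId]) blocking[line.ruleId] = [];
      blocking[line.ruleId].push(line.resourceId);
    }
  }
  return {
    total: report.lines.length,
    byCompliance,
    blocking,
    failBuild: Object.keys(blocking).length > 0,
  };
}

// One line per blocking finding, keyed by rule ID so a reviewer can look the rule up.
function renderBlocking(summary: ReportSummary): string[] {
  const out: string[] = [];
  for (const ruleId of Object.keys(summary.blocking)) {
    for (const resourceId of summary.blocking[ruleId]) {
      out.push(`${ruleId}: ${resourceId}`);
    }
  }
  return out;
}

// Constructed sample report (not real cdk-nag output). Rule IDs and texts follow
// the AwsSolutions pack's naming but are sample data here.
const SAMPLE_REPORT: NagReportSchema = {
  lines: [
    { compliance: 'Compliant', resourceId: 'Stack/Logs/Bucket', ruleId: 'AwsSolutions-S1',
      ruleInfo: 'The S3 Bucket has server access logs disabled.', ruleLevel: 'Error' },
    { compliance: NON_COMPLIANT, resourceId: 'Stack/Data/Bucket', ruleId: 'AwsSolutions-S1',
      ruleInfo: 'The S3 Bucket has server access logs disabled.', ruleLevel: 'Error' },
    { compliance: 'Suppressed', resourceId: 'Stack/Data/Bucket', ruleId: 'AwsSolutions-S10',
      ruleInfo: 'The S3 Bucket or bucket policy does not require requests to use SSL.', ruleLevel: 'Error' },
    { compliance: NON_COMPLIANT, resourceId: 'Stack/Api/Handler', ruleId: 'AwsSolutions-L1',
      ruleInfo: 'The non-container Lambda function is not configured to use the latest runtime version.', ruleLevel: 'Warning' },
  ],
};
```

With the default failOnLevels the sample fails the build on the one unsuppressed Error-level line; passing ['Error', 'Warning'] also blocks on the Lambda runtime warning, and the suppressed SSL finding never blocks but remains visible in byCompliance for audit.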

Classes

AwsSolutionsChecks

Check best practices based on the AWS Solutions Security Matrix.

Initializers

import { AwsSolutionsChecks } from 'cdk-nag'

new AwsSolutionsChecks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


HIPAASecurityChecks

Check for HIPAA Security compliance.

Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html

Initializers

import { HIPAASecurityChecks } from 'cdk-nag'

new HIPAASecurityChecks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


NagPack

  • Implements: aws-cdk-lib.IPolicyValidationPlugin

Base class for all rule packs.

Implements IPolicyValidationPlugin so that packs are registered via Validations.of(app).addPlugins(new MyPack(app)) instead of Aspects.of(app).add(...).

Initializers

import { NagPack } from 'cdk-nag'

new NagPack(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


NagRules

Helper class with methods for rule creation.

Initializers

import { NagRules } from 'cdk-nag'

new NagRules()

Static Functions

Name | Description
resolveIfPrimitive | Use in cases where a primitive value must be known to pass a rule.
resolveResourceFromInstrinsic | No description.
resolveResourceFromIntrinsic | Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

resolveIfPrimitive
import { NagRules } from 'cdk-nag'

NagRules.resolveIfPrimitive(node: CfnResource, parameter: any)

Use in cases where a primitive value must be known to pass a rule.

https://developer.mozilla.org/en-US/docs/Glossary/Primitive

node (Required)
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.


parameter (Required)
  • Type: any

The value to attempt to resolve.


resolveResourceFromInstrinsic
import { NagRules } from 'cdk-nag'

NagRules.resolveResourceFromInstrinsic(node: CfnResource, parameter: any)

node (Required)
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.


parameter (Required)
  • Type: any

The value to attempt to resolve.


resolveResourceFromIntrinsic
import { NagRules } from 'cdk-nag'

NagRules.resolveResourceFromIntrinsic(node: CfnResource, parameter: any)

Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.

node (Required)
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.


parameter (Required)
  • Type: any

The value to attempt to resolve.


NIST80053R4Checks

Check for NIST 800-53 rev 4 compliance.

Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html

Initializers

import { NIST80053R4Checks } from 'cdk-nag'

new NIST80053R4Checks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


NIST80053R5Checks

Check for NIST 800-53 rev 5 compliance.

Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html

Initializers

import { NIST80053R5Checks } from 'cdk-nag'

new NIST80053R5Checks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


PCIDSS321Checks

Check for PCI DSS 3.2.1 compliance.

Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html

Initializers

import { PCIDSS321Checks } from 'cdk-nag'

new PCIDSS321Checks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


ServerlessChecks

Serverless Checks are a compilation of rules that validate infrastructure-as-code templates against recommended serverless practices.

Initializers

import { ServerlessChecks } from 'cdk-nag'

new ServerlessChecks(scope?: IConstruct, props?: NagPackProps)
Name | Type | Description
scope | constructs.IConstruct | No description.
props | NagPackProps | No description.

scope (Optional)
  • Type: constructs.IConstruct

props (Optional)
  • Type: NagPackProps

Methods

Name | Description
validate | Entry point called by the CDK validation framework.
validateScope | Validate a construct tree directly.

validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport

Entry point called by the CDK validation framework.

Requires appConstruct to be present on the context, which depends on a CDK core change (see INagValidationContext). For testing or direct invocation, use validateScope(scope).

context (Required)
  • Type: aws-cdk-lib.IPolicyValidationContext

validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport

Validate a construct tree directly.

This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.

scope (Required)
  • Type: constructs.IConstruct

Properties

Name | Type | Description
name | string | The name of the plugin that will be displayed in the validation report.
readPackName | string | No description.
ruleIds | string[] | The list of rule IDs that the plugin will evaluate.
version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.

name (Required)
public readonly name: string;
  • Type: string

The name of the plugin that will be displayed in the validation report.


readPackName (Required)
public readonly readPackName: string;
  • Type: string

ruleIds (Optional)
public readonly ruleIds: string[];
  • Type: string[]

The list of rule IDs that the plugin will evaluate.

Used for analytics purposes.


version (Optional)
public readonly version: string;
  • Type: string

The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.


WriteNagSuppressionsToCloudFormationAspect

  • Implements: aws-cdk-lib.IAspect

An IAspect that reads acknowledged rules from construct metadata and writes them into the CfnResource's CloudFormation Metadata for audit trail persistence in the synthesized template.

Preserves the v2 cdk_nag metadata format.

Initializers

import { WriteNagSuppressionsToCloudFormationAspect } from 'cdk-nag'

new WriteNagSuppressionsToCloudFormationAspect()

Methods

Name | Description
visit | All aspects can visit an IConstruct.

visit
public visit(node: IConstruct): void

All aspects can visit an IConstruct.

node (Required)
  • Type: constructs.IConstruct

Protocols

IApplyRule

Interface, kept for JSII interoperability, that carries the rule callback and the parameters passed to it.

Methods

Name | Description
rule | The callback to the rule.

rule
public rule(node: CfnResource): NagRuleCompliance | string[]

The callback to the rule.

node (Required)
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.


Properties

Name | Type | Description
explanation | string | Why the rule exists.
info | string | Why the rule was triggered.
level | NagMessageLevel | The annotations message level to apply to the rule if triggered.
node | aws-cdk-lib.CfnResource | The CfnResource to check.
ruleSuffixOverride | string | Override for the suffix of the Rule ID for this rule.

explanation (Required)
public readonly explanation: string;
  • Type: string

Why the rule exists.


info (Required)
public readonly info: string;
  • Type: string

Why the rule was triggered.


level (Required)
public readonly level: NagMessageLevel;
  • Type: NagMessageLevel

The annotations message level to apply to the rule if triggered.


node (Required)
public readonly node: CfnResource;
  • Type: aws-cdk-lib.CfnResource

The CfnResource to check.


ruleSuffixOverride (Optional)
public readonly ruleSuffixOverride: string;
  • Type: string

Override for the suffix of the Rule ID for this rule.
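To show how the IApplyRule contract composes with the cdk_nag suppression metadata described under NagPackProps, here is an added example that is not cdk-nag's own implementation. A real rule callback receives an aws-cdk-lib CfnResource, which cannot be loaded offline, so the block models only the fields the rule reads (logical ID, type, properties and CloudFormation Metadata) in a stand-in type. That stand-in, the S3 public-access rule, the treatment of a string[] result as a non-compliant result with one message per entry, the rule-ID convention of pack name plus suffix with the callback's name as the default suffix, and the { id, reason } entry shape under cdk_nag.rules_to_suppress are all assumptions made for the example.

```typescript
// Added example, not cdk-nag's own code: evaluate one IApplyRule-style rule
// against a set of resources and honour cdk_nag.rules_to_suppress metadata.
// Plain const objects stand in for the page's enums so the file also runs
// under type-stripping runtimes that do not support TS enums.
const NagRuleCompliance = {
  COMPLIANT: 'Compliant',
  NON_COMPLIANT: 'Non-Compliant',
  NOT_APPLICABLE: 'N/A',
} as const;
type NagRuleCompliance = typeof NagRuleCompliance[keyof typeof NagRuleCompliance];

const NagMessageLevel = { WARN: 'Warning', ERROR: 'Error', INFO: 'Info' } as const;
type NagMessageLevel = typeof NagMessageLevel[keyof typeof NagMessageLevel];

// ASSUMED stand-in for aws-cdk-lib.CfnResource: only the fields the rule and
// the suppression lookup read. `metadata` follows the cdk_nag format that
// writeSuppressionsToCloudFormation emits; the { id, reason } entry shape is assumed.
interface CfnResourceLike {
  logicalId: string;
  cfnResourceType: string;
  cfnProperties: { [key: string]: any };
  metadata?: { cdk_nag?: { rules_to_suppress?: { id: string; reason: string }[] } };
}

// Same members as the page's IApplyRule, typed against the stand-in.
interface ApplyRuleLike {
  explanation: string;
  info: string;
  level: NagMessageLevel;
  node: CfnResourceLike;
  ruleSuffixOverride?: string;
  rule(node: CfnResourceLike): NagRuleCompliance | string[];
}

interface Finding {
  ruleId: string;
  resourceId: string;
  level: NagMessageLevel;
  compliance: string;
  messages: string[];
  suppressionReason?: string;
}

// Example rule: every S3 bucket must set all four PublicAccessBlockConfiguration
// flags. Returning string[] reports each missing flag as a separate finding
// instead of a single NON_COMPLIANT.
function s3BucketPublicAccessBlocked(node: CfnResourceLike): NagRuleCompliance | string[] {
  if (node.cfnResourceType !== 'AWS::S3::Bucket') return NagRuleCompliance.NOT_APPLICABLE;
  const cfg = node.cfnProperties['PublicAccessBlockConfiguration'] || {};
  const required = ['BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets'];
  const missing = required.filter((flag) => cfg[flag] !== true);
  return missing.length === 0 ? NagRuleCompliance.COMPLIANT : missing;
}

// Applies one rule to one resource. The rule ID convention <packName>-<suffix>,
// with the callback's function name as the default suffix, is assumed here.
function applyRule(packName: string, params: ApplyRuleLike): Finding | undefined {
  const suffix = params.ruleSuffixOverride || (params.rule as unknown as { name?: string }).name || 'UnnamedRule';
  const ruleId = `${packName}-${suffix}`;
  const result = params.rule(params.node);
  if (result === NagRuleCompliance.NOT_APPLICABLE) return undefined;
  const base = { ruleId, resourceId: params.node.logicalId, level: params.level };
  if (result === NagRuleCompliance.COMPLIANT) return { ...base, compliance: NagRuleCompliance.COMPLIANT, messages: [] };
  // A string[] result is treated as non-compliant with one message per entry.
  const messages = Array.isArray(result) ? result.map((m) => `${params.info} Finding: ${m}`) : [params.info];
  // A suppression only applies when it names this exact rule ID; the reason is
  // carried into the finding so the audit trail survives in the output.
  const md = params.node.metadata;
  const suppressions = (md && md.cdk_nag && md.cdk_nag.rules_to_suppress) || [];
  const hit = suppressions.filter((s) => s.id === ruleId)[0];
  if (hit) return { ...base, compliance: 'Suppressed', messages, suppressionReason: hit.reason };
  return { ...base, compliance: NagRuleCompliance.NON_COMPLIANT, messages: messages.map((m) => `${m} ${params.explanation}`) };
}

// Constructed sample resources (not a synthesized template).
const SAMPLE_RESOURCES: CfnResourceLike[] = [
  { logicalId: 'LogsBucket', cfnResourceType: 'AWS::S3::Bucket',
    cfnProperties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true } } },
  { logicalId: 'WebsiteBucket', cfnResourceType: 'AWS::S3::Bucket',
    cfnProperties: { PublicAccessBlockConfiguration: { BlockPublicAcls: true } },
    metadata: { cdk_nag: { rules_to_suppress: [{ id: 'Example-s3BucketPublicAccessBlocked', reason: 'Public static site; exposure reviewed and accepted' }] } } },
  { logicalId: 'RawBucket', cfnResourceType: 'AWS::S3::Bucket', cfnProperties: {} },
  { logicalId: 'Handler', cfnResourceType: 'AWS::Lambda::Function', cfnProperties: {} },
];

// Runs the example rule over every resource, the way a pack would during validation.
function runExamplePack(resources: CfnResourceLike[]): Finding[] {
  const findings: Finding[] = [];
  for (const node of resources) {
    const finding = applyRule('Example', {
      node,
      rule: s3BucketPublicAccessBlocked,
      level: NagMessageLevel.ERROR,
      info: 'The S3 bucket does not block public access.',
      explanation: 'Public-access-block settings prevent exposure through ACLs or bucket policies.',
    });
    if (finding) findings.push(finding);
  }
  return findings;
}
```

Running the sample yields three findings: LogsBucket is compliant, WebsiteBucket is suppressed (its three missing flags are still listed next to the recorded reason), RawBucket is non-compliant on all four flags, and the Lambda function is skipped as not applicable. The suppression matches only the exact rule ID, so renaming a rule via ruleSuffixOverride silently invalidates existing suppressions; that is the failure mode to watch for when the audit metadata is consumed by tooling other than cdk-nag.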


INagValidationContext

Extended validation context that includes the construct tree.

Requires a CDK core change that populates appConstruct during plugin validation.

Properties

Name | Type | Description
templatePaths | string[] | The absolute path of all templates to be processed.
appConstruct | constructs.IConstruct | No description.

templatePaths (Required)
public readonly templatePaths: string[];
  • Type: string[]

The absolute path of all templates to be processed.


appConstruct (Required)
public readonly appConstruct: IConstruct;
  • Type: constructs.IConstruct

Enums

NagMessageLevel

The severity level of the rule.

Members

Name | Description
WARN | No description.
ERROR | No description.
INFO | No description.

WARN

ERROR

INFO

NagReportFormat

Possible output formats of the NagReport.

Members

Name | Description
CSV | No description.
JSON | No description.

CSV

JSON

NagRuleCompliance

The compliance level of a resource in relation to a rule.

Members

Name | Description
COMPLIANT | No description.
NON_COMPLIANT | No description.
NOT_APPLICABLE | No description.

COMPLIANT

NON_COMPLIANT

NOT_APPLICABLE

NagRulePostValidationStates

Additional states a rule can be in post compliance validation.

Members

Name | Description
UNKNOWN | No description.

UNKNOWN