API Reference
June 12, 2026
Structs
NagPackProps
Interface for creating a NagPack.
Initializer
import { NagPackProps } from 'cdk-nag'
const nagPackProps: NagPackProps = { ... }
Properties
| Name | Type | Description |
|---|---|---|
| verbose | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). |
| writeSuppressionsToCloudFormation | boolean | Whether to write acknowledged rules into CfnResource CloudFormation Metadata as cdk_nag: { rules_to_suppress: [...] } for backwards compatibility with v2 audit trail tooling (default: false). |
verbose (Optional)
public readonly verbose: boolean;
- Type: boolean
Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
writeSuppressionsToCloudFormation (Optional)
public readonly writeSuppressionsToCloudFormation: boolean;
- Type: boolean
Whether to write acknowledged rules into CfnResource CloudFormation Metadata as cdk_nag: { rules_to_suppress: [...] } for backwards compatibility with v2 audit trail tooling (default: false).
NagReportLine
A single line in a NagReport.
Initializer
import { NagReportLine } from 'cdk-nag'
const nagReportLine: NagReportLine = { ... }
Properties
| Name | Type | Description |
|---|---|---|
| compliance | string | No description. |
| resourceId | string | No description. |
| ruleId | string | No description. |
| ruleInfo | string | No description. |
| ruleLevel | string | No description. |
compliance (Required)
public readonly compliance: string;
- Type: string
resourceId (Required)
public readonly resourceId: string;
- Type: string
ruleId (Required)
public readonly ruleId: string;
- Type: string
ruleInfo (Required)
public readonly ruleInfo: string;
- Type: string
ruleLevel (Required)
public readonly ruleLevel: string;
- Type: string
NagReportSchema
Schema for the NagReport output.
Initializer
import { NagReportSchema } from 'cdk-nag'
const nagReportSchema: NagReportSchema = { ... }
Properties
| Name | Type | Description |
|---|---|---|
| lines | NagReportLine[] | No description. |
lines (Required)
public readonly lines: NagReportLine[];
- Type: NagReportLine[]
Classes
AwsSolutionsChecks
Check best practices based on the AWS Solutions Security Matrix.
Initializers
import { AwsSolutionsChecks } from 'cdk-nag'
new AwsSolutionsChecks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
HIPAASecurityChecks
Check for HIPAA Security compliance.
Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
Initializers
import { HIPAASecurityChecks } from 'cdk-nag'
new HIPAASecurityChecks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
NagPack
- Implements: aws-cdk-lib.IPolicyValidationPlugin
Base class for all rule packs.
Implements IPolicyValidationPlugin so that packs are registered via Validations.of(app).addPlugins(new MyPack(app)) instead of Aspects.of(app).add(...).
Initializers
import { NagPack } from 'cdk-nag'
new NagPack(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
NagRules
Helper class with methods for rule creation.
Initializers
import { NagRules } from 'cdk-nag'
new NagRules()
Static Functions
| Name | Description |
|---|---|
| resolveIfPrimitive | Use in cases where a primitive value must be known to pass a rule. |
| resolveResourceFromInstrinsic | No description. |
| resolveResourceFromIntrinsic | Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule. |
resolveIfPrimitive
import { NagRules } from 'cdk-nag'
NagRules.resolveIfPrimitive(node: CfnResource, parameter: any)
Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive
node (Required)
- Type: aws-cdk-lib.CfnResource
The CfnResource to check.
parameter (Required)
- Type: any
The value to attempt to resolve.
resolveResourceFromInstrinsic
import { NagRules } from 'cdk-nag'
NagRules.resolveResourceFromInstrinsic(node: CfnResource, parameter: any)
node (Required)
- Type: aws-cdk-lib.CfnResource
The CfnResource to check.
parameter (Required)
- Type: any
The value to attempt to resolve.
resolveResourceFromIntrinsic
import { NagRules } from 'cdk-nag'
NagRules.resolveResourceFromIntrinsic(node: CfnResource, parameter: any)
Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
node (Required)
- Type: aws-cdk-lib.CfnResource
The CfnResource to check.
parameter (Required)
- Type: any
The value to attempt to resolve.
NIST80053R4Checks
Check for NIST 800-53 rev 4 compliance.
Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html
Initializers
import { NIST80053R4Checks } from 'cdk-nag'
new NIST80053R4Checks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
NIST80053R5Checks
Check for NIST 800-53 rev 5 compliance.
Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html
Initializers
import { NIST80053R5Checks } from 'cdk-nag'
new NIST80053R5Checks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
PCIDSS321Checks
Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
Initializers
import { PCIDSS321Checks } from 'cdk-nag'
new PCIDSS321Checks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
ServerlessChecks
Serverless Checks are a compilation of rules that validate infrastructure-as-code templates against recommended practices.
Initializers
import { ServerlessChecks } from 'cdk-nag'
new ServerlessChecks(scope?: IConstruct, props?: NagPackProps)
| Name | Type | Description |
|---|---|---|
| scope | constructs.IConstruct | No description. |
| props | NagPackProps | No description. |
scope (Optional)
- Type: constructs.IConstruct
props (Optional)
- Type: NagPackProps
Methods
| Name | Description |
|---|---|
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
validate
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
Entry point called by the CDK validation framework.
Requires appConstruct to be present on the context (CDK core change).
For testing or direct invocation, use validateScope(scope).
context (Required)
- Type: aws-cdk-lib.IPolicyValidationContext
validateScope
public validateScope(scope: IConstruct): PolicyValidationPluginReport
Validate a construct tree directly.
This is the primary entry point for testing and for CDK versions that do not yet provide appConstruct on IPolicyValidationContext.
scope (Required)
- Type: constructs.IConstruct
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | No description. |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0. |
name (Required)
public readonly name: string;
- Type: string
The name of the plugin that will be displayed in the validation report.
readPackName (Required)
public readonly readPackName: string;
- Type: string
ruleIds (Optional)
public readonly ruleIds: string[];
- Type: string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics purposes.
version (Optional)
public readonly version: string;
- Type: string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as 0.0.0.
WriteNagSuppressionsToCloudFormationAspect
- Implements: aws-cdk-lib.IAspect
An IAspect that reads acknowledged rules from construct metadata and writes them into the CfnResource's CloudFormation Metadata for audit trail persistence in the synthesized template.
Preserves the v2 cdk_nag metadata format.
Initializers
import { WriteNagSuppressionsToCloudFormationAspect } from 'cdk-nag'
new WriteNagSuppressionsToCloudFormationAspect()
Methods
| Name | Description |
|---|---|
| visit | All aspects can visit an IConstruct. |
visit
public visit(node: IConstruct): void
All aspects can visit an IConstruct.
node (Required)
- Type: constructs.IConstruct
Protocols
IApplyRule
- Implemented By: IApplyRule
Interface for JSII interoperability, used to pass parameters and the rule callback.
Methods
| Name | Description |
|---|---|
| rule | The callback to the rule. |
rule
public rule(node: CfnResource): NagRuleCompliance | string[]
The callback to the rule.
node (Required)
- Type: aws-cdk-lib.CfnResource
The CfnResource to check.
Properties
| Name | Type | Description |
|---|---|---|
| explanation | string | Why the rule exists. |
| info | string | Why the rule was triggered. |
| level | NagMessageLevel | The annotations message level to apply to the rule if triggered. |
| node | aws-cdk-lib.CfnResource | The CfnResource to check. |
| ruleSuffixOverride | string | Override for the suffix of the Rule ID for this rule. |
explanation (Required)
public readonly explanation: string;
- Type: string
Why the rule exists.
info (Required)
public readonly info: string;
- Type: string
Why the rule was triggered.
level (Required)
public readonly level: NagMessageLevel;
- Type: NagMessageLevel
The annotations message level to apply to the rule if triggered.
node (Required)
public readonly node: CfnResource;
- Type: aws-cdk-lib.CfnResource
The CfnResource to check.
ruleSuffixOverride (Optional)
public readonly ruleSuffixOverride: string;
- Type: string
Override for the suffix of the Rule ID for this rule.
INagValidationContext
- Extends: aws-cdk-lib.IPolicyValidationContext
- Implemented By: INagValidationContext
Extended validation context that includes the construct tree.
Requires CDK core change to populate appConstruct during plugin validation.
Properties
| Name | Type | Description |
|---|---|---|
| templatePaths | string[] | The absolute path of all templates to be processed. |
| appConstruct | constructs.IConstruct | No description. |
templatePaths (Required)
public readonly templatePaths: string[];
- Type: string[]
The absolute path of all templates to be processed.
appConstruct (Required)
public readonly appConstruct: IConstruct;
- Type: constructs.IConstruct
Enums
NagMessageLevel
The severity level of the rule.
Members
| Name | Description |
|---|---|
| WARN | No description. |
| ERROR | No description. |
| INFO | No description. |
WARN
ERROR
INFO
NagReportFormat
Possible output formats of the NagReport.
Members
| Name | Description |
|---|---|
| CSV | No description. |
| JSON | No description. |
CSV
JSON
NagRuleCompliance
The compliance level of a resource in relation to a rule.
Members
| Name | Description |
|---|---|
| COMPLIANT | No description. |
| NON_COMPLIANT | No description. |
| NOT_APPLICABLE | No description. |
COMPLIANT
NON_COMPLIANT
NOT_APPLICABLE
NagRulePostValidationStates
Additional states a rule can be in post compliance validation.
Members
| Name | Description |
|---|---|
| UNKNOWN | No description. |