{"id":16230097,"url":"https://github.com/skorfmann/cloudpatrol","last_synced_at":"2025-09-04T15:38:48.336Z","repository":{"id":42885084,"uuid":"254879522","full_name":"skorfmann/cloudpatrol","owner":"skorfmann","description":"Policy as Code for the Cloud Development Kit (CDK)","archived":false,"fork":false,"pushed_at":"2023-01-06T03:20:41.000Z","size":1544,"stargazers_count":22,"open_issues_count":20,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-02-28T19:06:49.668Z","etag":null,"topics":["aws","aws-cdk","cdk","cloud","policy-as-code","typescript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skorfmann.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-11T13:59:03.000Z","updated_at":"2023-05-12T21:06:19.000Z","dependencies_parsed_at":"2023-02-05T05:01:19.293Z","dependency_job_id":null,"html_url":"https://github.com/skorfmann/cloudpatrol","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skorfmann%2Fcloudpatrol","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skorfmann%2Fcloudpatrol/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skorfmann%2Fcloudpatrol/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skorfmann%2Fcloudpatrol/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skorfmann","download_url":"https://codeload.github.com/skorfmann/cloudpatrol/tar.gz/refs/heads/
master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243997041,"owners_count":20380980,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-cdk","cdk","cloud","policy-as-code","typescript"],"created_at":"2024-10-10T13:00:14.187Z","updated_at":"2025-03-19T14:30:31.396Z","avatar_url":"https://github.com/skorfmann.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"![cloudpatrol.png](./cloudpatrol.png)\n\n# Policy as Code for the Cloud Development Kit\n\nCloud Patrol lets you define common policies with remediation strategies for your [AWS CDK](https://github.com/aws/aws-cdk/) stacks and enforce them across your CDK stacks / applications.\n\n*NB: This is an alpha release - Everything might change.*\n\n## Use Cases\n\nMake sure your Cloud resources are:\n\n- Tagged properly\n- Secure by default\n- Following naming conventions\n- Within your budget\n- Not provisioned with hardcoded secrets\n- Pretty much whatever you can think of :)\n\n## Getting Started\n\n```sh\nyarn add cloudpatrol\n```\n\n### Example\n\nGiven this example:\n\n```typescript\nimport * as cdk from '@aws-cdk/core';\nimport { ExampleStack } from '../lib/example-stack';\nimport { AwsCdkPatrol } from 'cloudpatrol/lib';\nimport { awsDefaults } from 'cloudpatrol/policies/aws/packs/good-defaults';\n\nconst app = new cdk.App();\nconst stack = new ExampleStack(app, 'ExampleStack');\n\n// Check the stack against the bundled AWS default policy pack\nconst cloudPatrol = new AwsCdkPatrol(awsDefaults);\ncloudPatrol.check(stack);\n```\n\nWe can do the following:\n\n![example](./example.png)\n\nCheck the full [example](./example/bin/example.ts).\n\n## Reports\n\nCurrently, there are two reporting mechanisms:\n\n### AWS CDK inline report\n\nAs part of your normal CDK commands (e.g. `cdk synth --app bin/example.js`), Cloud Patrol reports findings on the Construct nodes themselves and stops the synth process on errors.\n\n### Terminal Report\n\nFor CI / CD workflows and local testing, just execute your CDK app directly with `node` (e.g. `node ./bin/example.js`). This is great for dedicated validation of policies without the synthesized output.\n\n### Custom Reporting\n\nNot implemented yet, but it's on the agenda, and probably possible right now with a bit of effort.\n\n## Policies\n\n### Full Example\n\n```typescript\nimport * as cdk from '@aws-cdk/core';\nimport * as s3 from '@aws-cdk/aws-s3';\n// Import path for the Cloud Patrol base types is assumed here\nimport { Policy, PolicyInterface, Reportable } from 'cloudpatrol/lib';\n\n/**\n * This Policy ensures that a bucket is properly versioned\n *\n * @cloudformationResource AWS::S3::Bucket\n * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html\n */\nexport class BucketVersioningPolicy extends Policy implements PolicyInterface {\n  public policyName = 'Bucket Versioning'\n  public description = 'This ensures that a bucket is properly versioned'\n  public link = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html'\n  // Only L1 S3 bucket resources are visited by this policy\n  public scope = s3.CfnBucket\n\n  public validator(node: s3.CfnBucket, reporter: Reportable): void {\n    // Unresolved tokens cannot be inspected at synth time, so only\n    // concrete configurations are checked for status !== 'Enabled'\n    if (!node.versioningConfiguration ||\n      (!cdk.Tokenization.isResolvable(node.versioningConfiguration) \u0026\u0026 node.versioningConfiguration.status !== 'Enabled')) {\n      reporter.addWarning(node, this, 'Bucket versioning is not enabled');\n    }\n  }\n}\n```\n\n### Implemented Policies\n\n- [Ec2InstanceTypePolicy](./policies/aws/ec2.ts)\n- [BucketVersioningPolicy](./policies/aws/s3-bucket.ts)\n- [BucketEncryptionPolicy](./policies/aws/s3-bucket.ts)\n- ... 
create a Pull Request to add yours :)\n\n### Custom Policies\n\nPolicies have to follow this schema:\n\n```typescript\nclass YourCustomPolicy extends Policy implements PolicyInterface {\n  //...\n}\n```\n\n#### Scope\n\nThere are two options to define the scope of a Policy:\n\n*Define an explicit scope:*\n\n```typescript\nclass YourCustomPolicy extends Policy implements PolicyInterface {\n  //...\n  // The policy only visits nodes of this construct type\n  public scope = s3.CfnBucket\n  //...\n}\n```\n\n*Overwrite `isApplicable`:*\n\n```typescript\nclass YourCustomPolicy extends Policy implements PolicyInterface {\n  //...\n  public isApplicable(node: cdk.Resource): boolean {\n    // your custom logic here: return true for nodes this policy should validate\n  }\n  //...\n}\n```\n\n#### Policy Validation Logic\n\n```typescript\nclass YourCustomPolicy extends Policy implements PolicyInterface {\n  //...\n  public validator(node: s3.CfnBucket, reporter: Reportable, context: PolicyContext): void {\n    // your custom logic here.\n  }\n  //...\n}\n```\n\nIssues found are reported via the `reporter` object. You can report multiple issues per Policy. There are three different issue severities:\n\n- Info\n- Warning\n- Error\n\n`context` is persistent across the entire Stack validation and can be passed in for dynamic information.\n\n## How does it work?\n\nCloud Patrol makes use of [Aspects](https://docs.aws.amazon.com/cdk/latest/guide/aspects.html) to visit all nodes in a given [Construct](https://github.com/aws/constructs) (e.g. your stack). Aspects are applied in the [prepare](https://github.com/aws/constructs/blob/166ba7ef9e88fd9ffbedd6fa2e6d096ace370ca4/lib/construct.ts#L427-L445) stage, which is called before synthesizing the stack. That's great if you're going to synthesize anyway. However, if you just want to run the Cloud Patrol checks, we have to invoke the preparation ourselves. Something along the lines of this:\n\n```typescript\n// Register the patrol as an Aspect on the stack and trigger the prepare\n// stage manually, so policies run without a full synth\nstack.node.applyAspect(this);\ncdk.ConstructNode.prepare(stack.node);\n```\n\n## Roadmap\n\n- [ ] Simplify Policy definition\n- [ ] Drop dependency on aws-cdk/core where possible, extract the rest to a dedicated package\n- [ ] Publish policies as a separate package (e.g. @cloudpatrol/aws-policies)\n- [ ] Implement remediation strategies\n- [ ] Documentation\n- [ ] Policy generator\n- [ ] Modularize and detangle `Reporter` to allow multiple ways of reporting\n- [ ] [Github Actions](https://github.com/features/actions) for easy integration\n- [ ] `.cloudpatrol` file?\n- [ ] Provide more policies out of the box\n- [ ] CLI which autodetects Stacks for inspection\n- [ ] Integration tests against the last X releases of the [AWS CDK](https://github.com/aws/aws-cdk/)\n- [ ] Integrate supported languages of [jsii](https://github.com/aws/jsii)\n- [ ] Integrate in CDK based frameworks like [cdk8s](https://github.com/awslabs/cdk8s) and [terrastack](https://github.com/terrastackio/terrastack)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskorfmann%2Fcloudpatrol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskorfmann%2Fcloudpatrol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskorfmann%2Fcloudpatrol/lists"}