https://github.com/alphacrack/aws-cdk-secure-constructs
Secure-by-Design AWS CDK Layer 2 Constructs with well architected Hardening
https://github.com/alphacrack/aws-cdk-secure-constructs
aws aws-cdk aws-security cdk cloud-security devsecops iac infrastructure-as-code security typescript
Last synced: 6 days ago
JSON representation
Secure-by-Design AWS CDK Layer 2 Constructs with well architected Hardening
- Host: GitHub
- URL: https://github.com/alphacrack/aws-cdk-secure-constructs
- Owner: alphacrack
- License: mit
- Created: 2025-06-27T20:51:50.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-06-06T16:40:03.000Z (about 1 month ago)
- Last Synced: 2026-06-06T18:17:01.257Z (about 1 month ago)
- Topics: aws, aws-cdk, aws-security, cdk, cloud-security, devsecops, iac, infrastructure-as-code, security, typescript
- Language: TypeScript
- Homepage:
- Size: 1.08 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 15
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
- Roadmap: ROADMAP.md
Awesome Lists containing this project
README
# AWS CDK Secure Constructs
Secure-by-default AWS CDK constructs with [CDK property injection](https://docs.aws.amazon.com/cdk/v2/guide/blueprints.html) support.
**Status:** Early stage. Only **S3 (`SecureBucket`)** is implemented today. Requires `aws-cdk-lib` >= 2.196.0.
## What it does
- **Construct:** `SecureBucket` — CIS-critical settings (encryption, block public access, SSL, object ownership) are always enforced.
- **Tiers:** `HIGH` / `MEDIUM` / `LOW` for operational settings (versioning, logging, removal policy).
- **Injectors:** Property injectors including `TieredSecureBucketDefaults` (tighten-only).
- **Compliance:** `S3BucketCompliance.report()` — enforced controls are verified by synthesis tests.
Property injectors set defaults; they do not block someone from using L1 `CfnBucket` directly.
## Install
From npm (after publish):
```bash
npm install aws-cdk-secure-constructs
```
From this repo (local):
```bash
npm install
npm run build
npm run test:local-build # pack + install + cdk synth
```
## Usage
```typescript
import { App, Stack } from 'aws-cdk-lib';
import { SecureBucket, SecurityLevel } from 'aws-cdk-secure-constructs';
const app = new App();
const stack = new Stack(app, 'MyStack');
new SecureBucket(stack, 'Data', {
securityLevel: SecurityLevel.HIGH,
});
```
Tiered injector (org-wide floor):
```typescript
import { PropertyInjectors } from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { TieredSecureBucketDefaults, SecurityLevel } from 'aws-cdk-secure-constructs';
PropertyInjectors.of(app).add(
new TieredSecureBucketDefaults({ securityLevel: SecurityLevel.MEDIUM })
);
new Bucket(stack, 'RawBucket', { enforceSSL: false }); // CIS-critical fields still enforced
```
More examples: [examples/](examples/), [examples/local-consumer/](examples/local-consumer/) (tests the published tarball).
## Development
```bash
npm install
npm run build # jsii -> lib/
npm test
npm run lint
npm run test:local-build
npm run release -- patch # from clean main only; tags and triggers CI publish
```
## Docs
- [API](docs/API.md)
- [Security model](docs/SECURITY.md)
- [Design guidelines](docs/DESIGN.md)
- [Contributing](CONTRIBUTING.md)
- [Roadmap](ROADMAP.md)
## License
MIT — see [LICENSE](LICENSE).