The Aitool CDK Factory is built with a "Security First" philosophy. It enforces NIST 800-53 compliance checks at the factory level, ensuring that generated infrastructure is secure by default.
The following controls are enforced by the SecurityValidator and SafetyAspects (cdk-nag):
| Control ID | Description | Implementation |
|---|---|---|
| SC-13 | Cryptographic Protection | All data at rest (S3, RDS, DynamoDB) must be encrypted. |
| AC-3 | Access Enforcement | Public access to S3 buckets is blocked by default. |
| SC-7 | Boundary Protection | Security Groups must restrict inbound traffic to known ports. |
| AU-3 | Content of Audit Records | Access logging is enabled for LB and S3. |
The factory analyzes the ProjectConfig to generate IAM roles with minimum necessary permissions.
- Task Execution Role: Grants permission to pull images (ECR) and write logs (CloudWatch).
- Task Role: Grants application-specific permissions (e.g.,
s3:GetObjectonly if an S3 resource is defined).
We use AWS Access Analyzer during validation to detect over-permissive policies (like Action: *) before any code is deployed.
Never commit secrets to git.
The factory uses a reference system for secrets:
- Define in IR:
secrets: { DB_PASSWORD: "dev/myservice/db_primary_password" }
- Resolve at Runtime:
The ECS Task Definition maps the environment variable
DB_PASSWORDto the value from SSM Parameter Store or Secrets Manager.
To run security checks without generating code:
pnpm exec factory generate --type docker ... --dry-run(Note: Failed validation will exit with a non-zero code).