in packages/constructs/L2/opensearch-constructs/lib/domain.ts [118:267]
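/**
 * Creates the OpenSearch domain and then attaches cdk-nag suppressions to the
 * CDK-generated helper constructs (custom-resource policies, the provider
 * Lambda and its role) whose findings are accepted by design.
 *
 * Suppressions are attached by construct-id matching (`includes` /
 * `startsWith`), so each one applies to every construct whose id happens to
 * match. Keep the match strings as narrow as possible so a suppression cannot
 * silently cover an unrelated resource added later.
 *
 * @param scope - Parent construct.
 * @param id - Construct id.
 * @param props - Domain properties; normalised by `MdaaOpensearchDomain.setProps`
 *   before being handed to the base constructor.
 */
constructor(scope: Construct, id: string, props: MdaaOpensearchDomainProps) {
  super(scope, id, MdaaOpensearchDomain.setProps(props));

  // The helpers below return a fresh array on every call so no two
  // addCodeResourceSuppressions calls share (or could mutate) one list.

  // NIST / HIPAA / PCI "no inline policy" rules always travel together.
  const inlinePolicySuppressions = (reason: string) => [
    { id: 'NIST.800.53.R5-IAMNoInlinePolicy', reason },
    { id: 'HIPAA.Security-IAMNoInlinePolicy', reason },
    { id: 'PCI.DSS.321-IAMNoInlinePolicy', reason },
  ];

  const customResourceInlineReason = 'Role is for Custom Resource Provider. Inline policy automatically added.';
  const providerLambdaInlineReason =
    'Role is for Custom Resource Provider Lambda Function executed only at the time of infra deployment. Least privilege KMS policies automatically added.';

  // Findings on the custom-resource provider Lambda itself; it only runs
  // during stack deployment, so DLQ / VPC / reserved-concurrency controls
  // are accepted as not applicable.
  const providerLambdaSuppressions = () => {
    const dlqReason = 'Function is for custom resource and error handling will be handled by CloudFormation.';
    const vpcReason = 'Function is for custom resource and will interact only with IAM.';
    const concurrencyReason =
      'Function is for custom resource and will only execute during stack deployement. Reserved concurrency not appropriate.';
    return [
      { id: 'AwsSolutions-L1', reason: 'Lambda function Runtime set by CDK Provider Framework' },
      { id: 'NIST.800.53.R5-LambdaDLQ', reason: dlqReason },
      { id: 'NIST.800.53.R5-LambdaInsideVPC', reason: vpcReason },
      { id: 'NIST.800.53.R5-LambdaConcurrency', reason: concurrencyReason },
      { id: 'HIPAA.Security-LambdaDLQ', reason: dlqReason },
      { id: 'PCI.DSS.321-LambdaDLQ', reason: dlqReason },
      { id: 'HIPAA.Security-LambdaInsideVPC', reason: vpcReason },
      { id: 'PCI.DSS.321-LambdaInsideVPC', reason: vpcReason },
      { id: 'HIPAA.Security-LambdaConcurrency', reason: concurrencyReason },
      { id: 'PCI.DSS.321-LambdaConcurrency', reason: concurrencyReason },
    ];
  };

  // --- Children of the domain construct itself -----------------------------
  for (const child of this.node.children) {
    const childId = child.node.id;

    // Custom-resource policy that grants the log-group resource policy.
    if (childId.includes('ESLogGroupPolicy')) {
      for (const policyChild of child.node.children) {
        if (policyChild.node.id.includes('CustomResourcePolicy')) {
          MdaaNagSuppressions.addCodeResourceSuppressions(policyChild, [
            {
              id: 'AwsSolutions-IAM5',
              reason:
                'Role is for Custom Resource Provider. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html',
            },
            ...inlinePolicySuppressions(customResourceInlineReason),
          ]);
        }
      }
    }

    // The CfnDomain resource: VPC deployment replaces IP-based policies, and
    // the access policy is attached right after creation by a custom resource.
    if (childId.startsWith('Resource')) {
      MdaaNagSuppressions.addCodeResourceSuppressions(child, [
        {
          id: 'AwsSolutions-OS3',
          reason:
            'The Opensearch domain is deployed within VPC. IP based access policies cannot be applied to domains that reside within VPC because security groups already enforce IP-based access policy. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html#vpc-security',
        },
        {
          id: 'AwsSolutions-OS5',
          reason:
            'CDK Construct applies Domain Access Policy immedietely after the domain is created. Zero Trust is still applied, not as part of domain properties in CDK generated cloudformation template, but immediately after domain deployment via custom resource',
        },
      ]);
    }

    // Custom-resource policy that applies the domain access policy.
    if (childId.startsWith('AccessPolicy')) {
      for (const policyChild of child.node.children) {
        if (policyChild.node.id.includes('CustomResourcePolicy')) {
          MdaaNagSuppressions.addCodeResourceSuppressions(
            policyChild,
            inlinePolicySuppressions(customResourceInlineReason),
          );
        }
      }
    }
  }

  // --- Stack-scoped provider resources --------------------------------------
  // NOTE(review): matches every stack child whose id starts with 'AWS' —
  // presumably the singleton custom-resource provider function CDK adds at
  // stack scope; confirm no other stack-level construct id begins with 'AWS'
  // before relying on this prefix, since the match is what scopes the
  // suppressions below.
  for (const stackChild of this.stack.node.children) {
    if (!stackChild.node.id.startsWith('AWS')) {
      continue;
    }
    MdaaNagSuppressions.addCodeResourceSuppressions(stackChild, providerLambdaSuppressions());

    for (const providerChild of stackChild.node.children) {
      if (providerChild.node.id.includes('ServiceRole')) {
        MdaaNagSuppressions.addCodeResourceSuppressions(providerChild, [
          {
            id: 'AwsSolutions-IAM4',
            reason:
              'Role is for Custom Resource Provider Lambda Function. AWS Managed policy AWSLambdaBasicExecutionRole provides least privilege permissions.',
          },
        ]);
      }
      // Inspected for every providerChild (not only the service role), as the
      // original walk did; 'DefaultPolicy' is the inline policy CDK attaches
      // to the provider's role.
      for (const roleChild of providerChild.node.children) {
        if (roleChild.node.id.includes('DefaultPolicy')) {
          MdaaNagSuppressions.addCodeResourceSuppressions(roleChild, [
            {
              id: 'AwsSolutions-IAM5',
              reason: 'Role is for Custom Resource Provider Lambda Function. KMS policy added is least privilege.',
            },
            ...inlinePolicySuppressions(providerLambdaInlineReason),
          ]);
        }
      }
    }
  }
}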