Package that reads the CDK output, determines what resources are in use and then generates a Service Control Policy

instil/cdk-to-scp

cdk-to-scp

This project parses your CDK output (the synthesized CloudFormation templates in the cdk.out folder), determines which AWS services your application uses and generates a Service Control Policy (SCP) that denies every other service. Attached to the organizational unit or account that hosts the application, the SCP caps what any principal there can do regardless of its IAM policies; it never grants permissions on its own.

Usage

Install the package

  npm install -g @instil/cdk-to-scp

Navigate to the folder in your project that contains the cdk.out folder

Then run

  cdk-to-scp

This prints a Service Control Policy to the console that denies every service except those used by your project, e.g.:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsNotInUse",
      "Effect": "Deny",
      "NotAction": [
        "s3:*",
        "iam:*",
        "lambda:*",
        "sqs:*",
        "cloudwatch:*",
        "dynamodb:*",
        "sns:*",
        "ses:*",
        "ssm:*",
        "apigateway:*",
        "wafv2:*",
        "cognito:*",
        "cloudfront:*",
        "appsync:*"
      ],
      "Resource": "*"
    }
  ]
}

You can then use this as a starting point for your SCP. Review it before attaching it to an organizational unit: the statement denies every action whose service prefix is not listed, so anything missing from NotAction is blocked for every principal in the affected accounts, including the deployment itself (CDK deploys through CloudFormation and assumes its deployment roles via STS, and neither cloudformation nor sts appears among a template's resources). Services used at runtime without a matching resource type, such as CloudWatch Logs (prefix logs) for Lambda function logs, and IAM prefixes that differ from the CloudFormation service name (Amazon Cognito is cognito-idp and cognito-identity in IAM, not cognito, so a cognito:* entry matches nothing) also have to be added or corrected by hand. SCPs do not apply to the organization's management account, so test the policy on a non-production OU first.
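The following is an added example, not code from the cdk-to-scp project, showing the approach described above end to end: read the resource types out of a synthesized CloudFormation template, map each to its IAM service prefix and emit the Deny/NotAction policy. The inline template, the prefix override table and the deployment baseline of cloudformation and sts are the editor's assumptions; in a real run you would load every *.template.json under cdk.out instead of the constructed sample.

```javascript
// Added example (not the cdk-to-scp project's own code): build a Deny/NotAction
// SCP from the resource types found in a synthesized CloudFormation template.

// A constructed cdk.out template fragment (not from any real project).
const SAMPLE_TEMPLATE = {
  Resources: {
    Bucket: { Type: "AWS::S3::Bucket" },
    Fn: { Type: "AWS::Lambda::Function" },
    FnRole: { Type: "AWS::IAM::Role" },
    FnLogs: { Type: "AWS::Logs::LogGroup" },
    Table: { Type: "AWS::DynamoDB::Table" },
    UserPool: { Type: "AWS::Cognito::UserPool" },
    IdPool: { Type: "AWS::Cognito::IdentityPool" },
    Api: { Type: "AWS::ApiGatewayV2::Api" },
    AutoDelete: { Type: "Custom::S3AutoDeleteObjects" },
    CDKMetadata: { Type: "AWS::CDK::Metadata" },
  },
};

// CloudFormation service names whose IAM service prefix is not simply the
// lower-cased name. Keys are either "Service" or "Service/Resource"; the
// more specific key wins. Anything not listed falls back to lower-casing,
// so review the output for services outside this table (editor's assumption).
const PREFIX_OVERRIDES = {
  Cognito: "cognito-idp",
  "Cognito/IdentityPool": "cognito-identity",
  "Cognito/IdentityPoolRoleAttachment": "cognito-identity",
  ApiGatewayV2: "apigateway",
  CertificateManager: "acm",
  StepFunctions: "states",
  ElasticLoadBalancingV2: "elasticloadbalancing",
  KinesisFirehose: "firehose",
};

// Map one CloudFormation resource type to an IAM service prefix, or null when
// the type is not an AWS service: Custom::* resources are Lambda-backed (the
// Lambda function itself is in the template) and AWS::CDK::Metadata is CDK
// bookkeeping.
function iamPrefixFor(resourceType) {
  const [vendor, service, resource] = resourceType.split("::");
  if (vendor !== "AWS" || service === "CDK") return null;
  return (
    PREFIX_OVERRIDES[`${service}/${resource}`] ||
    PREFIX_OVERRIDES[service] ||
    service.toLowerCase()
  );
}

// Collect the distinct IAM prefixes used by a template's resources.
function servicesFromTemplate(template) {
  const prefixes = new Set();
  for (const res of Object.values(template.Resources || {})) {
    const p = iamPrefixFor(res.Type);
    if (p) prefixes.add(p);
  }
  return prefixes;
}

// Services the deployment pipeline needs even though no resource declares
// them: CDK deploys through CloudFormation and assumes roles via STS. This
// baseline is an editor's assumption; extend it for your bootstrap (ecr, kms, ...).
const DEPLOY_BASELINE = ["cloudformation", "sts"];

// Build the Deny/NotAction SCP: every service not in the allow set is denied.
function buildScp(templates, alwaysAllow = DEPLOY_BASELINE) {
  const allowed = new Set(alwaysAllow);
  for (const t of templates) {
    servicesFromTemplate(t).forEach((p) => allowed.add(p));
  }
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "DenyActionsNotInUse",
        Effect: "Deny",
        NotAction: [...allowed].sort().map((p) => `${p}:*`),
        Resource: "*",
      },
    ],
  };
}

console.log(JSON.stringify(buildScp([SAMPLE_TEMPLATE]), null, 2));
```

Two details carry the security weight here. A CloudFormation service name is not always the IAM prefix (Cognito resources are cognito-idp or cognito-identity in IAM, so a literal cognito:* entry would match nothing and leave those services denied), and a template only lists what the application creates, not what the deployment pipeline or the running code needs, so the baseline has to be maintained by hand and checked against the AWS service authorization reference.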
