Save Time and Money by Shifting HIPAA Compliance Checks Left with CDK-Nag
Make some easy money by checking sooner!
Published Feb 15, 2025
Last Modified Feb 17, 2025
With cdk-nag you can check your CDK infrastructure for compliance problems before it is deployed, catching misconfigurations while they are still code and saving you time and money.
The steps in this tutorial assume you already have a CDK project. If you don't, you can follow this guide from the docs or clone the sample repo from above.
```shell
npm i cdk-nag
```
Simple as that.
In your root application file (the one that creates the `App`), import the rule packs you want applied to your infrastructure and attach them as CDK aspects. Aspects are evaluated during synthesis, so cdk-nag visits every construct in every stack and reports each violation as a CDK annotation; error-level findings make `cdk synth` fail.
It's great that you can now check for issues. But unless you take the time to build a system that brings these findings up and out (CI logs, pull-request checks, a dashboard), they will likely just be disregarded.

To remedy this, either use the `NagReportLogger` shipped with cdk-nag or write your own. The supplied logger writes a per-stack report as JSON or CSV into the CDK output directory, which makes it straightforward to consume from an existing CI/CD system. If that isn't enough, the project has a good guide on implementing a custom logger.

Fancy buzzwords aside, by including `cdk-nag` in your application you can check for potential HIPAA violations as soon as the code is written, because the rules run against the synthesized template during `cdk synth`. That turns the lengthy debug cycle of
- Write
- Build
- Deploy
- Validate

into
- Write
- Build

Keep in mind that cdk-nag only sees what CDK synthesizes: it will not catch resources changed outside of CDK, and a clean run is evidence of sound configuration, not a compliance certification.
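One way to bring the findings "up and out", as an added example that is not part of the original post or of cdk-nag: a small gate that reads the JSON report cdk-nag writes under `cdk.out` and decides whether the CI job fails. The field names (`ruleId`, `resourceId`, `compliance`, `exceptionReason`, `ruleLevel`, `ruleInfo`) and the compliance values (`Compliant`, `Non-Compliant`, `Suppressed`, `UNKNOWN`) follow the report as I understand it and should be checked against a real file in your `cdk.out`; the sample report embedded below is constructed for the example. Beyond failing on non-compliant resources, the gate also fails on rules that errored (the resource was never actually checked) and on suppressions without a real justification, since suppressions are where a compliance control quietly leaks.

```typescript
// nag-gate.ts (placeholder name): added example, not from the original post or cdk-nag.
// Evaluates a cdk-nag JSON report (written when reportFormats includes
// NagReportFormat.JSON) and decides whether a CI job should fail.

interface NagReportLine {
  ruleId: string;          // e.g. "HIPAA.Security-S3BucketLoggingEnabled"
  resourceId: string;      // construct path of the resource
  compliance: string;      // assumed: 'Compliant' | 'Non-Compliant' | 'Suppressed' | 'UNKNOWN'
  exceptionReason: string; // suppression justification, or 'N/A'
  ruleLevel: string;       // assumed: 'Error' | 'Warning'
  ruleInfo: string;
}

interface GateResult {
  failures: string[];   // reasons the job must fail
  warnings: string[];   // surfaced but non-blocking
  suppressed: number;   // total suppressions seen (good and bad)
}

// Justifications that say nothing. Anything matching these, or shorter than
// minReasonLength, fails the gate even though cdk-nag itself accepted it.
const GENERIC_REASON = /^(n\/a|na|none|todo|tbd|temp(orary)?|fix(ed)? later|false positive)$/i;

function gateNagReport(reportJson: string, minReasonLength = 15): GateResult {
  const report = JSON.parse(reportJson) as { lines: NagReportLine[] };
  const result: GateResult = { failures: [], warnings: [], suppressed: 0 };

  for (const line of report.lines) {
    const where = `${line.ruleId} on ${line.resourceId}`;
    switch (line.compliance) {
      case 'Non-Compliant':
        // Error-level rules block the pipeline; warning-level rules are reported only.
        (line.ruleLevel === 'Error' ? result.failures : result.warnings)
          .push(`non-compliant: ${where}`);
        break;
      case 'UNKNOWN':
        // The rule threw while evaluating, so the resource was NOT checked.
        // Treat "unchecked" as a failure rather than as a silent pass.
        result.failures.push(`rule error, resource unchecked: ${where}`);
        break;
      case 'Suppressed': {
        result.suppressed += 1;
        const reason = line.exceptionReason.trim();
        if (reason.length < minReasonLength || GENERIC_REASON.test(reason)) {
          result.failures.push(`suppression without justification: ${where} ("${reason}")`);
        }
        break;
      }
      default:
        break; // 'Compliant' (or anything else the report marks as not applicable)
    }
  }
  return result;
}

function exitCodeFor(result: GateResult): number {
  return result.failures.length > 0 ? 1 : 0;
}

function formatSummary(result: GateResult): string {
  return [
    ...result.failures.map((f) => `FAIL  ${f}`),
    ...result.warnings.map((w) => `WARN  ${w}`),
    `${result.failures.length} failure(s), ${result.warnings.length} warning(s), ${result.suppressed} suppression(s)`,
  ].join('\n');
}

// Constructed sample report for the example (shape assumed, see lead-in).
const SAMPLE_REPORT = JSON.stringify({
  lines: [
    { ruleId: 'HIPAA.Security-S3BucketLoggingEnabled', resourceId: 'PhiStack/PhiBucket/Resource',
      compliance: 'Non-Compliant', exceptionReason: 'N/A', ruleLevel: 'Error',
      ruleInfo: 'The S3 Bucket does not have server access logs enabled.' },
    { ruleId: 'HIPAA.Security-S3BucketReplicationEnabled', resourceId: 'PhiStack/PhiBucket/Resource',
      compliance: 'Non-Compliant', exceptionReason: 'N/A', ruleLevel: 'Warning',
      ruleInfo: 'The S3 Bucket does not have replication enabled.' },
    { ruleId: 'HIPAA.Security-S3BucketLoggingEnabled', resourceId: 'PhiStack/AccessLogs/Resource',
      compliance: 'Suppressed', ruleLevel: 'Error', ruleInfo: 'The S3 Bucket does not have server access logs enabled.',
      exceptionReason: 'This is the access-log target bucket; logging it to itself would be circular.' },
    { ruleId: 'HIPAA.Security-S3BucketVersioningEnabled', resourceId: 'PhiStack/AccessLogs/Resource',
      compliance: 'Suppressed', exceptionReason: 'TODO', ruleLevel: 'Error',
      ruleInfo: 'The S3 Bucket does not have versioning enabled.' },
    { ruleId: 'HIPAA.Security-S3BucketPublicReadProhibited', resourceId: 'PhiStack/PhiBucket/Resource',
      compliance: 'Compliant', exceptionReason: 'N/A', ruleLevel: 'Error',
      ruleInfo: 'The S3 Bucket does not prohibit public read access.' },
    { ruleId: 'HIPAA.Security-EC2InstanceDetailedMonitoringEnabled', resourceId: 'PhiStack/Worker/Resource',
      compliance: 'UNKNOWN', exceptionReason: 'N/A', ruleLevel: 'Error',
      ruleInfo: 'The EC2 instance does not have detailed monitoring enabled.' },
  ],
});

console.log(formatSummary(gateNagReport(SAMPLE_REPORT)));
```

In a pipeline, run `cdk synth`, read each `*-NagReport.json` under `cdk.out` with `fs.readFileSync`, pass the contents to `gateNagReport`, and `process.exit(exitCodeFor(result))`; the summary lines are what you post back to the pull request.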
The savings only begin there. Besides the HIPAA Security pack used here, cdk-nag ships rule packs out of the box for
- AWS Solutions (general AWS best practices)
- NIST 800-53 rev 4
- NIST 800-53 rev 5
- PCI DSS 3.2.1

as well as the ability to build your own.
Don't want developers deploying g6e.24xlarge instances to run the latest LLM? You can write a rule for that. The built-in packs alone offer a large return for very little upfront investment, and the return grows further when you invest engineering time in shaping what your cloud can and cannot look like.
If you enjoyed this or found it helpful in any way, please consider a free subscription.