Skip to content

Cdk Graph Threat Composer Plugin

experimental API Documentation Source Code

This plugin generates Threat Composer threat models, utilizing the cdk-graph framework.

threat-composer

Quick Start

// bin/app.ts

// Must wrap cdk app with async IIFE function to enable async cdk-graph report
(async () => {
  const app = PDKNag.app();
  // ... add stacks, etc
  const graph = new CdkGraph(app, {
    plugins: [
      // Configure the plugin
      new CdkGraphThreatComposerPlugin({
        applicationDetails: {
          name: "My Application"
        },
      }),
    ],
  });

  app.synth();

  // async cdk-graph reporting hook
  await graph.report();
})();

// => cdk.out/cdkgraph/threat-model.tc.json

Warning

This plugin must be used in tandem with pdk-nag, using PDKNag.app()

This plugin currently only supports async report() generation following the above example. Make sure to wrap the cdk app with async IIFE.

How it Works

This plugin uses the CDK Nag findings from your pdk-nag app to generate a starter Threat Composer threat model for you.

Upon configuring the plugin and synthesizing CDK, you'll find a cdk.out/cdkgraph/threat-composer.tc.json file in your project. You can import this into the Threat Composer tool to view and edit your threat model.

Note

The generated threat model is not complete, however it provides a good starting point for you to consider possible threats to your application and how they are mitigated.

After editing your threat model, it's recommended that you manage it as part of your codebase by checking it into version control.

This plugin generates the threat model based on a hand-crafted mapping of CDK Nag rules to the threats which they intend to mitigate.

Architecture Diagram

Specify this plugin after the CDK Graph Diagram Plugin to automatically include a generated architecture diagram in your threat model.

(async () => {
  const app = PDKNag.app();
  // ... add stacks, etc
  const graph = new CdkGraph(app, {
    plugins: [
      new CdkGraphDiagramPlugin(),
      // Configure the plugin after the cdk graph diagram plugin
      new CdkGraphThreatComposerPlugin(),
    ],
  });

  app.synth();

  await graph.report();
})();

Last update: 2024-12-20