add support for excluding custom resource Lambda functions from Inspector scans #26028
Comments
@pahud Adding tags (which are implemented as an aspect) to resources via an aspect does not work that well in general. And even if we tried to do that I don't know how we could distinguish the CDK-backed lambda functions from our own.

Can you expand on this?

@peterwoodworth During synthesis, it recurses through the construct tree, and for each node first fetches the list of aspects and then applies them all by calling their
(referenced code: aws-cdk/packages/aws-cdk-lib/core/lib/private/synthesis.ts, lines 238 to 243 in 133c9b5)

By the way, the fact that this situation isn't supported is one of the more frustrating parts of attempting to use aspects for anything.
Describe the feature
AWS Inspector costs 30 cents per month per Lambda for standard scanning, and 60 cents per month per Lambda function for code scanning. Due to CDK's reliance on custom resources for several common features, such as setting the log group retention for a Lambda function, the number of CDK-owned functions that we don't care to scan can quickly add up, which adds to the Inspector bill.
AWS Inspector allows us to exclude specific Lambda functions from these scans by tagging them with InspectorExclusion=LambdaStandardScanning and InspectorCodeExclusion=LambdaCodeScanning. However, since CDK creates these custom resource Lambda functions behind the scenes, applying these tags is cumbersome.
Please add support for automatically including these tags on all custom resource Lambda functions that are created internally by CDK.
Use Case
See above.
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
2.74.0
Environment details (OS name and version, etc.)
Alpine 3.17
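As an added example (not code from the aws-cdk project or from anyone in this thread), the following TypeScript audits a synthesized CloudFormation template for Lambda functions that CDK created internally and that still lack the two Inspector exclusion tags the issue describes, and can add them to the template. It runs on a constructed sample template with no dependencies. The way it recognises CDK-internal functions is an assumption of this example: it looks at the `aws:cdk:path` metadata CDK writes on each resource for construct names used by CDK's own provider functions (`LogRetention`, `CustomResourceProvider`, the `framework-*` handlers), which is exactly the "distinguish CDK-backed functions from our own" problem raised above, so the marker list is a heuristic rather than a guarantee.

```typescript
// Added example (not from the aws-cdk project): find CDK-internal Lambda
// functions in a synthesized template that are still visible to Amazon
// Inspector, and optionally add the exclusion tags from the issue.

type Tag = { Key: string; Value: string };

interface CfnResource {
  Type: string;
  Properties?: { Tags?: Tag[]; [k: string]: unknown };
  Metadata?: { 'aws:cdk:path'?: string; [k: string]: unknown };
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

// Tag keys/values as described in the issue text.
const INSPECTOR_EXCLUSION_TAGS: Tag[] = [
  { Key: 'InspectorExclusion', Value: 'LambdaStandardScanning' },
  { Key: 'InspectorCodeExclusion', Value: 'LambdaCodeScanning' },
];

// ASSUMPTION of this example: construct-path fragments that CDK uses for its
// own custom resource provider functions. Extend for your stacks as needed.
const CDK_INTERNAL_PATH_MARKERS = [
  'LogRetention',           // log-retention custom resource provider
  'CustomResourceProvider', // core CustomResourceProvider-based providers
  'framework-onEvent',      // custom-resources Provider framework handlers
  'framework-isComplete',
  'framework-onTimeout',
];

function isCdkInternalFunction(logicalId: string, res: CfnResource): boolean {
  if (res.Type !== 'AWS::Lambda::Function') return false;
  // Fall back to the logical ID when CDK path metadata has been stripped.
  const path = res.Metadata?.['aws:cdk:path'] ?? logicalId;
  return CDK_INTERNAL_PATH_MARKERS.some((marker) => path.includes(marker));
}

function hasTag(res: CfnResource, tag: Tag): boolean {
  return (res.Properties?.Tags ?? []).some((t) => t.Key === tag.Key && t.Value === tag.Value);
}

// Logical IDs of CDK-internal functions that Inspector would still scan.
function findUnexcludedInternalFunctions(tpl: CfnTemplate): string[] {
  return Object.entries(tpl.Resources)
    .filter(([id, res]) => isCdkInternalFunction(id, res))
    .filter(([, res]) => !INSPECTOR_EXCLUSION_TAGS.every((tag) => hasTag(res, tag)))
    .map(([id]) => id);
}

// Copy of the template with both exclusion tags on every CDK-internal function.
// Idempotent: existing tags are preserved and never duplicated.
function applyExclusionTags(tpl: CfnTemplate): CfnTemplate {
  const out: CfnTemplate = JSON.parse(JSON.stringify(tpl));
  for (const [id, res] of Object.entries(out.Resources)) {
    if (!isCdkInternalFunction(id, res)) continue;
    res.Properties = res.Properties ?? {};
    res.Properties.Tags = res.Properties.Tags ?? [];
    for (const tag of INSPECTOR_EXCLUSION_TAGS) {
      if (!hasTag(res, tag)) res.Properties.Tags.push({ ...tag });
    }
  }
  return out;
}

// Constructed sample template in the shape of CDK output; IDs and paths are
// invented for this example (the LogRetention hash mimics CDK's singleton ID).
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    OrdersHandlerA1B2C3: {
      Type: 'AWS::Lambda::Function',
      Properties: { Runtime: 'nodejs18.x', Handler: 'index.handler' },
      Metadata: { 'aws:cdk:path': 'OrdersStack/OrdersHandler/Resource' },
    },
    LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aFD4BFC8A: {
      Type: 'AWS::Lambda::Function',
      Properties: { Runtime: 'nodejs18.x', Handler: 'index.handler' },
      Metadata: { 'aws:cdk:path': 'OrdersStack/LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8a/Resource' },
    },
    BucketDeleterProviderHandler9D2E1F: {
      Type: 'AWS::Lambda::Function',
      // Only one of the two tags present: still billed for code scanning.
      Properties: { Tags: [{ Key: 'InspectorExclusion', Value: 'LambdaStandardScanning' }] },
      Metadata: { 'aws:cdk:path': 'OrdersStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler' },
    },
    OrdersTable0F1E2D: { Type: 'AWS::DynamoDB::Table' },
  },
};

console.log('Unexcluded CDK-internal functions:', findUnexcludedInternalFunctions(SAMPLE_TEMPLATE));
console.log('After tagging:', findUnexcludedInternalFunctions(applyExclusionTags(SAMPLE_TEMPLATE)));
```

Run it against the JSON in `cdk.out` after `cdk synth` to see which internal functions are still being billed; the tagging pass is the same decision a CDK Aspect would have to make, which is why the marker list, not the tagging itself, is the hard part of this request.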