Question #802
A developer is creating a serverless application using AWS CDK. The developer has initialized the project with the CDK CLI and needs to implement unit tests for the synthesized CloudFormation templates. Additionally, the developer must enforce compliance checks to verify that all resources adhere to organizational security standards before deployment.
Which combination of steps should the developer take to meet these requirements with MINIMAL effort? (Choose two.)
A. Develop a custom testing framework to parse the CDK-generated CloudFormation templates in the cdk.out directory. Integrate these tests into a CI/CD pipeline triggered on every repository commit.
B. Leverage the CDK assertions library to write unit tests validating resource properties using methods like 'haveResource' and 'haveResourceProperties'. Execute these tests automatically in a CI/CD pipeline after each code change.
C. Use CDK context parameters to define mandatory security settings. Configure the synthesis phase to abort if these parameters are missing from the cdk.out file.
D. Create a shell script to scan the CDK application codebase for specific AWS resource identifiers and security-related keywords. Generate an alert if any non-compliant configurations are detected.
E. Implement CDK Aspects to traverse the construct tree and validate security policies. Halt synthesis if any constructs fail to meet the required security criteria.
Explanation
Correct Answers:
- B: The CDK assertions library provides methods like haveResource and haveResourceProperties to validate CloudFormation resource properties programmatically. Integrating these tests into CI/CD ensures automated validation after code changes, aligning with unit testing requirements.
- E: CDK Aspects allow traversal of the construct tree to validate security policies during synthesis. Halting synthesis on failure ensures compliance before deployment, meeting organizational security standards.
Why Other Options Are Incorrect:
- A: Building a custom testing framework is redundant and effort-intensive since CDK already provides built-in testing tools.
- C: CDK context parameters are for runtime configuration, not security compliance. Missing parameters do not inherently validate resource properties.
- D: Scanning code for keywords is unreliable and does not validate actual synthesized templates or resource configurations.
Key Points:
- Use CDK's native tools (assertions library, Aspects) for testing and compliance.
- Integrate automated checks into CI/CD pipelines for efficiency.
- Validate constructs during synthesis to enforce security policies early.
Answer
The correct answer is: BE
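As an added example (not code from the exam or from the CDK project), the TypeScript below mirrors the two mechanisms the correct answers rely on without depending on aws-cdk-lib, so it runs offline: a subset-matching check with the semantics of the assertions library's Template.hasResourceProperties (option B spells it haveResourceProperties), and an Aspect-style per-resource policy walk that fails synthesis when an S3 bucket has no encryption configured. The helper names and the sample template are constructed for this example.

```typescript
// Added example (not the exam's or AWS CDK's own code): a self-contained stand-in for
// the two checks the answer describes, run over a constructed cdk.out-style template.
type Json = any;
interface CfnResource { Type: string; Properties?: Record<string, Json> }
interface CfnTemplate { Resources: Record<string, CfnResource> }
// Constructed sample: one KMS-encrypted bucket and one with no encryption at all.
const sampleTemplate: CfnTemplate = {
  Resources: {
    LogsBucket: { Type: "AWS::S3::Bucket", Properties: {
      BucketEncryption: { ServerSideEncryptionConfiguration: [
        { ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] } } },
    ScratchBucket: { Type: "AWS::S3::Bucket", Properties: {} },
  },
};
// Subset match, as hasResourceProperties does by default: every key in `expected` must
// appear in `actual` with an equal value; objects recurse, arrays match element-wise.
function isSubset(expected: Json, actual: Json): boolean {
  if (expected === null || typeof expected !== "object") return expected === actual;
  if (actual === null || typeof actual !== "object") return false;
  if (Array.isArray(expected)) {
    return Array.isArray(actual) && expected.length === actual.length &&
      expected.every((e: Json, i: number) => isSubset(e, actual[i]));
  }
  return Object.keys(expected).every((k) => k in actual && isSubset(expected[k], actual[k]));
}
// Unit-test style check: some resource of `type` carries properties matching `props`.
function hasResourceProperties(t: CfnTemplate, type: string, props: Json): boolean {
  return Object.values(t.Resources).some(
    (r) => r.Type === type && isSubset(props, r.Properties ?? {}));
}
// A compliance rule in the spirit of an Aspect's visit(): one call per resource.
type Rule = (id: string, r: CfnResource) => string | undefined;
const requireBucketEncryption: Rule = (id, r) =>
  r.Type === "AWS::S3::Bucket" && !r.Properties?.BucketEncryption
    ? `${id}: S3 bucket must define BucketEncryption` : undefined;
// Visit every resource and collect violations.
function enforce(t: CfnTemplate, rules: Rule[]): string[] {
  const errors: string[] = [];
  for (const [id, r] of Object.entries(t.Resources))
    for (const rule of rules) { const e = rule(id, r); if (e) errors.push(e); }
  return errors;
}
// Throwing here is the "halt synthesis" step: nothing reaches deployment while errors exist.
function synthOrFail(t: CfnTemplate, rules: Rule[]): CfnTemplate {
  const errors = enforce(t, rules);
  if (errors.length) throw new Error(`Compliance check failed:\n${errors.join("\n")}`);
  return t;
}
```

In a real CDK project the same two checks are `Template.fromStack(stack).hasResourceProperties(...)` in the unit test and an `IAspect` registered with `Aspects.of(stack).add(...)` that reports via `Annotations.of(node).addError(...)`, which makes `cdk synth` fail.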