Claude Code for CDK Nag Policy Workflow Guide
AWS CDK Nag is an essential tool for enforcing security, governance, and best-practice policies on your cloud infrastructure. When combined with Claude Code, it becomes a powerful automation pipeline for catching compliance issues before they reach production. This guide shows you how to integrate Claude Code with CDK Nag workflows to streamline policy enforcement across your infrastructure-as-code projects.
Understanding CDK Nag and Its Role in Infrastructure Security
CDK Nag (Cloud Development Kit Nag) extends the AWS CDK by analyzing your infrastructure stacks against predefined security and compliance rules. It works with well-known frameworks like AWS Foundational Security Best Practices (FSBP), PCI DSS, and HIPAA, catching issues like overly permissive IAM policies, unencrypted storage, or exposed resources early in the development cycle.
Claude Code can dramatically improve your CDK Nag workflow by automating the interpretation of scan results, suggesting fixes, and even generating corrected code. Instead of manually reviewing each warning, you let Claude handle the repetitive analysis while you focus on architectural decisions.
Setting Up Your CDK Nag Workflow with Claude Code
Before integrating Claude Code into your workflow, ensure your CDK project has Nag scanning configured. Install the necessary packages:
npm install @aws-cdk/nag aws-cdk-lib
Create a simple CDK stack and add Nag suppression:
import * as cdk from 'aws-cdk-lib';
import * as nag from '@aws-cdk/nag';
export class MyStack extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Your resources here
const bucket = new s3.Bucket(this, 'DataBucket', {
encryption: s3.BucketEncryption.S3_MANAGED,
});
// Apply Nag checks
nag.NagPack.addIncludeSuppressions(
[{ id: 'AwsSolutions-S1', reason: 'Bucket is for demo purposes' }]
);
// Run Nag after stack synthesis
Aspects.of(this).add(new nag.NagSuppressions.AwsSolutionsSuppressions());
}
}
Now when you run cdk synth, Nag will flag violations and you can feed those results directly to Claude Code for remediation guidance.
Automating Policy Analysis with Claude Code
When CDK Nag reports violations, the output can be overwhelming—especially for large stacks with dozens of resources. Claude Code excels at parsing these results and explaining each issue in developer-friendly terms. Here’s a practical workflow:
First, capture your Nag output:
cdk synth > /tmp/stack-output.yml
cdk nag scan --output-file /tmp/nag-results.json
Now invoke Claude Code with the results:
Read /tmp/nag-results.json and explain each security finding in plain language. For each issue, provide the specific code fix needed to resolve it, with before and after examples using the existing stack pattern.
Claude will analyze each violation, explain the security risk, and provide concrete remediation code. This transforms dense JSON output into actionable fixes.
Creating a Custom Claude Skill for CDK Nag
For teams working extensively with CDK, creating a dedicated skill for Nag workflows pays dividends. A custom skill can standardize how Claude responds to infrastructure policy issues:
---
name: cdk-nag-helper
description: Analyzes CDK Nag results and generates remediation code for security and compliance violations
---
You are a CDK infrastructure security expert. When analyzing Nag results:
1. Prioritize findings by severity (Critical > High > Medium > Informational)
2. For each finding, provide: the rule violated, security implication, and exact code fix
3. Use the existing stack's import patterns and follow team conventions
4. Never suppress findings without explaining why suppression is acceptable
5. When suggesting IAM policy changes, apply least-privilege principles
Output format for each finding:
- Rule ID: [id]
- Severity: [level]
- Explanation: [plain-language security context]
- Fix: [before/after code comparison]
Save this as ~/.claude/skills/cdk-nag-helper/skill.md and invoke it whenever you need Nag analysis.
Integrating CDK Nag into Your CI/CD Pipeline with Claude
Automated policy enforcement only works when integrated into your continuous deployment process. Combine CDK Nag with Claude Code in your pipeline to ensure no non-compliant infrastructure reaches production:
# .github/workflows/cdk-deploy.yml
name: CDK Deploy with Policy Checks
on: [push, pull_request]
jobs:
nag-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npx cdk synth
- name: Run CDK Nag
run: |
npx cdk nag scan --output-file nag-results.json
- name: Claude Code Analysis
run: |
claude read nag-results.json
claude "Analyze these CDK Nag findings and generate a summary report
with severity breakdown and recommended fixes. Format as markdown."
- name: Fail on critical violations
if: failure()
run: echo "Critical security violations must be resolved"
This workflow ensures every deployment passes through policy review, with Claude generating human-readable reports for your team.
Handling Common CDK Nag Patterns
Certain violations recur frequently across CDK projects. Claude Code can recognize these patterns and provide pre-built solutions:
S3 Bucket Public Access: Common in development, problematic in production. Claude suggests bucket policies restricting public access while preserving legitimate use cases.
Overly Permissive IAM Roles: Claude applies least-privilege principles to trim excessive permissions, often referencing service-specific action sets.
Unencrypted Resources: For databases and storage, Claude generates encryption-at-rest configurations using your team’s preferred KMS keys.
Missing Logging: For resources like API Gateways or load balancers, Claude ensures proper CloudWatch logging is configured.
When explaining these fixes, Claude contextualizes each change against compliance frameworks—useful for teams needing to demonstrate adherence to auditors.
Best Practices for CDK Nag Workflows
Working effectively with CDK Nag and Claude requires establishing good habits early:
Scan Early, Scan Often: Run Nag locally before pushing commits. Claude can help you set up pre-commit hooks that run cdk nag scan automatically.
Suppress Strategically: Sometimes Nag warnings are false positives for your use case. Document why each suppression is acceptable—Claude can help draft these justifications for your team.
Version Your Suppressions: Keep suppression files in version control. This prevents accumulated technical debt and makes onboarding easier.
Use Suppression Packs: Group suppressions by category (security, operational, compliance) to make reviews cleaner.
Conclusion
Integrating Claude Code with CDK Nag transforms policy compliance from a manual chore into an automated, developer-friendly process. By letting Claude interpret scan results, generate remediation code, and enforce consistent standards, your team catches security issues earlier and spends less time on repetitive fixes. The combination of automated scanning and intelligent analysis ensures your infrastructure stays compliant while maintaining development velocity.
Start by running Nag on your existing CDK stacks and feed the results to Claude. Even a quick “explain these findings” query reveals the immediate value—and from there, you can build toward full pipeline integration with custom skills tailored to your organization’s policies.
Related Reading
- Claude Code for Beginners: Complete Getting Started Guide
- Best Claude Skills for Developers in 2026
- Claude Skills Guides Hub
Built by theluckystrike — More at zovo.one