
bug: CDK NAG Suppression fails for DynamoDB with replication regions for Global Tables #1464

Closed
mssanjay opened this issue Oct 4, 2023 · 2 comments
Labels
guidance Question that needs advice or information.

Comments

@mssanjay

mssanjay commented Oct 4, 2023

What is the problem?

Hi,
I have a global table with replication regions specified. When NAGs are applied, the CDK NAG validation fails with below error

@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine/Role/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::<ProviderframeworkonTimeout0B47CA38.Arn>:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.

My Global DDB table code is as follows. If I comment out replicationRegions I don't get any error. What is the problem here?

    import * as ddb from 'aws-cdk-lib/aws-dynamodb'; // CDK v2 import path

    // Runs inside the Stack constructor, so `this` is the stack and `id` its construct id.
    const replicationRegions = ['us-east-2'];
    const auditTable = new ddb.Table(this, 'codes-audit-table', {
        partitionKey: { name: 'PK', type: ddb.AttributeType.STRING },
        sortKey: { name: 'SK', type: ddb.AttributeType.STRING },
        billingMode: ddb.BillingMode.PAY_PER_REQUEST,
        tableName: `${id}-codes-audit-table`,
        encryption: ddb.TableEncryption.AWS_MANAGED,
        timeToLiveAttribute: 'expiresAt',
        // Replicas are provisioned by a CDK-generated ReplicaProvider nested stack.
        replicationRegions,
    });

Reproduction Steps

    import * as ddb from 'aws-cdk-lib/aws-dynamodb'; // CDK v2 import path

    // Runs inside the Stack constructor, so `this` is the stack and `id` its construct id.
    const replicationRegions = ['us-east-2'];
    const auditTable = new ddb.Table(this, 'codes-audit-table', {
        partitionKey: { name: 'PK', type: ddb.AttributeType.STRING },
        sortKey: { name: 'SK', type: ddb.AttributeType.STRING },
        billingMode: ddb.BillingMode.PAY_PER_REQUEST,
        tableName: `${id}-codes-audit-table`,
        encryption: ddb.TableEncryption.AWS_MANAGED,
        timeToLiveAttribute: 'expiresAt',
        // Replicas are provisioned by a CDK-generated ReplicaProvider nested stack.
        replicationRegions,
    });

What did you expect to happen?

No CDK Nag errors should be reported when the suppressions below are added.

    import { NagSuppressions } from 'cdk-nag';

    // dataStack is the Stack that owns the table (declared elsewhere in the reporter's app).
    NagSuppressions.addStackSuppressions(
      dataStack,
      [
        { id: 'AwsSolutions-IAM4', reason: 'Allow the use of AWS managed policies.' },
        { id: 'AwsSolutions-IAM5', reason: 'Suppress roles/policies with wildcard permissions since some wildcard permissions are needed.' },
        { id: 'AwsSolutions-S1', reason: 'S3 Server access logs not to be enabled at this time.' },
        { id: 'AwsSolutions-DDB3', reason: 'DDB point-in-time recovery not to be enabled at this time.' }
      ]
    );

What actually happened?

I see errors

/@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine/Role/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::<ProviderframeworkonTimeout0B47CA38.Arn>:*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission.

cdk-nag version

2.27.150

Language

Typescript

Other information

No response

@mssanjay mssanjay added the bug (Something isn't working) and needs-triage (This issue or PR still needs to be triaged.) labels Oct 4, 2023
@dontirun
Collaborator

dontirun commented Oct 4, 2023

Based on the error message it looks like the CDK is creating a different stack behind the scenes to add some replication resources.

See this comment for suppressing on CDK generated stacks

@dontirun dontirun added the guidance (Question that needs advice or information.) label and removed the bug (Something isn't working) and needs-triage (This issue or PR still needs to be triaged.) labels Oct 4, 2023
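What the explanation above implies in practice, as an added example that is not cdk-nag's or the reporter's code: stack-level suppressions are scoped to one Stack, and the replica provider lives in a CDK-generated nested stack, so the suppressions have to reach every stack in the construct tree. The walker below runs without aws-cdk-lib; Stack.isStack and NagSuppressions.addStackSuppressions are the real calls assumed for its two callbacks, and the sample tree is constructed.

```typescript
// Added example, not cdk-nag's or the reporter's code. It works on a minimal
// structural shape of the constructs tree so it runs without aws-cdk-lib; in a
// real app pass Stack.isStack as isStack and
// (s) => NagSuppressions.addStackSuppressions(s, suppressions) as apply.
interface ConstructLike {
  node: { id: string; path: string; children: ConstructLike[] };
}
interface NagSuppression { id: string; reason: string }

// Depth-first walk: every construct for which isStack() is true, nested stacks included.
function findAllStacks(root: ConstructLike, isStack: (c: ConstructLike) => boolean): ConstructLike[] {
  const found: ConstructLike[] = [];
  const visit = (c: ConstructLike): void => {
    if (isStack(c)) found.push(c);
    c.node.children.forEach(visit);
  };
  visit(root);
  return found;
}

// Apply the same suppressions to every stack under root and return the paths
// that received them, so a test or log line can confirm the generated nested
// stack was covered, not only the stack the suppressions were written for.
function suppressOnAllStacks(
  root: ConstructLike,
  suppressions: NagSuppression[],
  isStack: (c: ConstructLike) => boolean,
  apply: (stack: ConstructLike, s: NagSuppression[]) => void,
): string[] {
  const stacks = findAllStacks(root, isStack);
  stacks.forEach((s) => apply(s, suppressions));
  return stacks.map((s) => s.node.path);
}

// Constructed sample tree mirroring the reporter's layout: one stack holding the table
// plus the generated replica-provider nested stack whose role produced the IAM5 finding.
function buildSampleTree(): { root: ConstructLike; stackPaths: Set<string> } {
  const leaf = (path: string): ConstructLike =>
    ({ node: { id: path.split('/').pop() as string, path, children: [] } });
  const nestedPath = 'DataStack/@aws-cdk--aws-dynamodb.ReplicaProvider';
  const nested: ConstructLike = { node: {
    id: '@aws-cdk/aws-dynamodb.ReplicaProvider', path: nestedPath,
    children: [leaf(`${nestedPath}/Provider/waiter-state-machine/Role`)] } };
  const dataStack: ConstructLike = { node: {
    id: 'DataStack', path: 'DataStack',
    children: [leaf('DataStack/codes-audit-table'), nested] } };
  const root: ConstructLike = { node: { id: 'App', path: '', children: [dataStack] } };
  return { root, stackPaths: new Set(['DataStack', nestedPath]) };
}
```

Applying the suppressions only to `dataStack` is the reporter's situation: the walker's predicate then matches one stack and the nested ReplicaProvider stack is never touched.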
@mssanjay
Author

mssanjay commented Oct 6, 2023

Thanks for the explanation!

@mssanjay mssanjay closed this as completed Oct 6, 2023