import { Construct } from 'constructs';
import { ManagedRule, ManagedRuleIdentifiers, ResourceType, RuleProps, RuleScope } from './rule';
import * as iam from '../../aws-iam';
import * as sns from '../../aws-sns';
import { Duration, Lazy, Stack } from '../../core';
/**
 * Construction properties for a AccessKeysRotated
 */
export interface AccessKeysRotatedProps extends RuleProps {
  /**
   * The maximum number of days within which the access keys must be rotated.
   *
   * When omitted, `AccessKeysRotated` sends no `maxAccessKeyAge` input parameter
   * and the AWS Config managed rule applies its own default. The value is
   * converted with `Duration.toDays()`, so it should represent whole days.
   *
   * @default Duration.days(90)
   */
  readonly maxAge?: Duration;
}
/**
 * Checks whether the active access keys are rotated within the number of days
 * specified in `maxAge`.
 *
 * The rule is a thin wrapper around the `ACCESS_KEYS_ROTATED` managed rule
 * identifier; the only input parameter it forwards is `maxAccessKeyAge`, and
 * only when `maxAge` was supplied.
 *
 * @see https://docs.aws.amazon.com/config/latest/developerguide/access-keys-rotated.html
 *
 * @resource AWS::Config::ConfigRule
 */
export class AccessKeysRotated extends ManagedRule {
  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props rule properties; `maxAge` sets the rotation window in days
   */
  constructor(scope: Construct, id: string, props: AccessKeysRotatedProps = {}) {
    // Empty object (not undefined) when no window was given, matching the managed-rule contract.
    const inputParameters = props.maxAge
      ? { maxAccessKeyAge: props.maxAge.toDays() }
      : {};

    super(scope, id, {
      ...props,
      identifier: ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
      inputParameters,
    });
  }
}
/**
 * Construction properties for a CloudFormationStackDriftDetectionCheck
 */
export interface CloudFormationStackDriftDetectionCheckProps extends RuleProps {
  /**
   * Whether to check only the stack where this rule is deployed.
   *
   * When `true`, the rule scope is narrowed to the id of the stack the rule
   * is created in; otherwise every CloudFormation stack is in scope.
   *
   * @default false
   */
  readonly ownStackOnly?: boolean;

  /**
   * The IAM role to use for this rule. It must have permissions to detect drift
   * for AWS CloudFormation stacks. Ensure to attach `config.amazonaws.com` trusted
   * permissions and `ReadOnlyAccess` policy permissions. For specific policy permissions,
   * refer to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html.
   *
   * The role created by default attaches the AWS managed `ReadOnlyAccess`
   * policy, which is broad. Supply your own role here to grant only the
   * permissions drift detection needs for the stacks in scope.
   *
   * @default - A role will be created
   */
  readonly role?: iam.IRole;
}
/**
 * Checks whether your CloudFormation stacks' actual configuration differs, or
 * has drifted, from its expected configuration.
 *
 * AWS Config assumes an IAM role to run drift detection; its ARN is passed to
 * the managed rule as `cloudformationRoleArn`. If `props.role` is not given,
 * a role trusted by `config.amazonaws.com` with the AWS managed
 * `ReadOnlyAccess` policy is created. That policy is broad; pass a narrower
 * role when least privilege matters.
 *
 * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-drift-detection-check.html
 *
 * @resource AWS::Config::ConfigRule
 */
export class CloudFormationStackDriftDetectionCheck extends ManagedRule {
  /** The role whose ARN is handed to AWS Config; assigned after `super()` returns. */
  private readonly role: iam.IRole;

  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props rule properties; see `CloudFormationStackDriftDetectionCheckProps`
   */
  constructor(scope: Construct, id: string, props: CloudFormationStackDriftDetectionCheckProps = {}) {
    super(scope, id, {
      ...props,
      identifier: ManagedRuleIdentifiers.CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK,
      inputParameters: {
        // `this.role` does not exist yet while super() runs, so resolve it lazily at synthesis.
        cloudformationRoleArn: Lazy.string({ produce: () => this.role.roleArn }),
      },
    });

    // Default role: trusted by AWS Config and granted the managed ReadOnlyAccess policy.
    const defaultRole = () => new iam.Role(this, 'Role', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess'),
      ],
    });
    this.role = props.role || defaultRole();

    // Restrict to this stack only when asked; an undefined resource id covers all stacks.
    const stackIdentifier = props.ownStackOnly ? Stack.of(this).stackId : undefined;
    this.ruleScope = RuleScope.fromResource(ResourceType.CLOUDFORMATION_STACK, stackIdentifier);
  }
}
/**
 * Construction properties for a CloudFormationStackNotificationCheck.
 */
export interface CloudFormationStackNotificationCheckProps extends RuleProps {
  /**
   * A list of allowed topics. At most 5 topics.
   *
   * Topics are forwarded to the managed rule positionally as the input
   * parameters `snsTopic1` through `snsTopic5`. Supplying more than 5 topics
   * throws an `Error` when the rule is constructed.
   *
   * @default - No topics.
   */
  readonly topics?: sns.ITopic[];
}
/**
 * Checks whether your CloudFormation stacks are sending event notifications to
 * a SNS topic. Optionally checks whether specified SNS topics are used.
 *
 * When `topics` is supplied, each topic ARN becomes an input parameter named
 * `snsTopic1` … `snsTopic5` in the order given; with no `topics` the rule is
 * created without input parameters.
 *
 * @see https://docs.aws.amazon.com/config/latest/developerguide/cloudformation-stack-notification-check.html
 *
 * @resource AWS::Config::ConfigRule
 */
export class CloudFormationStackNotificationCheck extends ManagedRule {
  /**
   * @param scope the construct scope
   * @param id the construct id
   * @param props rule properties; `topics` holds the allowed SNS topics (max 5)
   * @throws Error when more than 5 topics are given
   */
  constructor(scope: Construct, id: string, props: CloudFormationStackNotificationCheckProps = {}) {
    const allowedTopics = props.topics;

    // Validating before super() is legal here because only `props` is read, never `this`.
    if (allowedTopics !== undefined && allowedTopics.length > 5) {
      throw new Error('At most 5 topics can be specified.');
    }

    // Stays undefined when no topics were given; an empty list yields an empty object.
    let inputParameters: { [key: string]: string } | undefined;
    if (allowedTopics !== undefined) {
      const params: { [key: string]: string } = {};
      allowedTopics.forEach((topic, position) => {
        params[`snsTopic${position + 1}`] = topic.topicArn;
      });
      inputParameters = params;
    }

    super(scope, id, {
      ...props,
      identifier: ManagedRuleIdentifiers.CLOUDFORMATION_STACK_NOTIFICATION_CHECK,
      inputParameters,
      ruleScope: RuleScope.fromResources([ResourceType.CLOUDFORMATION_STACK]),
    });
  }
}