feat(sast): Add TS CDK policies 1

cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts

@@ -0,0 +1,17 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBDropHttpHeadersStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnLoadBalancer(this, { type: 'not_application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
+        new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'false', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
+        new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.disable', 'value': 'true'}], type: 'application' })
+        new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [], type: 'application' })
+    }
+}
+
+const app = new App();
+new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');

cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts

@@ -0,0 +1,17 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBDropHttpHeadersStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
+        new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
+        new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}], type: 'application' })
+        new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}], type: 'application' })
+    }
+}
+
+const app = new App();
+new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');

cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBListenerHTTPSStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnLoadBalancer(this, {})
+    }
+}
+
+const app = new App();
+new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');

cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts

@@ -0,0 +1,19 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBListenerHTTPSStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnLoadBalancer(this, {protocol: 'HTTPS'})
+        new elbv2.CfnLoadBalancer(this, {protocol: 'TLS'})
+        new elbv2.CfnLoadBalancer(this, {protocol: 'TCP'})
+        new elbv2.CfnLoadBalancer(this, {protocol: 'UDP'})
+        new elbv2.CfnLoadBalancer(this, {protocol: 'TCP_UDP'})
+        new elbv2.CfnLoadBalancer(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
+    }
+}
+
+const app = new App();
+new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');

cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { apigateway as api } from 'aws-cdk-lib';
+
+class APIGatewayAccessLoggingStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new api.CfnStage(this, {})
+    }
+}
+
+const app = new App();
+new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');

cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { apigateway as api } from 'aws-cdk-lib';
+
+class APIGatewayAccessLoggingStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new api.CfnStage(this, { accessLogSetting: { destinationArn: "1" }} )
+    }
+}
+
+const app = new App();
+new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');

cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayCacheEnableStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.Stage(this, {})
+    }
+}
+
+const app = new App();
+new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');

cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts

@@ -0,0 +1,13 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayCacheEnableStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+        new elbv2.Stage(this, { cacheClusterEnabled: true} )
+    }
+}
+
+const app = new App();
+new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');

cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayV2AccessLoggingStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnApi(this, {})
+    }
+}
+
+const app = new App();
+new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');

cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayV2AccessLoggingStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnApi(this, {accessLogSettings: {destinationArn: "1"}})
+    }
+}
+
+const app = new App();
+new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');

cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts

@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayXrayStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnStage(this, {})
+        new elbv2.CfnStage(this, {tracingEnabled: false})
+    }
+}
+
+const app = new App();
+new APIGatewayXrayStack(app, 'APIGatewayXrayStack');

cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayXrayStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnStage(this, {tracingEnabled: true})
+    }
+}
+
+const app = new App();
+new APIGatewayXrayStack(app, 'APIGatewayXrayStack');

cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts

@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AmazonMQBrokerPublicAccessStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnBroker(this, {})
+        new elbv2.CfnBroker(this, {publiclyAccessible: false})
+    }
+}
+
+const app = new App();
+new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');

cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AmazonMQBrokerPublicAccessStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnBroker(this, {publiclyAccessible: true})
+    }
+}
+
+const app = new App();
+new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');

cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts

@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AuroraEncryptionStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnDBCluster(this, {})
+        new elbv2.CfnDBCluster(this, {storageEncrypted: false})
+    }
+}
+
+const app = new App();
+new AuroraEncryptionStack(app, 'AuroraEncryptionStack');

cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AuroraEncryptionStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnDBCluster(this, {storageEncrypted: true})
+    }
+}
+
+const app = new App();
+new AuroraEncryptionStack(app, 'AuroraEncryptionStack');

cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts

@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class BackupVaultEncryptedStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnBackupVault(this, {})
+        new elbv2.CfnBackupVault(this, {encryptionKeyArn: false})
+    }
+}
+
+const app = new App();
+new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');

cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class BackupVaultEncryptedStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnBackupVault(this, {encryptionKeyArn: true})
+    }
+}
+
+const app = new App();
+new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');

cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts

@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class CloudTrailLogValidationStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnTrail(this, {})
+        new elbv2.CfnTrail(this, {enableLogFileValidation: false})
+    }
+}
+
+const app = new App();
+new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');

cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts

@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class CloudTrailLogValidationStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        new elbv2.CfnTrail(this, {enableLogFileValidation: true})
+    }
+}
+
+const app = new App();
+new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');