diff --git a/API.md b/API.md
index ee6b4a7e..ac61ae9a 100644
--- a/API.md
+++ b/API.md
@@ -3472,6 +3472,352 @@ an AWS account.
---
+### AutomationDocument
+
+- *Implements:* cdk-extensions.ssm.IAutomationDocument
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+| arnForAutomationDefinitionVersion
| *No description.* |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+##### `arnForAutomationDefinitionVersion`
+
+```typescript
+public arnForAutomationDefinitionVersion(version: string): string
+```
+
+###### `version`Required
+
+- *Type:* string
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromManaged
| *No description.* |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.AutomationDocument.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.AutomationDocument.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.AutomationDocument.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromManaged`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.AutomationDocument.fromManaged(scope: IConstruct, id: string, managedDocumentName: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `managedDocumentName`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| content
| cdk-extensions.ssm.IDocumentContent
| *No description.* |
+| documentArn
| string
| *No description.* |
+| documentName
| string
| *No description.* |
+| requires
| cdk-extensions.ssm.DocumentRequirement[]
| *No description.* |
+| resource
| aws-cdk-lib.aws_ssm.CfnDocument
| *No description.* |
+| documentType
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| name
| string
| *No description.* |
+| targetType
| string
| *No description.* |
+| updateMethod
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| versionName
| string
| *No description.* |
+| automationDefinitionArn
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: IDocumentContent;
+```
+
+- *Type:* cdk-extensions.ssm.IDocumentContent
+
+---
+
+##### `documentArn`Required
+
+```typescript
+public readonly documentArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentName`Required
+
+```typescript
+public readonly documentName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `requires`Required
+
+```typescript
+public readonly requires: DocumentRequirement[];
+```
+
+- *Type:* cdk-extensions.ssm.DocumentRequirement[]
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnDocument;
+```
+
+- *Type:* aws-cdk-lib.aws_ssm.CfnDocument
+
+---
+
+##### `documentType`Optional
+
+```typescript
+public readonly documentType: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+##### `targetType`Optional
+
+```typescript
+public readonly targetType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `updateMethod`Optional
+
+```typescript
+public readonly updateMethod: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `versionName`Optional
+
+```typescript
+public readonly versionName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `automationDefinitionArn`Required
+
+```typescript
+public readonly automationDefinitionArn: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+| DEFAULT_SCHEMA_VERSION
| cdk-extensions.ssm.AutomationSchemaVersion
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
+##### `DEFAULT_SCHEMA_VERSION`Required
+
+```typescript
+public readonly DEFAULT_SCHEMA_VERSION: AutomationSchemaVersion;
+```
+
+- *Type:* cdk-extensions.ssm.AutomationSchemaVersion
+
+---
+
### AwsIntegratedFargateCluster
#### Initializers
@@ -12276,6 +12622,640 @@ public readonly MESSAGES_ENDPOINT: string;
---
+### Document
+
+#### Initializers
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+new ssm.Document(scope: IConstruct, id: string, props: DocumentProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.ssm.DocumentProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.ssm.DocumentProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.Document.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.Document.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.Document.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| content
| cdk-extensions.ssm.IDocumentContent
| *No description.* |
+| documentArn
| string
| *No description.* |
+| documentName
| string
| *No description.* |
+| requires
| cdk-extensions.ssm.DocumentRequirement[]
| *No description.* |
+| resource
| aws-cdk-lib.aws_ssm.CfnDocument
| *No description.* |
+| documentType
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| name
| string
| *No description.* |
+| targetType
| string
| *No description.* |
+| updateMethod
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| versionName
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: IDocumentContent;
+```
+
+- *Type:* cdk-extensions.ssm.IDocumentContent
+
+---
+
+##### `documentArn`Required
+
+```typescript
+public readonly documentArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentName`Required
+
+```typescript
+public readonly documentName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `requires`Required
+
+```typescript
+public readonly requires: DocumentRequirement[];
+```
+
+- *Type:* cdk-extensions.ssm.DocumentRequirement[]
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnDocument;
+```
+
+- *Type:* aws-cdk-lib.aws_ssm.CfnDocument
+
+---
+
+##### `documentType`Optional
+
+```typescript
+public readonly documentType: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+##### `targetType`Optional
+
+```typescript
+public readonly targetType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `updateMethod`Optional
+
+```typescript
+public readonly updateMethod: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `versionName`Optional
+
+```typescript
+public readonly versionName: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
+### DocumentBase
+
+- *Implements:* cdk-extensions.ssm.IDocument
+
+#### Initializers
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+new ssm.DocumentBase(scope: IConstruct, id: string, props: DocumentBaseProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.ssm.DocumentBaseProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.ssm.DocumentBaseProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentBase.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentBase.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentBase.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| content
| cdk-extensions.ssm.IDocumentContent
| *No description.* |
+| documentArn
| string
| *No description.* |
+| documentName
| string
| *No description.* |
+| requires
| cdk-extensions.ssm.DocumentRequirement[]
| *No description.* |
+| resource
| aws-cdk-lib.aws_ssm.CfnDocument
| *No description.* |
+| documentType
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| name
| string
| *No description.* |
+| targetType
| string
| *No description.* |
+| updateMethod
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| versionName
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: IDocumentContent;
+```
+
+- *Type:* cdk-extensions.ssm.IDocumentContent
+
+---
+
+##### `documentArn`Required
+
+```typescript
+public readonly documentArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentName`Required
+
+```typescript
+public readonly documentName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `requires`Required
+
+```typescript
+public readonly requires: DocumentRequirement[];
+```
+
+- *Type:* cdk-extensions.ssm.DocumentRequirement[]
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnDocument;
+```
+
+- *Type:* aws-cdk-lib.aws_ssm.CfnDocument
+
+---
+
+##### `documentType`Optional
+
+```typescript
+public readonly documentType: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+##### `targetType`Optional
+
+```typescript
+public readonly targetType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `updateMethod`Optional
+
+```typescript
+public readonly updateMethod: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `versionName`Optional
+
+```typescript
+public readonly versionName: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
### Echoserver
- *Implements:* aws-cdk-lib.aws_ec2.IConnectable, cdk-extensions.route53.IDnsResolvable
@@ -19669,6 +20649,936 @@ public readonly SEVERITIES: GuardDutySeverity[];
---
+### Hub
+
+- *Implements:* cdk-extensions.securityhub.IHub
+
+#### Initializers
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+new securityhub.Hub(scope: IConstruct, id: string, props?: HubProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.securityhub.HubProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Optional
+
+- *Type:* cdk-extensions.securityhub.HubProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromHubArn
| *No description.* |
+| fromHubAttributes
| *No description.* |
+| fromHubName
| *No description.* |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromHubArn`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.fromHubArn(scope: IConstruct, id: string, arn: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `arn`Required
+
+- *Type:* string
+
+---
+
+##### `fromHubAttributes`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.fromHubAttributes(scope: IConstruct, id: string, attrs: HubAttributes)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `attrs`Required
+
+- *Type:* cdk-extensions.securityhub.HubAttributes
+
+---
+
+##### `fromHubName`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Hub.fromHubName(scope: IConstruct, id: string, name: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `name`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| hubArn
| string
| *No description.* |
+| hubName
| string
| *No description.* |
+| resource
| aws-cdk-lib.aws_securityhub.CfnHub
| *No description.* |
+| autoEnableControls
| boolean
| *No description.* |
+| consolidatedFindings
| boolean
| *No description.* |
+| controlFindingGenerator
| cdk-extensions.securityhub.ControlFindingGenerator
| *No description.* |
+| enableDefaultStandards
| boolean
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `hubArn`Required
+
+```typescript
+public readonly hubArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `hubName`Required
+
+```typescript
+public readonly hubName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnHub;
+```
+
+- *Type:* aws-cdk-lib.aws_securityhub.CfnHub
+
+---
+
+##### `autoEnableControls`Optional
+
+```typescript
+public readonly autoEnableControls: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `consolidatedFindings`Optional
+
+```typescript
+public readonly consolidatedFindings: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `controlFindingGenerator`Optional
+
+```typescript
+public readonly controlFindingGenerator: ControlFindingGenerator;
+```
+
+- *Type:* cdk-extensions.securityhub.ControlFindingGenerator
+
+---
+
+##### `enableDefaultStandards`Optional
+
+```typescript
+public readonly enableDefaultStandards: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
+### IamPasswordPolicy
+
+#### Initializers
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+new config_rules.IamPasswordPolicy(scope: IConstruct, id: string, props: IamPasswordPolicyProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.config_rules.IamPasswordPolicyProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.config_rules.IamPasswordPolicyProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+| onComplianceChange
| Defines an EventBridge event rule which triggers for rule compliance events. |
+| onEvent
| Defines an EventBridge event rule which triggers for rule events. |
+| onReEvaluationStatus
| Defines an EventBridge event rule which triggers for rule re-evaluation status events. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+##### `onComplianceChange`
+
+```typescript
+public onComplianceChange(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule compliance events.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+##### `onEvent`
+
+```typescript
+public onEvent(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule events.
+
+Use
+`rule.addEventPattern(pattern)` to specify a filter.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+##### `onReEvaluationStatus`
+
+```typescript
+public onReEvaluationStatus(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule re-evaluation status events.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromConfigRuleName
| Imports an existing rule. |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.IamPasswordPolicy.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.IamPasswordPolicy.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.IamPasswordPolicy.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromConfigRuleName`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.IamPasswordPolicy.fromConfigRuleName(scope: Construct, id: string, configRuleName: string)
+```
+
+Imports an existing rule.
+
+###### `scope`Required
+
+- *Type:* constructs.Construct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `configRuleName`Required
+
+- *Type:* string
+
+the name of the rule.
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| configRuleArn
| string
| The arn of the rule. |
+| configRuleComplianceType
| string
| The compliance status of the rule. |
+| configRuleId
| string
| The id of the rule. |
+| configRuleName
| string
| The name of the rule. |
+| maxPasswordAge
| number
| *No description.* |
+| minimumPasswordLength
| number
| *No description.* |
+| passwordReusePrevention
| number
| *No description.* |
+| remediationConfiguration
| cdk-extensions.config.RemediationConfiguration
| *No description.* |
+| remediationPolicy
| aws-cdk-lib.aws_iam.ManagedPolicy
| *No description.* |
+| remediationRole
| aws-cdk-lib.aws_iam.Role
| *No description.* |
+| requireLowercaseCharacters
| boolean
| *No description.* |
+| requireNumbers
| boolean
| *No description.* |
+| requireSymbols
| boolean
| *No description.* |
+| requireUppercaseCharacters
| boolean
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `configRuleArn`Required
+
+```typescript
+public readonly configRuleArn: string;
+```
+
+- *Type:* string
+
+The arn of the rule.
+
+---
+
+##### `configRuleComplianceType`Required
+
+```typescript
+public readonly configRuleComplianceType: string;
+```
+
+- *Type:* string
+
+The compliance status of the rule.
+
+---
+
+##### `configRuleId`Required
+
+```typescript
+public readonly configRuleId: string;
+```
+
+- *Type:* string
+
+The id of the rule.
+
+---
+
+##### `configRuleName`Required
+
+```typescript
+public readonly configRuleName: string;
+```
+
+- *Type:* string
+
+The name of the rule.
+
+---
+
+##### `maxPasswordAge`Required
+
+```typescript
+public readonly maxPasswordAge: number;
+```
+
+- *Type:* number
+
+---
+
+##### `minimumPasswordLength`Required
+
+```typescript
+public readonly minimumPasswordLength: number;
+```
+
+- *Type:* number
+
+---
+
+##### `passwordReusePrevention`Required
+
+```typescript
+public readonly passwordReusePrevention: number;
+```
+
+- *Type:* number
+
+---
+
+##### `remediationConfiguration`Required
+
+```typescript
+public readonly remediationConfiguration: RemediationConfiguration;
+```
+
+- *Type:* cdk-extensions.config.RemediationConfiguration
+
+---
+
+##### `remediationPolicy`Required
+
+```typescript
+public readonly remediationPolicy: ManagedPolicy;
+```
+
+- *Type:* aws-cdk-lib.aws_iam.ManagedPolicy
+
+---
+
+##### `remediationRole`Required
+
+```typescript
+public readonly remediationRole: Role;
+```
+
+- *Type:* aws-cdk-lib.aws_iam.Role
+
+---
+
+##### `requireLowercaseCharacters`Required
+
+```typescript
+public readonly requireLowercaseCharacters: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireNumbers`Required
+
+```typescript
+public readonly requireNumbers: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireSymbols`Required
+
+```typescript
+public readonly requireSymbols: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireUppercaseCharacters`Required
+
+```typescript
+public readonly requireUppercaseCharacters: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| DEFAULT_DESCRIPTION
| string
| *No description.* |
+| DEFAULT_MAX_PASSWORD_AGE
| number
| *No description.* |
+| DEFAULT_MINIMUM_PASSWORD_LENGTH
| number
| *No description.* |
+| DEFAULT_PASSWORD_REUSE_PREVENTION
| number
| *No description.* |
+| DEFAULT_REQUIRE_LOWERCASE_CHARACTERS
| boolean
| *No description.* |
+| DEFAULT_REQUIRE_NUMBERS
| boolean
| *No description.* |
+| DEFAULT_REQUIRE_SYMBOLS
| boolean
| *No description.* |
+| DEFAULT_REQUIRE_UPPERCASE_CHARACTERS
| boolean
| *No description.* |
+| MANAGED_RULE_NAME
| string
| *No description.* |
+| REMEDIATION_DOCUMENT_NAME
| string
| *No description.* |
+
+---
+
+##### `DEFAULT_DESCRIPTION`Required
+
+```typescript
+public readonly DEFAULT_DESCRIPTION: string;
+```
+
+- *Type:* string
+
+---
+
+##### `DEFAULT_MAX_PASSWORD_AGE`Required
+
+```typescript
+public readonly DEFAULT_MAX_PASSWORD_AGE: number;
+```
+
+- *Type:* number
+
+---
+
+##### `DEFAULT_MINIMUM_PASSWORD_LENGTH`Required
+
+```typescript
+public readonly DEFAULT_MINIMUM_PASSWORD_LENGTH: number;
+```
+
+- *Type:* number
+
+---
+
+##### `DEFAULT_PASSWORD_REUSE_PREVENTION`Required
+
+```typescript
+public readonly DEFAULT_PASSWORD_REUSE_PREVENTION: number;
+```
+
+- *Type:* number
+
+---
+
+##### `DEFAULT_REQUIRE_LOWERCASE_CHARACTERS`Required
+
+```typescript
+public readonly DEFAULT_REQUIRE_LOWERCASE_CHARACTERS: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `DEFAULT_REQUIRE_NUMBERS`Required
+
+```typescript
+public readonly DEFAULT_REQUIRE_NUMBERS: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `DEFAULT_REQUIRE_SYMBOLS`Required
+
+```typescript
+public readonly DEFAULT_REQUIRE_SYMBOLS: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `DEFAULT_REQUIRE_UPPERCASE_CHARACTERS`Required
+
+```typescript
+public readonly DEFAULT_REQUIRE_UPPERCASE_CHARACTERS: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `MANAGED_RULE_NAME`Required
+
+```typescript
+public readonly MANAGED_RULE_NAME: string;
+```
+
+- *Type:* string
+
+---
+
+##### `REMEDIATION_DOCUMENT_NAME`Required
+
+```typescript
+public readonly REMEDIATION_DOCUMENT_NAME: string;
+```
+
+- *Type:* string
+
+---
+
### InspectorFinding
- *Implements:* cdk-extensions.alerting.IIssueParser
@@ -29913,6 +31823,402 @@ Guide.
---
+### RemediationConfiguration
+
+- *Implements:* cdk-extensions.config.IRemediationConfiguration
+
+#### Initializers
+
+```typescript
+import { config } from 'cdk-extensions'
+
+new config.RemediationConfiguration(scope: IConstruct, id: string, props: RemediationConfigurationProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.config.RemediationConfigurationProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.config.RemediationConfigurationProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+| addParameter
| *No description.* |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+##### `addParameter`
+
+```typescript
+public addParameter(key: string, values: string): void
+```
+
+###### `key`Required
+
+- *Type:* string
+
+---
+
+###### `values`Required
+
+- *Type:* string
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromRemediationConfigurationArn
| *No description.* |
+| fromRemediationConfigurationAttributes
| *No description.* |
+| fromRemediationConfigurationName
| *No description.* |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromRemediationConfigurationArn`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.fromRemediationConfigurationArn(scope: IConstruct, id: string, arn: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `arn`Required
+
+- *Type:* string
+
+---
+
+##### `fromRemediationConfigurationAttributes`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.fromRemediationConfigurationAttributes(scope: IConstruct, id: string, attrs: RemediationConfigurationAttributes)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `attrs`Required
+
+- *Type:* cdk-extensions.config.RemediationConfigurationAttributes
+
+---
+
+##### `fromRemediationConfigurationName`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationConfiguration.fromRemediationConfigurationName(scope: IConstruct, id: string, name: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `name`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| configRule
| aws-cdk-lib.aws_config.IRule
| *No description.* |
+| remediationConfigurationArn
| string
| *No description.* |
+| remediationConfigurationName
| string
| *No description.* |
+| resource
| aws-cdk-lib.aws_config.CfnRemediationConfiguration
| *No description.* |
+| automatic
| boolean
| *No description.* |
+| maximumAutomaticAttempts
| number
| *No description.* |
+| resourceType
| string
| *No description.* |
+| retryInterval
| aws-cdk-lib.Duration
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `configRule`Required
+
+```typescript
+public readonly configRule: IRule;
+```
+
+- *Type:* aws-cdk-lib.aws_config.IRule
+
+---
+
+##### `remediationConfigurationArn`Required
+
+```typescript
+public readonly remediationConfigurationArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `remediationConfigurationName`Required
+
+```typescript
+public readonly remediationConfigurationName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnRemediationConfiguration;
+```
+
+- *Type:* aws-cdk-lib.aws_config.CfnRemediationConfiguration
+
+---
+
+##### `automatic`Optional
+
+```typescript
+public readonly automatic: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `maximumAutomaticAttempts`Optional
+
+```typescript
+public readonly maximumAutomaticAttempts: number;
+```
+
+- *Type:* number
+
+---
+
+##### `resourceType`Optional
+
+```typescript
+public readonly resourceType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `retryInterval`Optional
+
+```typescript
+public readonly retryInterval: Duration;
+```
+
+- *Type:* aws-cdk-lib.Duration
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
### ResourceShare
- *Implements:* cdk-extensions.ram.IResourceShare
@@ -34149,6 +36455,217 @@ public readonly SEVERITIES: SecurityHubSeverity[];
---
+### SecurityManager
+
+#### Initializers
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+new securityhub_patterns.SecurityManager(scope: IConstruct, id: string, props: SecurityManagerProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.securityhub_patterns.SecurityManagerProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.securityhub_patterns.SecurityManagerProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+securityhub_patterns.SecurityManager.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+securityhub_patterns.SecurityManager.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+securityhub_patterns.SecurityManager.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| autoRemediate
| boolean
| *No description.* |
+| hub
| cdk-extensions.securityhub.IHub
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `autoRemediate`Required
+
+```typescript
+public readonly autoRemediate: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `hub`Optional
+
+```typescript
+public readonly hub: IHub;
+```
+
+- *Type:* cdk-extensions.securityhub.IHub
+
+---
+
+
### SesLogsBucket
#### Initializers
@@ -36237,6 +38754,282 @@ The regex pattern used to validate secret store names.
---
+### Standard
+
+- *Implements:* cdk-extensions.securityhub.IStandard
+
+#### Initializers
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+new securityhub.Standard(scope: IConstruct, id: string, props: StandardProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.securityhub.StandardProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.securityhub.StandardProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+| disableControl
| *No description.* |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+##### `disableControl`
+
+```typescript
+public disableControl(control: string, options: DisableControlOptions): void
+```
+
+###### `control`Required
+
+- *Type:* string
+
+---
+
+###### `options`Required
+
+- *Type:* cdk-extensions.securityhub.DisableControlOptions
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromStandardArn
| *No description.* |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Standard.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Standard.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Standard.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromStandardArn`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.Standard.fromStandardArn(scope: IConstruct, id: string, arn: string)
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `arn`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| resource
| aws-cdk-lib.aws_securityhub.CfnStandard
| *No description.* |
+| standardArn
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `resource`Required
+
+```typescript
+public readonly resource: CfnStandard;
+```
+
+- *Type:* aws-cdk-lib.aws_securityhub.CfnStandard
+
+---
+
+##### `standardArn`Required
+
+```typescript
+public readonly standardArn: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
### StringReplace
- *Implements:* aws-cdk-lib.aws_stepfunctions.IChainable, aws-cdk-lib.aws_stepfunctions.INextable
@@ -41097,6 +43890,416 @@ public readonly vpcCidrBlockCidr: string;
---
+### VpcDefaultSecurityGroupClosed
+
+#### Initializers
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+new config_rules.VpcDefaultSecurityGroupClosed(scope: IConstruct, id: string, props: VpcDefaultSecurityGroupClosedProps)
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| scope
| constructs.IConstruct
| *No description.* |
+| id
| string
| *No description.* |
+| props
| cdk-extensions.config_rules.VpcDefaultSecurityGroupClosedProps
| *No description.* |
+
+---
+
+##### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `id`Required
+
+- *Type:* string
+
+---
+
+##### `props`Required
+
+- *Type:* cdk-extensions.config_rules.VpcDefaultSecurityGroupClosedProps
+
+---
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| toString
| Returns a string representation of this construct. |
+| applyRemovalPolicy
| Apply the given removal policy to this resource. |
+| onComplianceChange
| Defines an EventBridge event rule which triggers for rule compliance events. |
+| onEvent
| Defines an EventBridge event rule which triggers for rule events. |
+| onReEvaluationStatus
| Defines an EventBridge event rule which triggers for rule re-evaluation status events. |
+
+---
+
+##### `toString`
+
+```typescript
+public toString(): string
+```
+
+Returns a string representation of this construct.
+
+##### `applyRemovalPolicy`
+
+```typescript
+public applyRemovalPolicy(policy: RemovalPolicy): void
+```
+
+Apply the given removal policy to this resource.
+
+The Removal Policy controls what happens to this resource when it stops
+being managed by CloudFormation, either because you've removed it from the
+CDK application or because you've made a change that requires the resource
+to be replaced.
+
+The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
+account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
+
+###### `policy`Required
+
+- *Type:* aws-cdk-lib.RemovalPolicy
+
+---
+
+##### `onComplianceChange`
+
+```typescript
+public onComplianceChange(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule compliance events.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+##### `onEvent`
+
+```typescript
+public onEvent(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule events.
+
+Use
+`rule.addEventPattern(pattern)` to specify a filter.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+##### `onReEvaluationStatus`
+
+```typescript
+public onReEvaluationStatus(id: string, options?: OnEventOptions): Rule
+```
+
+Defines an EventBridge event rule which triggers for rule re-evaluation status events.
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `options`Optional
+
+- *Type:* aws-cdk-lib.aws_events.OnEventOptions
+
+---
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| isConstruct
| Checks if `x` is a construct. |
+| isOwnedResource
| Returns true if the construct was created by CDK, and false otherwise. |
+| isResource
| Check whether the given construct is a Resource. |
+| fromConfigRuleName
| Imports an existing rule. |
+
+---
+
+##### ~~`isConstruct`~~
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.VpcDefaultSecurityGroupClosed.isConstruct(x: any)
+```
+
+Checks if `x` is a construct.
+
+###### `x`Required
+
+- *Type:* any
+
+Any object.
+
+---
+
+##### `isOwnedResource`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.VpcDefaultSecurityGroupClosed.isOwnedResource(construct: IConstruct)
+```
+
+Returns true if the construct was created by CDK, and false otherwise.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `isResource`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.VpcDefaultSecurityGroupClosed.isResource(construct: IConstruct)
+```
+
+Check whether the given construct is a Resource.
+
+###### `construct`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+##### `fromConfigRuleName`
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+config_rules.VpcDefaultSecurityGroupClosed.fromConfigRuleName(scope: Construct, id: string, configRuleName: string)
+```
+
+Imports an existing rule.
+
+###### `scope`Required
+
+- *Type:* constructs.Construct
+
+---
+
+###### `id`Required
+
+- *Type:* string
+
+---
+
+###### `configRuleName`Required
+
+- *Type:* string
+
+the name of the rule.
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| configRuleArn
| string
| The arn of the rule. |
+| configRuleComplianceType
| string
| The compliance status of the rule. |
+| configRuleId
| string
| The id of the rule. |
+| configRuleName
| string
| The name of the rule. |
+| remediationConfiguration
| cdk-extensions.config.RemediationConfiguration
| *No description.* |
+| remediationPolicy
| aws-cdk-lib.aws_iam.ManagedPolicy
| *No description.* |
+| remediationRole
| aws-cdk-lib.aws_iam.Role
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `configRuleArn`Required
+
+```typescript
+public readonly configRuleArn: string;
+```
+
+- *Type:* string
+
+The arn of the rule.
+
+---
+
+##### `configRuleComplianceType`Required
+
+```typescript
+public readonly configRuleComplianceType: string;
+```
+
+- *Type:* string
+
+The compliance status of the rule.
+
+---
+
+##### `configRuleId`Required
+
+```typescript
+public readonly configRuleId: string;
+```
+
+- *Type:* string
+
+The id of the rule.
+
+---
+
+##### `configRuleName`Required
+
+```typescript
+public readonly configRuleName: string;
+```
+
+- *Type:* string
+
+The name of the rule.
+
+---
+
+##### `remediationConfiguration`Required
+
+```typescript
+public readonly remediationConfiguration: RemediationConfiguration;
+```
+
+- *Type:* cdk-extensions.config.RemediationConfiguration
+
+---
+
+##### `remediationPolicy`Required
+
+```typescript
+public readonly remediationPolicy: ManagedPolicy;
+```
+
+- *Type:* aws-cdk-lib.aws_iam.ManagedPolicy
+
+---
+
+##### `remediationRole`Required
+
+```typescript
+public readonly remediationRole: Role;
+```
+
+- *Type:* aws-cdk-lib.aws_iam.Role
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| DEFAULT_DESCRIPTION
| string
| *No description.* |
+| MANAGED_RULE_NAME
| string
| *No description.* |
+| REMEDIATION_DOCUMENT_NAME
| string
| *No description.* |
+
+---
+
+##### `DEFAULT_DESCRIPTION`Required
+
+```typescript
+public readonly DEFAULT_DESCRIPTION: string;
+```
+
+- *Type:* string
+
+---
+
+##### `MANAGED_RULE_NAME`Required
+
+```typescript
+public readonly MANAGED_RULE_NAME: string;
+```
+
+- *Type:* string
+
+---
+
+##### `REMEDIATION_DOCUMENT_NAME`Required
+
+```typescript
+public readonly REMEDIATION_DOCUMENT_NAME: string;
+```
+
+- *Type:* string
+
+---
+
### VpnConnection
- *Implements:* aws-cdk-lib.aws_ec2.IVpnConnection
@@ -47748,6 +50951,67 @@ public readonly requesterPays: boolean;
---
+### AutomationDocumentRemediationProps
+
+#### Initializer
+
+```typescript
+import { config } from 'cdk-extensions'
+
+const automationDocumentRemediationProps: config.AutomationDocumentRemediationProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| document
| cdk-extensions.ssm.IAutomationDocument
| *No description.* |
+| concurrencyPercentage
| number
| *No description.* |
+| errorPercentage
| number
| *No description.* |
+| version
| string
| *No description.* |
+
+---
+
+##### `document`Required
+
+```typescript
+public readonly document: IAutomationDocument;
+```
+
+- *Type:* cdk-extensions.ssm.IAutomationDocument
+
+---
+
+##### `concurrencyPercentage`Optional
+
+```typescript
+public readonly concurrencyPercentage: number;
+```
+
+- *Type:* number
+
+---
+
+##### `errorPercentage`Optional
+
+```typescript
+public readonly errorPercentage: number;
+```
+
+- *Type:* number
+
+---
+
+##### `version`Optional
+
+```typescript
+public readonly version: string;
+```
+
+- *Type:* string
+
+---
+
### AwsIntegratedFargateClusterProps
#### Initializer
@@ -53017,6 +56281,34 @@ Specifies how frequently updated findings are exported.
---
+### DisableControlOptions
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const disableControlOptions: securityhub.DisableControlOptions = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| reason
| string
| *No description.* |
+
+---
+
+##### `reason`Required
+
+```typescript
+public readonly reason: string;
+```
+
+- *Type:* string
+
+---
+
### DiscordOverrideOptions
#### Initializer
@@ -53219,6 +56511,406 @@ public readonly timeout: Duration;
---
+### DocumentBaseProps
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const documentBaseProps: ssm.DocumentBaseProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| content
| cdk-extensions.ssm.IDocumentContent
| *No description.* |
+| documentType
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| name
| string
| *No description.* |
+| requires
| cdk-extensions.ssm.DocumentRequirement[]
| *No description.* |
+| targetType
| string
| *No description.* |
+| updateMethod
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| versionName
| string
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: IDocumentContent;
+```
+
+- *Type:* cdk-extensions.ssm.IDocumentContent
+
+---
+
+##### `documentType`Optional
+
+```typescript
+public readonly documentType: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+##### `requires`Optional
+
+```typescript
+public readonly requires: DocumentRequirement[];
+```
+
+- *Type:* cdk-extensions.ssm.DocumentRequirement[]
+
+---
+
+##### `targetType`Optional
+
+```typescript
+public readonly targetType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `updateMethod`Optional
+
+```typescript
+public readonly updateMethod: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `versionName`Optional
+
+```typescript
+public readonly versionName: string;
+```
+
+- *Type:* string
+
+---
+
+### DocumentContentResult
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const documentContentResult: ssm.DocumentContentResult = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| content
| string
| *No description.* |
+| documentFormat
| cdk-extensions.ssm.DocumentFormat
| *No description.* |
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentFormat`Required
+
+```typescript
+public readonly documentFormat: DocumentFormat;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentFormat
+
+---
+
+### DocumentProps
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const documentProps: ssm.DocumentProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| content
| cdk-extensions.ssm.IDocumentContent
| *No description.* |
+| documentType
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| name
| string
| *No description.* |
+| requires
| cdk-extensions.ssm.DocumentRequirement[]
| *No description.* |
+| targetType
| string
| *No description.* |
+| updateMethod
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| versionName
| string
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: IDocumentContent;
+```
+
+- *Type:* cdk-extensions.ssm.IDocumentContent
+
+---
+
+##### `documentType`Optional
+
+```typescript
+public readonly documentType: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+##### `requires`Optional
+
+```typescript
+public readonly requires: DocumentRequirement[];
+```
+
+- *Type:* cdk-extensions.ssm.DocumentRequirement[]
+
+---
+
+##### `targetType`Optional
+
+```typescript
+public readonly targetType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `updateMethod`Optional
+
+```typescript
+public readonly updateMethod: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `versionName`Optional
+
+```typescript
+public readonly versionName: string;
+```
+
+- *Type:* string
+
+---
+
+### DocumentRequirement
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const documentRequirement: ssm.DocumentRequirement = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| document
| cdk-extensions.ssm.IDocument
| *No description.* |
+| version
| string
| *No description.* |
+
+---
+
+##### `document`Required
+
+```typescript
+public readonly document: IDocument;
+```
+
+- *Type:* cdk-extensions.ssm.IDocument
+
+---
+
+##### `version`Optional
+
+```typescript
+public readonly version: string;
+```
+
+- *Type:* string
+
+---
+
### DomainOptions
#### Initializer
@@ -60160,6 +63852,367 @@ public readonly retryDuration: Duration;
---
+### HubAttributes
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const hubAttributes: securityhub.HubAttributes = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| arn
| string
| *No description.* |
+| name
| string
| *No description.* |
+
+---
+
+##### `arn`Optional
+
+```typescript
+public readonly arn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+### HubProps
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const hubProps: securityhub.HubProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| autoEnableControls
| boolean
| *No description.* |
+| consolidatedFindings
| boolean
| *No description.* |
+| enableDefaultStandards
| boolean
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `autoEnableControls`Optional
+
+```typescript
+public readonly autoEnableControls: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `consolidatedFindings`Optional
+
+```typescript
+public readonly consolidatedFindings: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `enableDefaultStandards`Optional
+
+```typescript
+public readonly enableDefaultStandards: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+### IamPasswordPolicyProps
+
+#### Initializer
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+const iamPasswordPolicyProps: config_rules.IamPasswordPolicyProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| autoRemediation
| boolean
| *No description.* |
+| configRuleName
| string
| *No description.* |
+| description
| string
| *No description.* |
+| maximumExecutionFrequency
| aws-cdk-lib.aws_config.MaximumExecutionFrequency
| *No description.* |
+| maxPasswordAge
| number
| *No description.* |
+| minimumPasswordLength
| number
| *No description.* |
+| passwordReusePrevention
| number
| *No description.* |
+| requireLowercaseCharacters
| boolean
| *No description.* |
+| requireNumbers
| boolean
| *No description.* |
+| requireSymbols
| boolean
| *No description.* |
+| requireUppercaseCharacters
| boolean
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `autoRemediation`Optional
+
+```typescript
+public readonly autoRemediation: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `configRuleName`Optional
+
+```typescript
+public readonly configRuleName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `description`Optional
+
+```typescript
+public readonly description: string;
+```
+
+- *Type:* string
+
+---
+
+##### `maximumExecutionFrequency`Optional
+
+```typescript
+public readonly maximumExecutionFrequency: MaximumExecutionFrequency;
+```
+
+- *Type:* aws-cdk-lib.aws_config.MaximumExecutionFrequency
+
+---
+
+##### `maxPasswordAge`Optional
+
+```typescript
+public readonly maxPasswordAge: number;
+```
+
+- *Type:* number
+
+---
+
+##### `minimumPasswordLength`Optional
+
+```typescript
+public readonly minimumPasswordLength: number;
+```
+
+- *Type:* number
+
+---
+
+##### `passwordReusePrevention`Optional
+
+```typescript
+public readonly passwordReusePrevention: number;
+```
+
+- *Type:* number
+
+---
+
+##### `requireLowercaseCharacters`Optional
+
+```typescript
+public readonly requireLowercaseCharacters: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireNumbers`Optional
+
+```typescript
+public readonly requireNumbers: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireSymbols`Optional
+
+```typescript
+public readonly requireSymbols: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `requireUppercaseCharacters`Optional
+
+```typescript
+public readonly requireUppercaseCharacters: boolean;
+```
+
+- *Type:* boolean
+
+---
+
### InspectorFindingEventOptions
#### Initializer
@@ -64964,6 +69017,34 @@ public readonly vpnCidr: IIpv4CidrAssignment;
---
+### ObjectContentProps
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const objectContentProps: ssm.ObjectContentProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| input
| {[ key: string ]: any}
| *No description.* |
+
+---
+
+##### `input`Required
+
+```typescript
+public readonly input: {[ key: string ]: any};
+```
+
+- *Type:* {[ key: string ]: any}
+
+---
+
### OpenSearchEventProps
#### Initializer
@@ -67047,6 +71128,278 @@ public readonly transitGateway: ITransitGateway;
---
+### RemediationConfigurationAttributes
+
+#### Initializer
+
+```typescript
+import { config } from 'cdk-extensions'
+
+const remediationConfigurationAttributes: config.RemediationConfigurationAttributes = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| arn
| string
| *No description.* |
+| name
| string
| *No description.* |
+
+---
+
+##### `arn`Optional
+
+```typescript
+public readonly arn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+### RemediationConfigurationProps
+
+#### Initializer
+
+```typescript
+import { config } from 'cdk-extensions'
+
+const remediationConfigurationProps: config.RemediationConfigurationProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| configRule
| aws-cdk-lib.aws_config.IRule
| *No description.* |
+| staticParameters
| {[ key: string ]: any[]}
| *No description.* |
+| target
| cdk-extensions.config.IRemediationTarget
| *No description.* |
+| automatic
| boolean
| *No description.* |
+| maximumAutomaticAttempts
| number
| *No description.* |
+| resourceParameter
| string
| *No description.* |
+| resourceType
| string
| *No description.* |
+| retryInterval
| aws-cdk-lib.Duration
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `configRule`Required
+
+```typescript
+public readonly configRule: IRule;
+```
+
+- *Type:* aws-cdk-lib.aws_config.IRule
+
+---
+
+##### `staticParameters`Required
+
+```typescript
+public readonly staticParameters: {[ key: string ]: any[]};
+```
+
+- *Type:* {[ key: string ]: any[]}
+
+---
+
+##### `target`Required
+
+```typescript
+public readonly target: IRemediationTarget;
+```
+
+- *Type:* cdk-extensions.config.IRemediationTarget
+
+---
+
+##### `automatic`Optional
+
+```typescript
+public readonly automatic: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `maximumAutomaticAttempts`Optional
+
+```typescript
+public readonly maximumAutomaticAttempts: number;
+```
+
+- *Type:* number
+
+---
+
+##### `resourceParameter`Optional
+
+```typescript
+public readonly resourceParameter: string;
+```
+
+- *Type:* string
+
+---
+
+##### `resourceType`Optional
+
+```typescript
+public readonly resourceType: string;
+```
+
+- *Type:* string
+
+---
+
+##### `retryInterval`Optional
+
+```typescript
+public readonly retryInterval: Duration;
+```
+
+- *Type:* aws-cdk-lib.Duration
+
+---
+
+### RemediationTargetConfiguration
+
+#### Initializer
+
+```typescript
+import { config } from 'cdk-extensions'
+
+const remediationTargetConfiguration: config.RemediationTargetConfiguration = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| targetId
| string
| *No description.* |
+| targetType
| cdk-extensions.config.RemediationTargetType
| *No description.* |
+| controls
| aws-cdk-lib.aws_config.CfnRemediationConfiguration.ExecutionControlsProperty
| *No description.* |
+| targetVersion
| string
| *No description.* |
+
+---
+
+##### `targetId`Required
+
+```typescript
+public readonly targetId: string;
+```
+
+- *Type:* string
+
+---
+
+##### `targetType`Required
+
+```typescript
+public readonly targetType: RemediationTargetType;
+```
+
+- *Type:* cdk-extensions.config.RemediationTargetType
+
+---
+
+##### `controls`Optional
+
+```typescript
+public readonly controls: ExecutionControlsProperty;
+```
+
+- *Type:* aws-cdk-lib.aws_config.CfnRemediationConfiguration.ExecutionControlsProperty
+
+---
+
+##### `targetVersion`Optional
+
+```typescript
+public readonly targetVersion: string;
+```
+
+- *Type:* string
+
+---
+
### RemoteVpnEndpointConfiguration
Configuration object containing the vlues needed to configure the remote end of a VPN connection.
@@ -68304,6 +72657,89 @@ The name of the rule groups namespace.
---
+### RuleSetProps
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const ruleSetProps: securityhub.RuleSetProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| id
| string
| *No description.* |
+| version
| string
| *No description.* |
+| default
| boolean
| *No description.* |
+| description
| string
| *No description.* |
+| global
| boolean
| *No description.* |
+| name
| string
| *No description.* |
+
+---
+
+##### `id`Required
+
+```typescript
+public readonly id: string;
+```
+
+- *Type:* string
+
+---
+
+##### `version`Required
+
+```typescript
+public readonly version: string;
+```
+
+- *Type:* string
+
+---
+
+##### `default`Optional
+
+```typescript
+public readonly default: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `description`Optional
+
+```typescript
+public readonly description: string;
+```
+
+- *Type:* string
+
+---
+
+##### `global`Optional
+
+```typescript
+public readonly global: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
### S3AccessLogsBucketProps
Configuration for objects bucket.
@@ -69013,6 +73449,89 @@ Setting this value to true prioritizes the customer's extra JAR files in the cla
---
+### ScopedRuleSet
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const scopedRuleSet: securityhub.ScopedRuleSet = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| arn
| string
| *No description.* |
+| id
| string
| *No description.* |
+| version
| string
| *No description.* |
+| default
| boolean
| *No description.* |
+| description
| string
| *No description.* |
+| name
| string
| *No description.* |
+
+---
+
+##### `arn`Required
+
+```typescript
+public readonly arn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `id`Required
+
+```typescript
+public readonly id: string;
+```
+
+- *Type:* string
+
+---
+
+##### `version`Required
+
+```typescript
+public readonly version: string;
+```
+
+- *Type:* string
+
+---
+
+##### `default`Optional
+
+```typescript
+public readonly default: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `description`Optional
+
+```typescript
+public readonly description: string;
+```
+
+- *Type:* string
+
+---
+
+##### `name`Optional
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
### SecretFieldReference
Options for how to synchronize a specific field in a secret being imported.
@@ -69584,6 +74103,151 @@ public readonly timeout: Duration;
---
+### SecurityHubOptions
+
+#### Initializer
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+const securityHubOptions: securityhub_patterns.SecurityHubOptions = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| enabled
| boolean
| *No description.* |
+| hub
| cdk-extensions.securityhub.IHub
| *No description.* |
+
+---
+
+##### `enabled`Optional
+
+```typescript
+public readonly enabled: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `hub`Optional
+
+```typescript
+public readonly hub: IHub;
+```
+
+- *Type:* cdk-extensions.securityhub.IHub
+
+---
+
+### SecurityManagerProps
+
+#### Initializer
+
+```typescript
+import { securityhub_patterns } from 'cdk-extensions'
+
+const securityManagerProps: securityhub_patterns.SecurityManagerProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| autoRemediate
| boolean
| *No description.* |
+| securityHub
| cdk-extensions.securityhub_patterns.SecurityHubOptions
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `autoRemediate`Optional
+
+```typescript
+public readonly autoRemediate: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `securityHub`Optional
+
+```typescript
+public readonly securityHub: SecurityHubOptions;
+```
+
+- *Type:* cdk-extensions.securityhub_patterns.SecurityHubOptions
+
+---
+
### SesLogsBucketProps
Configuration for objects bucket.
@@ -70295,6 +74959,112 @@ The Kubernetes namespace where the secret store should be created.
---
+### StandardProps
+
+#### Initializer
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+const standardProps: securityhub.StandardProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| ruleSet
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+| disabledControls
| string[]
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `ruleSet`Required
+
+```typescript
+public readonly ruleSet: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
+##### `disabledControls`Optional
+
+```typescript
+public readonly disabledControls: string[];
+```
+
+- *Type:* string[]
+
+---
+
### StateMachineLogging
#### Initializer
@@ -70356,6 +75126,45 @@ public readonly level: LogLevel;
---
+### StringContentProps
+
+#### Initializer
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+const stringContentProps: ssm.StringContentProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| content
| string
| *No description.* |
+| documentFormat
| cdk-extensions.ssm.DocumentFormat
| *No description.* |
+
+---
+
+##### `content`Required
+
+```typescript
+public readonly content: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentFormat`Required
+
+```typescript
+public readonly documentFormat: DocumentFormat;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentFormat
+
+---
+
### StringReplaceProps
#### Initializer
@@ -73402,6 +78211,134 @@ public readonly vpc: IVpc;
---
+### VpcDefaultSecurityGroupClosedProps
+
+#### Initializer
+
+```typescript
+import { config_rules } from 'cdk-extensions'
+
+const vpcDefaultSecurityGroupClosedProps: config_rules.VpcDefaultSecurityGroupClosedProps = { ... }
+```
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| account
| string
| The AWS account ID this resource belongs to. |
+| environmentFromArn
| string
| ARN to deduce region and account from. |
+| physicalName
| string
| The value passed in by users to the physical name prop of the resource. |
+| region
| string
| The AWS region this resource belongs to. |
+| autoRemediation
| boolean
| *No description.* |
+| configRuleName
| string
| *No description.* |
+| description
| string
| *No description.* |
+| maximumExecutionFrequency
| aws-cdk-lib.aws_config.MaximumExecutionFrequency
| *No description.* |
+
+---
+
+##### `account`Optional
+
+```typescript
+public readonly account: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same account as the stack it belongs to
+
+The AWS account ID this resource belongs to.
+
+---
+
+##### `environmentFromArn`Optional
+
+```typescript
+public readonly environmentFromArn: string;
+```
+
+- *Type:* string
+- *Default:* take environment from `account`, `region` parameters, or use Stack environment.
+
+ARN to deduce region and account from.
+
+The ARN is parsed and the account and region are taken from the ARN.
+This should be used for imported resources.
+
+Cannot be supplied together with either `account` or `region`.
+
+---
+
+##### `physicalName`Optional
+
+```typescript
+public readonly physicalName: string;
+```
+
+- *Type:* string
+- *Default:* The physical name will be allocated by CloudFormation at deployment time
+
+The value passed in by users to the physical name prop of the resource.
+
+`undefined` implies that a physical name will be allocated by
+ CloudFormation during deployment.
+- a concrete value implies a specific physical name
+- `PhysicalName.GENERATE_IF_NEEDED` is a marker that indicates that a physical will only be generated
+ by the CDK if it is needed for cross-environment references. Otherwise, it will be allocated by CloudFormation.
+
+---
+
+##### `region`Optional
+
+```typescript
+public readonly region: string;
+```
+
+- *Type:* string
+- *Default:* the resource is in the same region as the stack it belongs to
+
+The AWS region this resource belongs to.
+
+---
+
+##### `autoRemediation`Optional
+
+```typescript
+public readonly autoRemediation: boolean;
+```
+
+- *Type:* boolean
+
+---
+
+##### `configRuleName`Optional
+
+```typescript
+public readonly configRuleName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `description`Optional
+
+```typescript
+public readonly description: string;
+```
+
+- *Type:* string
+
+---
+
+##### `maximumExecutionFrequency`Optional
+
+```typescript
+public readonly maximumExecutionFrequency: MaximumExecutionFrequency;
+```
+
+- *Type:* aws-cdk-lib.aws_config.MaximumExecutionFrequency
+
+---
+
### VpnAttachmentOptions
#### Initializer
@@ -77831,6 +82768,67 @@ athena.AthenaSqlOutputEncryption.sseS3()
+### AutomationSchemaVersion
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.AutomationSchemaVersion.of(version: string)
+```
+
+###### `version`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| version
| string
| *No description.* |
+
+---
+
+##### `version`Required
+
+```typescript
+public readonly version: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| VER_0_3
| cdk-extensions.ssm.AutomationSchemaVersion
| *No description.* |
+
+---
+
+##### `VER_0_3`Required
+
+```typescript
+public readonly VER_0_3: AutomationSchemaVersion;
+```
+
+- *Type:* cdk-extensions.ssm.AutomationSchemaVersion
+
+---
+
### AwsServiceDiscoveryRegistry
- *Implements:* cdk-extensions.k8s_aws.IExternalDnsRegistry
@@ -78789,6 +83787,78 @@ The name of the Column.
---
+### ControlFindingGenerator
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { securityhub } from 'cdk-extensions'
+
+securityhub.ControlFindingGenerator.of(value: string)
+```
+
+###### `value`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| value
| string
| *No description.* |
+
+---
+
+##### `value`Required
+
+```typescript
+public readonly value: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| SECURITY_CONTROL
| cdk-extensions.securityhub.ControlFindingGenerator
| *No description.* |
+| STANDARD_CONTROL
| cdk-extensions.securityhub.ControlFindingGenerator
| *No description.* |
+
+---
+
+##### `SECURITY_CONTROL`Required
+
+```typescript
+public readonly SECURITY_CONTROL: ControlFindingGenerator;
+```
+
+- *Type:* cdk-extensions.securityhub.ControlFindingGenerator
+
+---
+
+##### `STANDARD_CONTROL`Required
+
+```typescript
+public readonly STANDARD_CONTROL: ControlFindingGenerator;
+```
+
+- *Type:* cdk-extensions.securityhub.ControlFindingGenerator
+
+---
+
### CustomerGatewayConfigurationRemoteVpnEndpoint
- *Implements:* cdk-extensions.ec2.IRemoteVpnEndpoint
@@ -80041,6 +85111,365 @@ public readonly processorType: ProcessorType;
---
+### DocumentContent
+
+#### Initializers
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+new ssm.DocumentContent()
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+
+---
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| fromObject
| *No description.* |
+| fromString
| *No description.* |
+
+---
+
+##### `fromObject`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentContent.fromObject(props: ObjectContentProps)
+```
+
+###### `props`Required
+
+- *Type:* cdk-extensions.ssm.ObjectContentProps
+
+---
+
+##### `fromString`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentContent.fromString(props: StringContentProps)
+```
+
+###### `props`Required
+
+- *Type:* cdk-extensions.ssm.StringContentProps
+
+---
+
+
+
+### DocumentFormat
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentFormat.of(value: string)
+```
+
+###### `value`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| value
| string
| *No description.* |
+
+---
+
+##### `value`Required
+
+```typescript
+public readonly value: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| JSON
| cdk-extensions.ssm.DocumentFormat
| *No description.* |
+| TEXT
| cdk-extensions.ssm.DocumentFormat
| *No description.* |
+| YAML
| cdk-extensions.ssm.DocumentFormat
| *No description.* |
+
+---
+
+##### `JSON`Required
+
+```typescript
+public readonly JSON: DocumentFormat;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentFormat
+
+---
+
+##### `TEXT`Required
+
+```typescript
+public readonly TEXT: DocumentFormat;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentFormat
+
+---
+
+##### `YAML`Required
+
+```typescript
+public readonly YAML: DocumentFormat;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentFormat
+
+---
+
+### DocumentType
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentType.of(value: string)
+```
+
+###### `value`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| name
| string
| *No description.* |
+
+---
+
+##### `name`Required
+
+```typescript
+public readonly name: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| APPLICATION_CONFIGURATION
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| APPLICATION_CONFIGURATION_SCHEMA
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| AUTOMATION
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| AUTOMATION_CHANGE_TEMPLATE
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| COMMAND
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| DEPLOYMENT_STRATEGY
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| PACKAGE
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| POLICY
| cdk-extensions.ssm.DocumentType
| *No description.* |
+| SESSION
| cdk-extensions.ssm.DocumentType
| *No description.* |
+
+---
+
+##### `APPLICATION_CONFIGURATION`Required
+
+```typescript
+public readonly APPLICATION_CONFIGURATION: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `APPLICATION_CONFIGURATION_SCHEMA`Required
+
+```typescript
+public readonly APPLICATION_CONFIGURATION_SCHEMA: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `AUTOMATION`Required
+
+```typescript
+public readonly AUTOMATION: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `AUTOMATION_CHANGE_TEMPLATE`Required
+
+```typescript
+public readonly AUTOMATION_CHANGE_TEMPLATE: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `COMMAND`Required
+
+```typescript
+public readonly COMMAND: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `DEPLOYMENT_STRATEGY`Required
+
+```typescript
+public readonly DEPLOYMENT_STRATEGY: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `PACKAGE`Required
+
+```typescript
+public readonly PACKAGE: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `POLICY`Required
+
+```typescript
+public readonly POLICY: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+##### `SESSION`Required
+
+```typescript
+public readonly SESSION: DocumentType;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentType
+
+---
+
+### DocumentUpdateMethod
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { ssm } from 'cdk-extensions'
+
+ssm.DocumentUpdateMethod.of(value: string)
+```
+
+###### `value`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| value
| string
| *No description.* |
+
+---
+
+##### `value`Required
+
+```typescript
+public readonly value: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| NEW_VERSION
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+| REPLACE
| cdk-extensions.ssm.DocumentUpdateMethod
| *No description.* |
+
+---
+
+##### `NEW_VERSION`Required
+
+```typescript
+public readonly NEW_VERSION: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
+##### `REPLACE`Required
+
+```typescript
+public readonly REPLACE: DocumentUpdateMethod;
+```
+
+- *Type:* cdk-extensions.ssm.DocumentUpdateMethod
+
+---
+
### Domain
#### Initializers
@@ -94491,6 +99920,204 @@ public readonly referencedPolicy: ReferencedManagedPolicy;
---
+### RemediationTarget
+
+#### Initializers
+
+```typescript
+import { config } from 'cdk-extensions'
+
+new config.RemediationTarget()
+```
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+
+---
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| automationDocument
| *No description.* |
+
+---
+
+##### `automationDocument`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationTarget.automationDocument(props: AutomationDocumentRemediationProps)
+```
+
+###### `props`Required
+
+- *Type:* cdk-extensions.config.AutomationDocumentRemediationProps
+
+---
+
+
+
+### RemediationTargetType
+
+
+#### Static Functions
+
+| **Name** | **Description** |
+| --- | --- |
+| of
| *No description.* |
+
+---
+
+##### `of`
+
+```typescript
+import { config } from 'cdk-extensions'
+
+config.RemediationTargetType.of(value: string)
+```
+
+###### `value`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| value
| string
| *No description.* |
+
+---
+
+##### `value`Required
+
+```typescript
+public readonly value: string;
+```
+
+- *Type:* string
+
+---
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| SSM_DOCUMENT
| cdk-extensions.config.RemediationTargetType
| *No description.* |
+
+---
+
+##### `SSM_DOCUMENT`Required
+
+```typescript
+public readonly SSM_DOCUMENT: RemediationTargetType;
+```
+
+- *Type:* cdk-extensions.config.RemediationTargetType
+
+---
+
+### RuleSet
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| bind
| *No description.* |
+
+---
+
+##### `bind`
+
+```typescript
+public bind(scope: IConstruct): ScopedRuleSet
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+
+
+#### Constants
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| ARN_FORMAT
| aws-cdk-lib.ArnFormat
| *No description.* |
+| CIS_FOUNDATIONS_1_2_0
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+| CIS_FOUNDATIONS_1_4_0
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+| FOUNDATIONAL_BEST_PRACTICES_1_0_0
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+| NIST_800_53_5_0_0
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+| PCI_DSS_3_2_1
| cdk-extensions.securityhub.RuleSet
| *No description.* |
+
+---
+
+##### `ARN_FORMAT`Required
+
+```typescript
+public readonly ARN_FORMAT: ArnFormat;
+```
+
+- *Type:* aws-cdk-lib.ArnFormat
+
+---
+
+##### `CIS_FOUNDATIONS_1_2_0`Required
+
+```typescript
+public readonly CIS_FOUNDATIONS_1_2_0: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
+##### `CIS_FOUNDATIONS_1_4_0`Required
+
+```typescript
+public readonly CIS_FOUNDATIONS_1_4_0: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
+##### `FOUNDATIONAL_BEST_PRACTICES_1_0_0`Required
+
+```typescript
+public readonly FOUNDATIONAL_BEST_PRACTICES_1_0_0: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
+##### `NIST_800_53_5_0_0`Required
+
+```typescript
+public readonly NIST_800_53_5_0_0: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
+##### `PCI_DSS_3_2_1`Required
+
+```typescript
+public readonly PCI_DSS_3_2_1: RuleSet;
+```
+
+- *Type:* cdk-extensions.securityhub.RuleSet
+
+---
+
### S3Code
Glue job Code from an S3 bucket.
@@ -99157,6 +104784,118 @@ public bind(scope: IConstruct): AthenaResultEncryptionConfiguration
---
+### IAutomationDocument
+
+- *Extends:* cdk-extensions.ssm.IDocument
+
+- *Implemented By:* cdk-extensions.ssm.AutomationDocument, cdk-extensions.ssm.IAutomationDocument
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| arnForAutomationDefinitionVersion
| *No description.* |
+
+---
+
+##### `arnForAutomationDefinitionVersion`
+
+```typescript
+public arnForAutomationDefinitionVersion(version: string): string
+```
+
+###### `version`Required
+
+- *Type:* string
+
+---
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| documentArn
| string
| *No description.* |
+| documentName
| string
| *No description.* |
+| automationDefinitionArn
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `documentArn`Required
+
+```typescript
+public readonly documentArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentName`Required
+
+```typescript
+public readonly documentName: string;
+```
+
+- *Type:* string
+
+---
+
+##### `automationDefinitionArn`Required
+
+```typescript
+public readonly automationDefinitionArn: string;
+```
+
+- *Type:* string
+
+---
+
### ICidrAssignment
- *Implemented By:* cdk-extensions.ec2.ICidrAssignment, cdk-extensions.ec2.IIpv4CidrAssignment, cdk-extensions.ec2.IIpv6CidrAssignment
@@ -99853,6 +105592,113 @@ public readonly domainDiscovery: DomainDiscovery;
---
+### IDocument
+
+- *Extends:* aws-cdk-lib.IResource
+
+- *Implemented By:* cdk-extensions.ssm.AutomationDocument, cdk-extensions.ssm.Document, cdk-extensions.ssm.DocumentBase, cdk-extensions.ssm.IAutomationDocument, cdk-extensions.ssm.IDocument
+
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| documentArn
| string
| *No description.* |
+| documentName
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `documentArn`Required
+
+```typescript
+public readonly documentArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `documentName`Required
+
+```typescript
+public readonly documentName: string;
+```
+
+- *Type:* string
+
+---
+
+### IDocumentContent
+
+- *Implemented By:* cdk-extensions.ssm.IDocumentContent
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| bind
| *No description.* |
+
+---
+
+##### `bind`
+
+```typescript
+public bind(scope: IConstruct): DocumentContentResult
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+
### IEcrImageScanSeverityConfiguration
- *Implemented By:* cdk-extensions.alerting.IEcrImageScanSeverityConfiguration
@@ -100356,6 +106202,40 @@ public bind(scope: IConstruct): BoundGroupConfiguration
---
+### IHub
+
+- *Implemented By:* cdk-extensions.securityhub.Hub, cdk-extensions.securityhub.IHub
+
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| hubArn
| string
| *No description.* |
+| hubName
| string
| *No description.* |
+
+---
+
+##### `hubArn`Required
+
+```typescript
+public readonly hubArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `hubName`Required
+
+```typescript
+public readonly hubName: string;
+```
+
+- *Type:* string
+
+---
+
### IIdentityCenterPrincipal
- *Implemented By:* cdk-extensions.sso.GroupBase, cdk-extensions.sso.UserBase, cdk-extensions.sso.IIdentityCenterPrincipal
@@ -102504,6 +108384,65 @@ The type of the scope.
---
+### IRemediationConfiguration
+
+- *Implemented By:* cdk-extensions.config.RemediationConfiguration, cdk-extensions.config.IRemediationConfiguration
+
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| remediationConfigurationArn
| string
| *No description.* |
+| remediationConfigurationName
| string
| *No description.* |
+
+---
+
+##### `remediationConfigurationArn`Required
+
+```typescript
+public readonly remediationConfigurationArn: string;
+```
+
+- *Type:* string
+
+---
+
+##### `remediationConfigurationName`Required
+
+```typescript
+public readonly remediationConfigurationName: string;
+```
+
+- *Type:* string
+
+---
+
+### IRemediationTarget
+
+- *Implemented By:* cdk-extensions.config.IRemediationTarget
+
+#### Methods
+
+| **Name** | **Description** |
+| --- | --- |
+| bind
| *No description.* |
+
+---
+
+##### `bind`
+
+```typescript
+public bind(scope: IConstruct): RemediationTargetConfiguration
+```
+
+###### `scope`Required
+
+- *Type:* constructs.IConstruct
+
+---
+
+
### IRemoteVpnEndpoint
- *Implemented By:* cdk-extensions.ec2.CustomerGatewayConfigurationRemoteVpnEndpoint, cdk-extensions.ec2.CustomerGatewayRemoteVpnEndpoint, cdk-extensions.ec2.IRemoteVpnEndpoint
@@ -102955,6 +108894,77 @@ public readonly stackConstruct: Stack;
---
+### IStandard
+
+- *Extends:* aws-cdk-lib.IResource
+
+- *Implemented By:* cdk-extensions.securityhub.Standard, cdk-extensions.securityhub.IStandard
+
+
+#### Properties
+
+| **Name** | **Type** | **Description** |
+| --- | --- | --- |
+| node
| constructs.Node
| The tree node. |
+| env
| aws-cdk-lib.ResourceEnvironment
| The environment this resource belongs to. |
+| stack
| aws-cdk-lib.Stack
| The stack in which this resource is defined. |
+| standardArn
| string
| *No description.* |
+
+---
+
+##### `node`Required
+
+```typescript
+public readonly node: Node;
+```
+
+- *Type:* constructs.Node
+
+The tree node.
+
+---
+
+##### `env`Required
+
+```typescript
+public readonly env: ResourceEnvironment;
+```
+
+- *Type:* aws-cdk-lib.ResourceEnvironment
+
+The environment this resource belongs to.
+
+For resources that are created and managed by the CDK
+(generally, those created by creating new class instances like Role, Bucket, etc.),
+this is always the same as the environment of the stack they belong to;
+however, for imported resources
+(those obtained from static methods like fromRoleArn, fromBucketName, etc.),
+that might be different than the stack they were imported into.
+
+---
+
+##### `stack`Required
+
+```typescript
+public readonly stack: Stack;
+```
+
+- *Type:* aws-cdk-lib.Stack
+
+The stack in which this resource is defined.
+
+---
+
+##### `standardArn`Required
+
+```typescript
+public readonly standardArn: string;
+```
+
+- *Type:* string
+
+---
+
### ITransitGateway
- *Extends:* constructs.IConstruct
diff --git a/src/config-rules/iam-password-policy.ts b/src/config-rules/iam-password-policy.ts
new file mode 100644
index 00000000..7796e0b4
--- /dev/null
+++ b/src/config-rules/iam-password-policy.ts
@@ -0,0 +1,151 @@
+import { ResourceProps } from 'aws-cdk-lib';
+import { ManagedRule, MaximumExecutionFrequency } from 'aws-cdk-lib/aws-config';
+import { Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { IConstruct } from 'constructs';
+import { RemediationTarget } from '../config/lib';
+import { RemediationConfiguration } from '../config/remediation-configuration';
+import { AutomationDocument } from '../ssm';
+
+
+export interface IamPasswordPolicyProps extends ResourceProps {
+ readonly autoRemediation?: boolean;
+ readonly configRuleName?: string;
+ readonly description?: string;
+ readonly maxPasswordAge?: number;
+ readonly maximumExecutionFrequency?: MaximumExecutionFrequency;
+ readonly minimumPasswordLength?: number;
+ readonly passwordReusePrevention?: number;
+ readonly requireLowercaseCharacters?: boolean;
+ readonly requireNumbers?: boolean;
+ readonly requireSymbols?: boolean;
+ readonly requireUppercaseCharacters?: boolean;
+}
+
+export class IamPasswordPolicy extends ManagedRule {
+ static readonly DEFAULT_DESCRIPTION: string = [
+ 'Checks if the account password policy for AWS Identity and Access',
+ 'Management (IAM) users meets the specified requirements indicated in the',
+ 'parameters. The rule is NON_COMPLIANT if the account password policy',
+ 'does not meet the specified requirements.',
+ ].join(' ');
+ static readonly DEFAULT_MAX_PASSWORD_AGE: number = 90;
+ static readonly DEFAULT_MINIMUM_PASSWORD_LENGTH: number = 14;
+ static readonly DEFAULT_PASSWORD_REUSE_PREVENTION: number = 24;
+ static readonly DEFAULT_REQUIRE_LOWERCASE_CHARACTERS: boolean = true;
+ static readonly DEFAULT_REQUIRE_NUMBERS: boolean = true;
+ static readonly DEFAULT_REQUIRE_SYMBOLS: boolean = true;
+ static readonly DEFAULT_REQUIRE_UPPERCASE_CHARACTERS: boolean = true;
+ static readonly MANAGED_RULE_NAME: string = 'IAM_PASSWORD_POLICY';
+ static readonly REMEDIATION_DOCUMENT_NAME: string = 'AWSConfigRemediation-SetIAMPasswordPolicy';
+
+
+ readonly maxPasswordAge: number;
+ readonly minimumPasswordLength: number;
+ readonly passwordReusePrevention: number;
+ readonly requireLowercaseCharacters: boolean;
+ readonly requireNumbers: boolean;
+ readonly requireSymbols: boolean;
+ readonly requireUppercaseCharacters: boolean;
+ readonly remediationConfiguration: RemediationConfiguration;
+ readonly remediationPolicy: ManagedPolicy;
+ readonly remediationRole: Role;
+
+
+ public constructor(scope: IConstruct, id: string, props: IamPasswordPolicyProps) {
+ const managedRuleName = IamPasswordPolicy.MANAGED_RULE_NAME;
+ const maxPasswordAge = props.maxPasswordAge ?? IamPasswordPolicy.DEFAULT_MAX_PASSWORD_AGE;
+ const minimumPasswordLength = props.minimumPasswordLength ?? IamPasswordPolicy.DEFAULT_MINIMUM_PASSWORD_LENGTH;
+ const passwordReusePrevention = props.passwordReusePrevention ?? IamPasswordPolicy.DEFAULT_PASSWORD_REUSE_PREVENTION;
+ const requireLowercaseCharacters = props.requireLowercaseCharacters ?? IamPasswordPolicy.DEFAULT_REQUIRE_UPPERCASE_CHARACTERS;
+ const requireNumbers = props.requireNumbers ?? IamPasswordPolicy.DEFAULT_REQUIRE_NUMBERS;
+ const requireSymbols = props.requireSymbols ?? IamPasswordPolicy.DEFAULT_REQUIRE_SYMBOLS;
+ const requireUppercaseCharacters = props.requireUppercaseCharacters ?? IamPasswordPolicy.DEFAULT_REQUIRE_UPPERCASE_CHARACTERS;
+
+ super(scope, id, {
+ configRuleName: props.configRuleName,
+ description: props.description ?? IamPasswordPolicy.DEFAULT_DESCRIPTION,
+ identifier: managedRuleName,
+ inputParameters: {
+ MaxPasswordAge: maxPasswordAge,
+ MinimumPasswordLength: minimumPasswordLength,
+ PasswordReusePrevention: passwordReusePrevention,
+ RequireLowercaseCharacters: requireLowercaseCharacters,
+ RequireNumbers: requireNumbers,
+ RequireSymbols: requireSymbols,
+ RequireUppercaseCharacters: requireUppercaseCharacters,
+ },
+ maximumExecutionFrequency: props.maximumExecutionFrequency,
+ });
+
+ this.maxPasswordAge = maxPasswordAge;
+ this.minimumPasswordLength = minimumPasswordLength;
+ this.passwordReusePrevention = passwordReusePrevention;
+ this.requireLowercaseCharacters = requireLowercaseCharacters;
+ this.requireNumbers = requireNumbers;
+ this.requireSymbols = requireSymbols;
+ this.requireUppercaseCharacters = requireUppercaseCharacters;
+
+ const description = [
+ `Allows remdiation of of a non-compliant '${managedRuleName}' AWS`,
+ 'Config rule finding.',
+ ].join(' ');
+
+ this.remediationPolicy = new ManagedPolicy(this, 'remediation-policy', {
+ description: description,
+ path: '/config/',
+ statements: [
+ new PolicyStatement({
+ actions: [
+ 'iam:GetAccountPasswordPolicy',
+ 'iam:UpdateAccountPasswordPolicy',
+ ],
+ effect: Effect.ALLOW,
+ resources: [
+ '*',
+ ],
+ }),
+ ],
+ });
+
+ this.remediationRole = new Role(this, 'remediation-role', {
+ assumedBy: new ServicePrincipal('ssm.amazonaws.com'),
+ description: description,
+ managedPolicies: [
+ this.remediationPolicy,
+ ],
+ });
+
+ this.remediationConfiguration = new RemediationConfiguration(this, 'remediation-configuration', {
+ configRule: this,
+ staticParameters: {
+ AutomationAssumeRole: [
+ this.remediationRole.roleArn,
+ ],
+ MaxPasswordAge: [
+ maxPasswordAge,
+ ],
+ MinimumPasswordLength: [
+ minimumPasswordLength,
+ ],
+ PasswordReusePrevention: [
+ passwordReusePrevention,
+ ],
+ RequireLowercaseCharacters: [
+ requireLowercaseCharacters,
+ ],
+ RequireNumbers: [
+ requireNumbers,
+ ],
+ RequireSymbols: [
+ requireSymbols,
+ ],
+ RequireUppercaseCharacters: [
+ requireUppercaseCharacters,
+ ],
+ },
+ target: RemediationTarget.automationDocument({
+ document: AutomationDocument.fromManaged(this, 'remediation-document', IamPasswordPolicy.REMEDIATION_DOCUMENT_NAME),
+ }),
+ });
+ }
+}
\ No newline at end of file
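Review bot: In the constructor, `requireLowercaseCharacters` falls back to `IamPasswordPolicy.DEFAULT_REQUIRE_UPPERCASE_CHARACTERS`, which looks like a copy-paste slip. Both constants are `true` today, so behaviour is unchanged, but the lowercase default would silently follow any later edit to the uppercase one; the line should read `const requireLowercaseCharacters = props.requireLowercaseCharacters ?? IamPasswordPolicy.DEFAULT_REQUIRE_LOWERCASE_CHARACTERS;`. Separately, `autoRemediation` is declared on `IamPasswordPolicyProps` but never read: the managed policy, the role trusted by `ssm.amazonaws.com` and the `RemediationConfiguration` are all created unconditionally, so a caller passing `autoRemediation: false` still gets a role allowed to call `iam:UpdateAccountPasswordPolicy`. How `RemediationConfiguration` treats automatic execution is not visible in this hunk, so the flag should either be forwarded to it or gate creation of these resources. The shared description string also has a typo, `'Allows remdiation of of a non-compliant ...'`, which should read `'Allows remediation of a non-compliant ...'`.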
diff --git a/src/config-rules/index.ts b/src/config-rules/index.ts
new file mode 100644
index 00000000..3225fae8
--- /dev/null
+++ b/src/config-rules/index.ts
@@ -0,0 +1,2 @@
+export * from './iam-password-policy';
+export * from './vpc-default-security-group-closed';
\ No newline at end of file
diff --git a/src/config-rules/vpc-default-security-group-closed.ts b/src/config-rules/vpc-default-security-group-closed.ts
new file mode 100644
index 00000000..67ffb1e5
--- /dev/null
+++ b/src/config-rules/vpc-default-security-group-closed.ts
@@ -0,0 +1,99 @@
+import { ArnFormat, ResourceProps } from 'aws-cdk-lib';
+import { ManagedRule, MaximumExecutionFrequency, ResourceType, RuleScope } from 'aws-cdk-lib/aws-config';
+import { Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
+import { IConstruct } from 'constructs';
+import { RemediationTarget } from '../config/lib';
+import { RemediationConfiguration } from '../config/remediation-configuration';
+import { AutomationDocument } from '../ssm';
+
+
+export interface VpcDefaultSecurityGroupClosedProps extends ResourceProps {
+ readonly autoRemediation?: boolean;
+ readonly configRuleName?: string;
+ readonly description?: string;
+ readonly maximumExecutionFrequency?: MaximumExecutionFrequency;
+}
+
+export class VpcDefaultSecurityGroupClosed extends ManagedRule {
+ public static readonly DEFAULT_DESCRIPTION: string = [
+ 'Checks if the default security group of any Amazon Virtual Private Cloud',
+ '(Amazon VPC) does not allow inbound or outbound traffic. The rule is',
+ 'NON_COMPLIANT if the default security group has one or more inbound or',
+ 'outbound traffic rules.',
+ ].join(' ');
+ public static readonly MANAGED_RULE_NAME: string = 'VPC_DEFAULT_SECURITY_GROUP_CLOSED';
+ public static readonly REMEDIATION_DOCUMENT_NAME: string = 'AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules';
+
+ public readonly remediationConfiguration: RemediationConfiguration;
+ public readonly remediationPolicy: ManagedPolicy;
+ public readonly remediationRole: Role;
+
+
+ public constructor(scope: IConstruct, id: string, props: VpcDefaultSecurityGroupClosedProps) {
+ const managedRuleName = VpcDefaultSecurityGroupClosed.MANAGED_RULE_NAME;
+
+ super(scope, id, {
+ configRuleName: props.configRuleName,
+ description: props.description ?? VpcDefaultSecurityGroupClosed.DEFAULT_DESCRIPTION,
+ identifier: managedRuleName,
+ maximumExecutionFrequency: props.maximumExecutionFrequency,
+ ruleScope: RuleScope.fromResource(ResourceType.EC2_SECURITY_GROUP),
+ });
+
+ const description = [
+ `Allows remdiation of of a non-compliant '${managedRuleName}' AWS`,
+ 'Config rule finding.',
+ ].join(' ');
+
+ this.remediationPolicy = new ManagedPolicy(this, 'remediation-policy', {
+ description: description,
+ path: '/config/',
+ statements: [
+ new PolicyStatement({
+ actions: [
+ 'ec2:DescribeSecurityGroups',
+ ],
+ effect: Effect.ALLOW,
+ resources: [
+ '*',
+ ],
+ }),
+ new PolicyStatement({
+ actions: [
+ 'ec2:RevokeSecurityGroupEgress',
+ 'ec2:RevokeSecurityGroupIngress',
+ ],
+ effect: Effect.ALLOW,
+ resources: [
+ this.stack.formatArn({
+ arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+ resource: 'security-group',
+ resourceName: '*',
+ service: 'ec2',
+ }),
+ ],
+ }),
+ ],
+ });
+
+ this.remediationRole = new Role(this, 'remediation-role', {
+ assumedBy: new ServicePrincipal('ssm.amazonaws.com'),
+ description: description,
+ managedPolicies: [
+ this.remediationPolicy,
+ ],
+ });
+ this.remediationConfiguration = new RemediationConfiguration(this, 'remediation-configuration', {
+ configRule: this,
+ resourceParameter: 'GroupId',
+ staticParameters: {
+ AutomationAssumeRole: [
+ this.remediationRole.roleArn,
+ ],
+ },
+ target: RemediationTarget.automationDocument({
+ document: AutomationDocument.fromManaged(this, 'remediation-document', VpcDefaultSecurityGroupClosed.REMEDIATION_DOCUMENT_NAME),
+ }),
+ });
+ }
+}
\ No newline at end of file
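Review bot: `autoRemediation` is declared on `VpcDefaultSecurityGroupClosedProps` and forwarded by `SecurityManager`, but this constructor never reads it, so the `RemediationConfiguration` is always built without `automatic` and the flag has no effect. The visible tail of iam-password-policy.ts builds its remediation configuration the same way. Separately, the role's trust policy lets `ssm.amazonaws.com` assume it with no condition; adding an `aws:SourceAccount` condition narrows cross-service confused-deputy exposure, though it should be confirmed in a test deployment that Config-initiated remediation still runs. The shared description string also reads "remdiation of of" in both rule files.

```typescript
this.remediationRole = new Role(this, 'remediation-role', {
  assumedBy: new ServicePrincipal('ssm.amazonaws.com', {
    conditions: {
      StringEquals: {
        'aws:SourceAccount': this.stack.account,
      },
    },
  }),
  // … unchanged: description, managedPolicies …
});
this.remediationConfiguration = new RemediationConfiguration(this, 'remediation-configuration', {
  automatic: props.autoRemediation,
  // … unchanged: configRule, resourceParameter, staticParameters, target …
});
```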
diff --git a/src/config/index.ts b/src/config/index.ts
new file mode 100644
index 00000000..af8c0d83
--- /dev/null
+++ b/src/config/index.ts
@@ -0,0 +1,2 @@
+export * from './lib';
+export * from './remediation-configuration';
\ No newline at end of file
diff --git a/src/config/lib/index.ts b/src/config/lib/index.ts
new file mode 100644
index 00000000..ae2b3575
--- /dev/null
+++ b/src/config/lib/index.ts
@@ -0,0 +1 @@
+export * from './remediation-target';
\ No newline at end of file
diff --git a/src/config/lib/remediation-target.ts b/src/config/lib/remediation-target.ts
new file mode 100644
index 00000000..cb958111
--- /dev/null
+++ b/src/config/lib/remediation-target.ts
@@ -0,0 +1,58 @@
+import { CfnRemediationConfiguration } from 'aws-cdk-lib/aws-config';
+import { IConstruct } from 'constructs';
+import { IAutomationDocument } from '../../ssm';
+import { definedFieldsOrUndefined } from '../../utils/formatting';
+
+
+export class RemediationTargetType {
+ static readonly SSM_DOCUMENT: RemediationTargetType = RemediationTargetType.of('SSM_DOCUMENT');
+
+ static of(value: string): RemediationTargetType {
+ return new RemediationTargetType(value);
+ }
+
+
+ readonly value: string;
+
+ private constructor(value: string) {
+ this.value = value;
+ }
+}
+
+export interface RemediationTargetConfiguration {
+ readonly controls?: CfnRemediationConfiguration.ExecutionControlsProperty;
+ readonly targetId: string;
+ readonly targetType: RemediationTargetType;
+ readonly targetVersion?: string;
+}
+
+export interface IRemediationTarget {
+ bind(scope: IConstruct): RemediationTargetConfiguration;
+}
+
+export interface AutomationDocumentRemediationProps {
+ readonly concurrencyPercentage?: number;
+ readonly document: IAutomationDocument;
+ readonly errorPercentage?: number;
+ readonly version?: string;
+}
+
+export class RemediationTarget {
+ static automationDocument(props: AutomationDocumentRemediationProps): IRemediationTarget {
+ return {
+ bind: (_scope) => {
+ return {
+ controls: definedFieldsOrUndefined({
+ ssmControls: definedFieldsOrUndefined({
+ concurrentExecutionRatePercentage: props.concurrencyPercentage,
+ errorPercentage: props.errorPercentage,
+ }),
+ }),
+ targetId: props.document.documentName,
+ targetType: RemediationTargetType.SSM_DOCUMENT,
+ targetVersion: props.version,
+ };
+ },
+ };
+ }
+}
\ No newline at end of file
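Review bot: `concurrencyPercentage` and `errorPercentage` go straight into `ssmControls` in `RemediationTarget.automationDocument` with no range check, so an out-of-range value is only caught at deployment. CloudFormation documents both fields as 1–100, and a synth-time guard would fail earlier, for example `if (props.errorPercentage !== undefined && (props.errorPercentage < 1 || props.errorPercentage > 100)) { throw new Error('errorPercentage must be between 1 and 100.'); }`, with the same check for `concurrencyPercentage`. The guard would need to skip unresolved tokens if callers are expected to pass them. The exported props also carry no TSDoc, so neither the units nor the effect of omitting `version` is documented.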
diff --git a/src/config/remediation-configuration.ts b/src/config/remediation-configuration.ts
new file mode 100644
index 00000000..b46ea1ad
--- /dev/null
+++ b/src/config/remediation-configuration.ts
@@ -0,0 +1,156 @@
+import { ArnFormat, Duration, Lazy, Resource, ResourceProps } from 'aws-cdk-lib';
+import { CfnRemediationConfiguration, IRule } from 'aws-cdk-lib/aws-config';
+import { IConstruct } from 'constructs';
+import { IRemediationTarget } from './lib';
+import { ResourceImporter } from '../utils/importer';
+
+
+export interface IRemediationConfiguration {
+ readonly remediationConfigurationArn: string;
+ readonly remediationConfigurationName: string;
+}
+
+abstract class RemediationConfigurationBase extends Resource implements IRemediationConfiguration {
+ public abstract readonly remediationConfigurationArn: string;
+ public abstract readonly remediationConfigurationName: string;
+}
+
+export interface RemediationConfigurationAttributes {
+ readonly arn?: string;
+ readonly name?: string;
+}
+
+export interface RemediationConfigurationProps extends ResourceProps {
+ readonly automatic?: boolean;
+ readonly configRule: IRule;
+ readonly maximumAutomaticAttempts?: number;
+ readonly resourceParameter?: string;
+ readonly resourceType?: string;
+ readonly retryInterval?: Duration;
+ readonly staticParameters: {[key: string]: any[]};
+ readonly target: IRemediationTarget;
+}
+
+export class RemediationConfiguration extends RemediationConfigurationBase {
+ public static readonly ARN_FORMAT: ArnFormat = ArnFormat.SLASH_RESOURCE_NAME;
+
+ public static fromRemediationConfigurationArn(scope: IConstruct, id: string, arn: string): IRemediationConfiguration {
+ return RemediationConfiguration.fromRemediationConfigurationAttributes(scope, id, {
+ arn: arn,
+ });
+ }
+
+ public static fromRemediationConfigurationAttributes(
+ scope: IConstruct,
+ id: string,
+ attrs: RemediationConfigurationAttributes,
+ ): IRemediationConfiguration {
+ const importer = new ResourceImporter(scope, id, {
+ arnFormat: RemediationConfiguration.ARN_FORMAT,
+ service: 'config',
+ resource: 'remediation-configuration',
+ });
+
+ const identities = importer.resolveIdentities(attrs.arn, attrs.name);
+
+ class Import extends RemediationConfigurationBase {
+ public readonly remediationConfigurationArn = identities.arn;
+ public readonly remediationConfigurationName = identities.id;
+ }
+
+ return new Import(scope, id);
+ }
+
+ public static fromRemediationConfigurationName(scope: IConstruct, id: string, name: string): IRemediationConfiguration {
+ return RemediationConfiguration.fromRemediationConfigurationAttributes(scope, id, {
+ name: name,
+ });
+ }
+
+
+ private readonly _parameters: {[key: string]: any};
+
+ public readonly automatic?: boolean;
+ public readonly configRule: IRule;
+ public readonly maximumAutomaticAttempts?: number;
+ public readonly resourceType?: string;
+ public readonly retryInterval?: Duration;
+
+ public readonly resource: CfnRemediationConfiguration;
+
+ public readonly remediationConfigurationArn: string;
+ public readonly remediationConfigurationName: string;
+
+
+ public constructor(scope: IConstruct, id: string, props: RemediationConfigurationProps) {
+ super(scope, id, props);
+
+ this._parameters = {};
+
+ this.automatic = props.automatic;
+ this.configRule = props.configRule;
+ this.maximumAutomaticAttempts = props.maximumAutomaticAttempts;
+ this.resourceType = props.resourceType;
+ this.retryInterval = props.retryInterval;
+
+ const target = props.target.bind(this);
+
+ if (props.resourceParameter) {
+ this._parameters[props.resourceParameter] = {
+ ResourceValue: {
+ Value: 'RESOURCE_ID',
+ },
+ };
+ }
+
+ this.resource = new CfnRemediationConfiguration(this, 'Resource', {
+ automatic: this.automatic,
+ configRuleName: this.configRule.configRuleName,
+ executionControls: target.controls,
+ maximumAutomaticAttempts: this.maximumAutomaticAttempts,
+ parameters: Lazy.any({
+ produce: () => {
+ return this.renderParameters();
+ },
+ }),
+ resourceType: this.resourceType,
+ retryAttemptSeconds: this.retryInterval?.toSeconds(),
+ targetId: target.targetId,
+ targetType: target.targetType.value,
+ targetVersion: target.targetVersion,
+ });
+
+ this.remediationConfigurationArn = this.stack.formatArn({
+ arnFormat: RemediationConfiguration.ARN_FORMAT,
+ resource: 'remediation-configuration',
+ resourceName: this.resource.ref,
+ service: 'config',
+ });
+
+ this.remediationConfigurationName = this.resource.ref;
+ const parameters = props.staticParameters ?? {};
+
+ Object.keys(parameters).forEach((x) => {
+ this.addParameter(x, ...parameters[x]);
+ });
+ }
+
+ public addParameter(key: string, ...values: string[]): void {
+ if (key in this._parameters) {
+ throw new Error([
+ `A parameter with the key '${key}' already exists in the remediation`,
+ `configuration '${this.node.path}'. Cannot add duplicate parameter.`,
+ ].join(' '));
+ }
+
+ this._parameters[key] = {
+ StaticValue: {
+ Values: values,
+ },
+ };
+ }
+
+ protected renderParameters(): any {
+ return this._parameters;
+ }
+}
\ No newline at end of file
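Review bot: `staticParameters` is typed `{[key: string]: any[]}` while `addParameter` takes `...values: string[]`, so the spread in the constructor lets numbers or booleans reach `StaticValue.Values` unchecked. Tightening the prop to `readonly staticParameters: {[key: string]: string[]};` makes callers convert explicitly; whether the password-policy rule passes non-string values cannot be seen from this hunk. The prop is required, so the `?? {}` fallback is dead unless it is meant to be optional. In `addParameter`, `key in this._parameters` also matches inherited names such as `constructor`; `Object.prototype.hasOwnProperty.call(this._parameters, key)` avoids the false duplicate.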
diff --git a/src/index.ts b/src/index.ts
index 53b21700..7c8c0aff 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -9,6 +9,8 @@ export * as asserts from './asserts';
export * as alerting from './alerting';
export * as aps from './aps';
export * as athena from './athena';
+export * as config from './config';
+export * as config_rules from './config-rules';
export * as ec2 from './ec2';
export * as ec2_patterns from './ec2-patterns';
export * as eks_patterns from './eks-patterns';
@@ -26,7 +28,10 @@ export * as rds from './rds';
export * as resourcegroups from './resourcegroups';
export * as route53 from './route53';
export * as s3_buckets from './s3-buckets';
+export * as securityhub from './securityhub';
+export * as securityhub_patterns from './securityhub-patterns';
export * as sso from './sso';
+export * as ssm from './ssm';
export * as stepfunctions from './stepfunctions';
export * as stacks from './stacks';
diff --git a/src/securityhub-patterns/index.ts b/src/securityhub-patterns/index.ts
new file mode 100644
index 00000000..c6182f2a
--- /dev/null
+++ b/src/securityhub-patterns/index.ts
@@ -0,0 +1 @@
+export * from './security-manager';
\ No newline at end of file
diff --git a/src/securityhub-patterns/security-manager.ts b/src/securityhub-patterns/security-manager.ts
new file mode 100644
index 00000000..908c2e75
--- /dev/null
+++ b/src/securityhub-patterns/security-manager.ts
@@ -0,0 +1,39 @@
+import { Resource, ResourceProps } from 'aws-cdk-lib';
+import { IConstruct } from 'constructs';
+import { IamPasswordPolicy, VpcDefaultSecurityGroupClosed } from '../config-rules';
+import { Hub, IHub } from '../securityhub/hub';
+
+
+export interface SecurityHubOptions {
+ readonly enabled?: boolean;
+ readonly hub?: IHub;
+}
+
+export interface SecurityManagerProps extends ResourceProps {
+ readonly autoRemediate?: boolean;
+ readonly securityHub?: SecurityHubOptions;
+}
+
+export class SecurityManager extends Resource {
+ public readonly autoRemediate: boolean;
+ public readonly hub?: IHub;
+
+
+ public constructor(scope: IConstruct, id: string, props: SecurityManagerProps) {
+ super(scope, id, props);
+
+ this.autoRemediate = props.autoRemediate ?? false;
+
+ if (props.securityHub?.enabled ?? true) {
+ this.hub = props.securityHub?.hub ?? new Hub(this, 'hub');
+ }
+
+ new IamPasswordPolicy(this, 'rule-iam-password-policy', {
+ autoRemediation: this.autoRemediate,
+ });
+
+ new VpcDefaultSecurityGroupClosed(this, 'rule-vpc-security-group-closed', {
+ autoRemediation: this.autoRemediate,
+ });
+ }
+}
\ No newline at end of file
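Review bot: The two rule constructs in the `SecurityManager` constructor are created and discarded, so callers cannot reach their `remediationRole`, `remediationPolicy` or `remediationConfiguration` to audit or tighten them. Keeping them as fields would fix that, e.g. `public readonly iamPasswordPolicy: IamPasswordPolicy;` and `public readonly vpcDefaultSecurityGroupClosed: VpcDefaultSecurityGroupClosed;`. `autoRemediate` deserves a TSDoc comment stating that enabling it is intended to let remediation change the account password policy and revoke default security group rules without manual approval, and that it defaults to `false`. Since every field of `SecurityManagerProps` is optional, `props: SecurityManagerProps = {}` would match the `Hub` constructor in this diff.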
diff --git a/src/securityhub/hub.ts b/src/securityhub/hub.ts
new file mode 100644
index 00000000..0a8bb514
--- /dev/null
+++ b/src/securityhub/hub.ts
@@ -0,0 +1,110 @@
+import { ArnFormat, Resource, ResourceProps } from 'aws-cdk-lib';
+import { CfnHub } from 'aws-cdk-lib/aws-securityhub';
+import { IConstruct } from 'constructs';
+import { ResourceImporter } from '../utils/importer';
+
+
+export class ControlFindingGenerator {
+ public static readonly SECURITY_CONTROL: ControlFindingGenerator = ControlFindingGenerator.of('SECURITY_CONTROL');
+ public static readonly STANDARD_CONTROL: ControlFindingGenerator = ControlFindingGenerator.of('STANDARD_CONTROL');
+
+ static of(value: string): ControlFindingGenerator {
+ return new ControlFindingGenerator(value);
+ }
+
+
+ readonly value: string;
+
+ private constructor(value: string) {
+ this.value = value;
+ }
+}
+
+export interface IHub {
+ readonly hubArn: string;
+ readonly hubName: string;
+}
+
+abstract class HubBase extends Resource implements IHub {
+ public abstract readonly hubArn: string;
+ public abstract readonly hubName: string;
+}
+
+export interface HubProps extends ResourceProps {
+ readonly autoEnableControls?: boolean;
+ readonly consolidatedFindings?: boolean;
+ readonly enableDefaultStandards?: boolean;
+}
+
+export interface HubAttributes {
+ readonly arn?: string;
+ readonly name?: string;
+}
+
+export class Hub extends HubBase {
+ public static readonly ARN_FORMAT: ArnFormat = ArnFormat.SLASH_RESOURCE_NAME;
+
+ public static fromHubArn(scope: IConstruct, id: string, arn: string): IHub {
+ return Hub.fromHubAttributes(scope, id, {
+ arn: arn,
+ });
+ }
+
+ public static fromHubAttributes(scope: IConstruct, id: string, attrs: HubAttributes): IHub {
+ const importer = new ResourceImporter(scope, id, {
+ arnFormat: Hub.ARN_FORMAT,
+ service: 'securityhub',
+ resource: 'hub',
+ });
+
+ const identities = importer.resolveIdentities(attrs.arn, attrs.name);
+
+ class Import extends HubBase {
+ public readonly hubArn = identities.arn;
+ public readonly hubName = identities.id;
+ }
+
+ return new Import(scope, id);
+ }
+
+ public static fromHubName(scope: IConstruct, id: string, name: string): IHub {
+ return Hub.fromHubAttributes(scope, id, {
+ name: name,
+ });
+ }
+
+
+ public readonly autoEnableControls?: boolean;
+ public readonly consolidatedFindings?: boolean;
+ public readonly controlFindingGenerator?: ControlFindingGenerator;
+ public readonly enableDefaultStandards?: boolean;
+
+ public readonly resource: CfnHub;
+
+ public readonly hubArn: string;
+ public readonly hubName: string;
+
+
+ public constructor(scope: IConstruct, id: string, props: HubProps = {}) {
+ super(scope, id, props);
+
+ this.autoEnableControls = props.autoEnableControls;
+ this.consolidatedFindings = props.consolidatedFindings;
+ this.enableDefaultStandards = props.enableDefaultStandards;
+
+ if (this.consolidatedFindings === true) {
+ this.controlFindingGenerator = ControlFindingGenerator.SECURITY_CONTROL;
+ } else if (this.consolidatedFindings === false) {
+ this.controlFindingGenerator = ControlFindingGenerator.STANDARD_CONTROL;
+ }
+
+ this.resource = new CfnHub(this, 'Resource', {
+ autoEnableControls: this.autoEnableControls,
+ controlFindingGenerator: this.controlFindingGenerator?.value,
+ enableDefaultStandards: this.enableDefaultStandards,
+ });
+
+ this.hubArn = this.resource.ref;
+ this.hubName = this.stack.splitArn(this.resource.ref, Hub.ARN_FORMAT).resourceName!;
+ }
+}
\ No newline at end of file
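Review bot: `consolidatedFindings` is effectively tri-state in the `Hub` constructor and nothing documents it: `true` selects `SECURITY_CONTROL`, `false` selects `STANDARD_CONTROL`, and `undefined` leaves `controlFindingGenerator` unset so the service default applies. A TSDoc comment on the `HubProps` field should say so, and should also state what leaving `enableDefaultStandards` unset does, since it is passed through as `undefined`. The `resourceName!` assertion on `splitArn` hides the case where the name is missing; an explicit check that throws a descriptive error would be safer than the non-null assertion.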
diff --git a/src/securityhub/index.ts b/src/securityhub/index.ts
new file mode 100644
index 00000000..dc2e1608
--- /dev/null
+++ b/src/securityhub/index.ts
@@ -0,0 +1,2 @@
+export * from './hub';
+export * from './standard';
\ No newline at end of file
diff --git a/src/securityhub/standard.ts b/src/securityhub/standard.ts
new file mode 100644
index 00000000..77301950
--- /dev/null
+++ b/src/securityhub/standard.ts
@@ -0,0 +1,188 @@
+import { ArnFormat, IResource, Lazy, Resource, ResourceProps, Stack } from 'aws-cdk-lib';
+import { CfnStandard } from 'aws-cdk-lib/aws-securityhub';
+import { IConstruct } from 'constructs';
+
+
+export interface RuleSetProps {
+ readonly default?: boolean;
+ readonly description?: string;
+ readonly global?: boolean;
+ readonly id: string;
+ readonly name?: string;
+ readonly version: string;
+}
+
+export interface ScopedRuleSet {
+ readonly arn: string;
+ readonly default?: boolean;
+ readonly description?: string;
+ readonly id: string;
+ readonly name?: string;
+ readonly version: string;
+}
+
+export class RuleSet {
+ public static readonly ARN_FORMAT: ArnFormat = ArnFormat.SLASH_RESOURCE_NAME;
+
+ public static readonly CIS_FOUNDATIONS_1_2_0: RuleSet = RuleSet.of({
+ default: true,
+ description: [
+ 'The Center for Internet Security (CIS) AWS Foundations Benchmark',
+ 'v1.2.0 is a set of security configuration best practices for AWS. This',
+ 'Security Hub standard automatically checks for your compliance',
+ 'readiness against a subset of CIS requirements.',
+ ].join(' '),
+ global: true,
+ id: 'cis-aws-foundations-benchmark',
+ name: 'CIS AWS Foundations Benchmark v1.2.0',
+ version: '1.2.0',
+ });
+ public static readonly CIS_FOUNDATIONS_1_4_0: RuleSet = RuleSet.of({
+ default: false,
+ description: [
+ 'The Center for Internet Security (CIS) AWS Foundations Benchmark',
+ 'v1.4.0 is a set of security configuration best practices for AWS. This',
+ 'Security Hub standard automatically checks for your compliance',
+ 'readiness against a subset of CIS requirements.',
+ ].join(' '),
+ id: 'cis-aws-foundations-benchmark',
+ name: 'CIS AWS Foundations Benchmark v1.4.0',
+ version: '1.4.0',
+ });
+ public static readonly FOUNDATIONAL_BEST_PRACTICES_1_0_0: RuleSet = RuleSet.of({
+ default: true,
+ description: [
+ 'The AWS Foundational Security Best Practices standard is a set of',
+ 'automated security checks that detect when AWS accounts and deployed',
+ 'resources do not align to security best practices. The standard is',
+ 'defined by AWS security experts. This curated set of controls helps',
+ "improve your security posture in AWS, and cover AWS's most popular and",
+ 'foundational services.',
+ ].join(' '),
+ id: 'aws-foundational-security-best-practices',
+ name: 'AWS Foundational Security Best Practices v1.0.0',
+ version: '1.0.0',
+ });
+ public static readonly NIST_800_53_5_0_0: RuleSet = RuleSet.of({
+ default: false,
+ description: [
+ 'NIST Special Publication 800-53 Revision 5 provides a catalog of',
+ 'security and privacy controls for information systems and',
+ 'organizations. This Security Hub standard automatically checks for',
+ 'your compliance readiness against a subset of NIST 800-53 R5',
+ 'requirements.',
+ ].join(' '),
+ id: 'nist-800-53',
+ name: 'NIST Special Publication 800-53 Revision 5',
+ version: '5.0.0',
+ });
+ public static readonly PCI_DSS_3_2_1: RuleSet = RuleSet.of({
+ default: false,
+ description: [
+ 'The Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 is',
+ 'an information security standard for entities that store, process,',
+ 'and/or transmit cardholder data. This Security Hub standard',
+ 'automatically checks for your compliance readiness against a subset of',
+ 'PCI DSS requirements.',
+ ].join(' '),
+ id: 'pci-dss',
+ name: 'PCI DSS v3.2.1',
+ version: '3.2.1',
+ });
+
+ private static of(props: RuleSetProps): RuleSet {
+ return new RuleSet(props);
+ }
+
+
+ private readonly _props;
+
+ private constructor(props: RuleSetProps) {
+ this._props = props;
+ }
+
+ public bind(scope: IConstruct): ScopedRuleSet {
+ return {
+ ...this._props,
+ arn: Stack.of(scope).formatArn({
+ arnFormat: RuleSet.ARN_FORMAT,
+ account: '',
+ region: (this._props.global ?? false) ? '' : undefined,
+ resource: (this._props.global ?? false) ? 'ruleset' : 'standard',
+ resourceName: `${this._props.id}/v/${this._props.version}`,
+ service: 'securityhub',
+ }),
+ };
+ }
+}
+
+export interface IStandard extends IResource {
+ readonly standardArn: string;
+}
+
+abstract class StandardBase extends Resource implements IStandard {
+ public abstract readonly standardArn: string;
+}
+
+export interface StandardProps extends ResourceProps {
+ readonly disabledControls?: string[];
+ readonly ruleSet: RuleSet;
+}
+
+export interface DisableControlOptions {
+ readonly reason: string;
+}
+
+export class Standard extends StandardBase {
+ public static readonly ARN_FORMAT: ArnFormat = ArnFormat.SLASH_RESOURCE_NAME;
+
+ public static fromStandardArn(scope: IConstruct, id: string, arn: string): IStandard {
+ class Import extends StandardBase {
+ public readonly standardArn = arn;
+ }
+
+ return new Import(scope, id);
+ }
+
+
+ private readonly _disabledControls: CfnStandard.StandardsControlProperty[];
+ private readonly _scopedRuleSet: ScopedRuleSet;
+
+ public readonly resource: CfnStandard;
+ public readonly standardArn: string;
+
+
+ public constructor(scope: IConstruct, id: string, props: StandardProps) {
+ super(scope, id, props);
+
+ this._disabledControls = [];
+ this._scopedRuleSet = props.ruleSet.bind(this);
+
+ this.standardArn = this._scopedRuleSet.arn;
+
+ this.resource = new CfnStandard(this, 'Resource', {
+ disabledStandardsControls: Lazy.any(
+ {
+ produce: () => {
+ return this._disabledControls;
+ },
+ },
+ {
+ omitEmptyArray: true,
+ },
+ ),
+ standardsArn: this.standardArn,
+ });
+ }
+
+ public disableControl(control: string, options: DisableControlOptions): void {
+ this._disabledControls.push({
+ reason: options.reason,
+ standardsControlArn: this.stack.formatArn({
+ resource: 'control',
+ resourceName: `${this._scopedRuleSet.id}/v/${this._scopedRuleSet.version}/${control}`,
+ service: 'securityhub',
+ }),
+ });
+ }
+}
\ No newline at end of file
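Review bot: `StandardProps.disabledControls` is accepted but the `Standard` constructor never reads it, so controls listed there stay enabled and no error is raised. Because `disableControl` requires a `reason`, a bare `string[]` cannot be forwarded as is. Either drop the prop, or change its element type to carry a reason and call `disableControl` for each entry at the end of the constructor. In `RuleSet`, `private readonly _props;` has no annotation; `private readonly _props: RuleSetProps;` states the type instead of relying on inference from the constructor. `bind` also spreads `global` into the returned object although `ScopedRuleSet` does not declare it.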
diff --git a/src/ssm/automation-document.ts b/src/ssm/automation-document.ts
new file mode 100644
index 00000000..0ac8bdd8
--- /dev/null
+++ b/src/ssm/automation-document.ts
@@ -0,0 +1,79 @@
+import { Resource, Stack } from 'aws-cdk-lib';
+import { IConstruct } from 'constructs';
+import { DocumentBase, DocumentType, IDocument } from './document-base';
+import { DocumentContent, DocumentFormat } from './lib';
+
+
+export class AutomationSchemaVersion {
+ public static readonly VER_0_3: AutomationSchemaVersion= AutomationSchemaVersion.of('0.3');
+
+ public static of(version: string): AutomationSchemaVersion {
+ return new AutomationSchemaVersion(version);
+ }
+
+
+ public readonly version: string;
+
+ private constructor(version: string) {
+ this.version = version;
+ }
+}
+
+export interface IAutomationDocument extends IDocument {
+ readonly automationDefinitionArn: string;
+ arnForAutomationDefinitionVersion(version: string): string;
+}
+
+export class AutomationDocument extends DocumentBase implements IAutomationDocument {
+ public static readonly DEFAULT_SCHEMA_VERSION: AutomationSchemaVersion = AutomationSchemaVersion.VER_0_3;
+
+ public static fromManaged(scope: IConstruct, id: string, managedDocumentName: string): IAutomationDocument {
+ class Import extends Resource {
+ public readonly automationDefinitionArn = Stack.of(scope).formatArn({
+ account: '',
+ arnFormat: AutomationDocument.ARN_FORMAT,
+ resource: 'automation-definition',
+ resourceName: managedDocumentName,
+ service: 'ssm',
+ });
+ public readonly documentArn = Stack.of(scope).formatArn({
+ account: '',
+ arnFormat: AutomationDocument.ARN_FORMAT,
+ resource: 'document',
+ resourceName: managedDocumentName,
+ service: 'ssm',
+ });
+ public readonly documentName = managedDocumentName;
+
+ public arnForAutomationDefinitionVersion(version: string): string {
+ return `${this.automationDefinitionArn}:${version}`;
+ }
+ }
+
+ return new Import(scope, id);
+ }
+
+ public readonly automationDefinitionArn: string;
+
+
+ private constructor(scope: IConstruct, id: string) {
+ super(scope, id, {
+ documentType: DocumentType.AUTOMATION,
+ content: DocumentContent.fromString({
+ content: '{}',
+ documentFormat: DocumentFormat.JSON,
+ }),
+ });
+
+ this.automationDefinitionArn = this.stack.formatArn({
+ arnFormat: AutomationDocument.ARN_FORMAT,
+ resource: 'automation-definition',
+ resourceName: this.documentName,
+ service: 'ssm',
+ });
+ }
+
+ public arnForAutomationDefinitionVersion(version: string): string {
+ return `${this.automationDefinitionArn}:${version}`;
+ }
+}
\ No newline at end of file
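Review bot: The `AutomationDocument` constructor is `private` and hard-codes `content: '{}'`, so the class can only be obtained through `fromManaged` and the constructor body looks like an unreachable placeholder. If authoring custom automation documents is planned, a comment such as `// Placeholder: custom automation content is not supported yet; use fromManaged().` would make that explicit; otherwise the constructor and the unused `DEFAULT_SCHEMA_VERSION` could be removed. `fromManaged` builds ARNs with `account: ''`, which is only correct for AWS-owned documents. That restriction belongs in a TSDoc comment on the method, which API.md currently lists as "No description".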
diff --git a/src/ssm/document-base.ts b/src/ssm/document-base.ts
new file mode 100644
index 00000000..20a5fc65
--- /dev/null
+++ b/src/ssm/document-base.ts
@@ -0,0 +1,179 @@
+import { ArnFormat, IResource, Lazy, PhysicalName, Resource, ResourceProps } from 'aws-cdk-lib';
+import { CfnDocument } from 'aws-cdk-lib/aws-ssm';
+import { IConstruct } from 'constructs';
+import { IDocumentContent } from './lib';
+
+
+export interface IDocument extends IResource {
+ readonly documentArn: string;
+ readonly documentName: string;
+}
+
+export class DocumentType {
+ public static readonly APPLICATION_CONFIGURATION: DocumentType = DocumentType.of('ApplicationConfiguration');
+ public static readonly APPLICATION_CONFIGURATION_SCHEMA: DocumentType = DocumentType.of('ApplicationConfigurationSchema');
+ public static readonly AUTOMATION: DocumentType = DocumentType.of('Automation');
+ public static readonly AUTOMATION_CHANGE_TEMPLATE: DocumentType = DocumentType.of('Automation.ChangeTemplate');
+ public static readonly COMMAND: DocumentType = DocumentType.of('Command');
+ public static readonly DEPLOYMENT_STRATEGY: DocumentType = DocumentType.of('DeploymentStrategy');
+ public static readonly PACKAGE: DocumentType = DocumentType.of('Package');
+ public static readonly POLICY: DocumentType = DocumentType.of('Policy');
+ public static readonly SESSION: DocumentType = DocumentType.of('Session');
+
+ public static of(value: string): DocumentType {
+ return new DocumentType(value);
+ }
+
+
+ public readonly name: string;
+
+ private constructor(name: string) {
+ this.name = name;
+ }
+}
+
+export class DocumentUpdateMethod {
+ public static readonly NEW_VERSION: DocumentUpdateMethod = DocumentUpdateMethod.of('NewVersion');
+ public static readonly REPLACE: DocumentUpdateMethod = DocumentUpdateMethod.of('Replace');
+
+ public static of(value: string): DocumentUpdateMethod {
+ return new DocumentUpdateMethod(value);
+ }
+
+
+ public readonly value: string;
+
+ private constructor(value: string) {
+ this.value = value;
+ }
+}
+
+export interface DocumentRequirement {
+ readonly document: IDocument;
+ readonly version?: string;
+}
+
+export interface DocumentBaseProps extends ResourceProps {
+ readonly content: IDocumentContent;
+ readonly documentType?: DocumentType;
+ readonly name?: string;
+ readonly requires?: DocumentRequirement[];
+ readonly targetType?: string;
+ readonly updateMethod?: DocumentUpdateMethod;
+ readonly versionName?: string;
+}
+
+export class DocumentBase extends Resource implements IDocument {
+ public static readonly ARN_FORMAT: ArnFormat = ArnFormat.SLASH_RESOURCE_NAME;
+
+ private readonly _requires: DocumentRequirement[];
+
+ public readonly content: IDocumentContent;
+ public readonly documentType?: DocumentType;
+ public readonly name?: string;
+ public readonly targetType?: string;
+ public readonly updateMethod?: DocumentUpdateMethod;
+ public readonly versionName?: string;
+
+ public get requires(): DocumentRequirement[] {
+ return [...this._requires];
+ }
+
+ public readonly resource: CfnDocument;
+
+ public readonly documentArn: string;
+ public readonly documentName: string;
+
+
+ public constructor(scope: IConstruct, id: string, props: DocumentBaseProps) {
+ super(scope, id, {
+ physicalName: props.name ?? PhysicalName.GENERATE_IF_NEEDED,
+ });
+
+ this._requires = [];
+
+ this.content = props.content;
+ this.documentType = props.documentType;
+ this.name = this.physicalName;
+ this.targetType = props.targetType;
+ this.updateMethod = props.updateMethod;
+ this.versionName = props.versionName;
+
+ const boundContent = this.content.bind(this);
+
+ this.resource = new CfnDocument(this, 'Resource', {
+ content: boundContent.content,
+ documentFormat: boundContent.documentFormat.value,
+ documentType: this.documentType?.name,
+ name: this.name,
+ requires: Lazy.any(
+ {
+ produce: () => {
+ return this._requires.map((x) => {
+ return {
+ name: x.document.documentName,
+ version: x.version,
+ };
+ });
+ },
+ },
+ {
+ omitEmptyArray: true,
+ },
+ ),
+ targetType: this.targetType,
+ updateMethod: this.updateMethod?.value,
+ versionName: this.versionName,
+ });
+
+ this.documentArn = this.stack.formatArn({
+ arnFormat: DocumentBase.ARN_FORMAT,
+ resource: 'document',
+ resourceName: this.resource.ref,
+ service: 'ssm',
+ });
+ this.documentName = this.resource.ref;
+
+ props.requires?.forEach((x) => {
+ this.addRequirement(x);
+ });
+
+ this.node.addValidation({
+ validate: () => {
+ return this.validate();
+ },
+ });
+ }
+
+ protected addRequirement(requirement: DocumentRequirement): IDocument {
+ this._requires.push(requirement);
+ return this;
+ }
+
+ protected validate(): string[] {
+ const result: string[] = [];
+ const propertyTypesDocumentation = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html';
+ const targetTypeRegex = /^\/[\w\.\-\:\/]*$/;
+ const versionNameRegex = /^[a-zA-Z0-9_\-.]{1,128}$/;
+
+ if (this.targetType && this.targetType.match(targetTypeRegex)) {
+ result.push([
+ `Provided target type '${this.targetType}' failed validation. Valid`,
+ 'target types should start with a forward slash and can contain an',
+ 'optional property type name. For a list of valid property type see:',
+ propertyTypesDocumentation,
+ ].join(' '));
+ }
+
+ if (this.versionName && this.versionName.match(versionNameRegex)) {
+ result.push([
+ `Provided version name '${this.versionName}' failed validation. Valid`,
+ 'version names must be between 1 and 128 charactes and contain',
+ 'only alphanumeric characters, underscores, hyphens, and periods.',
+ `Regular expression used for validation: ${versionNameRegex}.`,
+ ].join(' '));
+ }
+
+ return result;
+ }
+}
\ No newline at end of file
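Review bot: Both checks in `validate()` are inverted: an error is pushed when the value matches its pattern, so a well-formed `targetType` or `versionName` fails synthesis and a malformed one passes. The conditions should be negated, `if (this.targetType && !targetTypeRegex.test(this.targetType)) {` and `if (this.versionName && !versionNameRegex.test(this.versionName)) {`. The constructor also passes only `physicalName` to `super`, so any `account`, `region` or `environmentFromArn` supplied through `ResourceProps` is silently dropped. The version-name message misspells "characters" as "charactes".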
diff --git a/src/ssm/document.ts b/src/ssm/document.ts
new file mode 100644
index 00000000..ef49b801
--- /dev/null
+++ b/src/ssm/document.ts
@@ -0,0 +1,11 @@
+import { IConstruct } from 'constructs';
+import { DocumentBase, DocumentBaseProps } from './document-base';
+
+
+export interface DocumentProps extends DocumentBaseProps {}
+
+export class Document extends DocumentBase {
+ public constructor(scope: IConstruct, id: string, props: DocumentProps) {
+ super(scope, id, props);
+ }
+}
\ No newline at end of file
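Review bot: `Document` and `DocumentProps` are exported without TSDoc, and the constructor only forwards to `super`, so all behaviour, including synth-time validation, is inherited. A one-line comment such as `/** Generic SSM document; all configuration and validation come from DocumentBase. */` would make that explicit. Relatedly, the `validate()` shown immediately before this file in the diff (presumably the base class) pushes its error when `this.targetType.match(targetTypeRegex)` and `this.versionName.match(versionNameRegex)` succeed, which looks inverted. If so, a `Document` with a well-formed target type or version name fails validation while a malformed one passes. The conditions should then read `!targetTypeRegex.test(this.targetType)` and `!versionNameRegex.test(this.versionName)`.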
diff --git a/src/ssm/index.ts b/src/ssm/index.ts
new file mode 100644
index 00000000..c8b967e0
--- /dev/null
+++ b/src/ssm/index.ts
@@ -0,0 +1,4 @@
+export * from './lib';
+export * from './automation-document';
+export * from './document';
+export * from './document-base';
\ No newline at end of file
diff --git a/src/ssm/lib/document-content.ts b/src/ssm/lib/document-content.ts
new file mode 100644
index 00000000..a68883b5
--- /dev/null
+++ b/src/ssm/lib/document-content.ts
@@ -0,0 +1,50 @@
+import { Lazy, Stack } from 'aws-cdk-lib';
+import { IConstruct } from 'constructs';
+import { DocumentFormat } from './document-format';
+
+
+export interface DocumentContentResult {
+ readonly content: string;
+ readonly documentFormat: DocumentFormat;
+}
+
+export interface IDocumentContent {
+ bind(scope: IConstruct): DocumentContentResult;
+}
+
+export interface ObjectContentProps {
+ readonly input: {[key: string]: any};
+}
+
+export interface StringContentProps {
+ readonly content: string;
+ readonly documentFormat: DocumentFormat;
+}
+
+export class DocumentContent {
+ public static fromObject(props: ObjectContentProps): IDocumentContent {
+ return {
+ bind: (scope) => {
+ return {
+ content: Lazy.string({
+ produce: () => {
+ return Stack.of(scope).toJsonString(props.input);
+ },
+ }),
+ documentFormat: DocumentFormat.JSON,
+ };
+ },
+ };
+ }
+
+ public static fromString(props: StringContentProps): IDocumentContent {
+ return {
+ bind: (_scope) => {
+ return {
+ content: props.content,
+ documentFormat: props.documentFormat,
+ };
+ },
+ };
+ }
+}
\ No newline at end of file
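Review bot: `fromString` returns `props.content` and `props.documentFormat` unchanged, so a body that does not parse as the declared format would presumably only be rejected at deploy time, and neither factory nor the props interfaces carry TSDoc. This content defines what Systems Manager executes against its targets and is presumably emitted into the synthesized template as-is, so the property docs should say so. For example, on `StringContentProps.content`: `/** Raw document body; must be valid for documentFormat. Do not inline secrets, it is written to the template in plain text. */`. `ObjectContentProps.input` is typed `{[key: string]: any}` and deserves a comment stating that values may contain tokens, since `fromObject` serializes them through `Stack.of(scope).toJsonString` inside `Lazy.string`.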
diff --git a/src/ssm/lib/document-format.ts b/src/ssm/lib/document-format.ts
new file mode 100644
index 00000000..e522e720
--- /dev/null
+++ b/src/ssm/lib/document-format.ts
@@ -0,0 +1,16 @@
+export class DocumentFormat {
+ public static readonly JSON: DocumentFormat = DocumentFormat.of('JSON');
+ public static readonly TEXT: DocumentFormat = DocumentFormat.of('TEXT');
+ public static readonly YAML: DocumentFormat = DocumentFormat.of('YAML');
+
+ public static of(value: string): DocumentFormat {
+ return new DocumentFormat(value);
+ }
+
+
+ public readonly value: string;
+
+ private constructor(value: string) {
+ this.value = value;
+ }
+}
\ No newline at end of file
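Review bot: `DocumentFormat.of` accepts any string and the class has no TSDoc, so a mistyped format value is passed through unchecked and would presumably only surface at deployment. Document `of` as the escape hatch it is, e.g. `/** Escape hatch for a format value not covered by the static members; the value is passed through unchecked. */`, and add one-line comments on `JSON`, `TEXT` and `YAML` saying what each selects.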
diff --git a/src/ssm/lib/index.ts b/src/ssm/lib/index.ts
new file mode 100644
index 00000000..b79328c1
--- /dev/null
+++ b/src/ssm/lib/index.ts
@@ -0,0 +1,2 @@
+export * from './document-content';
+export * from './document-format';
\ No newline at end of file
diff --git a/src/utils/formatting.ts b/src/utils/formatting.ts
index 674d5da1..a74291c7 100644
--- a/src/utils/formatting.ts
+++ b/src/utils/formatting.ts
@@ -11,22 +11,51 @@ export function trimString(input: string, length: number): string {
}
}
+/**
+ * Checks to see if a given object has any keys. If the object has keys then
+ * the input object is returned. If the input object is empty then `undefined`
+ * is returned instead.
+ *
+ * @param obj The object to process.
+ * @returns The input object or `undefined` if the input object is empty.
+ */
export function undefinedIfNoKeys(obj: A): A | undefined {
const allUndefined = Object.values(obj as any).every(val => val === undefined);
return allUndefined ? undefined : obj;
}
+/**
+ * Removed undefined elements from an array.
+ *
+ * @param obj The array to process.
+ * @returns A copy of the input array with any `undefined` elements removed.
+ */
export function definedElements(obj: (A | undefined)[]): A[] {
return obj.filter((x) => {
return x !== undefined;
}) as A[];
}
+/**
+ * Removed undefined alements from an array. If all elements of the array are
+ * `undefined` then the result of the entire operation is `undefined`.
+ *
+ * @param obj The array to process.
+ * @returns A copy of the input array with any `undefined` elements removed or
+ * `undefined` if the array is empty after processing.
+ */
export function definedElementsOrUndefined(obj: (A | undefined)[]): A[] | undefined {
const defined = definedElements(obj);
return defined.length === 0 ? undefined : defined;
}
+/**
+ * Creates a copy of an object that has keys with an undefined value removed.
+ *
+ * @param obj The object to process.
+ * @returns A copy of the input object where keys with undefined values are
+ * removed.
+ */
export function definedFields(obj: A): A {
return Object.keys(obj as any).reduce((prev, cur) => {
const key = cur as keyof A;
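Review bot: The new comment on `undefinedIfNoKeys` describes a different check than the code performs: the body tests `Object.values(obj as any).every(val => val === undefined)`, so an object like `{ a: undefined }` has keys yet yields `undefined`. Suggested wording: `Returns the input object unless every one of its values is undefined (including the case of no keys), in which case undefined is returned.` The comments on `definedElements` and `definedElementsOrUndefined` should start with `Removes` and fix `alements`. The following hunk has `objecty` in the `definedFieldsOrUndefined` comment. `definedFields` continues past the end of this hunk.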
@@ -37,6 +66,15 @@ export function definedFields(obj: A): A {
}, {} as A);
}
+/**
+ * Creates a copy of the object that has keys with an undefined value removed.
+ * If the resulting objecty has no keys `undefined` is returned instead of an
+ * empty object.
+ *
+ * @param obj The object to process.
+ * @returns A copy of the input object where keys with undefined values are
+ * removed or `undefined` if the object has no remaining keys after processing.
+ */
export function definedFieldsOrUndefined(obj: A): A | undefined {
return undefinedIfNoKeys(definedFields(obj));
}