diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md index 4ec5ccb38e93d..ffd905dc5a2ed 100644 --- a/packages/@aws-cdk/aws-iot-alpha/README.md +++ b/packages/@aws-cdk/aws-iot-alpha/README.md @@ -91,3 +91,51 @@ new iot.Logging(this, 'Logging', { ``` **Note**: All logs are forwarded to the `AWSIotLogsV2` log group in CloudWatch. + +## Audit + +An [AWS IoT Device Defender audit looks](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit.html) at account- and device-related settings and policies to ensure security measures are in place. +An audit can help you detect any drifts from security best practices or access policies. + +### Account Audit Configuration + +The IoT audit includes [various audit checks](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html), and it is necessary to configure settings to enable those checks. + +You can enable an account audit configuration with the following code: + +```ts +// Audit notification are sent to the SNS topic +declare const targetTopic: sns.ITopic; + +new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { + targetTopic, +}); +``` + +By default, all audit checks are enabled, but it is also possible to enable only specific audit checks. + +```ts +new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { + checkConfiguration: { + // enabled + authenticatedCognitoRoleOverlyPermissiveCheck: true, + // enabled by default + caCertificateExpiringCheck: undefined, + // disabled + caCertificateKeyQualityCheck: false, + conflictingClientIdsCheck: false, + deviceCertificateExpiringCheck: false, + deviceCertificateKeyQualityCheck: false, + deviceCertificateSharedCheck: false, + intermediateCaRevokedForActiveDeviceCertificatesCheck: false, + ioTPolicyPotentialMisConfigurationCheck: false, + iotPolicyOverlyPermissiveCheck: false, + iotRoleAliasAllowsAccessToUnusedServicesCheck: false, + iotRoleAliasOverlyPermissiveCheck: false, + loggingDisabledCheck: false, + revokedCaCertificateStillActiveCheck: false, + revokedDeviceCertificateStillActiveCheck: false, + unauthenticatedCognitoRoleOverlyPermissiveCheck: false, + }, +}); +``` diff --git a/packages/@aws-cdk/aws-iot-alpha/awslint.json b/packages/@aws-cdk/aws-iot-alpha/awslint.json index e800657e60d35..8a0685a425a3c 100644 --- a/packages/@aws-cdk/aws-iot-alpha/awslint.json +++ b/packages/@aws-cdk/aws-iot-alpha/awslint.json @@ -1,6 +1,7 @@ { "exclude": [ "no-unused-type:@aws-cdk/aws-iot-alpha.ActionConfig", - "props-physical-name:@aws-cdk/aws-iot-alpha.LoggingProps" + "props-physical-name:@aws-cdk/aws-iot-alpha.LoggingProps", + "props-physical-name:@aws-cdk/aws-iot-alpha.AccountAuditConfigurationProps" ] } diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts new file mode 100644 index 0000000000000..8fa046a78ab0b --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts @@ -0,0 +1,287 @@ +import { Resource, Stack, IResource } from 'aws-cdk-lib/core'; +import { Construct } from 'constructs'; +import * as iot from 'aws-cdk-lib/aws-iot'; +import * as iam from 'aws-cdk-lib/aws-iam'; +import * as sns from 'aws-cdk-lib/aws-sns'; + +/** + * Represents AWS IoT Audit Configuration + */ +export interface IAccountAuditConfiguration extends IResource { + /** + * The account ID + * @attribute + */ + readonly accountId: string; +} + +/** + * The types of audit checks + * + * @see https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html + */ +export interface CheckConfiguration { + /** + * Checks the permissiveness of an authenticated Amazon Cognito identity pool role. + * + * For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker + * during the 31 days before the audit is performed. + * + * @default true + */ + readonly authenticatedCognitoRoleOverlyPermissiveCheck?: boolean; + + /** + * Checks if a CA certificate is expiring. + * + * This check applies to CA certificates expiring within 30 days or that have expired. + * + * @default true + */ + readonly caCertificateExpiringCheck?: boolean; + + /** + * Checks the quality of the CA certificate key. + * + * The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. + * + * This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER. + * + * @default true + */ + readonly caCertificateKeyQualityCheck?: boolean; + + /** + * Checks if multiple devices connect using the same client ID. + * + * @default true + */ + readonly conflictingClientIdsCheck?: boolean; + + /** + * Checks if a device certificate is expiring. + * + * This check applies to device certificates expiring within 30 days or that have expired. + * + * @default true + */ + readonly deviceCertificateExpiringCheck?: boolean; + + /** + * Checks the quality of the device certificate key. + * + * The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, + * and if the key meets a minimum required size. + * + * @default true + */ + readonly deviceCertificateKeyQualityCheck?: boolean; + + /** + * Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT. + * + * @default true + */ + readonly deviceCertificateSharedCheck?: boolean; + + /** + * Checks if device certificates are still active despite being revoked by an intermediate CA. + * + * @default true + */ + readonly intermediateCaRevokedForActiveDeviceCertificatesCheck?: boolean; + + /** + * Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role. + * + * @default true + */ + readonly iotPolicyOverlyPermissiveCheck?: boolean; + + /** + * Checks if an AWS IoT policy is potentially misconfigured. + * + * Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. + * + * This check is a warning for you to make sure that only intended actions are allowed before updating the policy. + * + * @default true + */ + readonly ioTPolicyPotentialMisConfigurationCheck?: boolean; + + /** + * Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year. + * + * @default true + */ + readonly iotRoleAliasAllowsAccessToUnusedServicesCheck?: boolean; + + /** + * Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive. + * + * @default true + */ + readonly iotRoleAliasOverlyPermissiveCheck?: boolean; + + /** + * Checks if AWS IoT logs are disabled. + * + * @default true + */ + readonly loggingDisabledCheck?: boolean; + + /** + * Checks if a revoked CA certificate is still active. + * + * @default true + */ + readonly revokedCaCertificateStillActiveCheck?: boolean; + + /** + * Checks if a revoked device certificate is still active. + * + * @default true + */ + readonly revokedDeviceCertificateStillActiveCheck?: boolean; + + /** + * Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive. + * + * @default true + */ + readonly unauthenticatedCognitoRoleOverlyPermissiveCheck?: boolean; +} + +/** + * Properties for defining AWS IoT Audit Configuration + */ +export interface AccountAuditConfigurationProps { + /** + * The target SNS topic to which audit notifications are sent. + * + * @default - no notifications are sent + */ + readonly targetTopic?: sns.ITopic; + + /** + * Specifies which audit checks are enabled and disabled for this account. + * + * @default - all checks are enabled + */ + readonly checkConfiguration?: CheckConfiguration; +} + +/** + * Defines AWS IoT Audit Configuration + */ +export class AccountAuditConfiguration extends Resource implements IAccountAuditConfiguration { + /** + * Import an existing AWS IoT Audit Configuration + * + * @param scope The parent creating construct (usually `this`) + * @param id The construct's name + * @param accountId The account ID + */ + public static fromAccountId(scope: Construct, id: string, accountId: string): IAccountAuditConfiguration { + class Import extends Resource implements IAccountAuditConfiguration { + public readonly accountId = accountId; + } + return new Import(scope, id); + } + + /** + * The account ID + * @attribute + */ + public readonly accountId: string; + + constructor(scope: Construct, id: string, props?: AccountAuditConfigurationProps) { + super(scope, id); + + this.accountId = Stack.of(this).account; + + const auditRole = new iam.Role(this, 'AuditRole', { + assumedBy: new iam.ServicePrincipal('iot.amazonaws.com'), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSIoTDeviceDefenderAudit'), + ], + }); + + new iot.CfnAccountAuditConfiguration(this, 'Resource', { + accountId: this.accountId, + auditCheckConfigurations: this.renderAuditCheckConfigurations(props?.checkConfiguration), + auditNotificationTargetConfigurations: this.renderAuditNotificationTargetConfigurations(props?.targetTopic), + roleArn: auditRole.roleArn, + }); + } + + /** + * Render the audit notification target configurations + */ + private renderAuditNotificationTargetConfigurations( + targetTopic?: sns.ITopic, + ): iot.CfnAccountAuditConfiguration.AuditNotificationTargetConfigurationsProperty | undefined { + if (!targetTopic) { + return undefined; + } + + const notificationRole = new iam.Role(this, 'NotificationRole', { + assumedBy: new iam.ServicePrincipal('iot.amazonaws.com'), + inlinePolicies: { + NotificationPolicy: new iam.PolicyDocument({ + statements: [ + new iam.PolicyStatement({ + actions: ['sns:Publish'], + resources: [targetTopic.topicArn], + }), + ], + }), + }, + }); + + return { + sns: { + enabled: true, + targetArn: targetTopic.topicArn, + roleArn: notificationRole.roleArn, + }, + }; + } + + /** + * Render the audit check configurations + */ + private renderAuditCheckConfigurations(checkConfiguration?: CheckConfiguration): iot.CfnAccountAuditConfiguration.AuditCheckConfigurationsProperty { + return { + authenticatedCognitoRoleOverlyPermissiveCheck: + this.renderAuditCheckConfiguration(checkConfiguration?.authenticatedCognitoRoleOverlyPermissiveCheck), + caCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateExpiringCheck), + caCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateKeyQualityCheck), + conflictingClientIdsCheck: this.renderAuditCheckConfiguration(checkConfiguration?.conflictingClientIdsCheck), + deviceCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateExpiringCheck), + deviceCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateKeyQualityCheck), + deviceCertificateSharedCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateSharedCheck), + intermediateCaRevokedForActiveDeviceCertificatesCheck: + this.renderAuditCheckConfiguration(checkConfiguration?.intermediateCaRevokedForActiveDeviceCertificatesCheck), + iotPolicyOverlyPermissiveCheck: this.renderAuditCheckConfiguration(checkConfiguration?.iotPolicyOverlyPermissiveCheck), + ioTPolicyPotentialMisConfigurationCheck: this.renderAuditCheckConfiguration(checkConfiguration?.ioTPolicyPotentialMisConfigurationCheck), + iotRoleAliasAllowsAccessToUnusedServicesCheck: + this.renderAuditCheckConfiguration(checkConfiguration?.iotRoleAliasAllowsAccessToUnusedServicesCheck), + iotRoleAliasOverlyPermissiveCheck: this.renderAuditCheckConfiguration(checkConfiguration?.iotRoleAliasOverlyPermissiveCheck), + loggingDisabledCheck: this.renderAuditCheckConfiguration(checkConfiguration?.loggingDisabledCheck), + revokedCaCertificateStillActiveCheck: this.renderAuditCheckConfiguration(checkConfiguration?.revokedCaCertificateStillActiveCheck), + revokedDeviceCertificateStillActiveCheck: + this.renderAuditCheckConfiguration(checkConfiguration?.revokedDeviceCertificateStillActiveCheck), + unauthenticatedCognitoRoleOverlyPermissiveCheck: + this.renderAuditCheckConfiguration(checkConfiguration?.unauthenticatedCognitoRoleOverlyPermissiveCheck), + }; + } + + /** + * Render the audit check configuration + */ + private renderAuditCheckConfiguration(check?: boolean): iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty | undefined { + return check === false ? undefined : { enabled: true }; + } +} + diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/index.ts b/packages/@aws-cdk/aws-iot-alpha/lib/index.ts index 727f9fa956d58..8fe633369a5a5 100644 --- a/packages/@aws-cdk/aws-iot-alpha/lib/index.ts +++ b/packages/@aws-cdk/aws-iot-alpha/lib/index.ts @@ -1,4 +1,5 @@ export * from './action'; +export * from './audit-configuration'; export * from './iot-sql'; export * from './logging'; export * from './topic-rule'; diff --git a/packages/@aws-cdk/aws-iot-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-iot-alpha/rosetta/default.ts-fixture index b8926a17ed606..4eed3ad967c9d 100644 --- a/packages/@aws-cdk/aws-iot-alpha/rosetta/default.ts-fixture +++ b/packages/@aws-cdk/aws-iot-alpha/rosetta/default.ts-fixture @@ -5,6 +5,7 @@ import * as actions from '@aws-cdk/aws-iot-actions-alpha'; import * as iot from '@aws-cdk/aws-iot-alpha'; import * as lambda from 'aws-cdk-lib/aws-lambda'; import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as sns from 'aws-cdk-lib/aws-sns' class Fixture extends Stack { constructor(scope: Construct, id: string) { diff --git a/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts b/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts new file mode 100644 index 0000000000000..f779909036dc4 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts @@ -0,0 +1,142 @@ +import { Template } from 'aws-cdk-lib/assertions'; +import * as cdk from 'aws-cdk-lib'; +import * as sns from 'aws-cdk-lib/aws-sns'; +import * as iot from '../lib'; + +test('Default property', () => { + const stack = new cdk.Stack(); + + new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration'); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::AccountAuditConfiguration', { + AccountId: { Ref: 'AWS::AccountId' }, + AuditCheckConfigurations: { + AuthenticatedCognitoRoleOverlyPermissiveCheck: { Enabled: true }, + CaCertificateExpiringCheck: { Enabled: true }, + CaCertificateKeyQualityCheck: { Enabled: true }, + ConflictingClientIdsCheck: { Enabled: true }, + DeviceCertificateExpiringCheck: { Enabled: true }, + DeviceCertificateKeyQualityCheck: { Enabled: true }, + DeviceCertificateSharedCheck: { Enabled: true }, + IntermediateCaRevokedForActiveDeviceCertificatesCheck: { Enabled: true }, + IoTPolicyPotentialMisConfigurationCheck: { Enabled: true }, + IotPolicyOverlyPermissiveCheck: { Enabled: true }, + IotRoleAliasAllowsAccessToUnusedServicesCheck: { Enabled: true }, + IotRoleAliasOverlyPermissiveCheck: { Enabled: true }, + LoggingDisabledCheck: { Enabled: true }, + RevokedCaCertificateStillActiveCheck: { Enabled: true }, + RevokedDeviceCertificateStillActiveCheck: { Enabled: true }, + UnauthenticatedCognitoRoleOverlyPermissiveCheck: { Enabled: true }, + }, + RoleArn: { 'Fn::GetAtt': ['AccountAuditConfigurationAuditRoleBEFDE978', 'Arn'] }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { Service: 'iot.amazonaws.com' }, + }, + ], + Version: '2012-10-17', + }, + ManagedPolicyArns: [ + { + 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit']], + }, + ], + }); +}); + +test('configure target topic', () => { + const stack = new cdk.Stack(); + + const targetTopic = new sns.Topic(stack, 'TargetTopic'); + + new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', { + targetTopic, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::AccountAuditConfiguration', { + AuditNotificationTargetConfigurations: { + Sns: { + Enabled: true, + TargetArn: { Ref: 'TargetTopic73BB7828' }, + RoleArn: { 'Fn::GetAtt': ['AccountAuditConfigurationNotificationRoleD9824FB9', 'Arn'] }, + }, + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IAM::Role', { + AssumeRolePolicyDocument: { + Statement: [ + { + Action: 'sts:AssumeRole', + Effect: 'Allow', + Principal: { Service: 'iot.amazonaws.com' }, + }, + ], + Version: '2012-10-17', + }, + Policies: [ + { + PolicyDocument: { + Statement: [ + { + Action: 'sns:Publish', + Effect: 'Allow', + Resource: { Ref: 'TargetTopic73BB7828' }, + }, + ], + Version: '2012-10-17', + }, + }, + ], + }); +}); + +test('configure check configuration', () => { + const stack = new cdk.Stack(); + + new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', { + checkConfiguration: { + authenticatedCognitoRoleOverlyPermissiveCheck: true, + caCertificateExpiringCheck: undefined, + caCertificateKeyQualityCheck: false, + conflictingClientIdsCheck: false, + deviceCertificateExpiringCheck: false, + deviceCertificateKeyQualityCheck: false, + deviceCertificateSharedCheck: false, + intermediateCaRevokedForActiveDeviceCertificatesCheck: false, + ioTPolicyPotentialMisConfigurationCheck: false, + iotPolicyOverlyPermissiveCheck: false, + iotRoleAliasAllowsAccessToUnusedServicesCheck: false, + iotRoleAliasOverlyPermissiveCheck: false, + loggingDisabledCheck: false, + revokedCaCertificateStillActiveCheck: false, + revokedDeviceCertificateStillActiveCheck: false, + unauthenticatedCognitoRoleOverlyPermissiveCheck: false, + }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::AccountAuditConfiguration', { + AuditCheckConfigurations: { + AuthenticatedCognitoRoleOverlyPermissiveCheck: { Enabled: true }, + CaCertificateExpiringCheck: { Enabled: true }, + }, + }); +}); + +test('import by Account ID', () => { + const stack = new cdk.Stack(); + + const accountId = '1234567899012'; + + const auditConfiguration = iot.AccountAuditConfiguration.fromAccountId(stack, 'AccountAuditConfigurationFromId', accountId); + + expect(auditConfiguration).toMatchObject({ + accountId, + }); +}); diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json new file mode 100644 index 0000000000000..057363705de1d --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json new file mode 100644 index 0000000000000..621c14e610285 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35": { + "source": { + "path": "IotAuditConfigurationTestStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json new file mode 100644 index 0000000000000..16606b73febd4 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json @@ -0,0 +1,184 @@ +{ + "Resources": { + "TopicBFC7AF6E": { + "Type": "AWS::SNS::Topic" + }, + "AuditConfigurationAuditRole0FFA1461": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" + ] + ] + } + ] + } + }, + "AuditConfigurationNotificationRole9774BAD4": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Ref": "TopicBFC7AF6E" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "NotificationPolicy" + } + ] + } + }, + "AuditConfiguration8C793652": { + "Type": "AWS::IoT::AccountAuditConfiguration", + "Properties": { + "AccountId": { + "Ref": "AWS::AccountId" + }, + "AuditCheckConfigurations": { + "AuthenticatedCognitoRoleOverlyPermissiveCheck": { + "Enabled": true + }, + "CaCertificateExpiringCheck": { + "Enabled": true + }, + "CaCertificateKeyQualityCheck": { + "Enabled": true + }, + "ConflictingClientIdsCheck": { + "Enabled": true + }, + "DeviceCertificateExpiringCheck": { + "Enabled": true + }, + "DeviceCertificateKeyQualityCheck": { + "Enabled": true + }, + "DeviceCertificateSharedCheck": { + "Enabled": true + }, + "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { + "Enabled": true + }, + "IoTPolicyPotentialMisConfigurationCheck": { + "Enabled": true + }, + "IotPolicyOverlyPermissiveCheck": { + "Enabled": true + }, + "IotRoleAliasAllowsAccessToUnusedServicesCheck": { + "Enabled": true + }, + "IotRoleAliasOverlyPermissiveCheck": { + "Enabled": true + }, + "LoggingDisabledCheck": { + "Enabled": true + }, + "RevokedCaCertificateStillActiveCheck": { + "Enabled": true + }, + "RevokedDeviceCertificateStillActiveCheck": { + "Enabled": true + }, + "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { + "Enabled": true + } + }, + "AuditNotificationTargetConfigurations": { + "Sns": { + "Enabled": true, + "RoleArn": { + "Fn::GetAtt": [ + "AuditConfigurationNotificationRole9774BAD4", + "Arn" + ] + }, + "TargetArn": { + "Ref": "TopicBFC7AF6E" + } + } + }, + "RoleArn": { + "Fn::GetAtt": [ + "AuditConfigurationAuditRole0FFA1461", + "Arn" + ] + } + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c6e612584e352 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json new file mode 100644 index 0000000000000..b4d8fa9d08bf3 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "38.0.1", + "testCases": { + "IotAuditConfigurationTest/DefaultTest": { + "stacks": [ + "IotAuditConfigurationTestStack" + ], + "assertionStack": "IotAuditConfigurationTest/DefaultTest/DeployAssert", + "assertionStackName": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json new file mode 100644 index 0000000000000..f8743822993c2 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json @@ -0,0 +1,133 @@ +{ + "version": "38.0.1", + "artifacts": { + "IotAuditConfigurationTestStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IotAuditConfigurationTestStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IotAuditConfigurationTestStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IotAuditConfigurationTestStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IotAuditConfigurationTestStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IotAuditConfigurationTestStack.assets" + ], + "metadata": { + "/IotAuditConfigurationTestStack/Topic/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicBFC7AF6E" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuditConfigurationAuditRole0FFA1461" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuditConfigurationNotificationRole9774BAD4" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuditConfiguration8C793652" + } + ], + "/IotAuditConfigurationTestStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/IotAuditConfigurationTestStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "IotAuditConfigurationTestStack" + }, + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" + ], + "metadata": { + "/IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "IotAuditConfigurationTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json new file mode 100644 index 0000000000000..1748d3c01b041 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json @@ -0,0 +1,336 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "IotAuditConfigurationTestStack": { + "id": "IotAuditConfigurationTestStack", + "path": "IotAuditConfigurationTestStack", + "children": { + "Topic": { + "id": "Topic", + "path": "IotAuditConfigurationTestStack/Topic", + "children": { + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/Topic/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::Topic", + "aws:cdk:cloudformation:props": {} + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AuditConfiguration": { + "id": "AuditConfiguration", + "path": "IotAuditConfigurationTestStack/AuditConfiguration", + "children": { + "AuditRole": { + "id": "AuditRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole", + "children": { + "ImportAuditRole": { + "id": "ImportAuditRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/ImportAuditRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "NotificationRole": { + "id": "NotificationRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole", + "children": { + "ImportNotificationRole": { + "id": "ImportNotificationRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/ImportNotificationRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "policies": [ + { + "policyName": "NotificationPolicy", + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Ref": "TopicBFC7AF6E" + } + } + ], + "Version": "2012-10-17" + } + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IoT::AccountAuditConfiguration", + "aws:cdk:cloudformation:props": { + "accountId": { + "Ref": "AWS::AccountId" + }, + "auditCheckConfigurations": { + "authenticatedCognitoRoleOverlyPermissiveCheck": { + "enabled": true + }, + "caCertificateExpiringCheck": { + "enabled": true + }, + "caCertificateKeyQualityCheck": { + "enabled": true + }, + "conflictingClientIdsCheck": { + "enabled": true + }, + "deviceCertificateExpiringCheck": { + "enabled": true + }, + "deviceCertificateKeyQualityCheck": { + "enabled": true + }, + "deviceCertificateSharedCheck": { + "enabled": true + }, + "intermediateCaRevokedForActiveDeviceCertificatesCheck": { + "enabled": true + }, + "iotPolicyOverlyPermissiveCheck": { + "enabled": true + }, + "ioTPolicyPotentialMisConfigurationCheck": { + "enabled": true + }, + "iotRoleAliasAllowsAccessToUnusedServicesCheck": { + "enabled": true + }, + "iotRoleAliasOverlyPermissiveCheck": { + "enabled": true + }, + "loggingDisabledCheck": { + "enabled": true + }, + "revokedCaCertificateStillActiveCheck": { + "enabled": true + }, + "revokedDeviceCertificateStillActiveCheck": { + "enabled": true + }, + "unauthenticatedCognitoRoleOverlyPermissiveCheck": { + "enabled": true + } + }, + "auditNotificationTargetConfigurations": { + "sns": { + "enabled": true, + "targetArn": { + "Ref": "TopicBFC7AF6E" + }, + "roleArn": { + "Fn::GetAtt": [ + "AuditConfigurationNotificationRole9774BAD4", + "Arn" + ] + } + } + }, + "roleArn": { + "Fn::GetAtt": [ + "AuditConfigurationAuditRole0FFA1461", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iot-alpha.AccountAuditConfiguration", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "IotAuditConfigurationTestStack/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "IotAuditConfigurationTestStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "IotAuditConfigurationTest": { + "id": "IotAuditConfigurationTest", + "path": "IotAuditConfigurationTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "IotAuditConfigurationTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "IotAuditConfigurationTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts new file mode 100644 index 0000000000000..ce8535d25d0a0 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts @@ -0,0 +1,23 @@ +import * as cdk from 'aws-cdk-lib'; +import * as integ from '@aws-cdk/integ-tests-alpha'; +import * as sns from 'aws-cdk-lib/aws-sns'; +import * as iot from '../lib'; + +class TestStack extends cdk.Stack { + constructor(scope: cdk.App, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + const targetTopic = new sns.Topic(this, 'Topic'); + + new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { + targetTopic, + }); + } +} + +const app = new cdk.App(); +const testCase = new TestStack(app, 'IotAuditConfigurationTestStack'); + +new integ.IntegTest(app, 'IotAuditConfigurationTest', { + testCases: [testCase], +});