From eacd6f721c189144f8d82bc263c0e557f109e28e Mon Sep 17 00:00:00 2001
From: Kazuho CryerShinozuka
Date: Wed, 16 Oct 2024 15:07:01 +0900
Subject: [PATCH 1/9] add scheduled audit

---
 packages/@aws-cdk/aws-iot-alpha/lib/index.ts | 1 +
 .../aws-iot-alpha/lib/scheduled-audit.ts | 365 ++++++++++++++++++
 2 files changed, 366 insertions(+)
 create mode 100644 packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts

diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/index.ts b/packages/@aws-cdk/aws-iot-alpha/lib/index.ts
index 8fe633369a5a5..ed616f70bf433 100644
--- a/packages/@aws-cdk/aws-iot-alpha/lib/index.ts
+++ b/packages/@aws-cdk/aws-iot-alpha/lib/index.ts
@@ -2,6 +2,7 @@ export * from './action';
 export * from './audit-configuration';
 export * from './iot-sql';
 export * from './logging';
+export * from './scheduled-audit';
 export * from './topic-rule';
 
 // AWS::IoT CloudFormation Resources:
diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts
new file mode 100644
index 0000000000000..1a8b4450040b6
--- /dev/null
+++ b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts
@@ -0,0 +1,365 @@ +import { Resource, Stack, IResource, Token, ArnFormat } from 'aws-cdk-lib/core'; +import { Construct } from 'constructs'; +import * as iot from 'aws-cdk-lib/aws-iot'; + +/** + * Represents AWS IoT Scheduled Audit + */ +export interface IScheduledAudit extends IResource { + /** + * The scheduled audit name + * @attribute + */ + readonly scheduledAuditName: string; + + /** + * The ARN of the scheduled audit + * @attribute + */ + readonly scheduledAuditArn: string; +} + +/** + * Construction properties for a Scheduled Audit + */ +export interface ScheduledAuditAttributes { + /** + * The scheduled audit name + */ + readonly scheduledAuditName: string; + + /** + * The ARN of the scheduled audit + */ + readonly scheduledAuditArn: string; +} + +/** + * The AWS IoT Device Defender audit checks + * + * @see https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html + */ +export enum AuditCheck { + /** + * Checks the permissiveness of an authenticated Amazon Cognito identity pool role. + * + * For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker + * during the 31 days before the audit is performed. + */ + AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK = 'AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK', + + /** + * Checks if a CA certificate is expiring. + * + * This check applies to CA certificates expiring within 30 days or that have expired. + */ + CA_CERTIFICATE_EXPIRING_CHECK = 'CA_CERTIFICATE_EXPIRING_CHECK', + + /** + * Checks the quality of the CA certificate key. + * + * The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. + * + * This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER. + */ + CA_CERTIFICATE_KEY_QUALITY_CHECK = 'CA_CERTIFICATE_KEY_QUALITY_CHECK', + + /** + * Checks if multiple devices connect using the same client ID. 
+ */ + CONFLICTING_CLIENT_IDS_CHECK = 'CONFLICTING_CLIENT_IDS_CHECK', + + /** + * Checks if a device certificate is expiring. + * + * This check applies to device certificates expiring within 30 days or that have expired. + */ + DEVICE_CERTIFICATE_EXPIRING_CHECK = 'DEVICE_CERTIFICATE_EXPIRING_CHECK', + + /** + * Checks the quality of the device certificate key. + * + * The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, + * and if the key meets a minimum required size. + */ + DEVICE_CERTIFICATE_KEY_QUALITY_CHECK = 'DEVICE_CERTIFICATE_KEY_QUALITY_CHECK', + + /** + * Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT. + */ + DEVICE_CERTIFICATE_SHARED_CHECK = 'DEVICE_CERTIFICATE_SHARED_CHECK', + + /** + * Checks if device certificates are still active despite being revoked by an intermediate CA. + */ + INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK = 'INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK', + + /** + * Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role. + */ + IOT_POLICY_OVERLY_PERMISSIVE_CHECK = 'IOT_POLICY_OVERLY_PERMISSIVE_CHECK', + + /** + * Checks if an AWS IoT policy is potentially misconfigured. + * + * Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. + * + * This check is a warning for you to make sure that only intended actions are allowed before updating the policy. + */ + IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK = 'IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK', + + /** + * Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year. 
+ */ + IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK = 'IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK', + + /** + * Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive. + */ + IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK = 'IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK', + + /** + * Checks if AWS IoT logs are disabled. + */ + LOGGING_DISABLED_CHECK = 'LOGGING_DISABLED_CHECK', + + /** + * Checks if a revoked CA certificate is still active. + */ + REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK = 'REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK', + + /** + * Checks if a revoked device certificate is still active. + */ + REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK = 'REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK', + + /** + * Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive. + */ + UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK = 'UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK', +} + +/** + * The day of the week on which the scheduled audit takes place. + */ +export enum DayOfWeek { + /** + * Sunday + */ + SUNDAY = 'SUN', + + /** + * Monday + */ + MONDAY = 'MON', + + /** + * Tuesday + */ + TUESDAY = 'TUE', + + /** + * Wednesday + */ + WEDNESDAY = 'WED', + + /** + * Thursday + */ + THURSDAY = 'THU', + + /** + * Friday + */ + FRIDAY = 'FRI', + + /** + * Saturday + */ + SATURDAY = 'SAT', +} + +/** + * The day of the month on which the scheduled audit takes place. 
+ */ +export class DayOfMonth { + /** + * The last day of the month + */ + public static readonly LAST_DAY = new DayOfMonth('LAST'); + + /** + * Custom day of the month + * @param day the day of the month + */ + public static of(day: number): DayOfMonth { + if (day < 1 || day > 31) { + throw new Error(`Day of month must be between 1 and 31, got: ${day}`); + } + if (!Number.isInteger(day)) { + throw new Error(`Day of month must be an integer, got: ${day}`); + } + return new DayOfMonth(String(day)); + } + + private constructor(public readonly day: string) {} +} + +/** + * The frequency at which the scheduled audit takes place. + */ +export enum Frequency { + /** + * Daily + */ + DAILY = 'DAILY', + + /** + * Weekly + */ + WEEKLY = 'WEEKLY', + + /** + * Bi-weekly + */ + BI_WEEKLY = 'BIWEEKLY', + + /** + * Monthly + */ + MONTHLY = 'MONTHLY', +} + +/** + * Properties for defining AWS IoT Scheduled Audit + */ +export interface ScheduledAuditProps { + /** + * Which checks are performed during the scheduled audit. + * + * Checks must be enabled for your account. + */ + readonly auditChecks: AuditCheck[]; + + /** + * The day of the week on which the scheduled audit is run (if the frequency is "WEEKLY" or "BIWEEKLY"). + * + * @default - required if frequency is "WEEKLY" or "BIWEEKLY", not allowed otherwise + */ + readonly dayOfWeek?: DayOfWeek; + + /** + * The day of the month on which the scheduled audit is run (if the frequency is "MONTHLY"). + * + * If days 29-31 are specified, and the month does not have that many days, the audit takes place on the "LAST" day of the month. + * + * @default - required if frequency is "MONTHLY", not allowed otherwise + */ + readonly dayOfMonth?: DayOfMonth; + + /** + * How often the scheduled audit occurs. + */ + readonly frequency: Frequency; + + /** + * The name of the scheduled audit. 
+ * + * @default - auto generated name + */ + readonly name?: string; +} + +/** + * Defines AWS IoT Scheduled Audit + */ +export class ScheduledAudit extends Resource implements IScheduledAudit { + /** + * Import an existing AWS IoT Scheduled Audit from its ARN. + * + * @param scope The parent creating construct (usually `this`) + * @param id The construct's name + * @param arn The ARN of the scheduled audit + */ + public static fromScheduledAuditArn(scope: Construct, id: string, arn: string): IScheduledAudit { + const name = Stack.of(scope).splitArn(arn, ArnFormat.SLASH_RESOURCE_NAME).resourceName; + if (!name) { + throw new Error(`No scheduled audit name found in ARN: '${arn}'`); + } + + return this.fromScheduledAuditAttributes(scope, id, { scheduledAuditArn: arn, scheduledAuditName: name }); + } + + /** + * Import an existing AWS IoT Scheduled Audit from its attributes. + * + * @param scope The parent creating construct (usually `this`) + * @param id The construct's name + * @param attrs The scheduled audit attributes + */ + public static fromScheduledAuditAttributes(scope: Construct, id: string, attrs: ScheduledAuditAttributes): IScheduledAudit { + class Import extends Resource implements IScheduledAudit { + public readonly scheduledAuditArn = attrs.scheduledAuditArn; + public readonly scheduledAuditName = attrs.scheduledAuditName; + } + return new Import(scope, id); + } + + /** + * The scheduled audit name + * @attribute + */ + public readonly scheduledAuditName: string; + + /** + * The ARN of the scheduled audit + * @attribute + */ + public readonly scheduledAuditArn: string; + + constructor(scope: Construct, id: string, props: ScheduledAuditProps) { + super(scope, id); + + if (props.auditChecks.length === 0) { + throw new Error('At least one \'auditChecks\' must be specified.'); + } + + if (props.frequency === Frequency.WEEKLY || props.frequency === Frequency.BI_WEEKLY) { + if (!props.dayOfWeek) { + throw new Error('Day of the week must be specified for 
weekly or bi-weekly audits.'); + } + if (props.dayOfMonth) { + throw new Error('Day of the month must not be specified for weekly or bi-weekly audits.'); + } + } + if (props.frequency === Frequency.MONTHLY) { + if (!props.dayOfMonth) { + throw new Error('Day of the month must be specified for monthly audits.'); + } + if (props.dayOfWeek) { + throw new Error('Day of the week must not be specified for monthly audits.'); + } + } + + if (props.name && !Token.isUnresolved(props.name)){ + if (props.name.length < 1 || props.name.length > 128) { + throw new Error(`Scheduled audit name must be between 1 and 128 characters, got: ${props.name.length}`); + } + if (!/^[a-zA-Z0-9:_-]+$/.test(props.name)) { + throw new Error(`Scheduled audit name must be alphanumeric and may include colons, underscores, and hyphens, got: ${props.name}`); + } + } + + const resource = new iot.CfnScheduledAudit(this, 'Resource', { + scheduledAuditName: props.name, + targetCheckNames: props.auditChecks, + dayOfWeek: props.dayOfWeek, + dayOfMonth: props.dayOfMonth?.day, + frequency: props.frequency, + }); + + this.scheduledAuditName = resource.ref; + this.scheduledAuditArn = resource.attrScheduledAuditArn; + } +} + From 82726743164b475fff1701ad5fb49b8cae2ab022 Mon Sep 17 00:00:00 2001 
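Review bot: The frequency validation in the `ScheduledAudit` constructor covers `WEEKLY`/`BI_WEEKLY` and `MONTHLY` but has no branch for `Frequency.DAILY`, so a `dayOfWeek` or `dayOfMonth` supplied with a daily schedule is forwarded to `CfnScheduledAudit` unchecked even though the props docs promise they are "not allowed otherwise"; the mistake then surfaces at deploy time rather than at synth. Add a third branch after the monthly one: `if (props.frequency === Frequency.DAILY && (props.dayOfWeek || props.dayOfMonth)) {` / `throw new Error('Day of the week and day of the month must not be specified for daily audits.');` / `}`. Separately, the doc comment on `IOT_POLICY_OVERLY_PERMISSIVE_CHECK` repeats the Cognito-role wording of the member above it; this check targets AWS IoT policies, so `Checks the permissiveness of an AWS IoT policy.` describes it correctly.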
From: Kazuho CryerShinozuka
Date: Wed, 16 Oct 2024 17:38:00 +0900
Subject: [PATCH 2/9] update integ test

---
 .../aws-iot-alpha/lib/scheduled-audit.ts | 56 ++-
 ...efaultTestDeployAssert6A603D00.assets.json | 19 -
 ...aultTestDeployAssert6A603D00.template.json | 36 --
 ...IotAuditConfigurationTestStack.assets.json | 19 -
 ...tAuditConfigurationTestStack.template.json | 184 ----------
 .../cdk.out | 1 -
 .../integ.json | 12 -
 .../manifest.json | 133 -------
 .../tree.json | 336 ------------------
 .../test/integ.audit-configuration.ts | 40 ++-
 10 files changed, 62 insertions(+), 774 deletions(-)
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json
 delete mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json

diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts
index 1a8b4450040b6..8d74c2b6e1c27 100644
--- a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts
+++ b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts
@@ -89,25 +89,11 @@ export enum AuditCheck { */ DEVICE_CERTIFICATE_SHARED_CHECK = 'DEVICE_CERTIFICATE_SHARED_CHECK', - /** - * Checks if device certificates are still active despite being revoked by an intermediate CA. - */ - INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK = 'INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK', - /** * Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role. */ IOT_POLICY_OVERLY_PERMISSIVE_CHECK = 'IOT_POLICY_OVERLY_PERMISSIVE_CHECK', - /** - * Checks if an AWS IoT policy is potentially misconfigured. - * - * Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. - * - * This check is a warning for you to make sure that only intended actions are allowed before updating the policy. - */ - IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK = 'IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK', - /** * Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year. */ @@ -202,6 +188,10 @@ export class DayOfMonth { return new DayOfMonth(String(day)); } + /** + * + * @param day The day of the month + */ private constructor(public readonly day: string) {} } @@ -267,7 +257,7 @@ export interface ScheduledAuditProps { * * @default - auto generated name */ - readonly name?: string; + readonly scheduledAuditName?: string; } /** 
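Review bot: Dropping `INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK` and `IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK` from `AuditCheck` means a `ScheduledAudit` can no longer target those two Device Defender checks, and the commit message ("update integ test") does not say why. The snapshot template deleted in this same patch still enables both on the `AWS::IoT::AccountAuditConfiguration` (`IntermediateCaRevokedForActiveDeviceCertificatesCheck`, `IoTPolicyPotentialMisConfigurationCheck`), so they appear to be valid checks at the account level. If the removal is because the scheduled-audit resource rejects them as target check names, a short comment in the enum stating that would stop the next contributor from re-adding them; otherwise the members should stay so that revoked-intermediate-CA and policy-misconfiguration findings can be scheduled.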
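Review bot: The TSDoc added to the private `DayOfMonth` constructor has an empty summary line (`/**` followed by a bare ` *`), which renders as a blank description above the `@param` tag. Either give it a summary, e.g. `* Wraps the string value forwarded to CloudFormation ('LAST' or '1'..'31').`, or drop the empty line and keep only `@param day The day of the month`. The constructor is private, so the comment serves maintainers rather than the published API reference, but the generated docs still pick it up.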
@@ -279,15 +269,15 @@ export class ScheduledAudit extends Resource implements IScheduledAudit { * * @param scope The parent creating construct (usually `this`) * @param id The construct's name - * @param arn The ARN of the scheduled audit + * @param scheduledAuditArn The ARN of the scheduled audit */ - public static fromScheduledAuditArn(scope: Construct, id: string, arn: string): IScheduledAudit { - const name = Stack.of(scope).splitArn(arn, ArnFormat.SLASH_RESOURCE_NAME).resourceName; + public static fromScheduledAuditArn(scope: Construct, id: string, scheduledAuditArn: string): IScheduledAudit { + const name = Stack.of(scope).splitArn(scheduledAuditArn, ArnFormat.SLASH_RESOURCE_NAME).resourceName; if (!name) { - throw new Error(`No scheduled audit name found in ARN: '${arn}'`); + throw new Error(`No scheduled audit name found in ARN: '${scheduledAuditArn}'`); } - return this.fromScheduledAuditAttributes(scope, id, { scheduledAuditArn: arn, scheduledAuditName: name }); + return this.fromScheduledAuditAttributes(scope, id, { scheduledAuditArn: scheduledAuditArn, scheduledAuditName: name }); } /** @@ -305,17 +295,17 @@ export class ScheduledAudit extends Resource implements IScheduledAudit { return new Import(scope, id); } - /** + /** * The scheduled audit name * @attribute */ - public readonly scheduledAuditName: string; + public readonly scheduledAuditName: string; - /** - * The ARN of the scheduled audit - * @attribute - */ - public readonly scheduledAuditArn: string; + /** + * The ARN of the scheduled audit + * @attribute + */ + public readonly scheduledAuditArn: string; constructor(scope: Construct, id: string, props: ScheduledAuditProps) { super(scope, id); 
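Review bot: In `fromScheduledAuditArn` the renamed parameter now carries the same name as the attribute it populates, so the object literal can use property shorthand: `return this.fromScheduledAuditAttributes(scope, id, { scheduledAuditArn, scheduledAuditName: name });`. The second hunk on this line only re-indents the two attribute declarations and needs no change.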
@@ -341,17 +331,17 @@ export class ScheduledAudit extends Resource implements IScheduledAudit { } } - if (props.name && !Token.isUnresolved(props.name)){ - if (props.name.length < 1 || props.name.length > 128) { - throw new Error(`Scheduled audit name must be between 1 and 128 characters, got: ${props.name.length}`); + if (props.scheduledAuditName && !Token.isUnresolved(props.scheduledAuditName)) { + if (props.scheduledAuditName.length < 1 || props.scheduledAuditName.length > 128) { + throw new Error(`Scheduled audit name must be between 1 and 128 characters, got: ${props.scheduledAuditName.length}`); } - if (!/^[a-zA-Z0-9:_-]+$/.test(props.name)) { - throw new Error(`Scheduled audit name must be alphanumeric and may include colons, underscores, and hyphens, got: ${props.name}`); + if (!/^[a-zA-Z0-9:_-]+$/.test(props.scheduledAuditName)) { + throw new Error(`Scheduled audit name must be alphanumeric and may include colons, underscores, and hyphens, got: ${props.scheduledAuditName}`); } } const resource = new iot.CfnScheduledAudit(this, 'Resource', { - scheduledAuditName: props.name, + scheduledAuditName: props.scheduledAuditName, targetCheckNames: props.auditChecks, dayOfWeek: props.dayOfWeek, dayOfMonth: props.dayOfMonth?.day, diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json deleted file mode 100644 index 057363705de1d..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json +++ /dev/null 
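Review bot: The `props.scheduledAuditName.length < 1` half of the condition can never run, because the enclosing `props.scheduledAuditName &&` already treats the empty string as falsy and skips the whole validation block; only the 128-character upper bound is actually enforced here. Either drop the dead half, `if (props.scheduledAuditName.length > 128) {`, or change the guard to `props.scheduledAuditName !== undefined && !Token.isUnresolved(props.scheduledAuditName)` so that an explicit empty name is rejected at synth time (the regex check then catches it) instead of at deploy time. The constructor this hunk belongs to starts and ends outside the hunk.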
@@ -1,19 +0,0 @@ -{ - "version": "38.0.1", - "files": { - "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { - "source": { - "path": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json deleted file mode 100644 index ad9d0fb73d1dd..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json deleted file mode 100644 index 621c14e610285..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "version": "38.0.1", - "files": { - "d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35": { - "source": { - "path": "IotAuditConfigurationTestStack.template.json", - "packaging": "file" - }, - "destinations": { - "current_account-current_region": { - "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35.json", - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" - } - } - } - }, - "dockerImages": {} -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json deleted file mode 100644 index 16606b73febd4..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json +++ /dev/null 
@@ -1,184 +0,0 @@ -{ - "Resources": { - "TopicBFC7AF6E": { - "Type": "AWS::SNS::Topic" - }, - "AuditConfigurationAuditRole0FFA1461": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "iot.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "ManagedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" - ] - ] - } - ] - } - }, - "AuditConfigurationNotificationRole9774BAD4": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "iot.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "Policies": [ - { - "PolicyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "TopicBFC7AF6E" - } - } - ], - "Version": "2012-10-17" - }, - "PolicyName": "NotificationPolicy" - } - ] - } - }, - "AuditConfiguration8C793652": { - "Type": "AWS::IoT::AccountAuditConfiguration", - "Properties": { - "AccountId": { - "Ref": "AWS::AccountId" - }, - "AuditCheckConfigurations": { - "AuthenticatedCognitoRoleOverlyPermissiveCheck": { - "Enabled": true - }, - "CaCertificateExpiringCheck": { - "Enabled": true - }, - "CaCertificateKeyQualityCheck": { - "Enabled": true - }, - "ConflictingClientIdsCheck": { - "Enabled": true - }, - "DeviceCertificateExpiringCheck": { - "Enabled": true - }, - "DeviceCertificateKeyQualityCheck": { - "Enabled": true - }, - "DeviceCertificateSharedCheck": { - "Enabled": true - }, - "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { - "Enabled": true - }, - "IoTPolicyPotentialMisConfigurationCheck": { - "Enabled": true - }, - "IotPolicyOverlyPermissiveCheck": { - "Enabled": true - }, - "IotRoleAliasAllowsAccessToUnusedServicesCheck": { - 
"Enabled": true - }, - "IotRoleAliasOverlyPermissiveCheck": { - "Enabled": true - }, - "LoggingDisabledCheck": { - "Enabled": true - }, - "RevokedCaCertificateStillActiveCheck": { - "Enabled": true - }, - "RevokedDeviceCertificateStillActiveCheck": { - "Enabled": true - }, - "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { - "Enabled": true - } - }, - "AuditNotificationTargetConfigurations": { - "Sns": { - "Enabled": true, - "RoleArn": { - "Fn::GetAtt": [ - "AuditConfigurationNotificationRole9774BAD4", - "Arn" - ] - }, - "TargetArn": { - "Ref": "TopicBFC7AF6E" - } - } - }, - "RoleArn": { - "Fn::GetAtt": [ - "AuditConfigurationAuditRole0FFA1461", - "Arn" - ] - } - } - } - }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" - } - }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } - ] - }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } - ] - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out deleted file mode 100644 index c6e612584e352..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out +++ /dev/null @@ -1 +0,0 @@ -{"version":"38.0.1"} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json deleted file mode 100644 index b4d8fa9d08bf3..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "version": "38.0.1", - "testCases": { - "IotAuditConfigurationTest/DefaultTest": { - "stacks": [ - "IotAuditConfigurationTestStack" - ], - "assertionStack": "IotAuditConfigurationTest/DefaultTest/DeployAssert", - "assertionStackName": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json deleted file mode 100644 index f8743822993c2..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json +++ /dev/null 
@@ -1,133 +0,0 @@ -{ - "version": "38.0.1", - "artifacts": { - "IotAuditConfigurationTestStack.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "IotAuditConfigurationTestStack.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "IotAuditConfigurationTestStack": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "IotAuditConfigurationTestStack.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "notificationArns": [], - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/d809d9222ee845df66ea2b3540b3dffe1098b00da280f913784b983e7e4ddf35.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "IotAuditConfigurationTestStack.assets" - ], - "lookupRole": { - "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "IotAuditConfigurationTestStack.assets" - ], - "metadata": { - "/IotAuditConfigurationTestStack/Topic/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "TopicBFC7AF6E" - } - ], - "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "AuditConfigurationAuditRole0FFA1461" - } - ], - "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource": [ - { - 
"type": "aws:cdk:logicalId", - "data": "AuditConfigurationNotificationRole9774BAD4" - } - ], - "/IotAuditConfigurationTestStack/AuditConfiguration/Resource": [ - { - "type": "aws:cdk:logicalId", - "data": "AuditConfiguration8C793652" - } - ], - "/IotAuditConfigurationTestStack/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/IotAuditConfigurationTestStack/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "IotAuditConfigurationTestStack" - }, - "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets": { - "type": "cdk:asset-manifest", - "properties": { - "file": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00": { - "type": "aws:cloudformation:stack", - "environment": "aws://unknown-account/unknown-region", - "properties": { - "templateFile": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", - "terminationProtection": false, - "validateOnSynth": false, - "notificationArns": [], - "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", - "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", - "requiresBootstrapStackVersion": 6, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", - "additionalDependencies": [ - "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" - ], - "lookupRole": { - "arn": 
"arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", - "requiresBootstrapStackVersion": 8, - "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" - } - }, - "dependencies": [ - "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" - ], - "metadata": { - "/IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "BootstrapVersion" - } - ], - "/IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ - { - "type": "aws:cdk:logicalId", - "data": "CheckBootstrapVersion" - } - ] - }, - "displayName": "IotAuditConfigurationTest/DefaultTest/DeployAssert" - }, - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json deleted file mode 100644 index 1748d3c01b041..0000000000000 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json +++ /dev/null 
@@ -1,336 +0,0 @@ -{ - "version": "tree-0.1", - "tree": { - "id": "App", - "path": "", - "children": { - "IotAuditConfigurationTestStack": { - "id": "IotAuditConfigurationTestStack", - "path": "IotAuditConfigurationTestStack", - "children": { - "Topic": { - "id": "Topic", - "path": "IotAuditConfigurationTestStack/Topic", - "children": { - "Resource": { - "id": "Resource", - "path": "IotAuditConfigurationTestStack/Topic/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::SNS::Topic", - "aws:cdk:cloudformation:props": {} - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "AuditConfiguration": { - "id": "AuditConfiguration", - "path": "IotAuditConfigurationTestStack/AuditConfiguration", - "children": { - "AuditRole": { - "id": "AuditRole", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole", - "children": { - "ImportAuditRole": { - "id": "ImportAuditRole", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/ImportAuditRole", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "iot.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "managedPolicyArns": [ - { - "Fn::Join": [ - "", - [ - "arn:", - { - "Ref": "AWS::Partition" - }, - ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" - ] - ] - } - ] - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - 
"NotificationRole": { - "id": "NotificationRole", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole", - "children": { - "ImportNotificationRole": { - "id": "ImportNotificationRole", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/ImportNotificationRole", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IAM::Role", - "aws:cdk:cloudformation:props": { - "assumeRolePolicyDocument": { - "Statement": [ - { - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { - "Service": "iot.amazonaws.com" - } - } - ], - "Version": "2012-10-17" - }, - "policies": [ - { - "policyName": "NotificationPolicy", - "policyDocument": { - "Statement": [ - { - "Action": "sns:Publish", - "Effect": "Allow", - "Resource": { - "Ref": "TopicBFC7AF6E" - } - } - ], - "Version": "2012-10-17" - } - } - ] - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "Resource": { - "id": "Resource", - "path": "IotAuditConfigurationTestStack/AuditConfiguration/Resource", - "attributes": { - "aws:cdk:cloudformation:type": "AWS::IoT::AccountAuditConfiguration", - "aws:cdk:cloudformation:props": { - "accountId": { - "Ref": "AWS::AccountId" - }, - "auditCheckConfigurations": { - "authenticatedCognitoRoleOverlyPermissiveCheck": { - "enabled": true - }, - "caCertificateExpiringCheck": { - "enabled": true - }, - "caCertificateKeyQualityCheck": { - "enabled": true - }, - "conflictingClientIdsCheck": { - "enabled": true - }, - "deviceCertificateExpiringCheck": { - "enabled": true - }, - "deviceCertificateKeyQualityCheck": { - "enabled": true - }, - "deviceCertificateSharedCheck": { - "enabled": true - }, - 
"intermediateCaRevokedForActiveDeviceCertificatesCheck": { - "enabled": true - }, - "iotPolicyOverlyPermissiveCheck": { - "enabled": true - }, - "ioTPolicyPotentialMisConfigurationCheck": { - "enabled": true - }, - "iotRoleAliasAllowsAccessToUnusedServicesCheck": { - "enabled": true - }, - "iotRoleAliasOverlyPermissiveCheck": { - "enabled": true - }, - "loggingDisabledCheck": { - "enabled": true - }, - "revokedCaCertificateStillActiveCheck": { - "enabled": true - }, - "revokedDeviceCertificateStillActiveCheck": { - "enabled": true - }, - "unauthenticatedCognitoRoleOverlyPermissiveCheck": { - "enabled": true - } - }, - "auditNotificationTargetConfigurations": { - "sns": { - "enabled": true, - "targetArn": { - "Ref": "TopicBFC7AF6E" - }, - "roleArn": { - "Fn::GetAtt": [ - "AuditConfigurationNotificationRole9774BAD4", - "Arn" - ] - } - } - }, - "roleArn": { - "Fn::GetAtt": [ - "AuditConfigurationAuditRole0FFA1461", - "Arn" - ] - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/aws-iot-alpha.AccountAuditConfiguration", - "version": "0.0.0" - } - }, - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "IotAuditConfigurationTestStack/BootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "IotAuditConfigurationTestStack/CheckBootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "IotAuditConfigurationTest": { - "id": "IotAuditConfigurationTest", - "path": "IotAuditConfigurationTest", - "children": { - "DefaultTest": { - "id": "DefaultTest", - "path": "IotAuditConfigurationTest/DefaultTest", - "children": { - "Default": { - "id": "Default", - "path": "IotAuditConfigurationTest/DefaultTest/Default", - "constructInfo": { 
- "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "DeployAssert": { - "id": "DeployAssert", - "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert", - "children": { - "BootstrapVersion": { - "id": "BootstrapVersion", - "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - }, - "CheckBootstrapVersion": { - "id": "CheckBootstrapVersion", - "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", - "version": "0.0.0" - } - } - }, - "constructInfo": { - "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", - "version": "0.0.0" - } - }, - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } - }, - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.3.0" - } - } -} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts index ce8535d25d0a0..64a44c38b71c8 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts 
@@ -9,9 +9,47 @@ class TestStack extends cdk.Stack { const targetTopic = new sns.Topic(this, 'Topic'); - new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { + const config = new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { targetTopic, }); + + const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [ + iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, + ], + }); + + const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', { + frequency: iot.Frequency.WEEKLY, + dayOfWeek: iot.DayOfWeek.SUNDAY, + auditChecks: [ + iot.AuditCheck.CA_CERTIFICATE_EXPIRING_CHECK, + ], + }); + + const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', { + frequency: iot.Frequency.MONTHLY, + dayOfMonth: iot.DayOfMonth.LAST_DAY, + auditChecks: [ + iot.AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK, + iot.AuditCheck.CONFLICTING_CLIENT_IDS_CHECK, + iot.AuditCheck.DEVICE_CERTIFICATE_EXPIRING_CHECK, + iot.AuditCheck.DEVICE_CERTIFICATE_KEY_QUALITY_CHECK, + iot.AuditCheck.DEVICE_CERTIFICATE_SHARED_CHECK, + iot.AuditCheck.IOT_POLICY_OVERLY_PERMISSIVE_CHECK, + iot.AuditCheck.IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK, + iot.AuditCheck.IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK, + iot.AuditCheck.LOGGING_DISABLED_CHECK, + iot.AuditCheck.REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK, + iot.AuditCheck.REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK, + iot.AuditCheck.UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, + ], + }); + + dailyAudit.node.addDependency(config); + weeklyAudit.node.addDependency(config); + monthlyAudit.node.addDependency(config); } } From 218a1e72121a5b216722e48cc662d81376ea7a4a Mon Sep 17 00:00:00 2001 
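Review bot: The three `addDependency(config)` calls at the end of the hunk encode an ordering requirement that is neither explained nor, as far as this hunk shows, enforced by the `ScheduledAudit` construct itself: an `AWS::IoT::ScheduledAudit` presumably can only be created once the account audit configuration exists with the targeted checks enabled, so a user who omits the dependency would likely see a deployment-time failure rather than a synth-time one. A one-line comment would make the intent clear, e.g. `// Scheduled audits must be created after the account audit configuration; CloudFormation infers no ordering between the two resource types.` The `MonthlyAudit` check list also leaves out the intermediate-CA-revoked and IoT-policy-potential-misconfiguration checks that the account configuration enables (visible in the snapshot template), so if `AuditCheck` exposes them, adding them would let the snapshot cover every enum member, and if they are intentionally excluded a comment saying why would help the next maintainer. The enclosing `TestStack` constructor starts outside the hunk.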
From: Kazuho CryerShinozuka Date: Wed, 16 Oct 2024 19:56:22 +0900 Subject: [PATCH 3/9] add snapshot --- ...efaultTestDeployAssert6A603D00.assets.json | 19 + ...aultTestDeployAssert6A603D00.template.json | 36 ++ ...IotAuditConfigurationTestStack.assets.json | 19 + ...tAuditConfigurationTestStack.template.json | 239 ++++++++++ .../cdk.out | 1 + .../integ.json | 12 + .../manifest.json | 151 ++++++ .../tree.json | 430 ++++++++++++++++++ 8 files changed, 907 insertions(+) create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json new file mode 100644 index 0000000000000..057363705de1d --- /dev/null 
+++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "source": { + "path": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json new file mode 100644 index 0000000000000..770e7ed409613 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json @@ -0,0 +1,19 @@ +{ + "version": "38.0.1", + "files": { + "c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc": { + "source": { + "path": "IotAuditConfigurationTestStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json new file mode 100644 index 0000000000000..ed4e8c63400f8 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json 
@@ -0,0 +1,239 @@ +{ + "Resources": { + "TopicBFC7AF6E": { + "Type": "AWS::SNS::Topic" + }, + "AuditConfigurationAuditRole0FFA1461": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" + ] + ] + } + ] + } + }, + "AuditConfigurationNotificationRole9774BAD4": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Ref": "TopicBFC7AF6E" + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "NotificationPolicy" + } + ] + } + }, + "AuditConfiguration8C793652": { + "Type": "AWS::IoT::AccountAuditConfiguration", + "Properties": { + "AccountId": { + "Ref": "AWS::AccountId" + }, + "AuditCheckConfigurations": { + "AuthenticatedCognitoRoleOverlyPermissiveCheck": { + "Enabled": true + }, + "CaCertificateExpiringCheck": { + "Enabled": true + }, + "CaCertificateKeyQualityCheck": { + "Enabled": true + }, + "ConflictingClientIdsCheck": { + "Enabled": true + }, + "DeviceCertificateExpiringCheck": { + "Enabled": true + }, + "DeviceCertificateKeyQualityCheck": { + "Enabled": true + }, + "DeviceCertificateSharedCheck": { + "Enabled": true + }, + "IntermediateCaRevokedForActiveDeviceCertificatesCheck": { + "Enabled": true + }, + "IoTPolicyPotentialMisConfigurationCheck": { + "Enabled": true + }, + "IotPolicyOverlyPermissiveCheck": { + "Enabled": true + }, + "IotRoleAliasAllowsAccessToUnusedServicesCheck": { + 
"Enabled": true + }, + "IotRoleAliasOverlyPermissiveCheck": { + "Enabled": true + }, + "LoggingDisabledCheck": { + "Enabled": true + }, + "RevokedCaCertificateStillActiveCheck": { + "Enabled": true + }, + "RevokedDeviceCertificateStillActiveCheck": { + "Enabled": true + }, + "UnauthenticatedCognitoRoleOverlyPermissiveCheck": { + "Enabled": true + } + }, + "AuditNotificationTargetConfigurations": { + "Sns": { + "Enabled": true, + "RoleArn": { + "Fn::GetAtt": [ + "AuditConfigurationNotificationRole9774BAD4", + "Arn" + ] + }, + "TargetArn": { + "Ref": "TopicBFC7AF6E" + } + } + }, + "RoleArn": { + "Fn::GetAtt": [ + "AuditConfigurationAuditRole0FFA1461", + "Arn" + ] + } + } + }, + "DailyAudit1160906D": { + "Type": "AWS::IoT::ScheduledAudit", + "Properties": { + "Frequency": "DAILY", + "TargetCheckNames": [ + "AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" + ] + }, + "DependsOn": [ + "AuditConfigurationAuditRole0FFA1461", + "AuditConfigurationNotificationRole9774BAD4", + "AuditConfiguration8C793652" + ] + }, + "WeeklyAudit5489D5FF": { + "Type": "AWS::IoT::ScheduledAudit", + "Properties": { + "DayOfWeek": "SUN", + "Frequency": "WEEKLY", + "TargetCheckNames": [ + "CA_CERTIFICATE_EXPIRING_CHECK" + ] + }, + "DependsOn": [ + "AuditConfigurationAuditRole0FFA1461", + "AuditConfigurationNotificationRole9774BAD4", + "AuditConfiguration8C793652" + ] + }, + "MonthlyAudit11A7B28C": { + "Type": "AWS::IoT::ScheduledAudit", + "Properties": { + "DayOfMonth": "LAST", + "Frequency": "MONTHLY", + "TargetCheckNames": [ + "CA_CERTIFICATE_KEY_QUALITY_CHECK", + "CONFLICTING_CLIENT_IDS_CHECK", + "DEVICE_CERTIFICATE_EXPIRING_CHECK", + "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK", + "DEVICE_CERTIFICATE_SHARED_CHECK", + "IOT_POLICY_OVERLY_PERMISSIVE_CHECK", + "IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK", + "IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK", + "LOGGING_DISABLED_CHECK", + "REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK", + "REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK", + 
"UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" + ] + }, + "DependsOn": [ + "AuditConfigurationAuditRole0FFA1461", + "AuditConfigurationNotificationRole9774BAD4", + "AuditConfiguration8C793652" + ] + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out new file mode 100644 index 0000000000000..c6e612584e352 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json new file mode 100644 index 0000000000000..b4d8fa9d08bf3 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json @@ -0,0 +1,12 @@ +{ + "version": "38.0.1", + "testCases": { + "IotAuditConfigurationTest/DefaultTest": { + "stacks": [ + "IotAuditConfigurationTestStack" + ], + "assertionStack": "IotAuditConfigurationTest/DefaultTest/DeployAssert", + "assertionStackName": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00" + } + } +} \ No newline at end of file 
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json new file mode 100644 index 0000000000000..da95d1a0a5749 --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json 
@@ -0,0 +1,151 @@ +{ + "version": "38.0.1", + "artifacts": { + "IotAuditConfigurationTestStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IotAuditConfigurationTestStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IotAuditConfigurationTestStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IotAuditConfigurationTestStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IotAuditConfigurationTestStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IotAuditConfigurationTestStack.assets" + ], + "metadata": { + "/IotAuditConfigurationTestStack/Topic/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TopicBFC7AF6E" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuditConfigurationAuditRole0FFA1461" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource": [ + { + 
"type": "aws:cdk:logicalId", + "data": "AuditConfigurationNotificationRole9774BAD4" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "AuditConfiguration8C793652" + } + ], + "/IotAuditConfigurationTestStack/DailyAudit/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "DailyAudit1160906D" + } + ], + "/IotAuditConfigurationTestStack/WeeklyAudit/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "WeeklyAudit5489D5FF" + } + ], + "/IotAuditConfigurationTestStack/MonthlyAudit/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MonthlyAudit11A7B28C" + } + ], + "/IotAuditConfigurationTestStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/IotAuditConfigurationTestStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "IotAuditConfigurationTestStack" + }, + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "notificationArns": [], + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": 
"s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets" + ], + "metadata": { + "/IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "IotAuditConfigurationTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json new file mode 100644 index 0000000000000..a8a4569a1201f --- /dev/null +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json 
@@ -0,0 +1,430 @@ +{ + "version": "tree-0.1", + "tree": { + "id": "App", + "path": "", + "children": { + "IotAuditConfigurationTestStack": { + "id": "IotAuditConfigurationTestStack", + "path": "IotAuditConfigurationTestStack", + "children": { + "Topic": { + "id": "Topic", + "path": "IotAuditConfigurationTestStack/Topic", + "children": { + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/Topic/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::SNS::Topic", + "aws:cdk:cloudformation:props": {} + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "AuditConfiguration": { + "id": "AuditConfiguration", + "path": "IotAuditConfigurationTestStack/AuditConfiguration", + "children": { + "AuditRole": { + "id": "AuditRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole", + "children": { + "ImportAuditRole": { + "id": "ImportAuditRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/ImportAuditRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "managedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" + ] + ] + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + 
"NotificationRole": { + "id": "NotificationRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole", + "children": { + "ImportNotificationRole": { + "id": "ImportNotificationRole", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/ImportNotificationRole", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IAM::Role", + "aws:cdk:cloudformation:props": { + "assumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "iot.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "policies": [ + { + "policyName": "NotificationPolicy", + "policyDocument": { + "Statement": [ + { + "Action": "sns:Publish", + "Effect": "Allow", + "Resource": { + "Ref": "TopicBFC7AF6E" + } + } + ], + "Version": "2012-10-17" + } + } + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/AuditConfiguration/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IoT::AccountAuditConfiguration", + "aws:cdk:cloudformation:props": { + "accountId": { + "Ref": "AWS::AccountId" + }, + "auditCheckConfigurations": { + "authenticatedCognitoRoleOverlyPermissiveCheck": { + "enabled": true + }, + "caCertificateExpiringCheck": { + "enabled": true + }, + "caCertificateKeyQualityCheck": { + "enabled": true + }, + "conflictingClientIdsCheck": { + "enabled": true + }, + "deviceCertificateExpiringCheck": { + "enabled": true + }, + "deviceCertificateKeyQualityCheck": { + "enabled": true + }, + "deviceCertificateSharedCheck": { + "enabled": true + }, + 
"intermediateCaRevokedForActiveDeviceCertificatesCheck": { + "enabled": true + }, + "iotPolicyOverlyPermissiveCheck": { + "enabled": true + }, + "ioTPolicyPotentialMisConfigurationCheck": { + "enabled": true + }, + "iotRoleAliasAllowsAccessToUnusedServicesCheck": { + "enabled": true + }, + "iotRoleAliasOverlyPermissiveCheck": { + "enabled": true + }, + "loggingDisabledCheck": { + "enabled": true + }, + "revokedCaCertificateStillActiveCheck": { + "enabled": true + }, + "revokedDeviceCertificateStillActiveCheck": { + "enabled": true + }, + "unauthenticatedCognitoRoleOverlyPermissiveCheck": { + "enabled": true + } + }, + "auditNotificationTargetConfigurations": { + "sns": { + "enabled": true, + "targetArn": { + "Ref": "TopicBFC7AF6E" + }, + "roleArn": { + "Fn::GetAtt": [ + "AuditConfigurationNotificationRole9774BAD4", + "Arn" + ] + } + } + }, + "roleArn": { + "Fn::GetAtt": [ + "AuditConfigurationAuditRole0FFA1461", + "Arn" + ] + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iot-alpha.AccountAuditConfiguration", + "version": "0.0.0" + } + }, + "DailyAudit": { + "id": "DailyAudit", + "path": "IotAuditConfigurationTestStack/DailyAudit", + "children": { + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/DailyAudit/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IoT::ScheduledAudit", + "aws:cdk:cloudformation:props": { + "frequency": "DAILY", + "targetCheckNames": [ + "AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", + "version": "0.0.0" + } + }, + "WeeklyAudit": { + "id": "WeeklyAudit", + "path": "IotAuditConfigurationTestStack/WeeklyAudit", + "children": { + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/WeeklyAudit/Resource", 
+ "attributes": { + "aws:cdk:cloudformation:type": "AWS::IoT::ScheduledAudit", + "aws:cdk:cloudformation:props": { + "dayOfWeek": "SUN", + "frequency": "WEEKLY", + "targetCheckNames": [ + "CA_CERTIFICATE_EXPIRING_CHECK" + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", + "version": "0.0.0" + } + }, + "MonthlyAudit": { + "id": "MonthlyAudit", + "path": "IotAuditConfigurationTestStack/MonthlyAudit", + "children": { + "Resource": { + "id": "Resource", + "path": "IotAuditConfigurationTestStack/MonthlyAudit/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::IoT::ScheduledAudit", + "aws:cdk:cloudformation:props": { + "dayOfMonth": "LAST", + "frequency": "MONTHLY", + "targetCheckNames": [ + "CA_CERTIFICATE_KEY_QUALITY_CHECK", + "CONFLICTING_CLIENT_IDS_CHECK", + "DEVICE_CERTIFICATE_EXPIRING_CHECK", + "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK", + "DEVICE_CERTIFICATE_SHARED_CHECK", + "IOT_POLICY_OVERLY_PERMISSIVE_CHECK", + "IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK", + "IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK", + "LOGGING_DISABLED_CHECK", + "REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK", + "REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK", + "UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK" + ] + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "IotAuditConfigurationTestStack/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "IotAuditConfigurationTestStack/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": 
"constructs.Construct", + "version": "10.3.0" + } + }, + "IotAuditConfigurationTest": { + "id": "IotAuditConfigurationTest", + "path": "IotAuditConfigurationTest", + "children": { + "DefaultTest": { + "id": "DefaultTest", + "path": "IotAuditConfigurationTest/DefaultTest", + "children": { + "Default": { + "id": "Default", + "path": "IotAuditConfigurationTest/DefaultTest/Default", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "DeployAssert": { + "id": "DeployAssert", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert", + "children": { + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTestCase", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "@aws-cdk/integ-tests-alpha.IntegTest", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } + }, + "constructInfo": { + "fqn": "constructs.Construct", + "version": "10.3.0" + } + } +} \ No newline at end of file From e7dd2379bd164813fc9c4f4eee109545c0e0c463 Mon Sep 17 00:00:00 2001 
From: Kazuho CryerShinozuka Date: Wed, 16 Oct 2024 21:08:35 +0900 Subject: [PATCH 4/9] add unit test --- .../aws-iot-alpha/lib/scheduled-audit.ts | 43 ++-- .../test/scheduled-audit.test.ts | 239 ++++++++++++++++++ 2 files changed, 267 insertions(+), 15 deletions(-) create mode 100644 packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts index 8d74c2b6e1c27..0de62a0e5c597 100644 --- a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts +++ b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts 
@@ -314,21 +314,34 @@ export class ScheduledAudit extends Resource implements IScheduledAudit {
 throw new Error('At least one \'auditChecks\' must be specified.');
 }
 
- if (props.frequency === Frequency.WEEKLY || props.frequency === Frequency.BI_WEEKLY) {
- if (!props.dayOfWeek) {
- throw new Error('Day of the week must be specified for weekly or bi-weekly audits.');
- }
- if (props.dayOfMonth) {
- throw new Error('Day of the month must not be specified for weekly or bi-weekly audits.');
- }
- }
- if (props.frequency === Frequency.MONTHLY) {
- if (!props.dayOfMonth) {
- throw new Error('Day of the month must be specified for monthly audits.');
- }
- if (props.dayOfWeek) {
- throw new Error('Day of the week must not be specified for monthly audits.');
- }
+ switch (props.frequency) {
+ case Frequency.DAILY:
+ if (props.dayOfWeek) {
+ throw new Error('Day of the week must not be specified for daily audits.');
+ }
+ if (props.dayOfMonth) {
+ throw new Error('Day of the month must not be specified for daily audits.');
+ }
+ break;
+ case Frequency.WEEKLY:
+ case Frequency.BI_WEEKLY:
+ if (!props.dayOfWeek) {
+ throw new Error('Day of the week must be specified for weekly or bi-weekly audits.');
+ }
+ if (props.dayOfMonth) {
+ throw new Error('Day of the month must not be specified for weekly or bi-weekly audits.');
+ }
+ break;
+ case Frequency.MONTHLY:
+ if (!props.dayOfMonth) {
+ throw new Error('Day of the month must be specified for monthly audits.');
+ }
+ if (props.dayOfWeek) {
+ throw new Error('Day of the week must not be specified for monthly audits.');
+ }
+ break;
+ default:
+ throw new Error('Invalid frequency specified.');
 }
 
 if (props.scheduledAuditName && !Token.isUnresolved(props.scheduledAuditName)) {
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts
new file mode 100644
index 0000000000000..3a8903d79d5c4
--- /dev/null
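Review bot: The `default` branch of the new `switch` throws `'Invalid frequency specified.'` without reporting the value, yet it is the only guard left for a `frequency` that is not a `Frequency` member (a JavaScript caller, or a value cast past the enum), and the name checks elsewhere in this file do report the offending input with `got: ...`. Suggest `throw new Error(\`Invalid frequency specified, got: ${props.frequency}\`);` so a synth failure names the bad value instead of forcing a search through the props. The constructor this validation belongs to starts and ends outside the hunk.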
+++ b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts 
@@ -0,0 +1,239 @@ +import { Template } from 'aws-cdk-lib/assertions'; +import * as cdk from 'aws-cdk-lib'; +import * as iot from '../lib'; + +test('Default property', () => { + const stack = new cdk.Stack(); + + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { + Frequency: 'DAILY', + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }); +}); + +test('full settings', () => { + const stack = new cdk.Stack(); + + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + scheduledAuditName: 'MyScheduledAudit', + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { + Frequency: 'DAILY', + ScheduledAuditName: 'MyScheduledAudit', + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }); +}); + +describe('daily audit', () => { + test('throw error for specifying day of week', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + dayOfWeek: iot.DayOfWeek.MONDAY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the week must not be specified for daily audits.'); + }); + + test('throw error for specifying day of month', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + dayOfMonth: iot.DayOfMonth.of(29), + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the month must not be specified for daily audits.'); + }); +}); + +describe('weekly audit', () => { + test('set day of 
week', () => { + const stack = new cdk.Stack(); + + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.WEEKLY, + dayOfWeek: iot.DayOfWeek.MONDAY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { + Frequency: 'WEEKLY', + DayOfWeek: 'MONDAY', + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }); + }); + + test('throw error for missing day of week', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.WEEKLY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the week must be specified for weekly or bi-weekly audits.'); + }); + + test('throw error for specifying both day of week and day of month', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.WEEKLY, + dayOfWeek: iot.DayOfWeek.MONDAY, + dayOfMonth: iot.DayOfMonth.of(29), + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the month must not be specified for weekly or bi-weekly audits.'); + }); +}); + +describe('bi-weekly audit', () => { + test('set day of week', () => { + const stack = new cdk.Stack(); + + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.BI_WEEKLY, + dayOfWeek: iot.DayOfWeek.MONDAY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { + Frequency: 'BIWEEKLY', + DayOfWeek: 'MONDAY', + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }); + }); + + test('throw error for missing day of week', () => { + const stack = new cdk.Stack(); + + expect(() => { + new 
iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.BI_WEEKLY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the week must be specified for weekly or bi-weekly audits.'); + }); + + test('throw error for specifying both day of week and day of month', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.BI_WEEKLY, + dayOfWeek: iot.DayOfWeek.MONDAY, + dayOfMonth: iot.DayOfMonth.of(29), + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the month must not be specified for weekly or bi-weekly audits.'); + }); +}); + +describe('monthly audit', () => { + test('set day of month', () => { + const stack = new cdk.Stack(); + + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.MONTHLY, + dayOfMonth: iot.DayOfMonth.of(29), + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + + Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { + Frequency: 'MONTHLY', + DayOfMonth: 29, + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }); + }); + + test('throw error for missing day of month', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.MONTHLY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the month must be specified for monthly audits.'); + }); + + test('throw error for specifying both day of week and day of month', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.MONTHLY, + dayOfWeek: iot.DayOfWeek.MONDAY, + dayOfMonth: iot.DayOfMonth.of(29), + auditChecks: 
[iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + }); + }).toThrow('Day of the week must not be specified for monthly audits.'); + }); +}); + +test.each(['', 'a'.repeat(129)])('throw error for invalid length of scheduled audit name %s', (name) => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + scheduledAuditName: name, + }); + }).toThrow(`Scheduled audit name must be between 1 and 128 characters, got: ${name.length}`); +}); + +test('throw error for invalid scheduled audit name', () => { + const stack = new cdk.Stack(); + + expect(() => { + new iot.ScheduledAudit(stack, 'ScheduledAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], + scheduledAuditName: '*!()', + }); + }).toThrow('Scheduled audit name must be alphanumeric and may include colons, underscores, and hyphens, got: *!()'); +}); + +test('import by attributes', () => { + const stack = new cdk.Stack(); + + const name = 'scheduled-audit-name'; + const arn = 'arn:aws:iot:us-east-1:123456789012:scheduledaudit/scheduled-audit-name'; + + const scheduledAudit = iot.ScheduledAudit.fromScheduledAuditAttributes(stack, 'AccountAuditConfigurationFromId', { + scheduledAuditName: name, + scheduledAuditArn: arn, + }); + + expect(scheduledAudit).toMatchObject({ + scheduledAuditName: name, + scheduledAuditArn: arn, + }); +}); + +test('import by arn', () => { + const stack = new cdk.Stack(); + + const arn = 'arn:aws:iot:us-east-1:123456789012:scheduledaudit/scheduled-audit-name'; + + const scheduledAudit = iot.ScheduledAudit.fromScheduledAuditArn(stack, 'AccountAuditConfigurationFromArn', arn); + + expect(scheduledAudit).toMatchObject({ + scheduledAuditArn: arn, + scheduledAuditName: 'scheduled-audit-name', + }); +}); 
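Review bot: No test in the new file exercises the `auditChecks` length check, the `At least one 'auditChecks' must be specified.` error visible as context at the top of the lib hunk in this patch, so an empty `auditChecks` array is not pinned by the suite. Suggest adding, next to the frequency cases: `expect(() => new iot.ScheduledAudit(stack, 'ScheduledAudit', { frequency: iot.Frequency.DAILY, auditChecks: [] })).toThrow('At least one \'auditChecks\' must be specified.');`. The `import by attributes` and `import by arn` tests also use construct ids `AccountAuditConfigurationFromId` and `AccountAuditConfigurationFromArn`, which look like leftovers from the account-audit-configuration tests rather than ids describing a scheduled audit.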
From f37e4eed32c4677438856f5b2bcf4885a6d6cb29 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Wed, 16 Oct 2024 21:13:25 +0900 Subject: [PATCH 5/9] update unit test --- packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts | 2 +- .../@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts index 0de62a0e5c597..68b31daa075a7 100644 --- a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts +++ b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts @@ -344,7 +344,7 @@ export class ScheduledAudit extends Resource implements IScheduledAudit { throw new Error('Invalid frequency specified.'); } - if (props.scheduledAuditName && !Token.isUnresolved(props.scheduledAuditName)) { + if (props.scheduledAuditName !== undefined && !Token.isUnresolved(props.scheduledAuditName)) { if (props.scheduledAuditName.length < 1 || props.scheduledAuditName.length > 128) { throw new Error(`Scheduled audit name must be between 1 and 128 characters, got: ${props.scheduledAuditName.length}`); } diff --git a/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts index 3a8903d79d5c4..3d2e129f5e8cc 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts +++ b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts @@ -70,7 +70,7 @@ describe('weekly audit', () => { Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { Frequency: 'WEEKLY', - DayOfWeek: 'MONDAY', + DayOfWeek: 'MON', TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], }); }); 
@@ -112,7 +112,7 @@ describe('bi-weekly audit', () => { Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { Frequency: 'BIWEEKLY', - DayOfWeek: 'MONDAY', + DayOfWeek: 'MON', TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], }); }); @@ -154,7 +154,7 @@ describe('monthly audit', () => { Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { Frequency: 'MONTHLY', - DayOfMonth: 29, + DayOfMonth: '29', TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], }); }); From ca8dd4dd99a49ef7a418486b64042e182e8db986 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Wed, 16 Oct 2024 21:32:14 +0900 Subject: [PATCH 6/9] add readme --- packages/@aws-cdk/aws-iot-alpha/README.md | 39 +++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md index ffd905dc5a2ed..b93ccaed8413d 100644 --- a/packages/@aws-cdk/aws-iot-alpha/README.md +++ b/packages/@aws-cdk/aws-iot-alpha/README.md 
@@ -139,3 +139,42 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { }, }); ``` + +### Scheduled Audit + +You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/AuditCommands.html#device-defender-AuditCommandsManageSchedules) that is run at a specified time interval. Checks must be enabled for your account by creating `AccountAuditConfiguration`. + +```ts +declare const config: iot.AccountAuditConfiguration; + +// Daily audit +const dailyConfig = new iot.ScheduledAudit(this, 'DailyAudit', { + frequency: iot.Frequency.DAILY, + auditChecks: [ + iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, + ], +}) + +// Weekly audit +const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', { + frequency: iot.Frequency.WEEKLY, + dayOfWeek: iot.DayOfWeek.SUNDAY, + auditChecks: [ + iot.AuditCheck.CA_CERTIFICATE_EXPIRING_CHECK, + ], +}); + +// Monthly audit +const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', { + frequency: iot.Frequency.MONTHLY, + dayOfMonth: iot.DayOfMonth.of(1), + auditChecks: [ + iot.AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK, + ], +}); + +// Add a dependency because a `ScheduledAudit` needs to be created after the `AccountAuditConfiguration` is set up. +dailyAudit.node.addDependency(config); +weeklyAudit.node.addDependency(config); +monthlyAudit.node.addDependency(config); +``` From 80ce5ea49d2dd9275a3fe6b100cd4358b60d82c6 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Wed, 16 Oct 2024 22:36:27 +0900 Subject: [PATCH 7/9] fix readme --- packages/@aws-cdk/aws-iot-alpha/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md index b93ccaed8413d..bf8cbdf149b3d 100644 --- a/packages/@aws-cdk/aws-iot-alpha/README.md +++ b/packages/@aws-cdk/aws-iot-alpha/README.md 
@@ -148,7 +148,7 @@ You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defend declare const config: iot.AccountAuditConfiguration; // Daily audit -const dailyConfig = new iot.ScheduledAudit(this, 'DailyAudit', { +const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', { frequency: iot.Frequency.DAILY, auditChecks: [ iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, From ad93c47f7f7a2c01f15ff2a4d4c1d4bd417bb752 Mon Sep 17 00:00:00 2001 From: Kazuho CryerShinozuka Date: Sat, 19 Oct 2024 07:32:11 +0900 Subject: [PATCH 8/9] make configuration mandatory --- packages/@aws-cdk/aws-iot-alpha/README.md | 5 -- .../aws-iot-alpha/lib/scheduled-audit.ts | 10 +++ .../test/integ.audit-configuration.ts | 13 ++-- .../test/scheduled-audit.test.ts | 66 ++++++++----------- 4 files changed, 45 insertions(+), 49 deletions(-) diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md index bf8cbdf149b3d..5c51523350209 100644 --- a/packages/@aws-cdk/aws-iot-alpha/README.md +++ b/packages/@aws-cdk/aws-iot-alpha/README.md @@ -172,9 +172,4 @@ const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', { iot.AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK, ], }); - -// Add a dependency because a `ScheduledAudit` needs to be created after the `AccountAuditConfiguration` is set up. -dailyAudit.node.addDependency(config); -weeklyAudit.node.addDependency(config); -monthlyAudit.node.addDependency(config); ``` diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts index 68b31daa075a7..7b69887cae327 100644 --- a/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts +++ b/packages/@aws-cdk/aws-iot-alpha/lib/scheduled-audit.ts 
@@ -1,6 +1,7 @@ import { Resource, Stack, IResource, Token, ArnFormat } from 'aws-cdk-lib/core'; import { Construct } from 'constructs'; import * as iot from 'aws-cdk-lib/aws-iot'; +import { IAccountAuditConfiguration } from './audit-configuration'; /** * Represents AWS IoT Scheduled Audit @@ -231,6 +232,13 @@ export interface ScheduledAuditProps { */ readonly auditChecks: AuditCheck[]; + /** + * Account audit configuration. + * + * The audit checks specified in `auditChecks` must be enabled in this configuration. + */ + readonly accountAuditConfiguration: IAccountAuditConfiguration; + /** * The day of the week on which the scheduled audit is run (if the frequency is "WEEKLY" or "BIWEEKLY"). * @@ -363,6 +371,8 @@ export class ScheduledAudit extends Resource implements IScheduledAudit { this.scheduledAuditName = resource.ref; this.scheduledAuditArn = resource.attrScheduledAuditArn; + + resource.node.addDependency(props.accountAuditConfiguration); } } diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts index 64a44c38b71c8..6d37bf3b59df0 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts @@ -13,14 +13,16 @@ class TestStack extends cdk.Stack { targetTopic, }); - const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', { + new iot.ScheduledAudit(this, 'DailyAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.DAILY, auditChecks: [ iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, ], }); - const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', { + new iot.ScheduledAudit(this, 'WeeklyAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.WEEKLY, dayOfWeek: iot.DayOfWeek.SUNDAY, auditChecks: [ 
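Review bot: The dependency added by `resource.node.addDependency(props.accountAuditConfiguration)` only orders deployment; nothing verifies that every entry in `auditChecks` is enabled in that configuration, so the sentence "must be enabled in this configuration" on the new prop reads as a guarantee the construct does not give. The prop is typed as the `IAccountAuditConfiguration` interface, and a configuration imported rather than created in the same app carries no CloudFormation resource, in which case the dependency presumably emits no `DependsOn` and ordering falls back to the caller. Suggest extending the TSDoc with: `The construct only adds a deployment dependency on this configuration; it does not check that the checks in \`auditChecks\` are enabled there, and no dependency is emitted for an imported configuration.` The constructor enclosing the `addDependency` call starts outside the hunk.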
@@ -28,7 +30,8 @@ class TestStack extends cdk.Stack { ], }); - const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', { + new iot.ScheduledAudit(this, 'MonthlyAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.MONTHLY, dayOfMonth: iot.DayOfMonth.LAST_DAY, auditChecks: [ @@ -46,10 +49,6 @@ class TestStack extends cdk.Stack { iot.AuditCheck.UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK, ], }); - - dailyAudit.node.addDependency(config); - weeklyAudit.node.addDependency(config); - monthlyAudit.node.addDependency(config); } } diff --git a/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts index 3d2e129f5e8cc..85972b4571483 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts +++ b/packages/@aws-cdk/aws-iot-alpha/test/scheduled-audit.test.ts 
@@ -2,24 +2,33 @@ import { Template } from 'aws-cdk-lib/assertions'; import * as cdk from 'aws-cdk-lib'; import * as iot from '../lib'; -test('Default property', () => { - const stack = new cdk.Stack(); +let stack: cdk.Stack; +let config: iot.AccountAuditConfiguration; + +beforeEach(() => { + stack = new cdk.Stack(); + config = new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration'); +}); +test('Default property', () => { new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.DAILY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], }); - Template.fromStack(stack).hasResourceProperties('AWS::IoT::ScheduledAudit', { - Frequency: 'DAILY', - TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + Template.fromStack(stack).hasResource('AWS::IoT::ScheduledAudit', { + DependsOn: ['AccountAuditConfigurationAuditRoleBEFDE978', 'AccountAuditConfigurationA87E7758'], + Properties: { + Frequency: 'DAILY', + TargetCheckNames: ['AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK'], + }, }); }); test('full settings', () => { - const stack = new cdk.Stack(); - new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.DAILY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], scheduledAuditName: 'MyScheduledAudit', @@ -34,10 +43,9 @@ test('full settings', () => { describe('daily audit', () => { test('throw error for specifying day of week', () => { - const stack = new cdk.Stack(); - expect(() => { new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.DAILY, dayOfWeek: iot.DayOfWeek.MONDAY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], 
@@ -46,10 +54,9 @@ describe('daily audit', () => { }); test('throw error for specifying day of month', () => { - const stack = new cdk.Stack(); - expect(() => { new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.DAILY, dayOfMonth: iot.DayOfMonth.of(29), auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], @@ -60,9 +67,8 @@ describe('daily audit', () => { describe('weekly audit', () => { test('set day of week', () => { - const stack = new cdk.Stack(); - new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.WEEKLY, dayOfWeek: iot.DayOfWeek.MONDAY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], @@ -76,10 +82,9 @@ describe('weekly audit', () => { }); test('throw error for missing day of week', () => { - const stack = new cdk.Stack(); - expect(() => { new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.WEEKLY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], }); @@ -87,10 +92,9 @@ describe('weekly audit', () => { }); test('throw error for specifying both day of week and day of month', () => { - const stack = new cdk.Stack(); - expect(() => { new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.WEEKLY, dayOfWeek: iot.DayOfWeek.MONDAY, dayOfMonth: iot.DayOfMonth.of(29), @@ -102,9 +106,8 @@ describe('weekly audit', () => { describe('bi-weekly audit', () => { test('set day of week', () => { - const stack = new cdk.Stack(); - new iot.ScheduledAudit(stack, 'ScheduledAudit', { + accountAuditConfiguration: config, frequency: iot.Frequency.BI_WEEKLY, dayOfWeek: iot.DayOfWeek.MONDAY, auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK], 
@@ -118,10 +121,9 @@ describe('bi-weekly audit', () => {
 });
 test('throw error for missing day of week', () => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.BI_WEEKLY,
 auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK],
 });
@@ -129,10 +131,9 @@ describe('bi-weekly audit', () => {
 });
 test('throw error for specifying both day of week and day of month', () => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.BI_WEEKLY,
 dayOfWeek: iot.DayOfWeek.MONDAY,
 dayOfMonth: iot.DayOfMonth.of(29),
@@ -144,9 +145,8 @@ describe('bi-weekly audit', () => {
 describe('monthly audit', () => {
 test('set day of month', () => {
- const stack = new cdk.Stack();
-
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.MONTHLY,
 dayOfMonth: iot.DayOfMonth.of(29),
 auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK],
@@ -160,10 +160,9 @@ describe('monthly audit', () => {
 });
 test('throw error for missing day of month', () => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.MONTHLY,
 auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK],
 });
@@ -171,10 +170,9 @@ describe('monthly audit', () => {
 });
 test('throw error for specifying both day of week and day of month', () => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.MONTHLY,
 dayOfWeek: iot.DayOfWeek.MONDAY,
 dayOfMonth: iot.DayOfMonth.of(29),
@@ -185,10 +183,9 @@ describe('monthly audit', () => {
 });
 test.each(['', 'a'.repeat(129)])('throw error for invalid length of scheduled audit name %s', (name) => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.DAILY,
 auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK],
 scheduledAuditName: name,
@@ -197,10 +194,9 @@ test.each(['', 'a'.repeat(129)])('throw error for invalid length of scheduled au
 });
 test('throw error for invalid scheduled audit name', () => {
- const stack = new cdk.Stack();
-
 expect(() => {
 new iot.ScheduledAudit(stack, 'ScheduledAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.DAILY,
 auditChecks: [iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK],
 scheduledAuditName: '*!()',
@@ -209,8 +205,6 @@ test('throw error for invalid scheduled audit name', () => {
 });
 test('import by attributes', () => {
- const stack = new cdk.Stack();
-
 const name = 'scheduled-audit-name';
 const arn = 'arn:aws:iot:us-east-1:123456789012:scheduledaudit/scheduled-audit-name';
@@ -226,8 +220,6 @@ test('import by attributes', () => {
 });
 test('import by arn', () => {
- const stack = new cdk.Stack();
-
 const arn = 'arn:aws:iot:us-east-1:123456789012:scheduledaudit/scheduled-audit-name';
 const scheduledAudit = iot.ScheduledAudit.fromScheduledAuditArn(stack, 'AccountAuditConfigurationFromArn', arn);
From 9d64f76a30c0cbcebdb6b58a252e04fcdf706a9e Mon Sep 17 00:00:00 2001
From: Kazuho CryerShinozuka
Date: Sat, 19 Oct 2024 18:41:02 +0900
Subject: [PATCH 9/9] fix readme
---
 packages/@aws-cdk/aws-iot-alpha/README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md
index 5c51523350209..65a0c740bf9ee 100644
--- a/packages/@aws-cdk/aws-iot-alpha/README.md
+++ b/packages/@aws-cdk/aws-iot-alpha/README.md
@@ -149,6 +149,7 @@ declare const config: iot.AccountAuditConfiguration;
 // Daily audit
 const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.DAILY,
 auditChecks: [
 iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK,
@@ -157,6 +158,7 @@ const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', {
 // Weekly audit
 const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.WEEKLY,
 dayOfWeek: iot.DayOfWeek.SUNDAY,
 auditChecks: [
@@ -166,6 +168,7 @@ const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', {
 // Monthly audit
 const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', {
+ accountAuditConfiguration: config,
 frequency: iot.Frequency.MONTHLY,
 dayOfMonth: iot.DayOfMonth.of(1),
 auditChecks: [