@k9securityio/k9-cdk/lib/dynamodb.js

Provision strong AWS security policies easily using the AWS CDK.

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.makeResourcePolicy = exports.SID_DENY_EVERYONE_ELSE = void 0;
const aws_iam_1 = require("aws-cdk-lib/aws-iam");
const iam = require("aws-cdk-lib/aws-iam");
const k9policy_1 = require("./k9policy");
let SUPPORTED_CAPABILITIES = new Array(k9policy_1.AccessCapability.ADMINISTER_RESOURCE, k9policy_1.AccessCapability.READ_CONFIG, k9policy_1.AccessCapability.READ_DATA, k9policy_1.AccessCapability.WRITE_DATA, k9policy_1.AccessCapability.DELETE_DATA);
exports.SID_DENY_EVERYONE_ELSE = 'DenyEveryoneElse';
/**
 * Generate a DynamoDB resource policy from the provided props that can be attached to DynamoDB
 * resources, particularly tables & indices.
 *
 * @param props specifying desired access
 * @return a PolicyDocument that can be attached to DynamoDB resources
 */
function makeResourcePolicy(props) {
    const policyFactory = new k9policy_1.K9PolicyFactory();
    const policy = new iam.PolicyDocument();
    const resourceArns = ['*'];
    let accessSpecsByCapabilityRecs = policyFactory.mergeDesiredAccessSpecsByCapability(SUPPORTED_CAPABILITIES, props.k9DesiredAccess);
    let accessSpecsByCapability = new Map();
    for (let [capabilityStr, accessSpec] of Object.entries(accessSpecsByCapabilityRecs)) {
        accessSpecsByCapability.set((0, k9policy_1.getAccessCapabilityFromValue)(capabilityStr), accessSpec);
    }
    if (!(0, k9policy_1.canPrincipalsManageResources)(accessSpecsByCapability)) {
        throw Error('At least one principal must be able to administer and read-config for DynamoDB resources' +
            ' so data data remains accessible; found:\n' +
            `administer-resource: '${accessSpecsByCapability.get(k9policy_1.AccessCapability.ADMINISTER_RESOURCE)?.allowPrincipalArns}'\n` +
            `read-config: '${accessSpecsByCapability.get(k9policy_1.AccessCapability.READ_CONFIG)?.allowPrincipalArns}'`);
    }
    const allowStatements = policyFactory.makeAllowStatements('DynamoDB', SUPPORTED_CAPABILITIES, Array.from(accessSpecsByCapability.values()), resourceArns, true);
    policy.addStatements(...allowStatements);
    const denyEveryoneElseStatement = new aws_iam_1.PolicyStatement({
        sid: exports.SID_DENY_EVERYONE_ELSE,
        effect: aws_iam_1.Effect.DENY,
        principals: policyFactory.makeDenyEveryoneElsePrincipals(),
        actions: ['dynamodb:*'],
        resources: resourceArns,
    });
    denyEveryoneElseStatement.addCondition('Bool', {
        'aws:PrincipalIsAWSService': ['false'],
    });
    const denyEveryoneElseTest = policyFactory.wasLikeUsed(props.k9DesiredAccess) ?
        'ArnNotLike' :
        'ArnNotEquals';
    const allAllowedPrincipalArns = policyFactory.getAllowedPrincipalArns(props.k9DesiredAccess);
    const accountRootPrincipal = new aws_iam_1.AccountRootPrincipal();
    denyEveryoneElseStatement.addCondition(denyEveryoneElseTest, {
        'aws:PrincipalArn': [
            // Place Root Principal arn in stable, prominent position;
            // will render as an object Fn::Join'ing Partition & AccountId
            accountRootPrincipal.arn,
            ...allAllowedPrincipalArns,
        ],
    });
    policy.addStatements(denyEveryoneElseStatement);
    policy.validateForResourcePolicy();
    return policy;
}
exports.makeResourcePolicy = makeResourcePolicy;
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZHluYW1vZGIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvZHluYW1vZGIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsaURBQW9HO0FBQ3BHLDJDQUEyQztBQUMzQyx5Q0FNb0I7QUFPcEIsSUFBSSxzQkFBc0IsR0FBRyxJQUFJLEtBQUssQ0FDcEMsMkJBQWdCLENBQUMsbUJBQW1CLEVBQ3BDLDJCQUFnQixDQUFDLFdBQVcsRUFDNUIsMkJBQWdCLENBQUMsU0FBUyxFQUMxQiwyQkFBZ0IsQ0FBQyxVQUFVLEVBQzNCLDJCQUFnQixDQUFDLFdBQVcsQ0FDN0IsQ0FBQztBQUVXLFFBQUEsc0JBQXNCLEdBQUcsa0JBQWtCLENBQUM7QUFFekQ7Ozs7OztHQU1HO0FBQ0gsU0FBZ0Isa0JBQWtCLENBQUMsS0FBb0M7SUFDckUsTUFBTSxhQUFhLEdBQUcsSUFBSSwwQkFBZSxFQUFFLENBQUM7SUFDNUMsTUFBTSxNQUFNLEdBQUcsSUFBSSxHQUFHLENBQUMsY0FBYyxFQUFFLENBQUM7SUFFeEMsTUFBTSxZQUFZLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQztJQUUzQixJQUFJLDJCQUEyQixHQUFHLGFBQWEsQ0FBQyxtQ0FBbUMsQ0FBQyxzQkFBc0IsRUFBRSxLQUFLLENBQUMsZUFBZSxDQUFDLENBQUM7SUFDbkksSUFBSSx1QkFBdUIsR0FBdUMsSUFBSSxHQUFHLEVBQUUsQ0FBQztJQUU1RSxLQUFLLElBQUksQ0FBQyxhQUFhLEVBQUUsVUFBVSxDQUFDLElBQUksTUFBTSxDQUFDLE9BQU8sQ0FBQywyQkFBMkIsQ0FBQyxFQUFFLENBQUM7UUFDcEYsdUJBQXVCLENBQUMsR0FBRyxDQUFDLElBQUEsdUNBQTRCLEVBQUMsYUFBYSxDQUFDLEVBQUUsVUFBVSxDQUFDLENBQUM7SUFDdkYsQ0FBQztJQUVELElBQUksQ0FBQyxJQUFBLHVDQUE0QixFQUFDLHVCQUF1QixDQUFDLEVBQUUsQ0FBQztRQUMzRCxNQUFNLEtBQUssQ0FBQywwRkFBMEY7WUFDOUYsNENBQTRDO1lBQzVDLHlCQUF5Qix1QkFBdUIsQ0FBQyxHQUFHLENBQUMsMkJBQWdCLENBQUMsbUJBQW1CLENBQUMsRUFBRSxrQkFBa0IsS0FBSztZQUNuSCxpQkFBaUIsdUJBQXVCLENBQUMsR0FBRyxDQUFDLDJCQUFnQixDQUFDLFdBQVcsQ0FBQyxFQUFFLGtCQUFrQixHQUFHLENBQ3hHLENBQUM7SUFDSixDQUFDO0lBRUQsTUFBTSxlQUFlLEdBQUcsYUFBYSxDQUFDLG1CQUFtQixDQUFDLFVBQVUsRUFDbEUsc0JBQXNCLEVBQ3RCLEtBQUssQ0FBQyxJQUFJLENBQUMsdUJBQXVCLENBQUMsTUFBTSxFQUFFLENBQUMsRUFDNUMsWUFBWSxFQUNaLElBQUksQ0FBQyxDQUFDO0lBQ1IsTUFBTSxDQUFDLGFBQWEsQ0FBQyxHQUFHLGVBQWUsQ0FBQyxDQUFDO0lBRXpDLE1BQU0seUJBQXlCLEdBQUcsSUFBSSx5QkFBZSxDQUFDO1FBQ3BELEdBQUcsRUFBRSw4QkFBc0I7UUFDM0IsTUFBTSxFQUFFLGdCQUFNLENBQUMsSUFBSTtRQUNuQixVQUFVLEVBQUUsYUFBYSxDQUFDLDhCQUE4QixFQUFFO1FBQzFELE9BQU8sRUFBRSxDQUFDLFlBQVksQ0FBQztRQUN2QixTQUFTLEVBQUUsWUFBWTtLQUN4QixDQUFDLENBQUM7SUFDSCx5QkFBeUIsQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFO1FBQzdDLDJCQUEyQixFQUFFLENBQUMsT0FBTyxDQUFDO0tBQ3ZDLENBQUMsQ0FBQztJQUNILE1BQU0sb0JBQW9CLEdBQUcsYUFBYSxDQUFDLFdBQVcsQ0FBQyxLQUFLLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQztRQUM3RSxZQUFZLENBQUMsQ0FBQztRQUNkLGNBQWMsQ0FBQztJQUNqQixNQUFNLHVCQUF1QixHQUFHLGFBQWEsQ0FBQyx1QkFBdUIsQ0FBQyxLQUFLLENBQUMsZUFBZSxDQUFDLENBQUM7SUFDN0YsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLDhCQUFvQixFQUFFLENBQUM7SUFDeEQseUJBQXlCLENBQUMsWUFBWSxDQUFDLG9CQUFvQixFQUFFO1FBQzNELGtCQUFrQixFQUFFO1lBQ2xCLDBEQUEwRDtZQUMxRCw4REFBOEQ7WUFDOUQsb0JBQW9CLENBQUMsR0FBRztZQUN4QixHQUFHLHVCQUF1QjtTQUMzQjtLQUNGLENBQUMsQ0FBQztJQUVILE1BQU0sQ0FBQyxhQUFhLENBQ2xCLHlCQUF5QixDQUMxQixDQUFDO0lBRUYsTUFBTSxDQUFDLHlCQUF5QixFQUFFLENBQUM7SUFFbkMsT0FBTyxNQUFNLENBQUM7QUFDaEIsQ0FBQztBQTNERCxnREEyREMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBBY2NvdW50Um9vdFByaW5jaXBhbCwgRWZmZWN0LCBQb2xpY3lEb2N1bWVudCwgUG9saWN5U3RhdGVtZW50IH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWlhbSc7XG5pbXBvcnQgKiBhcyBpYW0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWlhbSc7XG5pbXBvcnQge1xuICBBY2Nlc3NDYXBhYmlsaXR5LFxuICBjYW5QcmluY2lwYWxzTWFuYWdlUmVzb3VyY2VzLFxuICBnZXRBY2Nlc3NDYXBhYmlsaXR5RnJvbVZhbHVlLFxuICBJQWNjZXNzU3BlYyxcbiAgSzlQb2xpY3lGYWN0b3J5LFxufSBmcm9tICcuL2s5cG9saWN5JztcblxuXG5leHBvcnQgaW50ZXJmYWNlIEs5RHluYW1vREJSZXNvdXJjZVBvbGljeVByb3BzIHtcbiAgcmVhZG9ubHkgazlEZXNpcmVkQWNjZXNzOiBBcnJheTxJQWNjZXNzU3BlYz47XG59XG5cbmxldCBTVVBQT1JURURfQ0FQQUJJTElUSUVTID0gbmV3IEFycmF5PEFjY2Vzc0NhcGFiaWxpdHk+KFxuICBBY2Nlc3NDYXBhYmlsaXR5LkFETUlOSVNURVJfUkVTT1VSQ0UsXG4gIEFjY2Vzc0NhcGFiaWxpdHkuUkVBRF9DT05GSUcsXG4gIEFjY2Vzc0NhcGFiaWxpdHkuUkVBRF9EQVRBLFxuICBBY2Nlc3NDYXBhYmlsaXR5LldSSVRFX0RBVEEsXG4gIEFjY2Vzc0NhcGFiaWxpdHkuREVMRVRFX0RBVEEsXG4pO1xuXG5leHBvcnQgY29uc3QgU0lEX0RFTllfRVZFUllPTkVfRUxTRSA9ICdEZW55RXZlcnlvbmVFbHNlJztcblxuLyoqXG4gKiBHZW5lcmF0ZSBhIER5bmFtb0RCIHJlc291cmNlIHBvbGljeSBmcm9tIHRoZSBwcm92aWRlZCBwcm9wcyB0aGF0IGNhbiBiZSBhdHRhY2hlZCB0byBEeW5hbW9EQlxuICogcmVzb3VyY2VzLCBwYXJ0aWN1bGFybHkgdGFibGVzICYgaW5kaWNlcy5cbiAqXG4gKiBAcGFyYW0gcHJvcHMgc3BlY2lmeWluZyBkZXNpcmVkIGFjY2Vzc1xuICogQHJldHVybiBhIFBvbGljeURvY3VtZW50IHRoYXQgY2FuIGJlIGF0dGFjaGVkIHRvIER5bmFtb0RCIHJlc291cmNlc1xuICovXG5leHBvcnQgZnVuY3Rpb24gbWFrZVJlc291cmNlUG9saWN5KHByb3BzOiBLOUR5bmFtb0RCUmVzb3VyY2VQb2xpY3lQcm9wcyk6IFBvbGljeURvY3VtZW50IHtcbiAgY29uc3QgcG9saWN5RmFjdG9yeSA9IG5ldyBLOVBvbGljeUZhY3RvcnkoKTtcbiAgY29uc3QgcG9saWN5ID0gbmV3IGlhbS5Qb2xpY3lEb2N1bWVudCgpO1xuXG4gIGNvbnN0IHJlc291cmNlQXJucyA9IFsnKiddO1xuXG4gIGxldCBhY2Nlc3NTcGVjc0J5Q2FwYWJpbGl0eVJlY3MgPSBwb2xpY3lGYWN0b3J5Lm1lcmdlRGVzaXJlZEFjY2Vzc1NwZWNzQnlDYXBhYmlsaXR5KFNVUFBPUlRFRF9DQVBBQklMSVRJRVMsIHByb3BzLms5RGVzaXJlZEFjY2Vzcyk7XG4gIGxldCBhY2Nlc3NTcGVjc0J5Q2FwYWJpbGl0eTogTWFwPEFjY2Vzc0NhcGFiaWxpdHksIElBY2Nlc3NTcGVjPiA9IG5ldyBNYXAoKTtcblxuICBmb3IgKGxldCBbY2FwYWJpbGl0eVN0ciwgYWNjZXNzU3BlY10gb2YgT2JqZWN0LmVudHJpZXMoYWNjZXNzU3BlY3NCeUNhcGFiaWxpdHlSZWNzKSkge1xuICAgIGFjY2Vzc1NwZWNzQnlDYXBhYmlsaXR5LnNldChnZXRBY2Nlc3NDYXBhYmlsaXR5RnJvbVZhbHVlKGNhcGFiaWxpdHlTdHIpLCBhY2Nlc3NTcGVjKTtcbiAgfVxuXG4gIGlmICghY2FuUHJpbmNpcGFsc01hbmFnZVJlc291cmNlcyhhY2Nlc3NTcGVjc0J5Q2FwYWJpbGl0eSkpIHtcbiAgICB0aHJvdyBFcnJvcignQXQgbGVhc3Qgb25lIHByaW5jaXBhbCBtdXN0IGJlIGFibGUgdG8gYWRtaW5pc3RlciBhbmQgcmVhZC1jb25maWcgZm9yIER5bmFtb0RCIHJlc291cmNlcycgK1xuICAgICAgICAgICAgJyBzbyBkYXRhIGRhdGEgcmVtYWlucyBhY2Nlc3NpYmxlOyBmb3VuZDpcXG4nICtcbiAgICAgICAgICAgIGBhZG1pbmlzdGVyLXJlc291cmNlOiAnJHthY2Nlc3NTcGVjc0J5Q2FwYWJpbGl0eS5nZXQoQWNjZXNzQ2FwYWJpbGl0eS5BRE1JTklTVEVSX1JFU09VUkNFKT8uYWxsb3dQcmluY2lwYWxBcm5zfSdcXG5gICtcbiAgICAgICAgICAgIGByZWFkLWNvbmZpZzogJyR7YWNjZXNzU3BlY3NCeUNhcGFiaWxpdHkuZ2V0KEFjY2Vzc0NhcGFiaWxpdHkuUkVBRF9DT05GSUcpPy5hbGxvd1ByaW5jaXBhbEFybnN9J2AsXG4gICAgKTtcbiAgfVxuXG4gIGNvbnN0IGFsbG93U3RhdGVtZW50cyA9IHBvbGljeUZhY3RvcnkubWFrZUFsbG93U3RhdGVtZW50cygnRHluYW1vREInLFxuICAgIFNVUFBPUlRFRF9DQVBBQklMSVRJRVMsXG4gICAgQXJyYXkuZnJvbShhY2Nlc3NTcGVjc0J5Q2FwYWJpbGl0eS52YWx1ZXMoKSksXG4gICAgcmVzb3VyY2VBcm5zLFxuICAgIHRydWUpO1xuICBwb2xpY3kuYWRkU3RhdGVtZW50cyguLi5hbGxvd1N0YXRlbWVudHMpO1xuXG4gIGNvbnN0IGRlbnlFdmVyeW9uZUVsc2VTdGF0ZW1lbnQgPSBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICBzaWQ6IFNJRF9ERU5ZX0VWRVJZT05FX0VMU0UsXG4gICAgZWZmZWN0OiBFZmZlY3QuREVOWSxcbiAgICBwcmluY2lwYWxzOiBwb2xpY3lGYWN0b3J5Lm1ha2VEZW55RXZlcnlvbmVFbHNlUHJpbmNpcGFscygpLFxuICAgIGFjdGlvbnM6IFsnZHluYW1vZGI6KiddLFxuICAgIHJlc291cmNlczogcmVzb3VyY2VBcm5zLFxuICB9KTtcbiAgZGVueUV2ZXJ5b25lRWxzZVN0YXRlbWVudC5hZGRDb25kaXRpb24oJ0Jvb2wnLCB7XG4gICAgJ2F3czpQcmluY2lwYWxJc0FXU1NlcnZpY2UnOiBbJ2ZhbHNlJ10sXG4gIH0pO1xuICBjb25zdCBkZW55RXZlcnlvbmVFbHNlVGVzdCA9IHBvbGljeUZhY3Rvcnkud2FzTGlrZVVzZWQocHJvcHMuazlEZXNpcmVkQWNjZXNzKSA/XG4gICAgJ0Fybk5vdExpa2UnIDpcbiAgICAnQXJuTm90RXF1YWxzJztcbiAgY29uc3QgYWxsQWxsb3dlZFByaW5jaXBhbEFybnMgPSBwb2xpY3lGYWN0b3J5LmdldEFsbG93ZWRQcmluY2lwYWxBcm5zKHByb3BzLms5RGVzaXJlZEFjY2Vzcyk7XG4gIGNvbnN0IGFjY291bnRSb290UHJpbmNpcGFsID0gbmV3IEFjY291bnRSb290UHJpbmNpcGFsKCk7XG4gIGRlbnlFdmVyeW9uZUVsc2VTdGF0ZW1lbnQuYWRkQ29uZGl0aW9uKGRlbnlFdmVyeW9uZUVsc2VUZXN0LCB7XG4gICAgJ2F3czpQcmluY2lwYWxBcm4nOiBbXG4gICAgICAvLyBQbGFjZSBSb290IFByaW5jaXBhbCBhcm4gaW4gc3RhYmxlLCBwcm9taW5lbnQgcG9zaXRpb247XG4gICAgICAvLyB3aWxsIHJlbmRlciBhcyBhbiBvYmplY3QgRm46OkpvaW4naW5nIFBhcnRpdGlvbiAmIEFjY291bnRJZFxuICAgICAgYWNjb3VudFJvb3RQcmluY2lwYWwuYXJuLFxuICAgICAgLi4uYWxsQWxsb3dlZFByaW5jaXBhbEFybnMsXG4gICAgXSxcbiAgfSk7XG5cbiAgcG9saWN5LmFkZFN0YXRlbWVudHMoXG4gICAgZGVueUV2ZXJ5b25lRWxzZVN0YXRlbWVudCxcbiAgKTtcblxuICBwb2xpY3kudmFsaWRhdGVGb3JSZXNvdXJjZVBvbGljeSgpO1xuXG4gIHJldHVybiBwb2xpY3k7XG59XG4iXX0=