@k9securityio/k9-cdk
Provision strong AWS security policies easily using the AWS CDK.
import { ArnPrincipal, Conditions, PolicyStatement } from 'aws-cdk-lib/aws-iam';
/** IAM condition operator that requires an exact ARN match. */
export type ArnEqualsTest = 'ArnEquals';
/**
 * IAM condition operator that matches an ARN pattern; `*` and `?` wildcards in the
 * pattern widen the set of principals that match, so prefer `ArnEquals` unless a
 * pattern is genuinely required.
 */
export type ArnLikeTest = 'ArnLike';
/**
 * Condition operator an access spec may select for its principal-ARN match
 * (see `IAccessSpec.test`).
 */
export type ArnConditionTest = ArnEqualsTest | ArnLikeTest;
/**
 * The access capabilities a k9 policy can grant. This is a string enum; the
 * string values are what `getAccessCapabilityFromValue` presumably accepts
 * when converting back from a plain string.
 */
export declare enum AccessCapability {
/** Administer the resource itself (its configuration and/or policy). */
ADMINISTER_RESOURCE = "administer-resource",
/** Read the resource's configuration without reading its data. */
READ_CONFIG = "read-config",
/** Read data stored in the resource. */
READ_DATA = "read-data",
/** Create or modify data in the resource. */
WRITE_DATA = "write-data",
/** Delete data from the resource. */
DELETE_DATA = "delete-data"
}
/**
 * Look up the `AccessCapability` whose string value is `accessCapabilityStr`
 * (e.g. "read-data" -> `AccessCapability.READ_DATA`).
 *
 * @param accessCapabilityStr the enum member's string value
 * @returns the matching enum member
 *
 * NOTE(review): this declaration does not say how an unrecognised string is
 * handled (throw vs. return of undefined) — confirm against the implementation
 * before feeding it values that originate outside the code base.
 */
export declare function getAccessCapabilityFromValue(accessCapabilityStr: string): AccessCapability;
/**
 * Declares which IAM principals are allowed which capabilities on a protected
 * resource. One spec ties a list of principal ARNs to one or more capabilities.
 */
export interface IAccessSpec {
/** Capability or capabilities to grant; a single value is accepted as a convenience. */
accessCapabilities: Array<AccessCapability> | AccessCapability;
/** ARNs of the IAM principals to allow. */
allowPrincipalArns: Array<string>;
/**
 * Condition operator to use when matching `allowPrincipalArns` — presumably the
 * `test` passed to `K9PolicyFactory.makeAllowStatement`. Which operator applies
 * when this is omitted is not stated by this declaration.
 * With `ArnLike`, `*`/`?` wildcards are honoured, so an ARN containing a wildcard
 * allows every principal that matches it.
 */
test?: ArnConditionTest;
}
/**
 * `IAWSServiceAccessGenerator` defines an interface that the k9 policy generators use to grant an AWS service
 * access to a protected resource.
 *
 * Both methods should describe the same service: an IAM Deny overrides an Allow, so a
 * service granted by `makeAllowStatements` but not excepted by
 * `makeConditionsToExceptFromDenyEveryoneElse` would still be denied.
 */
export interface IAWSServiceAccessGenerator {
/**
 * Make an array of PolicyStatement objects that allow an AWS service, e.g. CloudFront, to access to the
 * protected AWS resource.
 *
 * @returns the allow statements to add to the resource policy
 */
makeAllowStatements(): Array<PolicyStatement>;
/**
 * Make a Conditions object that creates an exception for an AWS service in a protected resource's `DenyEveryoneElse`
 * statement.
 *
 * @returns the condition block that carves the service out of the deny
 */
makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}
/**
 * Check whether the provided access specs ensure that at least one principal can both read and administer configuration.
 * Intended as a guard against generating a policy that locks every principal out of managing the resource.
 *
 * @param accessSpecsByCapability is a map of access specs keyed by access capability
 *
 * @return true when at least one principal that can administer and read configuration exists
 */
export declare function canPrincipalsManageResources(accessSpecsByCapability: Map<AccessCapability, IAccessSpec>): boolean;
/**
 * Converts a string to PascalCase, which is useful for e.g. policy types that
 * do not support spaces or hyphens in statement ids.
 *
 * @param input the string to convert
 * @returns the PascalCase form of `input`
 */
export declare function toPascalCase(input: string): string;
/**
 * Builds the IAM policy statements k9 uses to protect a resource: per-capability
 * allow statements for explicitly listed principals plus the principals for a
 * `DenyEveryoneElse` statement.
 */
export declare class K9PolicyFactory {
/**
 * Deduplicate an array of principals while preserving original order of principals.
 * Note that principals may contain either strings or objects, so naive array sorting
 * produces unstable results.
 *
 * @param principals the principals to deduplicate
 * @returns the principals with duplicates removed, in first-seen order
 *
 * NOTE(review): how two object principals are judged equal (identity vs. structure)
 * is not stated here — confirm before relying on it to collapse duplicates.
 */
static deduplicatePrincipals(principals: Array<string | object>): Array<string | object>;
/** @internal Names of the AWS services this factory knows how to generate actions for. */
_SUPPORTED_SERVICES: Set<string>;
/** @internal Raw capability map (declared with the boxed `Object` type rather than `object` or a record type). */
_K9CapabilityMapJSON: Object;
/** @internal Capability map keyed by service name. */
_K9CapabilityMapByService: Map<string, Object>;
/**
 * Return the IAM action names granted for `accessCapability` on `service`
 * (presumably looked up in `_K9CapabilityMapByService`).
 *
 * @param service AWS service name
 * @param accessCapability capability to resolve
 * @returns the action names
 *
 * NOTE(review): behaviour for a service outside `_SUPPORTED_SERVICES` is not
 * stated by this declaration — confirm whether it throws or returns an empty list.
 */
getActions(service: string, accessCapability: AccessCapability): Array<string>;
/**
 * @internal Merge `addition` into `target`. The `void` return indicates `target`
 * is mutated in place.
 */
_mergeAccessSpecs(target: IAccessSpec, addition: IAccessSpec): void;
/**
 * Combine the desired access specs into one spec per capability.
 *
 * @param supportedCapabilities capabilities the target service supports
 * @param desiredAccess the specs requested by the caller
 * @returns merged specs, presumably keyed by the capability's string value
 */
mergeDesiredAccessSpecsByCapability(supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>): Record<string, IAccessSpec>;
/**
 * Build the allow statements for `serviceName` from the desired access specs.
 *
 * @param serviceName AWS service the statements target
 * @param supportedCapabilities capabilities the service supports
 * @param desiredAccess specs describing who may do what
 * @param resourceArns ARNs of the resources the statements apply to
 * @param usePascalCase when set, statement ids are presumably passed through
 *   `toPascalCase` for policy types that reject spaces or hyphens in sids
 * @returns one or more allow statements
 */
makeAllowStatements(serviceName: string, supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>, resourceArns: Array<string>, usePascalCase?: boolean): Array<PolicyStatement>;
/**
 * Build a single allow statement.
 *
 * @param sid statement id
 * @param actions IAM actions to allow
 * @param principalArns ARNs of the principals to allow
 * @param test condition operator for the principal-ARN match; `ArnLike` honours
 *   wildcards and so widens the match (see `IAccessSpec.test`)
 * @param resources ARNs of the resources the statement applies to
 * @returns the allow statement
 */
makeAllowStatement(sid: string, actions: Array<string>, principalArns: Array<string>, test: ArnConditionTest, resources: Array<string>): PolicyStatement;
/**
 * Report whether any of the specs selected the `ArnLike` test (inferred from the
 * name — confirm).
 *
 * @param accessSpecs specs to inspect
 * @returns true when an `ArnLike` test was used
 */
wasLikeUsed(accessSpecs: IAccessSpec[]): boolean;
/**
 * Collect the `allowPrincipalArns` of the given specs.
 *
 * @param accessSpecs specs to inspect
 * @returns the allowed principal ARNs; whether duplicates are removed is not stated here
 */
getAllowedPrincipalArns(accessSpecs: IAccessSpec[]): Array<string>;
/**
 * k9 wants to deny all AWS accounts and IAM principals not explicitly allowed; this *should*
 * be straightforward, but it isn't because of the way aws-cdk merges and manipulates Principals.
 * @return list of principals for a DenyEveryoneElse statement
 */
makeDenyEveryoneElsePrincipals(): ArnPrincipal[];
}