import { Conditions, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IAccessSpec, IAWSServiceAccessGenerator } from './k9policy';
/**
 * Inputs to {@link makeKeyPolicy}.
 *
 * NOTE(review): this is a declaration file; the shape of the generated policy is not visible here.
 * The statement ids exported in this file (SID_ALLOW_ROOT_AND_IDENTITY_POLICIES, SID_DENY_EVERYONE_ELSE)
 * suggest a deny-by-default key policy where anything not explicitly listed is denied — confirm against
 * the implementation before relying on that.
 */
export interface K9KeyPolicyProps {
    /**
     * The access the generated key policy should allow. Presumably each IAccessSpec pairs a set of
     * principals with the k9 access capabilities they may use — see ./k9policy for the contract.
     * Nothing in this declaration validates the entries; review the rendered policy for over-broad
     * principals (e.g. account-wide or wildcard ARNs) before deploying.
     */
    readonly k9DesiredAccess: Array<IAccessSpec>;
    /**
     * Whether the key policy should also trust IAM identity policies in this account to grant key access.
     *
     * NOTE(review): only the flag is visible here; the statement it toggles is presumably the one
     * tagged SID_ALLOW_ROOT_AND_IDENTITY_POLICIES — verify in the implementation. If it does what its
     * name says, enabling it widens the key's trust boundary from the explicit k9DesiredAccess list to
     * every principal that any identity policy in the account can grant KMS permissions to, so leave it
     * off unless identity-policy-based access is intentional.
     *
     * The default is not stated in this declaration; confirm it before depending on it.
     */
    readonly trustAccountIdentities?: boolean;
    /**
     * An (optional) array of IAWSServiceAccessGenerator instances which will generate statements to allow access to the
     * key by an AWS service like CloudFront or Kinesis.
     *
     * Each generator is expected to contribute both its allow statements and the conditions that exempt
     * that service from the DenyEveryoneElse statement (see IAWSServiceAccessGenerator in ./k9policy);
     * an explicit Deny would otherwise override the Allow in IAM policy evaluation.
     *
     * @default undefined
     */
    readonly awsServiceAccessGenerators?: Array<IAWSServiceAccessGenerator>;
}
/**
 * Statement id of the account-root administration statement in the generated key policy.
 * NOTE(review): the statement body is not visible in this declaration; from the id it appears to
 * be the statement that keeps the key manageable by the account root (and, per its name, the one
 * that may let identity policies grant access — see K9KeyPolicyProps.trustAccountIdentities).
 * Removing root access from a KMS key policy can leave the key unmanageable, so treat this
 * statement as required when auditing the rendered policy.
 */
export declare const SID_ALLOW_ROOT_AND_IDENTITY_POLICIES = "Allow Root User to Administer Key And Identity Policies";
/**
 * Statement id of the catch-all deny in the generated key policy. Presumably an explicit Deny
 * that applies to every principal not carved out by a condition (principals in k9DesiredAccess
 * and each service generator's makeConditionsToExceptFromDenyEveryoneElse()) — confirm in the
 * implementation. Because an explicit Deny wins over any Allow, a principal missing from the
 * exceptions is locked out even if an allow statement names it.
 */
export declare const SID_DENY_EVERYONE_ELSE = "DenyEveryoneElse";
/**
 * Generate key policy statements to enable the CloudFront service to read encrypted S3 bucket object data (only)
 * from within a <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#sse-kms">CloudFront OAC integration</a>.
 *
 * The generator is bound to a single distribution ARN. NOTE(review): the implementation is not visible
 * here; the AWS-documented pattern for OAC + SSE-KMS conditions the grant on the distribution ARN
 * (e.g. an AWS:SourceArn condition on the cloudfront.amazonaws.com principal) so that no other
 * distribution can use this key — verify the emitted statements actually carry that condition.
 */
export declare class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {
    /** Statement id for the allow statement granting the CloudFront service principal read (decrypt) access. */
    static readonly SID_ALLOW_CLOUDFRONT_SVC_READ_DATA = "Allow CloudFront Service read-data";
    /**
     * Statement id for the allow statement granting a CloudFront IAM role read access.
     * NOTE(review): which role this refers to is not shown here — confirm in the implementation.
     */
    static readonly SID_ALLOW_CLOUDFRONT_IAM_ROLE_READ_DATA = "Allow CloudFront IAM role read-data";
    /** ARN of the CloudFront distribution that is allowed to read data encrypted with the key. */
    readonly distributionArn: string;
    /**
     * @param distributionArn ARN of the distribution to trust. Nothing in this declaration validates
     *        it; a wildcard or wrong-account ARN here would widen the grant, so pass the concrete
     *        distribution ARN (e.g. `distribution.distributionArn` from the CDK construct).
     */
    constructor(distributionArn: string);
    /**
     * Allow statements to add to the key policy for this distribution — presumably one per SID
     * declared above, limited to read-data (decrypt) actions per the class description.
     */
    makeAllowStatements(): Array<PolicyStatement>;
    /**
     * Conditions that exempt this generator's CloudFront access from the DenyEveryoneElse statement.
     * They must be attached to that deny statement alongside the allow statements above: in IAM
     * evaluation an explicit Deny overrides an Allow, so without this carve-out the allow statements
     * would have no effect.
     */
    makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}
export declare function makeKeyPolicy(props: K9KeyPolicyProps): PolicyDocument;