
@k9securityio/k9-cdk


Provision strong AWS security policies easily using the AWS CDK.

import { AddToResourcePolicyResult, Conditions, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { BucketEncryption, BucketPolicyProps, IBucket } from 'aws-cdk-lib/aws-s3';
import { IConstruct } from 'constructs';
import { IAccessSpec, IAWSServiceAccessGenerator } from './k9policy';

/**
 * Props for the k9 Security S3 bucket policy generator.
 *
 * The bucket the policy is attached to comes from the inherited
 * `BucketPolicyProps`; the remaining props describe the access to grant
 * and the guard rails to enforce.
 */
export interface K9BucketPolicyProps extends BucketPolicyProps {
  /**
   * Access specifications describing who may do what with the bucket.
   * Overlapping specs are combined and normalized by the generator.
   */
  readonly k9DesiredAccess: Array<IAccessSpec>;
  /**
   * Encryption configuration of the bucket, if known. Supplying it lets the
   * generator tailor the encryption-related statements to the bucket so the
   * caller does not have to spell out the encryption method conditions.
   */
  readonly encryption?: BucketEncryption;
  /**
   * Whether to add policy conditions that reject unencrypted storage. The
   * expected encryption method is taken from `encryption`; when that is not
   * given the generator assumes `aws:kms`.
   *
   * @default true
   */
  readonly enforceEncryptionAtRest?: boolean;
  /**
   * Whether to add a statement granting anonymous (public) read access to the
   * bucket. Only enable this for buckets that intentionally serve public content.
   *
   * @default false
   */
  readonly publicReadAccess?: boolean;
  /**
   * Generators that contribute Allow statements for AWS services, such as
   * CloudFront or Kinesis, that need to reach the bucket or its objects.
   *
   * @default undefined
   */
  readonly awsServiceAccessGenerators?: Array<IAWSServiceAccessGenerator>;
}

/** Sid of the Deny statement that rejects an unexpected encryption method. */
export declare const SID_DENY_UNEXPECTED_ENCRYPTION_METHOD = "DenyUnexpectedEncryptionMethod";
/** Sid of the Deny statement that rejects unencrypted storage. */
export declare const SID_DENY_UNENCRYPTED_STORAGE = "DenyUnencryptedStorage";
/** Sid of the Allow statement emitted when `publicReadAccess` is enabled. */
export declare const SID_ALLOW_PUBLIC_READ_ACCESS = "AllowPublicReadAccess";

/**
 * Service access generator for a CloudFront distribution that reads from the
 * bucket through origin access control (OAC).
 */
export declare class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {
  /** Sid of the Allow statement this generator produces. */
  static readonly SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = "AllowCloudFrontOACReadAccess";
  /** Bucket the distribution is allowed to read from. */
  readonly bucket: IBucket;
  /** ARN of the CloudFront distribution that is granted read access. */
  readonly distributionArn: string;
  /**
   * @param bucket the bucket to expose to the distribution
   * @param distributionArn ARN of the distribution allowed to read `bucket`
   */
  constructor(bucket: IBucket, distributionArn: string);
  /** Builds the Allow statement(s) granting the distribution read access. */
  makeAllowStatements(): Array<PolicyStatement>;
  /**
   * Builds the conditions that exempt the distribution's access from the
   * `DenyEveryoneElse` statement, so the Deny does not cancel the Allow above.
   */
  makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}

/**
 * Grants least-privilege access to a bucket by generating a BucketPolicy from
 * the access capabilities in `props` and setting it on the bucket named there.
 *
 * If the bucket already has a BucketPolicy:
 * * its existing statements pass through unmodified
 * * IAM principals that the original policy allowed are added to the exclusion
 *   list of the `DenyEveryoneElse` statement, so features such as
 *   `autoDeleteObjects` keep working
 * * k9's Allow and Deny statements are appended to the policy
 *
 * @remarks
 * The existing BucketPolicy is modified in place rather than replaced or
 * copied, which preserves dependency references created by S3 CDK features
 * such as `autoDeleteObjects`.
 *
 * @param scope The scope in which to define this construct.
 * @param id The scoped construct ID.
 * @param props The desired access capabilities for the bucket.
 * @returns One AddToResourcePolicyResult per statement added.
 */
export declare function grantAccessViaResourcePolicy(scope: IConstruct, id: string, props: K9BucketPolicyProps): AddToResourcePolicyResult[];