UNPKG

@k9securityio/k9-cdk

Version:

Provision strong AWS security policies easily using the AWS CDK.

github.com/k9securityio/k9-cdk

k9securityio/k9-cdk

114 lines (113 loc) 5.84 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
import { ArnPrincipal, Conditions, PolicyStatement } from 'aws-cdk-lib/aws-iam'; export type ArnEqualsTest = 'ArnEquals'; export type ArnLikeTest = 'ArnLike'; export type ArnConditionTest = ArnEqualsTest | ArnLikeTest; export declare enum AccessCapability { ADMINISTER_RESOURCE = "administer-resource", READ_CONFIG = "read-config", READ_DATA = "read-data", WRITE_DATA = "write-data", DELETE_DATA = "delete-data" } export declare function getAccessCapabilityFromValue(accessCapabilityStr: string): AccessCapability; export interface IAccessSpec { accessCapabilities: Array<AccessCapability> | AccessCapability; allowPrincipalArns: Array<string>; test?: ArnConditionTest; /** * Optional list of AWS Organization IDs that restrict the principals specified * in `allowPrincipalArns`. When present, generated Allow statements will include * a `StringEquals` condition on `aws:PrincipalOrgID` and a DenyUntrustedOrgs statement will * be generated for the permissions that are restricted by org IDs. * * Org IDs restrict which principals are allowed — they do not replace * `allowPrincipalArns`. If you want to allow an entire org, add `*` to `allowPrincipalArns` and the org ID to * `restrictToPrincipalOrgIDs`. */ restrictToPrincipalOrgIDs?: Array<string>; } /** * `IAWSServiceAccessGenerator` defines an interface that the k9 policy generators use to grant an AWS service * access to a protected resource. */ export interface IAWSServiceAccessGenerator { /** * Make an array of PolicyStatement objects that allow an AWS service, e.g. CloudFront, to access to the * protected AWS resource. */ makeAllowStatements(): Array<PolicyStatement>; /** * Make a Conditions object that creates an exception for an AWS service in a protected resource's `DenyEveryoneElse` * statement. */ makeConditionsToExceptFromDenyEveryoneElse(): Conditions; } /** * Check whether the provided access specs ensure that at least one principal can both read and administer configuration. * @param accessSpecsByCapability is a map of access specs keyed by access capability * * @return true when at least one principal that can administer and read configuration exists */ export declare function canPrincipalsManageResources(accessSpecsByCapability: Map<AccessCapability, IAccessSpec>): boolean; /** * Check if any access spec contains a wildcard principal ("*"). */ export declare function hasWildcardPrincipal(accessSpecs: Array<IAccessSpec>): boolean; /** * Validate that access specs have valid principal ARN + org constraint combinations. * Throws an error for invalid combinations: * - Empty allowPrincipalArns * - Wildcard allowPrincipalArns without restrictToPrincipalOrgIDs (public access) */ export declare function validateAccessSpecs(accessSpecs: Array<IAccessSpec>): void; /** * Converts a string to PascalCase, which is useful for e.g. policy types that don't * do not support spaces or hyphens in statement ids. * * @param input */ export declare function toPascalCase(input: string): string; export declare const SID_DENY_UNTRUSTED_ORGS = "DenyUntrustedOrgs"; export declare class K9PolicyFactory { /** * Deduplicate an array of principals while preserving original order of principals. * Note that principals may contain either strings or objects, so naive array sorting * produces unstable results. * * @param principals */ static deduplicatePrincipals(principals: Array<string | object>): Array<string | object>; /** @internal */ _SUPPORTED_SERVICES: Set<string>; /** @internal */ _K9CapabilityMapJSON: Object; /** @internal */ _K9CapabilityMapByService: Map<string, Object>; getActions(service: string, accessCapability: AccessCapability): Array<string>; /** @internal */ _mergeAccessSpecs(target: IAccessSpec, addition: IAccessSpec): void; mergeDesiredAccessSpecsByCapability(supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>): Record<string, IAccessSpec>; makeAllowStatements(serviceName: string, supportedCapabilities: Array<AccessCapability>, desiredAccess: Array<IAccessSpec>, resourceArns: Array<string>, usePascalCase?: boolean): Array<PolicyStatement>; makeAllowStatement(sid: string, actions: Array<string>, principalArns: Array<string>, test: ArnConditionTest, resources: Array<string>, restrictToPrincipalOrgIDs?: Array<string>): PolicyStatement; wasLikeUsed(accessSpecs: IAccessSpec[]): boolean; getAllowedPrincipalArns(accessSpecs: IAccessSpec[]): Array<string>; /** * k9 wants to deny all AWS accounts and IAM principals not explicitly allowed; this *should* * be straightforward, but it isn't because of the way aws-cdk merges and manipulates Principals. * @return list of principals for a DenyEveryoneElse statement */ makeDenyEveryoneElsePrincipals(): ArnPrincipal[]; /** * Create a DenyUntrustedOrgs statement that explicitly denies principals from * untrusted orgs for org-restricted actions. This provides defense-in-depth * beyond the implicit deny from org-constrained Allow statements. * * The StringNotEquals condition on aws:PrincipalOrgID is inherently safe for * AWS service principals because the key is absent from their request context, * so the condition is not satisfied and the Deny does not apply. * * @return a PolicyStatement with Effect Deny, or undefined if no access specs have org restrictions * @internal */ _makeDenyUntrustedOrgsStatement(serviceName: string, supportedCapabilities: Array<AccessCapability>, accessSpecsByCapability: Map<AccessCapability, IAccessSpec>, resourceArns: Array<string>): PolicyStatement | undefined; }