UNPKG

@renovosolutions/cdk-library-crowdstrike-ingestion

Version:

A CDK library to ease repetetive construct creation for CrowdStrike data ingestion

93 lines (92 loc) 3.51 kB
import { aws_iam as iam, aws_kms as kms, aws_s3 as s3, aws_sqs as sqs } from 'aws-cdk-lib'; import { Construct } from 'constructs'; /** * Properties for the CrowdStrikeBucket construct. */ export interface CrowdStrikeBucketProps extends s3.BucketProps { /** * Properties for the SQS queue. * * @default - enforceSSL: true, deadLetterQueue: { maxReceiveCount: 5, queue: new sqs.Queue(this, 'DLQ', { queueName: `${this.bucketName}-dlq`, enforceSSL: true, }), }, */ readonly queueProps?: sqs.QueueProps; /** * Whether to create a KMS key for the bucket. * * @default - false */ readonly createKmsKey?: boolean; /** * Properties for the KMS key. * * @default - removalPolicy: RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE, enableKeyRotation: false, multiRegion: true, description: `KMS Key for CrowdStrike ingestion bucket ${this.bucketName}`, */ readonly keyProps?: kms.KeyProps; /** * Properties for the IAM role. * * If you provide this, you must provide the roleProps.assumedBy property, * and you don't need to provide the crowdStrikeRoleParameterArn and crowdStrikeExternalIdParameterArn. * * @default - none except for the assumedBy property which is set to a CrowdStrike principal. */ readonly roleProps?: iam.RoleProps; /** * The CrowdStrike role ARN. * * Required unless the role principal is provided directly in the roleProps. */ readonly crowdStrikeRoleArn?: string; /** * The ARN of the SSM parameter containing the CrowdStrike external ID. * * Required unless the role principal is provided directly in the roleProps. */ readonly crowdStrikeExternalIdParameterArn?: string; /** * The organization ID. * If provided, the bucket will allow write access to all accounts in the organization. * If there is a KMS key, it will also allow encrypt/decrypt access to the organization. * * @default - none */ readonly orgId?: string; /** * The name of the S3 bucket that will be sending S3 access logs to this bucket. * This is used to configure the bucket policy to allow logging from that bucket. * * @default - none */ readonly loggingBucketSourceName?: string; } /** * A construct that creates an S3 bucket for CrowdStrike data ingestion, * along with an SQS queue for notifications, an IAM role for access, * and optionally a KMS key for encryption. */ export declare class CrowdStrikeBucket extends s3.Bucket { /** * The SQS queue that receives notifications for new objects in the bucket. */ readonly queue: sqs.Queue; /** * The KMS key used for encrypting data in the bucket, if created. * This will be undefined if createKmsKey is false. * * Note that the bucket will still be created with S3-managed encryption * even if this is provided. The key is used by the service writing to the bucket. */ readonly key?: kms.Key; /** * The IAM role that CrowdStrike will assume to access the data in the bucket. */ readonly role: iam.Role; /** * Constructs a new CrowdStrikeBucket. * * @param scope The scope in which this construct is defined. * @param id The scoped construct ID. * @param props The properties for the bucket, queue, role, and optional KMS key. */ constructor(scope: Construct, id: string, props: CrowdStrikeBucketProps); }