@renovosolutions/cdk-library-crowdstrike-ingestion
Version:
A CDK library to ease repetetive construct creation for CrowdStrike data ingestion
93 lines (92 loc) • 3.51 kB
TypeScript
import { aws_iam as iam, aws_kms as kms, aws_s3 as s3, aws_sqs as sqs } from 'aws-cdk-lib';
import { Construct } from 'constructs';
/**
* Properties for the CrowdStrikeBucket construct.
*/
export interface CrowdStrikeBucketProps extends s3.BucketProps {
/**
* Properties for the SQS queue.
*
* @default - enforceSSL: true, deadLetterQueue: { maxReceiveCount: 5, queue: new sqs.Queue(this, 'DLQ', { queueName: `${this.bucketName}-dlq`, enforceSSL: true, }), },
*/
readonly queueProps?: sqs.QueueProps;
/**
* Whether to create a KMS key for the bucket.
*
* @default - false
*/
readonly createKmsKey?: boolean;
/**
* Properties for the KMS key.
*
* @default - removalPolicy: RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE, enableKeyRotation: false, multiRegion: true, description: `KMS Key for CrowdStrike ingestion bucket ${this.bucketName}`,
*/
readonly keyProps?: kms.KeyProps;
/**
* Properties for the IAM role.
*
* If you provide this, you must provide the roleProps.assumedBy property,
* and you don't need to provide the crowdStrikeRoleParameterArn and crowdStrikeExternalIdParameterArn.
*
* @default - none except for the assumedBy property which is set to a CrowdStrike principal.
*/
readonly roleProps?: iam.RoleProps;
/**
* The CrowdStrike role ARN.
*
* Required unless the role principal is provided directly in the roleProps.
*/
readonly crowdStrikeRoleArn?: string;
/**
* The ARN of the SSM parameter containing the CrowdStrike external ID.
*
* Required unless the role principal is provided directly in the roleProps.
*/
readonly crowdStrikeExternalIdParameterArn?: string;
/**
* The organization ID.
* If provided, the bucket will allow write access to all accounts in the organization.
* If there is a KMS key, it will also allow encrypt/decrypt access to the organization.
*
* @default - none
*/
readonly orgId?: string;
/**
* The name of the S3 bucket that will be sending S3 access logs to this bucket.
* This is used to configure the bucket policy to allow logging from that bucket.
*
* @default - none
*/
readonly loggingBucketSourceName?: string;
}
/**
* A construct that creates an S3 bucket for CrowdStrike data ingestion,
* along with an SQS queue for notifications, an IAM role for access,
* and optionally a KMS key for encryption.
*/
export declare class CrowdStrikeBucket extends s3.Bucket {
/**
* The SQS queue that receives notifications for new objects in the bucket.
*/
readonly queue: sqs.Queue;
/**
* The KMS key used for encrypting data in the bucket, if created.
* This will be undefined if createKmsKey is false.
*
* Note that the bucket will still be created with S3-managed encryption
* even if this is provided. The key is used by the service writing to the bucket.
*/
readonly key?: kms.Key;
/**
* The IAM role that CrowdStrike will assume to access the data in the bucket.
*/
readonly role: iam.Role;
/**
* Constructs a new CrowdStrikeBucket.
*
* @param scope The scope in which this construct is defined.
* @param id The scoped construct ID.
* @param props The properties for the bucket, queue, role, and optional KMS key.
*/
constructor(scope: Construct, id: string, props: CrowdStrikeBucketProps);
}