@vptech/aws-security-baseline
Version:
Auto-generate AWS security baselines, IAM policies, and security groups from TypeScript interfaces
532 lines • 18.4 kB
JavaScript
"use strict";
/**
* AWS Security Baseline Generator
* Generates comprehensive security baselines from TypeScript interfaces and configuration
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.SecurityBaselineGenerator = void 0;
class SecurityBaselineGenerator {
/**
* Generate a complete security baseline
*/
generateBaseline(config) {
return {
iamPolicies: this.generateIAMPolicies(config),
iamRoles: this.generateIAMRoles(config),
securityGroups: this.generateSecurityGroups(config),
kmsKeys: this.generateKMSKeys(config),
auditConfig: this.generateAuditConfig(config),
complianceReport: this.generateComplianceReport(config)
};
}
/**
* Generate IAM policies based on security configuration
*/
generateIAMPolicies(config) {
const policies = [];
// Base security policy
policies.push(this.createBaseSecurityPolicy(config));
// Compliance-specific policies
config.complianceFrameworks.forEach(framework => {
policies.push(this.createCompliancePolicy(framework, config.securityLevel));
});
// Environment-specific policies
policies.push(this.createEnvironmentPolicy(config.environmentType, config.securityLevel));
// Custom policies
if (config.customPolicies) {
config.customPolicies.forEach(customPolicy => {
policies.push({
version: '2012-10-17',
statement: customPolicy.statements
});
});
}
return policies;
}
createBaseSecurityPolicy(config) {
const statements = [];
// Deny root user actions in production
if (config.environmentType === 'production') {
statements.push({
effect: 'Deny',
actions: ['*'],
resources: ['*'],
conditions: {
'StringEquals': {
'aws:userid': 'AIDACKCEVSQ6C2EXAMPLE'
}
}
});
}
// Enforce MFA for sensitive actions
if (config.securityLevel === 'enhanced' || config.securityLevel === 'strict') {
statements.push({
effect: 'Deny',
actions: [
'iam:DeleteRole',
'iam:DeletePolicy',
'iam:CreateRole',
'iam:AttachRolePolicy',
's3:DeleteBucket',
'rds:DeleteDBInstance',
'ec2:TerminateInstances'
],
resources: ['*'],
conditions: {
'BoolIfExists': {
'aws:MultiFactorAuthPresent': 'false'
}
}
});
}
// Restrict region access
statements.push({
effect: 'Deny',
actions: ['*'],
resources: ['*'],
conditions: {
'StringNotEquals': {
'aws:RequestedRegion': [
'us-east-1',
'us-west-2',
'eu-west-1',
'ap-southeast-2'
]
}
}
});
return {
version: '2012-10-17',
statement: statements
};
}
createCompliancePolicy(framework, securityLevel) {
const statements = [];
switch (framework) {
case 'SOC2':
statements.push(...this.getSOC2PolicyStatements(securityLevel));
break;
case 'ISO27001':
statements.push(...this.getISO27001PolicyStatements(securityLevel));
break;
case 'HIPAA':
statements.push(...this.getHIPAAPolicyStatements(securityLevel));
break;
case 'PCI-DSS':
statements.push(...this.getPCIDSSPolicyStatements(securityLevel));
break;
case 'GDPR':
statements.push(...this.getGDPRPolicyStatements(securityLevel));
break;
}
return {
version: '2012-10-17',
statement: statements
};
}
getSOC2PolicyStatements(securityLevel) {
const statements = [];
// SOC2 Type II - Security logging requirement
statements.push({
effect: 'Allow',
actions: [
'cloudtrail:CreateTrail',
'cloudtrail:StartLogging',
'cloudtrail:StopLogging',
'logs:CreateLogGroup',
'logs:CreateLogStream'
],
resources: ['*']
});
// SOC2 - Backup and recovery
statements.push({
effect: 'Allow',
actions: [
'backup:CreateBackupPlan',
'backup:CreateBackupSelection',
'backup:StartBackupJob'
],
resources: ['*']
});
if (securityLevel === 'strict') {
// Deny unencrypted storage
statements.push({
effect: 'Deny',
actions: [
's3:PutObject'
],
resources: ['*'],
conditions: {
'StringNotEquals': {
's3:x-amz-server-side-encryption': 'AES256'
}
}
});
}
return statements;
}
getISO27001PolicyStatements(securityLevel) {
return [
{
effect: 'Deny',
actions: ['*'],
resources: ['*'],
conditions: {
'DateGreaterThan': {
'aws:CurrentTime': '2024-12-31T23:59:59Z'
}
}
}
];
}
getHIPAAPolicyStatements(securityLevel) {
return [
{
effect: 'Deny',
actions: [
's3:PutObject',
'rds:CreateDBInstance',
'ec2:CreateVolume'
],
resources: ['*'],
conditions: {
'Bool': {
'aws:SecureTransport': 'false'
}
}
}
];
}
getPCIDSSPolicyStatements(securityLevel) {
return [
{
effect: 'Allow',
actions: [
'waf:CreateWebACL',
'wafv2:CreateWebACL',
'shield:CreateProtection'
],
resources: ['*']
}
];
}
getGDPRPolicyStatements(securityLevel) {
return [
{
effect: 'Allow',
actions: [
's3:GetObject',
's3:DeleteObject'
],
resources: ['*'],
conditions: {
'StringEquals': {
's3:x-amz-server-side-encryption': 'aws:kms'
}
}
}
];
}
createEnvironmentPolicy(environment, securityLevel) {
const statements = [];
if (environment === 'production') {
// Production restrictions
statements.push({
effect: 'Deny',
actions: [
'iam:CreateUser',
'iam:CreateAccessKey',
'ec2:AuthorizeSecurityGroupIngress'
],
resources: ['*'],
conditions: {
'StringNotEquals': {
'aws:PrincipalTag/Environment': 'production'
}
}
});
}
return {
version: '2012-10-17',
statement: statements
};
}
/**
* Generate IAM roles for different security contexts
*/
generateIAMRoles(config) {
const roles = [];
// Security audit role
roles.push({
roleName: `${config.organizationName}-SecurityAuditRole`,
description: 'Role for security auditing and compliance monitoring',
assumedBy: ['lambda.amazonaws.com', 'config.amazonaws.com'],
managedPolicies: [
'arn:aws:iam::aws:policy/SecurityAudit',
'arn:aws:iam::aws:policy/ConfigRole'
],
maxSessionDuration: 3600,
tags: {
Purpose: 'SecurityAudit',
Environment: config.environmentType,
Compliance: config.complianceFrameworks.join(',')
}
});
// Application execution role
roles.push({
roleName: `${config.organizationName}-ApplicationRole`,
description: 'Role for application services',
assumedBy: ['lambda.amazonaws.com', 'ecs-tasks.amazonaws.com'],
managedPolicies: [
'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
],
inlinePolicies: {
ApplicationPolicy: this.createApplicationPolicy(config)
},
tags: {
Purpose: 'Application',
Environment: config.environmentType
}
});
return roles;
}
createApplicationPolicy(config) {
return {
version: '2012-10-17',
statement: [
{
effect: 'Allow',
actions: [
's3:GetObject',
's3:PutObject'
],
resources: [`arn:aws:s3:::${config.organizationName.toLowerCase()}-${config.environmentType}-data/*`]
},
{
effect: 'Allow',
actions: [
'secretsmanager:GetSecretValue'
],
resources: [`arn:aws:secretsmanager:*:*:secret:${config.organizationName}/*`]
}
]
};
}
/**
* Generate security groups based on configuration
*/
generateSecurityGroups(config) {
const securityGroups = [];
// Web tier security group
securityGroups.push({
name: `${config.organizationName}-web-tier-sg`,
description: 'Security group for web tier',
rules: [
{
type: 'ingress',
protocol: 'tcp',
fromPort: 443,
toPort: 443,
cidrBlocks: ['0.0.0.0/0'],
description: 'HTTPS from internet'
},
{
type: 'ingress',
protocol: 'tcp',
fromPort: 80,
toPort: 80,
cidrBlocks: ['0.0.0.0/0'],
description: 'HTTP from internet (redirect to HTTPS)'
},
{
type: 'egress',
protocol: 'tcp',
fromPort: 443,
toPort: 443,
cidrBlocks: ['0.0.0.0/0'],
description: 'HTTPS outbound'
}
],
tags: {
Tier: 'Web',
Environment: config.environmentType
}
});
// Application tier security group
securityGroups.push({
name: `${config.organizationName}-app-tier-sg`,
description: 'Security group for application tier',
rules: [
{
type: 'ingress',
protocol: 'tcp',
fromPort: 8080,
toPort: 8080,
securityGroupIds: [], // Will be populated with web tier SG ID
description: 'Application port from web tier'
},
{
type: 'egress',
protocol: 'tcp',
fromPort: 443,
toPort: 443,
cidrBlocks: ['0.0.0.0/0'],
description: 'HTTPS for AWS API calls'
}
],
tags: {
Tier: 'Application',
Environment: config.environmentType
}
});
// Database tier security group
securityGroups.push({
name: `${config.organizationName}-db-tier-sg`,
description: 'Security group for database tier',
rules: [
{
type: 'ingress',
protocol: 'tcp',
fromPort: 5432,
toPort: 5432,
securityGroupIds: [], // Will be populated with app tier SG ID
description: 'PostgreSQL from application tier'
}
],
tags: {
Tier: 'Database',
Environment: config.environmentType
}
});
return securityGroups;
}
/**
* Generate KMS keys for encryption
*/
generateKMSKeys(config) {
const keys = [];
// Data encryption key
keys.push({
alias: `${config.organizationName}-data-encryption-key`,
description: 'Key for encrypting sensitive data at rest',
keyUsage: 'ENCRYPT_DECRYPT',
keySpec: 'SYMMETRIC_DEFAULT',
enableKeyRotation: true,
keyPolicy: {
version: '2012-10-17',
statement: [
{
effect: 'Allow',
principals: ['arn:aws:iam::*:root'],
actions: ['kms:*'],
resources: ['*']
},
{
effect: 'Allow',
principals: [`arn:aws:iam::*:role/${config.organizationName}-ApplicationRole`],
actions: [
'kms:Encrypt',
'kms:Decrypt',
'kms:ReEncrypt*',
'kms:GenerateDataKey*',
'kms:CreateGrant',
'kms:DescribeKey'
],
resources: ['*']
}
]
}
});
return keys;
}
/**
* Generate audit configuration
*/
generateAuditConfig(config) {
return {
enableCloudTrail: config.enableCloudTrail,
enableConfigRules: config.enableConfigRules,
enableAccessLogging: true,
logRetentionDays: config.environmentType === 'production' ? 2557 : 90, // 7 years for production
alertOnPolicyViolations: true,
complianceChecks: this.generateComplianceChecks(config.complianceFrameworks)
};
}
generateComplianceChecks(frameworks) {
const checks = [];
frameworks.forEach(framework => {
switch (framework) {
case 'SOC2':
checks.push({
framework: 'SOC2',
controlId: 'CC6.1',
description: 'Logical and physical access controls',
severity: 'high',
automatedCheck: true
}, {
framework: 'SOC2',
controlId: 'CC6.7',
description: 'Data transmission and disposal',
severity: 'critical',
automatedCheck: true
});
break;
case 'ISO27001':
checks.push({
framework: 'ISO27001',
controlId: 'A.9.1.2',
description: 'Access to networks and network services',
severity: 'high',
automatedCheck: true
});
break;
}
});
return checks;
}
/**
* Generate compliance report
*/
generateComplianceReport(config) {
// For now, return a basic compliance report
// In full implementation, this would analyze the generated baseline against compliance requirements
return {
framework: config.complianceFrameworks[0],
controlsCovered: ['CC6.1', 'CC6.7', 'A.9.1.2'],
controlsNotCovered: ['CC8.1', 'A.12.6.1'],
recommendedActions: [
{
priority: 'high',
description: 'Implement automated vulnerability scanning',
implementationSteps: [
'Enable AWS Inspector',
'Configure scanning schedules',
'Set up alerting for critical vulnerabilities'
],
estimatedEffort: '1-2 weeks',
complianceImpact: 'Addresses CC7.1 security monitoring requirements'
}
],
riskAssessment: {
overallRiskLevel: 'medium',
identifiedRisks: [
{
category: 'access',
severity: 'medium',
description: 'Overly permissive IAM policies detected',
likelihood: 'medium',
impact: 'Potential unauthorized access to resources',
mitigation: 'Implement principle of least privilege'
}
],
mitigationStrategies: [
'Regular access reviews',
'Automated policy analysis',
'Just-in-time access implementation'
]
}
};
}
}
exports.SecurityBaselineGenerator = SecurityBaselineGenerator;
//# sourceMappingURL=security-baseline-generator.js.map