advanced-cdk-constructs
# API Reference <a name="API Reference" id="api-reference"></a>
## Constructs <a name="Constructs" id="Constructs"></a>
### AwsAccount <a name="AwsAccount" id="advanced-cdk-constructs.AwsAccount"></a>
A CDK construct that creates a new AWS Account within an AWS Organization.
This construct creates a new AWS account and optionally places it within
specified organizational units. The account can be configured with cross-account
access roles and organizational tags.
Example:
```ts
new AwsAccount(this, 'MyAccount', {
  name: 'Development Account',
  email: 'dev-account@example.com',
  parentIds: ['ou-xxxx-xxxxxxxx'],
  roleName: 'OrganizationAccountAccessRole',
  tags: [
    { key: 'Environment', value: 'Development' },
    { key: 'Project', value: 'MyProject' }
  ]
});
```
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.AwsAccount.Initializer"></a>
```typescript
import { AwsAccount } from 'advanced-cdk-constructs'
new AwsAccount(scope: Construct, id: string, props: AwsAccountProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.AwsAccount.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The parent construct. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.Initializer.parameter.id">id</a></code> | <code>string</code> | The construct ID. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.AwsAccountProps">AwsAccountProps</a></code> | The properties for creating the AWS account. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.AwsAccount.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The parent construct.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.AwsAccount.Initializer.parameter.id"></a>
- *Type:* string
The construct ID.
---
##### `props`<sup>Required</sup> <a name="props" id="advanced-cdk-constructs.AwsAccount.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.AwsAccountProps">AwsAccountProps</a>
The properties for creating the AWS account.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.AwsAccount.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.AwsAccount.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.AwsAccount.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.AwsAccount.isConstruct"></a>
```typescript
import { AwsAccount } from 'advanced-cdk-constructs'
AwsAccount.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid using `instanceof` and to use
this type-testing method instead.
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.AwsAccount.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.accountArn">accountArn</a></code> | <code>string</code> | The ARN of the created AWS account. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.accountId">accountId</a></code> | <code>string</code> | The AWS Account ID of the created account. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.accountName">accountName</a></code> | <code>string</code> | The name of the AWS account as specified in the props. |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.accountStatus">accountStatus</a></code> | <code>string</code> | The current status of the AWS account (e.g., 'ACTIVE', 'SUSPENDED'). |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.joinedMethod">joinedMethod</a></code> | <code>string</code> | The method by which the account joined the organization (e.g., 'INVITED'). |
| <code><a href="#advanced-cdk-constructs.AwsAccount.property.joinedTimestamp">joinedTimestamp</a></code> | <code>string</code> | The timestamp when the account joined the organization. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.AwsAccount.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `accountArn`<sup>Required</sup> <a name="accountArn" id="advanced-cdk-constructs.AwsAccount.property.accountArn"></a>
```typescript
public readonly accountArn: string;
```
- *Type:* string
The ARN of the created AWS account.
---
##### `accountId`<sup>Required</sup> <a name="accountId" id="advanced-cdk-constructs.AwsAccount.property.accountId"></a>
```typescript
public readonly accountId: string;
```
- *Type:* string
The AWS Account ID of the created account.
This will be available after the account creation is complete.
---
##### `accountName`<sup>Required</sup> <a name="accountName" id="advanced-cdk-constructs.AwsAccount.property.accountName"></a>
```typescript
public readonly accountName: string;
```
- *Type:* string
The name of the AWS account as specified in the props.
---
##### `accountStatus`<sup>Required</sup> <a name="accountStatus" id="advanced-cdk-constructs.AwsAccount.property.accountStatus"></a>
```typescript
public readonly accountStatus: string;
```
- *Type:* string
The current status of the AWS account (e.g., 'ACTIVE', 'SUSPENDED').
---
##### `joinedMethod`<sup>Required</sup> <a name="joinedMethod" id="advanced-cdk-constructs.AwsAccount.property.joinedMethod"></a>
```typescript
public readonly joinedMethod: string;
```
- *Type:* string
The method by which the account joined the organization (e.g., 'INVITED').
---
##### `joinedTimestamp`<sup>Required</sup> <a name="joinedTimestamp" id="advanced-cdk-constructs.AwsAccount.property.joinedTimestamp"></a>
```typescript
public readonly joinedTimestamp: string;
```
- *Type:* string
The timestamp when the account joined the organization.
---
### ControlTowerLandingZone <a name="ControlTowerLandingZone" id="advanced-cdk-constructs.ControlTowerLandingZone"></a>
AWS Control Tower Landing Zone construct.
This construct provides a comprehensive solution for deploying and managing
AWS Control Tower landing zones with centralized logging, security auditing,
and organizational structure management.
*Example*
```typescript
const landingZone = new ControlTowerLandingZone(this, 'MyLandingZone', {
  controlTowerStackName: 'my-control-tower',
  governedRegions: ['us-east-1', 'us-west-2'],
  logArchiveAccountEmail: 'log-archive@example.com',
  securityAuditAccountEmail: 'security-audit@example.com',
  logRetentionDays: 90,
});
```
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.ControlTowerLandingZone.Initializer"></a>
```typescript
import { ControlTowerLandingZone } from 'advanced-cdk-constructs'
new ControlTowerLandingZone(scope: Construct, id: string, props: ControlTowerLandingZoneProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The scope in which this construct is defined. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.id">id</a></code> | <code>string</code> | The unique identifier for this construct. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps">ControlTowerLandingZoneProps</a></code> | Configuration properties for the landing zone. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The scope in which this construct is defined.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.id"></a>
- *Type:* string
The unique identifier for this construct.
---
##### `props`<sup>Required</sup> <a name="props" id="advanced-cdk-constructs.ControlTowerLandingZone.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps">ControlTowerLandingZoneProps</a>
Configuration properties for the landing zone.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.ControlTowerLandingZone.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.ControlTowerLandingZone.isConstruct"></a>
```typescript
import { ControlTowerLandingZone } from 'advanced-cdk-constructs'
ControlTowerLandingZone.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid using `instanceof` and to use
this type-testing method instead.
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.ControlTowerLandingZone.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.controlTowerAdminRole">controlTowerAdminRole</a></code> | <code>aws-cdk-lib.aws_iam.IRole</code> | The Control Tower admin role (either created or referenced). |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.landingZoneArn">landingZoneArn</a></code> | <code>string</code> | The ARN of the Control Tower landing zone. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.landingZoneId">landingZoneId</a></code> | <code>string</code> | The unique identifier of the Control Tower landing zone. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.logArchiveAccountId">logArchiveAccountId</a></code> | <code>string</code> | The AWS account ID of the log archive account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.loggingKmsKeyArn">loggingKmsKeyArn</a></code> | <code>string</code> | The ARN of the KMS key used for logging bucket encryption. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZone.property.securityAuditAccountId">securityAuditAccountId</a></code> | <code>string</code> | The AWS account ID of the security audit account. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.ControlTowerLandingZone.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `controlTowerAdminRole`<sup>Required</sup> <a name="controlTowerAdminRole" id="advanced-cdk-constructs.ControlTowerLandingZone.property.controlTowerAdminRole"></a>
```typescript
public readonly controlTowerAdminRole: IRole;
```
- *Type:* aws-cdk-lib.aws_iam.IRole
The Control Tower admin role (either created or referenced).
---
##### `landingZoneArn`<sup>Required</sup> <a name="landingZoneArn" id="advanced-cdk-constructs.ControlTowerLandingZone.property.landingZoneArn"></a>
```typescript
public readonly landingZoneArn: string;
```
- *Type:* string
The ARN of the Control Tower landing zone.
---
##### `landingZoneId`<sup>Required</sup> <a name="landingZoneId" id="advanced-cdk-constructs.ControlTowerLandingZone.property.landingZoneId"></a>
```typescript
public readonly landingZoneId: string;
```
- *Type:* string
The unique identifier of the Control Tower landing zone.
---
##### `logArchiveAccountId`<sup>Optional</sup> <a name="logArchiveAccountId" id="advanced-cdk-constructs.ControlTowerLandingZone.property.logArchiveAccountId"></a>
```typescript
public readonly logArchiveAccountId: string;
```
- *Type:* string
The AWS account ID of the log archive account.
---
##### `loggingKmsKeyArn`<sup>Optional</sup> <a name="loggingKmsKeyArn" id="advanced-cdk-constructs.ControlTowerLandingZone.property.loggingKmsKeyArn"></a>
```typescript
public readonly loggingKmsKeyArn: string;
```
- *Type:* string
The ARN of the KMS key used for logging bucket encryption.
---
##### `securityAuditAccountId`<sup>Optional</sup> <a name="securityAuditAccountId" id="advanced-cdk-constructs.ControlTowerLandingZone.property.securityAuditAccountId"></a>
```typescript
public readonly securityAuditAccountId: string;
```
- *Type:* string
The AWS account ID of the security audit account.
---
### DeclarativePolicy <a name="DeclarativePolicy" id="advanced-cdk-constructs.DeclarativePolicy"></a>
A CDK construct that creates an AWS Organizations EC2 Declarative Policy.
This construct allows you to declaratively define and apply EC2-related policies
such as blocking public access to VPCs, restricting AMI providers, enforcing
instance metadata service settings, and more.
Example:
```ts
new DeclarativePolicy(this, 'MyPolicy', {
  targetIds: ['ou-xxxx-xxxxxxxx'],
  vpcBlockPublicAccess: true,
  vpcBlockPublicAccessMode: VpcBlockPublicAccessMode.BLOCK_BIDIRECTIONAL,
});
```
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.DeclarativePolicy.Initializer"></a>
```typescript
import { DeclarativePolicy } from 'advanced-cdk-constructs'
new DeclarativePolicy(scope: Construct, id: string, props: DeclarativePolicyProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The parent construct. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.id">id</a></code> | <code>string</code> | The construct ID. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps">DeclarativePolicyProps</a></code> | The policy properties. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The parent construct.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.id"></a>
- *Type:* string
The construct ID.
---
##### `props`<sup>Required</sup> <a name="props" id="advanced-cdk-constructs.DeclarativePolicy.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.DeclarativePolicyProps">DeclarativePolicyProps</a>
The policy properties.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.DeclarativePolicy.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.DeclarativePolicy.isConstruct"></a>
```typescript
import { DeclarativePolicy } from 'advanced-cdk-constructs'
DeclarativePolicy.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid using `instanceof` and to use
this type-testing method instead.
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.DeclarativePolicy.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicy.property.declarativePolicyArn">declarativePolicyArn</a></code> | <code>string</code> | The ARN of the created declarative policy. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.DeclarativePolicy.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `declarativePolicyArn`<sup>Required</sup> <a name="declarativePolicyArn" id="advanced-cdk-constructs.DeclarativePolicy.property.declarativePolicyArn"></a>
```typescript
public readonly declarativePolicyArn: string;
```
- *Type:* string
The ARN of the created declarative policy.
---
### GuardDutyConstruct <a name="GuardDutyConstruct" id="advanced-cdk-constructs.GuardDutyConstruct"></a>
A CDK construct that sets up AWS GuardDuty with configurable data sources and features.
Example:
```ts
new GuardDutyConstruct(this, 'GuardDuty', {
  enableGuardDuty: true,
  kubernetesAuditLogs: true,
  malwareProtection: true,
  s3Logs: true,
});
```
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.GuardDutyConstruct.Initializer"></a>
```typescript
import { GuardDutyConstruct } from 'advanced-cdk-constructs'
new GuardDutyConstruct(scope: Construct, id: string, props?: GuardDutyConstructProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The parent construct. |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.id">id</a></code> | <code>string</code> | The construct ID. |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.GuardDutyConstructProps">GuardDutyConstructProps</a></code> | GuardDuty configuration properties. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The parent construct.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.id"></a>
- *Type:* string
The construct ID.
---
##### `props`<sup>Optional</sup> <a name="props" id="advanced-cdk-constructs.GuardDutyConstruct.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.GuardDutyConstructProps">GuardDutyConstructProps</a>
GuardDuty configuration properties.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.GuardDutyConstruct.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.GuardDutyConstruct.isConstruct"></a>
```typescript
import { GuardDutyConstruct } from 'advanced-cdk-constructs'
GuardDutyConstruct.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid using `instanceof` and to use
this type-testing method instead.
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.GuardDutyConstruct.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.GuardDutyConstruct.property.detectorId">detectorId</a></code> | <code>string</code> | The ID of the created GuardDuty detector. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.GuardDutyConstruct.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `detectorId`<sup>Required</sup> <a name="detectorId" id="advanced-cdk-constructs.GuardDutyConstruct.property.detectorId"></a>
```typescript
public readonly detectorId: string;
```
- *Type:* string
The ID of the created GuardDuty detector.
---
### ResourceControlPolicy <a name="ResourceControlPolicy" id="advanced-cdk-constructs.ResourceControlPolicy"></a>
A CDK construct that creates and attaches an AWS Organizations Resource Control Policy.
This policy can enforce Confused Deputy Protection and Secure Transport requirements
across specified AWS accounts, OUs, or roots.
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.ResourceControlPolicy.Initializer"></a>
```typescript
import { ResourceControlPolicy } from 'advanced-cdk-constructs'
new ResourceControlPolicy(scope: Construct, id: string, props: ResourceControlPolicyProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The parent construct. |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.id">id</a></code> | <code>string</code> | The construct ID. |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.ResourceControlPolicyProps">ResourceControlPolicyProps</a></code> | The properties for the resource control policy. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The parent construct.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.id"></a>
- *Type:* string
The construct ID.
---
##### `props`<sup>Required</sup> <a name="props" id="advanced-cdk-constructs.ResourceControlPolicy.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.ResourceControlPolicyProps">ResourceControlPolicyProps</a>
The properties for the resource control policy.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.ResourceControlPolicy.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.ResourceControlPolicy.isConstruct"></a>
```typescript
import { ResourceControlPolicy } from 'advanced-cdk-constructs'
ResourceControlPolicy.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid using `instanceof` and to use
this type-testing method instead.
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.ResourceControlPolicy.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.ResourceControlPolicy.property.resourceControlPolicyArn">resourceControlPolicyArn</a></code> | <code>string</code> | The ARN of the created Resource Control Policy. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.ResourceControlPolicy.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `resourceControlPolicyArn`<sup>Required</sup> <a name="resourceControlPolicyArn" id="advanced-cdk-constructs.ResourceControlPolicy.property.resourceControlPolicyArn"></a>
```typescript
public readonly resourceControlPolicyArn: string;
```
- *Type:* string
The ARN of the created Resource Control Policy.
---
### ServiceControlPolicy <a name="ServiceControlPolicy" id="advanced-cdk-constructs.ServiceControlPolicy"></a>
Defines an AWS Organizations Service Control Policy (SCP) and attaches it to the specified targets.
Example:
```ts
new ServiceControlPolicy(this, 'MySCP', {
  targetIds: ['ou-xxxx-xxxxxxxx', '123456789012'],
  name: 'DenyEC2',
  statements: [
    {
      Effect: 'Deny',
      Action: 'ec2:*',
      Resource: '*',
    },
  ],
  description: 'Denies all EC2 actions',
});
```
#### Initializers <a name="Initializers" id="advanced-cdk-constructs.ServiceControlPolicy.Initializer"></a>
```typescript
import { ServiceControlPolicy } from 'advanced-cdk-constructs'
new ServiceControlPolicy(scope: Construct, id: string, props: ServiceControlPolicyProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.scope">scope</a></code> | <code>constructs.Construct</code> | The parent construct. |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.id">id</a></code> | <code>string</code> | The construct ID. |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.props">props</a></code> | <code><a href="#advanced-cdk-constructs.ServiceControlPolicyProps">ServiceControlPolicyProps</a></code> | The Service Control Policy properties. |
---
##### `scope`<sup>Required</sup> <a name="scope" id="advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.scope"></a>
- *Type:* constructs.Construct
The parent construct.
---
##### `id`<sup>Required</sup> <a name="id" id="advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.id"></a>
- *Type:* string
The construct ID.
---
##### `props`<sup>Required</sup> <a name="props" id="advanced-cdk-constructs.ServiceControlPolicy.Initializer.parameter.props"></a>
- *Type:* <a href="#advanced-cdk-constructs.ServiceControlPolicyProps">ServiceControlPolicyProps</a>
The Service Control Policy properties.
---
#### Methods <a name="Methods" id="Methods"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.toString">toString</a></code> | Returns a string representation of this construct. |
---
##### `toString` <a name="toString" id="advanced-cdk-constructs.ServiceControlPolicy.toString"></a>
```typescript
public toString(): string
```
Returns a string representation of this construct.
#### Static Functions <a name="Static Functions" id="Static Functions"></a>
| **Name** | **Description** |
| --- | --- |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.isConstruct">isConstruct</a></code> | Checks if `x` is a construct. |
---
##### `isConstruct` <a name="isConstruct" id="advanced-cdk-constructs.ServiceControlPolicy.isConstruct"></a>
```typescript
import { ServiceControlPolicy } from 'advanced-cdk-constructs'
ServiceControlPolicy.isConstruct(x: any)
```
Checks if `x` is a construct.
Use this method instead of `instanceof` to properly detect `Construct`
instances, even when the construct library is symlinked.
Explanation: in JavaScript, multiple copies of the `constructs` library on
disk are seen as independent, completely different libraries. As a
consequence, the class `Construct` in each copy of the `constructs` library
is seen as a different class, and an instance of one class will not test as
`instanceof` the other class. `npm install` will not create installations
like this, but users may manually symlink construct libraries together or
use a monorepo tool: in those cases, multiple copies of the `constructs`
library can be accidentally installed, and `instanceof` will behave
unpredictably. It is safest to avoid `instanceof` and use
this type-testing method instead.
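The failure mode described above can be reproduced in a single file. This is an added example, not code from `constructs` or from this library: it simulates two on-disk copies by evaluating the same class definition twice, and `loadCopy`, `MARKER` and the symbol name are hypothetical names chosen for the illustration.

```typescript
// Added illustration: two copies of one library, simulated in a single file.
// loadCopy(), MARKER and the symbol name are hypothetical, not the constructs API.

// Symbol.for() reads the process-wide symbol registry, so every copy of the
// code gets the same symbol even though each copy defines its own class.
const MARKER = Symbol.for('example.Construct');

interface ConstructLike {
  readonly id: string;
}

interface LibraryCopy {
  Construct: new (id: string) => ConstructLike;
  isConstruct(x: unknown): boolean;
}

// Each call evaluates the class body again, as happens when the same package
// is resolved from two different node_modules directories.
function loadCopy(): LibraryCopy {
  class Construct implements ConstructLike {
    readonly id: string;
    constructor(id: string) {
      this.id = id;
      // Brand the instance with the shared symbol.
      Object.defineProperty(this, MARKER, { value: true });
    }
    static isConstruct(x: unknown): boolean {
      return typeof x === 'object' && x !== null && MARKER in x;
    }
  }
  return { Construct, isConstruct: Construct.isConstruct };
}

const copyA = loadCopy(); // the copy the application imports
const copyB = loadCopy(); // the copy a symlinked dependency imports
const fromB = new copyB.Construct('Policy');

// Class identity differs between copies, so instanceof misses a real construct.
function instanceofAcrossCopies(): boolean {
  return fromB instanceof copyA.Construct;
}

// The brand is shared, so the type test works across copies...
function brandCheckAcrossCopies(): boolean {
  return copyA.isConstruct(fromB);
}

// ...and still rejects an unrelated object with the same shape.
function brandCheckRejectsLookalike(): boolean {
  return copyA.isConstruct({ id: 'Policy' });
}
```

Any code that filters a construct tree with `instanceof` (for example a compliance check that walks the tree) would skip `fromB` here, which is why the type-testing method is the one to use.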
###### `x`<sup>Required</sup> <a name="x" id="advanced-cdk-constructs.ServiceControlPolicy.isConstruct.parameter.x"></a>
- *Type:* any
Any object.
---
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
| <code><a href="#advanced-cdk-constructs.ServiceControlPolicy.property.serviceControlPolicyArn">serviceControlPolicyArn</a></code> | <code>string</code> | The ARN of the created Service Control Policy. |
---
##### `node`<sup>Required</sup> <a name="node" id="advanced-cdk-constructs.ServiceControlPolicy.property.node"></a>
```typescript
public readonly node: Node;
```
- *Type:* constructs.Node
The tree node.
---
##### `serviceControlPolicyArn`<sup>Required</sup> <a name="serviceControlPolicyArn" id="advanced-cdk-constructs.ServiceControlPolicy.property.serviceControlPolicyArn"></a>
```typescript
public readonly serviceControlPolicyArn: string;
```
- *Type:* string
The ARN of the created Service Control Policy.
---
## Structs <a name="Structs" id="Structs"></a>
### AwsAccountProps <a name="AwsAccountProps" id="advanced-cdk-constructs.AwsAccountProps"></a>
Properties for creating an AWS Account within an AWS Organization.
#### Initializer <a name="Initializer" id="advanced-cdk-constructs.AwsAccountProps.Initializer"></a>
```typescript
import { AwsAccountProps } from 'advanced-cdk-constructs'
const awsAccountProps: AwsAccountProps = { ... }
```
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.AwsAccountProps.property.email">email</a></code> | <code>string</code> | The email address associated with the AWS account. |
| <code><a href="#advanced-cdk-constructs.AwsAccountProps.property.name">name</a></code> | <code>string</code> | The name of the AWS account. |
| <code><a href="#advanced-cdk-constructs.AwsAccountProps.property.parentIds">parentIds</a></code> | <code>string[]</code> | Optional list of parent organizational unit IDs or root IDs. |
| <code><a href="#advanced-cdk-constructs.AwsAccountProps.property.roleName">roleName</a></code> | <code>string</code> | Optional IAM role name to be used for cross-account access. |
| <code><a href="#advanced-cdk-constructs.AwsAccountProps.property.tags">tags</a></code> | <code>aws-cdk-lib.CfnTag[]</code> | Optional list of tags to apply to the AWS account. |
---
##### `email`<sup>Required</sup> <a name="email" id="advanced-cdk-constructs.AwsAccountProps.property.email"></a>
```typescript
public readonly email: string;
```
- *Type:* string
The email address associated with the AWS account.
This email must be unique and not already associated with another AWS account.
---
##### `name`<sup>Required</sup> <a name="name" id="advanced-cdk-constructs.AwsAccountProps.property.name"></a>
```typescript
public readonly name: string;
```
- *Type:* string
The name of the AWS account.
This will be the display name in the AWS Organizations console.
---
##### `parentIds`<sup>Optional</sup> <a name="parentIds" id="advanced-cdk-constructs.AwsAccountProps.property.parentIds"></a>
```typescript
public readonly parentIds: string[];
```
- *Type:* string[]
- *Default:* Account will be placed in the root
Optional list of parent organizational unit IDs or root IDs.
If not provided, the account will be placed in the root of the organization.
---
##### `roleName`<sup>Optional</sup> <a name="roleName" id="advanced-cdk-constructs.AwsAccountProps.property.roleName"></a>
```typescript
public readonly roleName: string;
```
- *Type:* string
- *Default:* No cross-account role will be created
Optional IAM role name to be used for cross-account access.
This role will be created in the new account and can be assumed by the master account.
---
##### `tags`<sup>Optional</sup> <a name="tags" id="advanced-cdk-constructs.AwsAccountProps.property.tags"></a>
```typescript
public readonly tags: CfnTag[];
```
- *Type:* aws-cdk-lib.CfnTag[]
- *Default:* No tags will be applied
Optional list of tags to apply to the AWS account.
These tags will help with organization and cost tracking.
---
### ControlTowerLandingZoneProps <a name="ControlTowerLandingZoneProps" id="advanced-cdk-constructs.ControlTowerLandingZoneProps"></a>
Properties for configuring AWS Control Tower Landing Zone.
This interface defines all the configuration options available for setting up
a Control Tower landing zone with centralized logging, security auditing,
and organizational structure management.
#### Initializer <a name="Initializer" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.Initializer"></a>
```typescript
import { ControlTowerLandingZoneProps } from 'advanced-cdk-constructs'
const controlTowerLandingZoneProps: ControlTowerLandingZoneProps = { ... }
```
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.controlTowerStackName">controlTowerStackName</a></code> | <code>string</code> | The name of the Control Tower stack. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.accessLoggingBucketRetentionDays">accessLoggingBucketRetentionDays</a></code> | <code>number</code> | Number of days to retain access logs in the access logging bucket. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.createControlTowerAdminRole">createControlTowerAdminRole</a></code> | <code>boolean</code> | Whether to create the Control Tower admin role if it doesn't already exist. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.governedRegions">governedRegions</a></code> | <code>string[]</code> | AWS regions where Control Tower governance will be applied. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountEmail">logArchiveAccountEmail</a></code> | <code>string</code> | Email address for the log archive account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountId">logArchiveAccountId</a></code> | <code>string</code> | AWS account ID for the log archive account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountRoleName">logArchiveAccountRoleName</a></code> | <code>string</code> | IAM role name for the log archive account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountTags">logArchiveAccountTags</a></code> | <code>aws-cdk-lib.CfnTag[]</code> | Tags to apply to the log archive account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.loggingBucketKmsKeyArn">loggingBucketKmsKeyArn</a></code> | <code>string</code> | ARN of the KMS key for encrypting the logging bucket. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logRetentionDays">logRetentionDays</a></code> | <code>number</code> | Number of days to retain logs in the centralized logging bucket. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.organizationStructure">organizationStructure</a></code> | <code>{[ key: string ]: <a href="#advanced-cdk-constructs.OrganizationalUnit">OrganizationalUnit</a>}</code> | Custom organizational structure. If not provided, defaults to AWS best practices structure. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountEmail">securityAuditAccountEmail</a></code> | <code>string</code> | Email address for the security audit account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountId">securityAuditAccountId</a></code> | <code>string</code> | AWS account ID for the security audit account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountRoleName">securityAuditAccountRoleName</a></code> | <code>string</code> | IAM role name for the security audit account. |
| <code><a href="#advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountTags">securityAuditAccountTags</a></code> | <code>aws-cdk-lib.CfnTag[]</code> | Tags to apply to the security audit account. |
---
##### `controlTowerStackName`<sup>Required</sup> <a name="controlTowerStackName" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.controlTowerStackName"></a>
```typescript
public readonly controlTowerStackName: string;
```
- *Type:* string
The name of the Control Tower stack.
---
##### `accessLoggingBucketRetentionDays`<sup>Optional</sup> <a name="accessLoggingBucketRetentionDays" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.accessLoggingBucketRetentionDays"></a>
```typescript
public readonly accessLoggingBucketRetentionDays: number;
```
- *Type:* number
- *Default:* 60 days
Number of days to retain access logs in the access logging bucket.
---
##### `createControlTowerAdminRole`<sup>Optional</sup> <a name="createControlTowerAdminRole" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.createControlTowerAdminRole"></a>
```typescript
public readonly createControlTowerAdminRole: boolean;
```
- *Type:* boolean
- *Default:* true
Whether to create the Control Tower admin role if it doesn't already exist.
If false, the construct will attempt to reference an existing role with the name 'AWSControlTowerAdmin'.
---
##### `governedRegions`<sup>Optional</sup> <a name="governedRegions" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.governedRegions"></a>
```typescript
public readonly governedRegions: string[];
```
- *Type:* string[]
- *Default:* Uses the current stack's region
AWS regions where Control Tower governance will be applied.
---
##### `logArchiveAccountEmail`<sup>Optional</sup> <a name="logArchiveAccountEmail" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountEmail"></a>
```typescript
public readonly logArchiveAccountEmail: string;
```
- *Type:* string
Email address for the log archive account.
Required when logArchiveAccountId is not provided.
---
##### `logArchiveAccountId`<sup>Optional</sup> <a name="logArchiveAccountId" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountId"></a>
```typescript
public readonly logArchiveAccountId: string;
```
- *Type:* string
AWS account ID for the log archive account.
If not provided, a new account will be created using logArchiveAccountEmail.
---
##### `logArchiveAccountRoleName`<sup>Optional</sup> <a name="logArchiveAccountRoleName" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountRoleName"></a>
```typescript
public readonly logArchiveAccountRoleName: string;
```
- *Type:* string
- *Default:* Uses Control Tower default role name
IAM role name for the log archive account.
---
##### `logArchiveAccountTags`<sup>Optional</sup> <a name="logArchiveAccountTags" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logArchiveAccountTags"></a>
```typescript
public readonly logArchiveAccountTags: CfnTag[];
```
- *Type:* aws-cdk-lib.CfnTag[]
- *Default:* Purpose: Log Archive, Environment: Production
Tags to apply to the log archive account.
---
##### `loggingBucketKmsKeyArn`<sup>Optional</sup> <a name="loggingBucketKmsKeyArn" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.loggingBucketKmsKeyArn"></a>
```typescript
public readonly loggingBucketKmsKeyArn: string;
```
- *Type:* string
ARN of the KMS key for encrypting the logging bucket.
If not provided, a new KMS key will be created.
---
##### `logRetentionDays`<sup>Optional</sup> <a name="logRetentionDays" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.logRetentionDays"></a>
```typescript
public readonly logRetentionDays: number;
```
- *Type:* number
- *Default:* 60 days
Number of days to retain logs in the centralized logging bucket.
---
##### `organizationStructure`<sup>Optional</sup> <a name="organizationStructure" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.organizationStructure"></a>
```typescript
public readonly organizationStructure: {[ key: string ]: OrganizationalUnit};
```
- *Type:* {[ key: string ]: <a href="#advanced-cdk-constructs.OrganizationalUnit">OrganizationalUnit</a>}
- *Default:* AWS best practices organizational structure
Custom organizational structure. If not provided, defaults to AWS best practices structure.
The default structure includes:
- Security: Security and compliance accounts
- Infrastructure: Shared services and tooling accounts
- Workloads: Application workloads and production accounts
- Sandbox: Development and testing accounts
- Suspended: Isolated accounts requiring investigation
---
##### `securityAuditAccountEmail`<sup>Optional</sup> <a name="securityAuditAccountEmail" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountEmail"></a>
```typescript
public readonly securityAuditAccountEmail: string;
```
- *Type:* string
Email address for the security audit account.
Required when securityAuditAccountId is not provided.
---
##### `securityAuditAccountId`<sup>Optional</sup> <a name="securityAuditAccountId" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountId"></a>
```typescript
public readonly securityAuditAccountId: string;
```
- *Type:* string
AWS account ID for the security audit account.
If not provided, a new account will be created using securityAuditAccountEmail.
---
##### `securityAuditAccountRoleName`<sup>Optional</sup> <a name="securityAuditAccountRoleName" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountRoleName"></a>
```typescript
public readonly securityAuditAccountRoleName: string;
```
- *Type:* string
- *Default:* Uses Control Tower default role name
IAM role name for the security audit account.
---
##### `securityAuditAccountTags`<sup>Optional</sup> <a name="securityAuditAccountTags" id="advanced-cdk-constructs.ControlTowerLandingZoneProps.property.securityAuditAccountTags"></a>
```typescript
public readonly securityAuditAccountTags: CfnTag[];
```
- *Type:* aws-cdk-lib.CfnTag[]
- *Default:* Purpose: Security Audit, Environment: Production
Tags to apply to the security audit account.
---
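Because the account ID and email properties are all typed as optional, the compiler cannot enforce the "required when the ID is not provided" rules documented above. The following added example (not part of advanced-cdk-constructs) checks them before synthesis; `LandingZoneInput` is a local subset of the documented properties and `validateLandingZoneProps` is a hypothetical helper.

```typescript
// Added illustration; not code from advanced-cdk-constructs. LandingZoneInput is a
// local subset of the documented props; validateLandingZoneProps is hypothetical.
interface LandingZoneInput {
  controlTowerStackName: string;
  logArchiveAccountId?: string;
  logArchiveAccountEmail?: string;
  securityAuditAccountId?: string;
  securityAuditAccountEmail?: string;
  logRetentionDays?: number;
  accessLoggingBucketRetentionDays?: number;
}

const ACCOUNT_ID = /^\d{12}$/; // AWS account IDs are 12 digits

function checkAccount(label: string, id: string | undefined, email: string | undefined, errors: string[]): void {
  if (id === undefined) {
    // Documented rule: with no ID a new account is created from the email.
    if (!email) {
      errors.push(`${label}AccountEmail is required when ${label}AccountId is not provided`);
    }
  } else if (!ACCOUNT_ID.test(id)) {
    errors.push(`${label}AccountId must be a 12-digit AWS account ID`);
  }
}

function checkRetention(name: string, days: number | undefined, errors: string[]): void {
  // undefined is fine: the documented default of 60 days applies.
  if (days !== undefined && (!Number.isInteger(days) || days < 1)) {
    errors.push(`${name} must be a positive whole number of days`);
  }
}

function validateLandingZoneProps(p: LandingZoneInput): string[] {
  const errors: string[] = [];
  if (!p.controlTowerStackName) errors.push('controlTowerStackName is required');
  checkAccount('logArchive', p.logArchiveAccountId, p.logArchiveAccountEmail, errors);
  checkAccount('securityAudit', p.securityAuditAccountId, p.securityAuditAccountEmail, errors);
  // Account emails must be unique, so two new accounts cannot share one.
  const a = p.logArchiveAccountEmail?.toLowerCase();
  const b = p.securityAuditAccountEmail?.toLowerCase();
  if (a !== undefined && a === b) errors.push('log archive and security audit emails must differ');
  checkRetention('logRetentionDays', p.logRetentionDays, errors);
  checkRetention('accessLoggingBucketRetentionDays', p.accessLoggingBucketRetentionDays, errors);
  return errors;
}

// Constructed sample inputs.
const reusesExistingAccounts: LandingZoneInput = {
  controlTowerStackName: 'landing-zone',
  logArchiveAccountId: '111111111111',
  securityAuditAccountId: '222222222222',
};
const misconfigured: LandingZoneInput = {
  controlTowerStackName: 'landing-zone',
  logArchiveAccountEmail: 'log-archive@example.com',
  securityAuditAccountId: '2222', // not 12 digits
  logRetentionDays: 0,
};
```

Calling `validateLandingZoneProps` and throwing on a non-empty result before the construct is instantiated turns these mistakes into a synth-time failure instead of a failed or partial deployment.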
### DeclarativePolicyProps <a name="DeclarativePolicyProps" id="advanced-cdk-constructs.DeclarativePolicyProps"></a>
Properties for configuring a DeclarativePolicy.
#### Initializer <a name="Initializer" id="advanced-cdk-constructs.DeclarativePolicyProps.Initializer"></a>
```typescript
import { DeclarativePolicyProps } from 'advanced-cdk-constructs'
const declarativePolicyProps: DeclarativePolicyProps = { ... }
```
#### Properties <a name="Properties" id="Properties"></a>
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps.property.targetIds">targetIds</a></code> | <code>string[]</code> | The target AWS account or organizational unit IDs to which the policy will be attached. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps.property.allowedImageProviders">allowedImageProviders</a></code> | <code>string[]</code> | The list of allowed image providers or AWS account IDs. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps.property.allowedImagesState">allowedImagesState</a></code> | <code><a href="#advanced-cdk-constructs.AllowedImagesState">AllowedImagesState</a></code> | The state for allowed images policy. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps.property.blockPublicSnapshots">blockPublicSnapshots</a></code> | <code>boolean</code> | Whether to block public sharing of EBS snapshots. |
| <code><a href="#advanced-cdk-constructs.DeclarativePolicyProps.property.description">description</a></code> | <code>string</code> | The description of the policy. |
| <code><a href="#advanced-cdk-constructs.Decla