Class SecurityConfigValidator

Hierarchy

  • SecurityConfigValidator

Constructors

constructor

Methods

getAccountNames getOuIdNames getSnsTopicNames getSsmDocuments guarddutyLifecycleRules hasDuplicates isConfigRuleCmkDependent macieLifecycleRules validateAwsCloudWatchLogGroups validateAwsCloudWatchLogGroupsRetention validateAwsConfigAggregation validateCloudWatchAlarmsDeploymentTargetAccounts validateCloudWatchAlarmsDeploymentTargetOUs validateCloudWatchLogGroupsDeploymentTargetAccounts validateCloudWatchMetricsDeploymentTargetAccounts validateCloudWatchMetricsDeploymentTargetOUs validateConfigRuleAssets validateConfigRuleCmkDependency validateConfigRuleDeploymentTargetAccounts validateConfigRuleDeploymentTargetOUs validateConfigRuleNames validateConfigRuleRemediationAccountNames validateConfigRuleRemediationAssumeRoleFile validateConfigRuleRemediationTargetAssets validateCustomKeyName validateDelegatedAdminAccount validateDeploymentTargetAccountNames validateDeploymentTargetOUs validateEbsEncryptionConfiguration validateEbsEncryptionDeploymentTargetAccounts validateEbsEncryptionDeploymentTargetOUs validateKeyPolicyFiles validateKmsKeyConfigDeploymentTargetAccounts validateKmsKeyConfigDeploymentTargetOUs validateResourcePolicyEnforcementConfig validateResourcePolicyParameters validateSecurityHubNotifications validateSnsTopics validateSsmDocumentDeploymentTargetOUs validateSsmDocumentFiles validateSsmDocumentNames validateSsmDocumentsDeploymentTargetAccounts

Constructors

constructor

Methods

Private getAccountNames

  • Prepare list of Account names from account config file

    Returns

    Parameters

    Returns string[]

Private getOuIdNames

  • Prepare list of OU ids from organization config file

    Returns

    Parameters

    Returns string[]

Private getSnsTopicNames

  • Prepare list of SNS Topic names from the global config file

    Parameters

    Returns string[]

Private getSsmDocuments

  • Function to get SSM document names

    Returns

    Parameters

    Returns {
        name: string;
        template: string;
    }[]

Private guarddutyLifecycleRules

  • Validate S3 lifecycle expiration to be smaller than noncurrentVersionExpiration

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • errors: string[]

    Returns void

hasDuplicates

  • Parameters

    • arr: string[]

    Returns boolean

Private isConfigRuleCmkDependent

  • Function to check if given config rule uses solution deployed CMK replacement

    Returns

    Parameters

    Returns undefined | ConfigRule

Private macieLifecycleRules

  • Validate S3 lifecycle expiration to be smaller than noncurrentVersionExpiration

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • errors: string[]

    Returns void

Private validateAwsCloudWatchLogGroups

  • Function to validate AWS CloudWatch Log Groups configuration

    Parameters

    Returns void

Private validateAwsCloudWatchLogGroupsRetention

  • Function to validate AWS CloudWatch Log Groups retention values

    Parameters

    Returns void

Private validateAwsConfigAggregation

  • Parameters

    • globalConfig: GlobalConfig
    • accountNames: string[]
    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • errors: string[]

    Returns void

Private validateCloudWatchAlarmsDeploymentTargetAccounts

  • Function to validate existence of CloudWatch Alarms deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchAlarmsDeploymentTargetOUs

  • Function to validate existence of CloudWatch Alarms deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchLogGroupsDeploymentTargetAccounts

  • Function to validate existence of CloudWatch LogGroups deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchMetricsDeploymentTargetAccounts

  • Function to validate existence of CloudWatch Metrics deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchMetricsDeploymentTargetOUs

  • Function to validate existence of CloudWatch Metrics deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleAssets

  • Function to validate existence of custom config rule assets such as lambda zip file and role policy file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • errors: string[]

    Returns void

Private validateConfigRuleCmkDependency

  • Function to validate AWS Config rules do not use solution defined CMK when global config s3 encryption was disabled.

    Returns

    Parameters

    Returns void

Private validateConfigRuleDeploymentTargetAccounts

  • Function to validate existence of custom config rule deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleDeploymentTargetOUs

  • Function to validate existence of custom config rule deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleNames

  • Function to validate if AWS Config Rule names are unique to the environments they're deployed to respectively.

    Parameters

    • configItem: {
          aggregation: undefined | ({ enable: boolean; delegatedAdminAccount: string | undefined; });
          enableConfigurationRecorder: boolean;
          enableDeliveryChannel: undefined | boolean;
          overrideExisting: undefined | boolean;
          ruleSets: ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; })[];
      }
      • aggregation: undefined | ({ enable: boolean; delegatedAdminAccount: string | undefined; })
      • enableConfigurationRecorder: boolean
      • enableDeliveryChannel: undefined | boolean
      • overrideExisting: undefined | boolean
      • ruleSets: ({ deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; })[]
    • accountsConfig: AccountsConfig
    • globalConfig: GlobalConfig
    • errors: string[]

    Returns void

Private validateConfigRuleRemediationAccountNames

  • Validate Config rule remediation account name

    Parameters

    Returns void

Private validateConfigRuleRemediationAssumeRoleFile

  • Function to validate existence of config rule remediation assume role definition file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • errors: string[]

    Returns void

Private validateConfigRuleRemediationTargetAssets

  • Function to validate existence of config rule remediation target assets such as SSM document and lambda zip file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • ssmDocuments: {
          name: string;
          template: string;
      }[]
    • errors: string[]

    Returns void

Private validateCustomKeyName

  • Function to validate custom key existence in key list of keyManagementService

    Parameters

    Returns void

Private validateDelegatedAdminAccount

  • Validate delegated admin account name

    Parameters

    Returns void

Private validateDeploymentTargetAccountNames

  • Function to validate Deployment targets account name for security services

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateDeploymentTargetOUs

  • Function to validate Deployment targets OU name for security services

    Parameters

    Returns void

Private validateEbsEncryptionConfiguration

Private validateEbsEncryptionDeploymentTargetAccounts

  • Validate deployment target accounts for EBS default volume encryption

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }

      SecurityConfig

      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

      string[]

    Returns void

Private validateEbsEncryptionDeploymentTargetOUs

  • Validate deployment target OUs for EBS default volume encryption

    Parameters

    • values: SecurityConfig

      SecurityConfig

    • ouIdNames: string[]

      string[]

    • errors: string[]

      string[]

    Returns void

Private validateKeyPolicyFiles

  • Function to validate KMS key policy files existence

    Parameters

    Returns void

Private validateKmsKeyConfigDeploymentTargetAccounts

  • Function to validate existence of KMS key deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateKmsKeyConfigDeploymentTargetOUs

  • Function to validate existence of Key Management Service Config deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateResourcePolicyEnforcementConfig

  • Parameters

    • securityConfig: SecurityConfig
    • ouIdNames: string[]
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateResourcePolicyParameters

  • Function to validate if static parameter in resource policy templates is defined in replacements config

    Parameters

    Returns void

Private validateSecurityHubNotifications

  • Parameters

    • snsTopicNames: string[]
    • snsTopicName: undefined | string
    • notificationLevel: undefined | string
    • errors: string[]

    Returns void

Private validateSnsTopics

  • Function to validate that sns topic references are correct

    Parameters

    • globalConfig: GlobalConfig
    • alarmSet: {
          alarms: ({ alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; })[];
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          regions: undefined | string[];
      }
      • alarms: ({ alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; })[]
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • regions: undefined | string[]
    • snsTopicNames: string[]
    • errors: string[]

    Returns void

Private validateSsmDocumentDeploymentTargetOUs

  • Function to validate existence of SSM document deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateSsmDocumentFiles

  • Function to validate SSM document files existence

    Parameters

    • configDir: string
    • ssmDocuments: {
          name: string;
          template: string;
      }[]
    • errors: string[]

    Returns void

Private validateSsmDocumentNames

  • Parameters

    • ssmDocuments: {
          name: string;
          template: string;
      }[]
    • errors: string[]

    Returns void

Private validateSsmDocumentsDeploymentTargetAccounts

  • Function to validate existence of SSM documents deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...;
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
          resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...);
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean | undefined; overrideExisting: boolean | undefined; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { ...; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; } | undefined; excludeRegions: str...
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; logGroups: { ...; }[] | undefined; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
      • resourcePolicyEnforcement: undefined | ({ enable: boolean; remediation: { automatic: boolean; retryAttemptSeconds: number | undefined; maximumAutomaticAttempts: number | undefined; }; policySets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string...)
    • accountNames: string[]
    • errors: string[]

    Returns void

Settings

Member Visibility

Theme

Generated using TypeDoc