
Accelerator security configuration

Hierarchy

  • SecurityConfig

Implements

Index

Constructors

  • new SecurityConfig(values?: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, configDir?: string, validateConfig?: boolean): SecurityConfig
  • Parameters

    • Optional values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • Optional configDir: string
    • Optional validateConfig: boolean

    Returns SecurityConfig

Properties

accessAnalyzer: AccessAnalyzerConfig = ...
awsConfig: AwsConfig = ...
centralSecurityServices: CentralSecurityServicesConfig = ...

Central security configuration

cloudWatch: CloudWatchConfig = ...
iamPasswordPolicy: IamPasswordPolicyConfig = ...
keyManagementService: KeyManagementServiceConfig = ...
FILENAME: "security-config.yaml" = 'security-config.yaml'

Security configuration file name. This file must be present in the accelerator config repository.

Methods

  • getAccountNames(configDir: string, accountNames: string[]): void
  • Prepare list of Account names from account config file

    Parameters

    • configDir: string
    • accountNames: string[]

    Returns void

  • getDelegatedAccountName(): string
  • Return delegated-admin-account name

    Returns string

  • getOuIdNames(configDir: string, ouIdNames: string[]): void
  • Prepare list of OU ids from organization config file

    Parameters

    • configDir: string
    • ouIdNames: string[]

    Returns void

  • getSnsTopicNames(configDir: string): string[]
  • Prepare list of SNS Topic names from the global config file

    Parameters

    • configDir: string

    Returns string[]

  • getSsmDocuments(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ssmDocuments: { name: string; template: string }[]): void
  • Function to get SSM document names

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ssmDocuments: { name: string; template: string }[]

    Returns void

  • guarddutyLifecycleRules(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, errors: string[]): void
  • Validate that the S3 lifecycle expiration is smaller than noncurrentVersionExpiration

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • errors: string[]

    Returns void

  • macieLifecycleRules(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, errors: string[]): void
  • Validate that the S3 lifecycle expiration is smaller than noncurrentVersionExpiration

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • errors: string[]

    Returns void

  • validateCloudWatchAlarmsDeploymentTargetAccounts(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, accountNames: string[], errors: string[]): void
  • Function to validate existence of CloudWatch Alarms deployment target Accounts. Make sure deployment target Accounts are part of the account config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • accountNames: string[]
    • errors: string[]

    Returns void

  • validateCloudWatchAlarmsDeploymentTargetOUs(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ouIdNames: string[], errors: string[]): void
  • Function to validate existence of CloudWatch Alarms deployment target OUs. Make sure deployment target OUs are part of the Organization config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ouIdNames: string[]
    • errors: string[]

    Returns void

  • validateCloudWatchMetricsDeploymentTargetAccounts(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, accountNames: string[], errors: string[]): void
  • Validates that the CloudWatch Metrics deployment target accounts exist. Makes sure the deployment target accounts are part of the account config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • accountNames: string[]
    • errors: string[]

    Returns void

  • validateCloudWatchMetricsDeploymentTargetOUs(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ouIdNames: string[], errors: string[]): void
  • Validates that the CloudWatch Metrics deployment target OUs exist. Makes sure the deployment target OUs are part of the Organization config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ouIdNames: string[]
    • errors: string[]

    Returns void

  • validateConfigRuleAssets(configDir: string, ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }, errors: string[]): void
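  • Validates that custom config rule assets, such as the Lambda zip file and the role policy file, exist. As described, this is an existence check; the description does not say that the contents of the zip file or the policy are inspected.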

    Parameters

    • configDir: string
    • ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[]
    • errors: string[]

    Returns void

  • validateConfigRuleDeploymentTargetAccounts(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, accountNames: string[], errors: string[]): void
  • Validates that the custom config rule deployment target accounts exist. Makes sure the deployment target accounts are part of the account config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • accountNames: string[]
    • errors: string[]

    Returns void

  • validateConfigRuleDeploymentTargetOUs(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ouIdNames: string[], errors: string[]): void
  • Validates that the custom config rule deployment target OUs exist. Makes sure the deployment target OUs are part of the Organization config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ouIdNames: string[]
    • errors: string[]

    Returns void

  • validateConfigRuleRemediationAssumeRoleFile(configDir: string, ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }, errors: string[]): void
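  • Validates that the config rule remediation assume role definition file exists. According to this description only the file's presence is checked; the permissions granted by the role definition are not stated to be validated here.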

    Parameters

    • configDir: string
    • ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[]
    • errors: string[]

    Returns void

  • validateConfigRuleRemediationTargetAssets(configDir: string, ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }, ssmDocuments: { name: string; template: string }[], errors: string[]): void
  • Validates that config rule remediation target assets, such as the SSM document and the Lambda zip file, exist.

    Parameters

    • configDir: string
    • ruleSet: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[] }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: { name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; }[]
    • ssmDocuments: { name: string; template: string }[]
    • errors: string[]

    Returns void

  • validateCustomKeyName(keyNames: string[], errors: string[]): void
  • Validates that each custom key name exists in the key list of keyManagementService.

    Parameters

    • keyNames: string[]
    • errors: string[]

    Returns void

  • validateDeploymentTargetAccountNames(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, accountNames: string[], errors: string[]): void
  • Validates the deployment target account names for security services.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • accountNames: string[]
    • errors: string[]

    Returns void

  • validateDeploymentTargetOUs(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ouIdNames: string[], errors: string[]): void
  • Validates the deployment target OU names for security services.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ouIdNames: string[]
    • errors: string[]

    Returns void

  • validateKeyPolicyFiles(configDir: string, errors: string[]): void
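  • Function to validate that the KMS key policy files exist. As documented, this is an existence check only; the description does not say that the contents of the policy files are validated, so the key policies themselves still need separate review.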

    Parameters

    • configDir: string
    • errors: string[]

    Returns void

  • validateSecurityHubNotifications(snsTopicNames: string[], snsTopicName: undefined | string, notificationLevel: undefined | string, errors: string[]): void
  • Parameters

    • snsTopicNames: string[]
    • snsTopicName: undefined | string
    • notificationLevel: undefined | string
    • errors: string[]

    Returns void

  • validateSnsTopics(configDir: string, alarmSet: { alarms: { alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; }[]; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; regions: undefined | string[] }, snsTopicNames: string[], errors: string[]): void
  • Function to validate that SNS topic references are correct.

    Parameters

    • configDir: string
    • alarmSet: { alarms: { alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; }[]; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; regions: undefined | string[] }
      • alarms: { alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; }[]
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • regions: undefined | string[]
    • snsTopicNames: string[]
    • errors: string[]

    Returns void

  • validateSsmDocumentDeploymentTargetOUs(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, ouIdNames: string[], errors: string[]): void
  • Function to validate the existence of SSM document deployment target OUs. Makes sure the deployment target OUs are part of the Organization config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • ouIdNames: string[]
    • errors: string[]

    Returns void

  • validateSsmDocumentFiles(configDir: string, ssmDocuments: { name: string; template: string }[], errors: string[]): void
  • Function to validate that the SSM document files exist.

    Parameters

    • configDir: string
    • ssmDocuments: { name: string; template: string }[]
    • errors: string[]

    Returns void

  • validateSsmDocumentsDeploymentTargetAccounts(values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }, accountNames: string[], errors: string[]): void
  • Function to validate the existence of SSM document deployment target accounts. Makes sure the deployment target accounts are part of the account config file.

    Parameters

    • values: { accessAnalyzer: { enable: boolean; }; awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }; centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }; cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }; iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }; keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; } }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; ruleSets: { deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-northeast-1" | "ap-northeast-2" | ... 23 more ... | "us-isob-east-1")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | { keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: "destroy" | ... 2 more ... | undefined; deploymentTargets: { ...; }; }[]; }
    • accountNames: string[]
    • errors: string[]

    Returns void

  • Parameters

    • dir: string
    • Optional validateConfig: boolean

    Returns SecurityConfig

  • Load from string content

    Parameters

    • content: string

    Returns undefined | SecurityConfig
