Class SecurityConfig

Accelerator security configuration

Hierarchy

  • SecurityConfig

Implements

Constructors

constructor

Properties

accessAnalyzer awsConfig centralSecurityServices cloudWatch iamPasswordPolicy keyManagementService FILENAME

Methods

getAccountNames getDelegatedAccountName getOuIdNames getSnsTopicNames getSsmDocuments guarddutyLifecycleRules macieLifecycleRules validateAwsConfigAggregation validateCloudWatchAlarmsDeploymentTargetAccounts validateCloudWatchAlarmsDeploymentTargetOUs validateCloudWatchMetricsDeploymentTargetAccounts validateCloudWatchMetricsDeploymentTargetOUs validateConfigRuleAssets validateConfigRuleDeploymentTargetAccounts validateConfigRuleDeploymentTargetOUs validateConfigRuleRemediationAssumeRoleFile validateConfigRuleRemediationTargetAssets validateCustomKeyName validateDeploymentTargetAccountNames validateDeploymentTargetOUs validateKeyPolicyFiles validateSecurityHubNotifications validateSnsTopics validateSsmDocumentDeploymentTargetOUs validateSsmDocumentFiles validateSsmDocumentsDeploymentTargetAccounts load loadFromString

Constructors

constructor

  • Parameters

    • Optional values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • Optional configDir: string
    • Optional validateConfig: boolean

    Returns SecurityConfig

Properties

Readonly accessAnalyzer

accessAnalyzer: AccessAnalyzerConfig = ...

Readonly awsConfig

awsConfig: AwsConfig = ...

Readonly centralSecurityServices

centralSecurityServices: CentralSecurityServicesConfig = ...

Central security configuration

Readonly cloudWatch

cloudWatch: CloudWatchConfig = ...

Readonly iamPasswordPolicy

iamPasswordPolicy: IamPasswordPolicyConfig = ...

Readonly keyManagementService

keyManagementService: KeyManagementServiceConfig = ...

Static Readonly FILENAME

FILENAME: "security-config.yaml" = 'security-config.yaml'

Security configuration file name, this file must be present in accelerator config repository

Methods

Private getAccountNames

  • Prepare list of Account names from account config file

    Parameters

    • configDir: string
    • accountNames: string[]

    Returns void

getDelegatedAccountName

  • Return delegated-admin-account name

    Returns string

Private getOuIdNames

  • Prepare list of OU ids from organization config file

    Parameters

    • configDir: string
    • ouIdNames: string[]

    Returns void

Private getSnsTopicNames

  • Prepare list of SNS Topic names from the global config file

    Parameters

    • configDir: string

    Returns string[]

Private getSsmDocuments

  • Function to get SSM document names

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ssmDocuments: {
          name: string;
          template: string;
      }[]

    Returns void

Private guarddutyLifecycleRules

  • Validate S3 lifecycle expiration to be smaller than noncurrentVersionExpiration

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • errors: string[]

    Returns void

Private macieLifecycleRules

  • Validate S3 lifecycle expiration to be smaller than noncurrentVersionExpiration

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • errors: string[]

    Returns void

Private validateAwsConfigAggregation

  • Parameters

    • configDir: string
    • accountNames: string[]
    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • errors: string[]

    Returns void

Private validateCloudWatchAlarmsDeploymentTargetAccounts

  • Function to validate existence of CloudWatch Alarms deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchAlarmsDeploymentTargetOUs

  • Function to validate existence of CloudWatch Alarms deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchMetricsDeploymentTargetAccounts

  • Function to validate existence of CloudWatch Metrics deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateCloudWatchMetricsDeploymentTargetOUs

  • Function to validate existence of CloudWatch Metrics deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleAssets

  • Function to validate existence of custom config rule assets such as lambda zip file and role policy file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • errors: string[]

    Returns void

Private validateConfigRuleDeploymentTargetAccounts

  • Function to validate existence of custom config rule deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleDeploymentTargetOUs

  • Function to validate existence of custom config rule deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateConfigRuleRemediationAssumeRoleFile

  • Function to validate existence of config rule remediation assume role definition file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • errors: string[]

    Returns void

Private validateConfigRuleRemediationTargetAssets

  • Function to validate existence of config rule remediation target assets such as SSM document and lambda zip file

    Parameters

    • configDir: string
    • ruleSet: {
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[];
      }
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • rules: ({ name: string; description: string | undefined; identifier: string | undefined; inputParameters: { [x: string]: string; } | undefined; complianceResourceTypes: string[] | undefined; type: string | undefined; customRule: { ...; } | undefined; remediation: { ...; } | undefined; tags: { ...; }[] | undefined; })[]
    • ssmDocuments: {
          name: string;
          template: string;
      }[]
    • errors: string[]

    Returns void

Private validateCustomKeyName

  • Function to validate custom key existence in key list of keyManagementService

    Parameters

    • keyNames: string[]
    • errors: string[]

    Returns void

Private validateDeploymentTargetAccountNames

  • Function to validate Deployment targets account name for security services

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • accountNames: string[]
    • errors: string[]

    Returns void

Private validateDeploymentTargetOUs

  • Function to validate Deployment targets OU name for security services

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateKeyPolicyFiles

  • Function to validate KMS key policy files existence

    Parameters

    • configDir: string
    • errors: string[]

    Returns void

Private validateSecurityHubNotifications

  • Parameters

    • snsTopicNames: string[]
    • snsTopicName: undefined | string
    • notificationLevel: undefined | string
    • errors: string[]

    Returns void

Private validateSnsTopics

  • Function to validate that sns topic references are correct

    Parameters

    • configDir: string
    • alarmSet: {
          alarms: ({ alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; })[];
          deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; };
          regions: undefined | string[];
      }
      • alarms: ({ alarmName: string; alarmDescription: string; snsAlertLevel: string | undefined; snsTopicName: string | undefined; metricName: string; namespace: string; comparisonOperator: string; ... 4 more ...; treatMissingData: string; })[]
      • deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }
      • regions: undefined | string[]
    • snsTopicNames: string[]
    • errors: string[]

    Returns void

Private validateSsmDocumentDeploymentTargetOUs

  • Function to validate existence of SSM document deployment target OUs Make sure deployment target OUs are part of Organization config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • ouIdNames: string[]
    • errors: string[]

    Returns void

Private validateSsmDocumentFiles

  • Function to validate SSM document files existence

    Parameters

    • configDir: string
    • ssmDocuments: {
          name: string;
          template: string;
      }[]
    • errors: string[]

    Returns void

Private validateSsmDocumentsDeploymentTargetAccounts

  • Function to validate existence of SSM documents deployment target Accounts Make sure deployment target Accounts are part of account config file

    Parameters

    • values: {
          accessAnalyzer: { enable: boolean; };
          awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; };
          centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; };
          cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; };
          iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; };
          keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; });
      }
      • accessAnalyzer: { enable: boolean; }
      • awsConfig: { enableConfigurationRecorder: boolean; enableDeliveryChannel: boolean; aggregation: { enable: boolean; delegatedAdminAccount: string | undefined; } | undefined; ruleSets: { deploymentTargets: { ...; }; rules: { ...; }[]; }[]; }
      • centralSecurityServices: { delegatedAdminAccount: string; ebsDefaultVolumeEncryption: { enable: boolean; kmsKey: string | undefined; excludeRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-southeast-1" | ... 29 more ... | "ap-southeast-4")[] | undefined; }; ... 7 more ...; ssmAutomation: { ...; }; }
      • cloudWatch: { metricSets: { regions: string[] | undefined; deploymentTargets: { organizationalUnits: string[] | undefined; accounts: string[] | undefined; excludedRegions: string[] | undefined; excludedAccounts: string[] | undefined; }; metrics: { ...; }[]; }[]; alarmSets: { ...; }[]; }
      • iamPasswordPolicy: { allowUsersToChangePassword: boolean; hardExpiry: boolean; requireUppercaseCharacters: boolean; requireLowercaseCharacters: boolean; requireSymbols: boolean; requireNumbers: boolean; minimumPasswordLength: number; passwordReusePrevention: number; maxPasswordAge: number; }
      • keyManagementService: undefined | ({ keySets: { name: string; alias: string | undefined; policy: string | undefined; description: string | undefined; enableKeyRotation: boolean | undefined; enabled: boolean | undefined; removalPolicy: string | undefined; deploymentTargets: { ...; }; }[]; })
    • accountNames: string[]
    • errors: string[]

    Returns void

Static load

  • Returns

    Parameters

    • dir: string
    • Optional validateConfig: boolean

    Returns SecurityConfig

Static loadFromString

  • Load from string content

    Parameters

    • content: string

    Returns undefined | SecurityConfig

Settings

Member Visibility

Theme

Generated using TypeDoc