diff --git a/README.md b/README.md index c6a6e83..9850c72 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,12 @@ KMS Key Policy: * [Templatized Key Policy](examples/generated.key-policy.json) * [KeyPolicy attribute of Key resource in CFn template](examples/K9Example.template.json) +DynamoDB Resource Policy: + +* [Templatized DynamoDB Resource Policy](examples/generated.dynamodb-policy.json) +* [ResourcePolicy attribute of GlobalTable resource in CFn template](examples/K9Example.template.json) + + ## Specialized Use Cases k9-cdk can be configured to support specialized use cases, including: diff --git a/examples/K9Example.template.json b/examples/K9Example.template.json index b210e92..90827d5 100644 --- a/examples/K9Example.template.json +++ b/examples/K9Example.template.json 
@@ -1,836 +1,1070 @@ { - "Resources": { - "TestBucket560B80BC": { - "Type": "AWS::S3::Bucket", - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain", - "Metadata": { - "aws:cdk:path": "K9Example/TestBucket/Resource" - } + "Resources": { + "TestBucket560B80BC": { + "Type": "AWS::S3::Bucket", + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "aws:cdk:path": "K9Example/TestBucket/Resource" + } + }, + "S3BucketPolicy189C1E8E": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "TestBucket560B80BC" }, - "S3BucketPolicy189C1E8E": { - "Type": "AWS::S3::BucketPolicy", - "Properties": { - "Bucket": { - "Ref": "TestBucket560B80BC" - }, - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "s3:DeleteBucket", - "s3:DeleteBucketPolicy", - "s3:DeleteBucketWebsite", - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:PutAccelerateConfiguration", - "s3:PutAnalyticsConfiguration", - "s3:PutBucketAcl", - "s3:PutBucketCORS", - "s3:PutBucketLogging", - "s3:PutBucketNotification", - "s3:PutBucketObjectLockConfiguration", - "s3:PutBucketPolicy", - "s3:PutBucketPublicAccessBlock", - "s3:PutBucketRequestPayment", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutBucketWebsite", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutObjectAcl", - "s3:PutObjectLegalHold", - "s3:PutObjectRetention", - "s3:PutObjectVersionAcl", - "s3:PutReplicationConfiguration" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:user/ci", - "arn:aws:iam::123456789012:user/person1" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "Allow Restricted administer-resource" - }, - { - 
"Action": [ - "s3:GetAccelerateConfiguration", - "s3:GetAnalyticsConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLocation", - "s3:GetBucketLogging", - "s3:GetBucketNotification", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketOwnershipControls", - "s3:GetBucketPolicy", - "s3:GetBucketPolicyStatus", - "s3:GetBucketPublicAccessBlock", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetInventoryConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetMetricsConfiguration", - "s3:GetObjectAcl", - "s3:GetObjectLegalHold", - "s3:GetObjectRetention", - "s3:GetObjectTagging", - "s3:GetObjectVersionAcl", - "s3:GetObjectVersionTagging", - "s3:GetReplicationConfiguration", - "s3:ListBucketMultipartUploads", - "s3:ListBucketVersions", - "s3:ListMultipartUploadParts" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:user/ci", - "arn:aws:iam::123456789012:user/person1", - "arn:aws:iam::123456789012:role/k9-auditor" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "Allow Restricted read-config" - }, - { - "Action": [ - "s3:GetObject", - "s3:GetObjectTorrent", - "s3:GetObjectVersion", - "s3:GetObjectVersionForReplication", - "s3:GetObjectVersionTorrent", - "s3:ListBucket" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:role/app-backend", - "arn:aws:iam::123456789012:role/customer-service" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - 
] - } - ], - "Sid": "Allow Restricted read-data" - }, - { - "Action": [ - "s3:AbortMultipartUpload", - "s3:PutBucketTagging", - "s3:PutObject", - "s3:PutObjectTagging", - "s3:PutObjectVersionTagging", - "s3:ReplicateDelete", - "s3:ReplicateObject", - "s3:ReplicateTags", - "s3:RestoreObject" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:role/app-backend" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "Allow Restricted write-data" - }, - { - "Action": [ - "s3:DeleteObject", - "s3:DeleteObjectTagging", - "s3:DeleteObjectVersion", - "s3:DeleteObjectVersionTagging" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "Allow Restricted delete-data" - }, - { - "Action": "s3:*", - "Condition": { - "Bool": { - "aws:SecureTransport": false - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "DenyInsecureCommunications" - }, - { - "Action": [ - "s3:PutObject", - "s3:ReplicateObject" - ], - "Condition": { - "Null": { - "s3:x-amz-server-side-encryption": true - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - 
"Sid": "DenyUnencryptedStorage" - }, - { - "Action": [ - "s3:PutObject", - "s3:ReplicateObject" - ], - "Condition": { - "StringNotEquals": { - "s3:x-amz-server-side-encryption": "aws:kms" - } - }, - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "DenyUnexpectedEncryptionMethod" - }, - { - "Action": "s3:*", - "Condition": { - "ArnNotEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:user/ci", - "arn:aws:iam::123456789012:user/person1", - "arn:aws:iam::123456789012:role/k9-auditor", - "arn:aws:iam::123456789012:role/app-backend", - "arn:aws:iam::123456789012:role/customer-service" - ] - } - }, - "Effect": "Deny", - "Principal": { - "AWS": [ - "*", - "*" - ] - }, - "Resource": [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - { - "Fn::Join": [ - "", - [ - { - "Fn::GetAtt": [ - "TestBucket560B80BC", - "Arn" - ] - }, - "/*" - ] - ] - } - ], - "Sid": "DenyEveryoneElse" - } - ], - "Version": "2012-10-17" + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteBucket", + "s3:DeleteBucketPolicy", + "s3:DeleteBucketWebsite", + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:PutAccelerateConfiguration", + "s3:PutAnalyticsConfiguration", + "s3:PutBucketAcl", + "s3:PutBucketCORS", + "s3:PutBucketLogging", + "s3:PutBucketNotification", + "s3:PutBucketObjectLockConfiguration", + "s3:PutBucketOwnershipControls", + "s3:PutBucketPolicy", + "s3:PutBucketPublicAccessBlock", + "s3:PutBucketRequestPayment", + "s3:PutBucketTagging", + "s3:PutBucketVersioning", + "s3:PutBucketWebsite", + "s3:PutEncryptionConfiguration", + "s3:PutIntelligentTieringConfiguration", + "s3:PutInventoryConfiguration", + "s3:PutLifecycleConfiguration", + "s3:PutMetricsConfiguration", + "s3:PutObjectAcl", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + 
"s3:PutObjectVersionAcl", + "s3:PutReplicationConfiguration" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] } + ], + "Sid": "Allow Restricted administer-resource" }, - "Metadata": { - "aws:cdk:path": "K9Example/S3BucketPolicy/Resource" - } - }, - "TestKey4CACAF33": { - "Type": "AWS::KMS::Key", - "Properties": { - "KeyPolicy": { - "Statement": [ - { - "Action": [ - "kms:CancelKeyDeletion", - "kms:ConnectCustomKeyStore", - "kms:CreateAlias", - "kms:CreateCustomKeyStore", - "kms:CreateGrant", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:DisableKey", - "kms:DisableKeyRotation", - "kms:DisconnectCustomKeyStore", - "kms:EnableKey", - "kms:EnableKeyRotation", - "kms:PutKeyPolicy", - "kms:RetireGrant", - "kms:RevokeGrant", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "kms:UntagResource", - "kms:UpdateAlias", - "kms:UpdateCustomKeyStore", - "kms:UpdateKeyDescription" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:user/ci", - "arn:aws:iam::123456789012:user/person1" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": "*", - "Sid": "Allow Restricted administer-resource" - }, - { - "Action": [ - "kms:DescribeCustomKeyStores", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:GetParametersForImport", - "kms:GetPublicKey", - "kms:ListAliases", - "kms:ListGrants", - "kms:ListKeyPolicies", - "kms:ListKeys", - "kms:ListResourceTags", - "kms:ListRetirableGrants" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:user/ci", - "arn:aws:iam::123456789012:user/person1" - ] - } - }, - 
"Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": "*", - "Sid": "Allow Restricted read-config" - }, - { - "Action": [ - "kms:Decrypt", - "kms:Verify" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:role/app-backend", - "arn:aws:iam::123456789012:role/customer-service" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": "*", - "Sid": "Allow Restricted read-data" - }, - { - "Action": [ - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyPair", - "kms:GenerateDataKeyPairWithoutPlaintext", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:GenerateRandom", - "kms:ImportKeyMaterial", - "kms:ReEncryptFrom", - "kms:ReEncryptTo", - "kms:Sign" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [ - "arn:aws:iam::123456789012:role/app-backend" - ] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": "*", - "Sid": "Allow Restricted write-data" - }, - { - "Action": [ - "kms:DeleteCustomKeyStore", - "kms:DeleteImportedKeyMaterial" - ], - "Condition": { - "ArnEquals": { - "aws:PrincipalArn": [] - } - }, - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Resource": "*", - "Sid": "Allow Restricted delete-data" - } - ], - "Version": "2012-10-17" + { + "Action": [ + "s3:GetAccelerateConfiguration", + "s3:GetAnalyticsConfiguration", + "s3:GetBucketAcl", + "s3:GetBucketCORS", + "s3:GetBucketLocation", + "s3:GetBucketLogging", + "s3:GetBucketNotification", + "s3:GetBucketObjectLockConfiguration", + "s3:GetBucketOwnershipControls", + "s3:GetBucketPolicy", + "s3:GetBucketPolicyStatus", + "s3:GetBucketPublicAccessBlock", + "s3:GetBucketRequestPayment", + "s3:GetBucketTagging", + "s3:GetBucketVersioning", + "s3:GetBucketWebsite", + "s3:GetEncryptionConfiguration", + "s3:GetIntelligentTieringConfiguration", + "s3:GetInventoryConfiguration", + "s3:GetLifecycleConfiguration", + "s3:GetMetricsConfiguration", + "s3:GetObjectAcl", + 
"s3:GetObjectAttributes", + "s3:GetObjectLegalHold", + "s3:GetObjectRetention", + "s3:GetObjectTagging", + "s3:GetObjectVersionAcl", + "s3:GetObjectVersionAttributes", + "s3:GetObjectVersionTagging", + "s3:GetReplicationConfiguration", + "s3:ListBucketMultipartUploads", + "s3:ListBucketVersions", + "s3:ListMultipartUploadParts" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] } + ], + "Sid": "Allow Restricted read-config" }, - "UpdateReplacePolicy": "Retain", - "DeletionPolicy": "Retain", - "Metadata": { - "aws:cdk:path": "K9Example/TestKey/Resource" - } - }, - "CDKMetadata": { - "Type": "AWS::CDK::Metadata", - "Properties": { - "Analytics": "v2:deflate64:H4sIAAAAAAAA/0WJQQ6CMBBFz8K+HS0aDyBLNwYOQLAdk6HQJkyrIU3vLlgTV+/992tQcKyGN0ttrJzoAakLg7ZiS33iE6Rr1BaDaJ7uZwV3P5Fe/7nsLOzMkG74fTbkvEuL7OOicffGO0OBvMvCeYMw8uGlLqDOUFcjE8klukAzQlv4ARZMD8OiAAAA" + { + "Action": [ + "s3:GetObject", + "s3:GetObjectTorrent", + "s3:GetObjectVersion", + "s3:GetObjectVersionForReplication", + "s3:GetObjectVersionTorrent", + "s3:ListBucket" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] + } + ], + "Sid": "Allow Restricted 
read-data" }, - "Metadata": { - "aws:cdk:path": "K9Example/CDKMetadata/Default" + { + "Action": [ + "s3:AbortMultipartUpload", + "s3:InitiateReplication", + "s3:PutBucketTagging", + "s3:PutObject", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging", + "s3:ReplicateDelete", + "s3:ReplicateObject", + "s3:ReplicateTags", + "s3:RestoreObject" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] + } + ], + "Sid": "Allow Restricted write-data" }, - "Condition": "CDKMetadataAvailable" - } - }, - "Conditions": { - "CDKMetadataAvailable": { - "Fn::Or": [ + { + "Action": [ + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:DeleteObjectVersion", + "s3:DeleteObjectVersionTagging" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": [ { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "af-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-northeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ap-southeast-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "ca-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "cn-northwest-1" - ] - } + "Fn::GetAtt": [ + 
"TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" ] + ] + } + ], + "Sid": "Allow Restricted delete-data" + }, + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] }, { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-central-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-north-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-2" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "eu-west-3" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "me-south-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "sa-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-east-2" - ] - } + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" ] + ] + } + ], + "Sid": "DenyInsecureCommunications" + }, + { + "Action": [ + "s3:PutObject", + "s3:ReplicateObject" + ], + "Condition": { + "Null": { + "s3:x-amz-server-side-encryption": true + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] }, { - "Fn::Or": [ - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-1" - ] - }, - { - "Fn::Equals": [ - { - "Ref": "AWS::Region" - }, - "us-west-2" - ] - } + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" ] + ] } - ] + ], + "Sid": "DenyUnencryptedStorage" + }, + { + "Action": [ + 
"s3:PutObject", + "s3:ReplicateObject" + ], + "Condition": { + "StringNotEquals": { + "s3:x-amz-server-side-encryption": "aws:kms" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] + } + ], + "Sid": "DenyUnexpectedEncryptionMethod" + }, + { + "Action": "s3:*", + "Condition": { + "ArnNotEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Deny", + "Principal": { + "AWS": [ + "*", + "*" + ] + }, + "Resource": [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "TestBucket560B80BC", + "Arn" + ] + }, + "/*" + ] + ] + } + ], + "Sid": "DenyEveryoneElse" + } + ], + "Version": "2012-10-17" } + }, + "Metadata": { + "aws:cdk:path": "K9Example/S3BucketPolicy/Resource" + } }, - "Parameters": { - "BootstrapVersion": { - "Type": "AWS::SSM::Parameter::Value", - "Default": "/cdk-bootstrap/hnb659fds/version", - "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. 
[cdk:skip]" + "TestKey4CACAF33": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:ConnectCustomKeyStore", + "kms:CreateAlias", + "kms:CreateCustomKeyStore", + "kms:CreateGrant", + "kms:CreateKey", + "kms:DeleteAlias", + "kms:DisableKey", + "kms:DisableKeyRotation", + "kms:DisconnectCustomKeyStore", + "kms:EnableKey", + "kms:EnableKeyRotation", + "kms:PutKeyPolicy", + "kms:RetireGrant", + "kms:RevokeGrant", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:UpdateAlias", + "kms:UpdateCustomKeyStore", + "kms:UpdateKeyDescription" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "Allow Restricted administer-resource" + }, + { + "Action": [ + "kms:DescribeCustomKeyStores", + "kms:DescribeKey", + "kms:GetKeyPolicy", + "kms:GetKeyRotationStatus", + "kms:GetParametersForImport", + "kms:GetPublicKey", + "kms:ListAliases", + "kms:ListGrants", + "kms:ListKeyPolicies", + "kms:ListKeys", + "kms:ListResourceTags", + "kms:ListRetirableGrants" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "Allow Restricted read-config" + }, + { + "Action": [ + "kms:Decrypt", + "kms:Verify" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "Allow Restricted read-data" + }, + { + "Action": [ + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyPair", + 
"kms:GenerateDataKeyPairWithoutPlaintext", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:GenerateRandom", + "kms:ImportKeyMaterial", + "kms:ReEncryptFrom", + "kms:ReEncryptTo", + "kms:Sign" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "Allow Restricted write-data" + }, + { + "Action": [ + "kms:DeleteCustomKeyStore", + "kms:DeleteImportedKeyMaterial" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "Allow Restricted delete-data" + } + ], + "Version": "2012-10-17" } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "aws:cdk:path": "K9Example/TestKey/Resource" + } }, - "Rules": { - "CheckBootstrapVersion": { - "Assertions": [ - { - "Assert": { - "Fn::Not": [ - { - "Fn::Contains": [ - [ - "1", - "2", - "3", - "4", - "5" - ], - { - "Ref": "BootstrapVersion" - } - ] - } + "TestTable5769773A": { + "Type": "AWS::DynamoDB::GlobalTable", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "pk", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "pk", + "KeyType": "HASH" + } + ], + "Replicas": [ + { + "Region": { + "Ref": "AWS::Region" + }, + "ResourcePolicy": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "dynamodb:CreateBackup", + "dynamodb:DeleteResourcePolicy", + "dynamodb:DeleteTableReplica", + "dynamodb:DisableKinesisStreamingDestination", + "dynamodb:EnableKinesisStreamingDestination", + "dynamodb:ExportTableToPointInTime", + "dynamodb:PutResourcePolicy", + "dynamodb:RestoreTableToPointInTime", + "dynamodb:TagResource", + "dynamodb:UntagResource", + "dynamodb:UpdateContinuousBackups", + "dynamodb:UpdateContributorInsights", + "dynamodb:UpdateKinesisStreamingDestination", + 
"dynamodb:UpdateTable", + "dynamodb:UpdateTableReplicaAutoScaling", + "dynamodb:UpdateTimeToLive" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1" ] + } }, - "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." - } + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedAdministerResource" + }, + { + "Action": [ + "dynamodb:DescribeContinuousBackups", + "dynamodb:DescribeContributorInsights", + "dynamodb:DescribeExport", + "dynamodb:DescribeKinesisStreamingDestination", + "dynamodb:DescribeTable", + "dynamodb:DescribeTableReplicaAutoScaling", + "dynamodb:DescribeTimeToLive", + "dynamodb:GetResourcePolicy", + "dynamodb:ListTagsOfResource" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedReadConfig" + }, + { + "Action": [ + "dynamodb:BatchGetItem", + "dynamodb:ConditionCheckItem", + "dynamodb:GetItem", + "dynamodb:PartiQLSelect", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedReadData" + }, + { + "Action": [ + "dynamodb:BatchWriteItem", + "dynamodb:PartiQLInsert", + "dynamodb:PartiQLUpdate", + "dynamodb:PutItem", + "dynamodb:UpdateItem" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + 
"arn:aws:iam::123456789012:role/app-backend" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedWriteData" + }, + { + "Action": [ + "dynamodb:DeleteItem", + "dynamodb:DeleteTable", + "dynamodb:DeleteTableReplica", + "dynamodb:PartiQLDelete" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedDeleteData" + }, + { + "Action": "dynamodb:*", + "Condition": { + "Bool": { + "aws:PrincipalIsAWSService": [ + "false" + ] + }, + "ArnNotEquals": { + "aws:PrincipalArn": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + }, + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Deny", + "Principal": { + "AWS": [ + "*", + "*" + ] + }, + "Resource": "*", + "Sid": "DenyEveryoneElse" + } + ], + "Version": "2012-10-17" + } + } + } + ] + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain", + "Metadata": { + "aws:cdk:path": "K9Example/TestTable/Resource" + } + }, + "CDKMetadata": { + "Type": "AWS::CDK::Metadata", + "Properties": { + "Analytics": "v2:deflate64:H4sIAAAAAAAA/0WJyw6CMBBFv4V9GQGJHyALF2wIGremjzEZWtqEFglp+u8GMHF1zj23grK+QJHxxedS6dyQgHgPXGrGF/+K/gzxOkuNgTVv+7MDnTMk138+dmJ69BBb3J8W18TUavnolID44MLgs9qem3GCmz2ktIUevZsniZs3zioK5Gxi1imEwZ8+VQFlDUU2eKJ8mm2gEaE/+AVlye6ExgAAAA==" + }, + "Metadata": { + "aws:cdk:path": "K9Example/CDKMetadata/Default" + }, + "Condition": "CDKMetadataAvailable" + } + }, + "Conditions": { + "CDKMetadataAvailable": { + "Fn::Or": [ + { + "Fn::Or": [ + { + 
"Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "af-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-northeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ap-southeast-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "ca-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-northwest-1" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-north-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-west-3" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "il-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "me-south-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "sa-east-1" + ] + } + ] + }, + { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-east-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-east-2" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "us-west-2" + ] + } + ] + } + ] + } + }, + "Parameters": { + "BootstrapVersion": { 
+ "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." } + ] } + } } \ No newline at end of file diff --git a/examples/example.ts b/examples/example.ts index 093a79b..9737e6d 100644 --- a/examples/example.ts +++ b/examples/example.ts @@ -1,6 +1,7 @@ #!/usr/bin/env node import {writeFileSync} from 'fs'; import * as cdk from "aws-cdk-lib"; +import * as dynamodb from "aws-cdk-lib/aws-dynamodb"; import * as s3 from "aws-cdk-lib/aws-s3"; import * as kms from "aws-cdk-lib/aws-kms"; import * as k9 from "@k9securityio/k9-cdk"; @@ -11,7 +12,8 @@ const administerResourceArns = [ ]; const readConfigArns = administerResourceArns.concat([ - "arn:aws:iam::123456789012:role/k9-auditor" + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", ]); const writeDataArns = [ 
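Review bot: The new `readConfigArns` entry for the Access Analyzer service-linked role carries no comment explaining why a service role sits among the human and auditor principals, and, judging by the regenerated bucket policy later in this diff, listing it here both grants it the read-config statement and exempts it from `DenyEveryoneElse`. A one-line comment would spare the next reader a trip through the generated files: `// IAM Access Analyzer's service-linked role: presumably needs read-config to evaluate this policy; listing it here also exempts it from DenyEveryoneElse`. The ARN hard-codes the `aws` partition and the example account id like its neighbours, so it must be kept in step if those are ever parameterized. The `writeDataArns` declaration opened on the hunk's last line continues outside the hunk.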
@@ -82,4 +84,19 @@ writeFileSync('generated.key-policy.json', new kms.Key(stack, 'TestKey', {policy: keyPolicy}); + +const ddbResourcePolicyProps: k9.dynamodb.K9DynamoDBResourcePolicyProps = { + k9DesiredAccess: k9BucketPolicyProps.k9DesiredAccess +}; + +const ddbResourcePolicy = k9.dynamodb.makeResourcePolicy(ddbResourcePolicyProps); + +writeFileSync('generated.dynamodb-policy.json', + JSON.stringify(ddbResourcePolicy.toJSON(), null, 2)); + +new dynamodb.TableV2(stack, 'TestTable', { + partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING }, + resourcePolicy: ddbResourcePolicy, +}); + app.synth(); diff --git a/examples/generated.bucket-policy.json b/examples/generated.bucket-policy.json index 8fbaf16..9fdc0f7 100644 --- a/examples/generated.bucket-policy.json +++ b/examples/generated.bucket-policy.json @@ -13,6 +13,7 @@ "s3:PutBucketLogging", "s3:PutBucketNotification", "s3:PutBucketObjectLockConfiguration", + "s3:PutBucketOwnershipControls", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutBucketRequestPayment", @@ -20,6 +21,7 @@ "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", + "s3:PutIntelligentTieringConfiguration", "s3:PutInventoryConfiguration", "s3:PutLifecycleConfiguration", "s3:PutMetricsConfiguration", @@ -42,8 +44,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "Allow Restricted administer-resource" }, 
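Review bot: The DynamoDB additions have no comment stating that `ddbResourcePolicyProps` deliberately reuses `k9BucketPolicyProps.k9DesiredAccess` (declared outside this hunk), so a reader cannot tell whether the table and bucket are meant to share one principal set or whether this is just a shortcut for the example. Suggested comment above the props: `// Reuse the bucket's desired-access spec so the table and bucket grant the same principals per access capability`. It is also worth a comment at the `writeFileSync` call that, unlike the bucket policy, the generated table policy in this diff uses `Resource: "*"` and its `DenyEveryoneElse` statement exempts the account root and AWS service principals, so readers comparing the two JSON files know the difference is intended library behaviour rather than a synthesis error — assuming that is the intent, which the hunk itself does not show.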
@@ -66,14 +68,17 @@ "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", + "s3:GetIntelligentTieringConfiguration", "s3:GetInventoryConfiguration", "s3:GetLifecycleConfiguration", "s3:GetMetricsConfiguration", "s3:GetObjectAcl", + "s3:GetObjectAttributes", "s3:GetObjectLegalHold", "s3:GetObjectRetention", "s3:GetObjectTagging", "s3:GetObjectVersionAcl", + "s3:GetObjectVersionAttributes", "s3:GetObjectVersionTagging", "s3:GetReplicationConfiguration", "s3:ListBucketMultipartUploads", @@ -85,7 +90,8 @@ "aws:PrincipalArn": [ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", - "arn:aws:iam::123456789012:role/k9-auditor" + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" ] } }, @@ -94,8 +100,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "Allow Restricted read-config" }, @@ -121,14 +127,15 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "Allow Restricted read-data" }, { "Action": [ "s3:AbortMultipartUpload", + "s3:InitiateReplication", "s3:PutBucketTagging", "s3:PutObject", "s3:PutObjectTagging", @@ -150,8 +157,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "Allow Restricted write-data" }, @@ -172,8 +179,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "Allow Restricted delete-data" }, @@ -189,8 +196,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "DenyInsecureCommunications" }, 
@@ -209,8 +216,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "DenyUnencryptedStorage" }, @@ -229,8 +236,8 @@ "AWS": "*" }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "DenyUnexpectedEncryptionMethod" }, @@ -242,6 +249,7 @@ "arn:aws:iam::123456789012:user/ci", "arn:aws:iam::123456789012:user/person1", "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", "arn:aws:iam::123456789012:role/app-backend", "arn:aws:iam::123456789012:role/customer-service" ] @@ -255,8 +263,8 @@ ] }, "Resource": [ - "${Token[TOKEN.203]}", - "${Token[TOKEN.203]}/*" + "${Token[TOKEN.20]}", + "${Token[TOKEN.20]}/*" ], "Sid": "DenyEveryoneElse" } diff --git a/examples/generated.dynamodb-policy.json b/examples/generated.dynamodb-policy.json new file mode 100644 index 0000000..9f66078 --- /dev/null +++ b/examples/generated.dynamodb-policy.json 
@@ -0,0 +1,163 @@ +{ + "Statement": [ + { + "Action": [ + "dynamodb:CreateBackup", + "dynamodb:DeleteResourcePolicy", + "dynamodb:DeleteTableReplica", + "dynamodb:DisableKinesisStreamingDestination", + "dynamodb:EnableKinesisStreamingDestination", + "dynamodb:ExportTableToPointInTime", + "dynamodb:PutResourcePolicy", + "dynamodb:RestoreTableToPointInTime", + "dynamodb:TagResource", + "dynamodb:UntagResource", + "dynamodb:UpdateContinuousBackups", + "dynamodb:UpdateContributorInsights", + "dynamodb:UpdateKinesisStreamingDestination", + "dynamodb:UpdateTable", + "dynamodb:UpdateTableReplicaAutoScaling", + "dynamodb:UpdateTimeToLive" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedAdministerResource" + }, + { + "Action": [ + "dynamodb:DescribeContinuousBackups", + "dynamodb:DescribeContributorInsights", + "dynamodb:DescribeExport", + "dynamodb:DescribeKinesisStreamingDestination", + "dynamodb:DescribeTable", + "dynamodb:DescribeTableReplicaAutoScaling", + "dynamodb:DescribeTimeToLive", + "dynamodb:GetResourcePolicy", + "dynamodb:ListTagsOfResource" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedReadConfig" + }, + { + "Action": [ + "dynamodb:BatchGetItem", + "dynamodb:ConditionCheckItem", + "dynamodb:GetItem", + "dynamodb:PartiQLSelect", + "dynamodb:Query", + "dynamodb:Scan" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend", + 
"arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedReadData" + }, + { + "Action": [ + "dynamodb:BatchWriteItem", + "dynamodb:PartiQLInsert", + "dynamodb:PartiQLUpdate", + "dynamodb:PutItem", + "dynamodb:UpdateItem" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::123456789012:role/app-backend" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedWriteData" + }, + { + "Action": [ + "dynamodb:DeleteItem", + "dynamodb:DeleteTable", + "dynamodb:DeleteTableReplica", + "dynamodb:PartiQLDelete" + ], + "Condition": { + "ArnEquals": { + "aws:PrincipalArn": [] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Resource": "*", + "Sid": "AllowRestrictedDeleteData" + }, + { + "Action": "dynamodb:*", + "Condition": { + "Bool": { + "aws:PrincipalIsAWSService": [ + "false" + ] + }, + "ArnNotEquals": { + "aws:PrincipalArn": [ + "${Token[TOKEN.31]}", + "arn:aws:iam::123456789012:user/ci", + "arn:aws:iam::123456789012:user/person1", + "arn:aws:iam::123456789012:role/k9-auditor", + "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer", + "arn:aws:iam::123456789012:role/app-backend", + "arn:aws:iam::123456789012:role/customer-service" + ] + } + }, + "Effect": "Deny", + "Principal": { + "AWS": [ + "*", + "*" + ] + }, + "Resource": "*", + "Sid": "DenyEveryoneElse" + } + ], + "Version": "2012-10-17" +} \ No newline at end of file diff --git a/examples/package-lock.json b/examples/package-lock.json index 137a4f6..9ec989d 100644 --- a/examples/package-lock.json +++ b/examples/package-lock.json 
@@ -9,19 +9,34 @@ "version": "2.0.0-dev", "license": "Apache-2.0", "dependencies": { - "@k9securityio/k9-cdk": "2.0.4", - "aws-cdk-lib": "2.1.0" + "@k9securityio/k9-cdk": "2.0.16", + "aws-cdk-lib": "2.146.0" }, "bin": { "example": "bin/example.js" }, "devDependencies": { - "aws-cdk": "^2.24.1", - "aws-cdk-lib": "2.1.0", + "aws-cdk": "^2.173.0", + "aws-cdk-lib": "2.146.0", "ts-node": "^10.8.0", - "typescript": "^3.9.10" + "typescript": "^5.4.5" } }, + "node_modules/@aws-cdk/asset-awscli-v1": { + "version": "2.2.214", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.214.tgz", + "integrity": "sha512-JeuX1xoYWXEeFD4RyAyvv8OD/NPdbLD6leKKpFLECWqsKY1YrwX0U8lr753CskflwaDGpU42pyyjPdiMZ7NiWA==" + }, + "node_modules/@aws-cdk/asset-kubectl-v20": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.3.tgz", + "integrity": "sha512-cDG1w3ieM6eOT9mTefRuTypk95+oyD7P5X/wRltwmYxU7nZc3+076YEVS6vrjDKr3ADYbfn0lDKpfB1FBtO9CQ==" + }, + "node_modules/@aws-cdk/asset-node-proxy-agent-v6": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.1.0.tgz", + "integrity": "sha512-7bY3J8GCVxLupn/kNmpPc5VJz8grx+4RKfnnJiO1LG+uxkZfANZG3RMHhE+qQxxwkyQ9/MfPtTpf748UhR425A==" + }, "node_modules/@cspotcode/source-map-support": { "version": "0.8.1", "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz", 
@@ -35,18 +50,18 @@ } }, "node_modules/@jridgewell/resolve-uri": { - "version": "3.0.7", - "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.7.tgz", - "integrity": "sha512-8cXDaBBHOr2pQ7j77Y6Vp5VDT2sIqWyWQ56TjEq4ih/a4iST3dItRe8Q9fp0rrIl9DoKhWQtUQz/YpOxLkXbNA==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", + "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==", "dev": true, "engines": { "node": ">=6.0.0" } }, "node_modules/@jridgewell/sourcemap-codec": { - "version": "1.4.13", - "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.13.tgz", - "integrity": "sha512-GryiOJmNcWbovBxTfZSF71V/mXbgcV3MewDe3kIMCLyIh5e7SKAeUZs+rMnJ8jkMolZ/4/VsdBmMrw3l+VdZ3w==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz", + "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==", "dev": true }, "node_modules/@jridgewell/trace-mapping": { 
@@ -60,49 +75,52 @@ } }, "node_modules/@k9securityio/k9-cdk": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@k9securityio/k9-cdk/-/k9-cdk-2.0.4.tgz", - "integrity": "sha512-DpfczRy8tAwVLQh2fpX8fMNeiWTjx7xOrqg0QU/cFfyXGyyHU7Rf/jTQZYIwmHlmRNSqCe5rhhvMa49uruVLgg==", + "version": "2.0.16", + "resolved": "https://registry.npmjs.org/@k9securityio/k9-cdk/-/k9-cdk-2.0.16.tgz", + "integrity": "sha512-yc/b3ycqV2Wn+FlwRTizFRUHCTcqqOMjFNXyvnYSiPgGzQibRmLsOdEX23l6/A3UX3pLvJ5TxJXGdLe235qMZg==", "peerDependencies": { - "aws-cdk-lib": "^2.1.0", + "aws-cdk-lib": "^2.146.0", "constructs": "^10.0.5" } }, "node_modules/@tsconfig/node10": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.8.tgz", - "integrity": "sha512-6XFfSQmMgq0CFLY1MslA/CPUfhIL919M1rMsa5lP2P097N2Wd1sSX0tx1u4olM16fLNhtHZpRhedZJphNJqmZg==", + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.11.tgz", + "integrity": "sha512-DcRjDCujK/kCk/cUe8Xz8ZSpm8mS3mNNpta+jGCA6USEDfktlNvm1+IuZ9eTcDbNk41BHwpHHeW+N1lKCz4zOw==", "dev": true }, "node_modules/@tsconfig/node12": { - "version": "1.0.9", - "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.9.tgz", - "integrity": "sha512-/yBMcem+fbvhSREH+s14YJi18sp7J9jpuhYByADT2rypfajMZZN4WQ6zBGgBKp53NKmqI36wFYDb3yaMPurITw==", + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.11.tgz", + "integrity": "sha512-cqefuRsh12pWyGsIoBKJA9luFu3mRxCA+ORZvA4ktLSzIuCUtWVxGIuXigEwO5/ywWFMZ2QEGKWvkZG1zDMTag==", "dev": true }, "node_modules/@tsconfig/node14": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.1.tgz", - "integrity": "sha512-509r2+yARFfHHE7T6Puu2jjkoycftovhXRqW328PDXTVGKihlb1P8Z9mMZH04ebyajfRY7dedfGynlrFHJUQCg==", + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.3.tgz", + "integrity": 
"sha512-ysT8mhdixWK6Hw3i1V2AeRqZ5WfXg1G43mqoYlM2nc6388Fq5jcXyr5mRsqViLx/GJYdoL0bfXD8nmF+Zn/Iow==", "dev": true }, "node_modules/@tsconfig/node16": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.2.tgz", - "integrity": "sha512-eZxlbI8GZscaGS7kkc/trHTT5xgrjH3/1n2JDwusC9iahPKWMRvRjJSAN5mCXviuTGQ/lHnhvv8Q1YTpnfz9gA==", + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.4.tgz", + "integrity": "sha512-vxhUy4J8lyeyinH7Azl1pdd43GJhZH/tP2weN8TntQblOY+A0XbT8DJk1/oCPuOOyg/Ja757rG0CgHcWC8OfMA==", "dev": true }, "node_modules/@types/node": { - "version": "17.0.35", - "resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.35.tgz", - "integrity": "sha512-vu1SrqBjbbZ3J6vwY17jBs8Sr/BKA+/a/WtjRG+whKg1iuLFOosq872EXS0eXWILdO36DHQQeku/ZcL6hz2fpg==", + "version": "22.10.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz", + "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==", "dev": true, - "peer": true + "peer": true, + "dependencies": { + "undici-types": "~6.20.0" + } }, "node_modules/acorn": { - "version": "8.7.1", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.7.1.tgz", - "integrity": "sha512-Xx54uLJQZ19lKygFXOWsscKUbsBZW0CPykPhVQdhIeIwrbPmJzqeASDInc8nKBnp/JT6igTs82qPXz069H8I/A==", + "version": "8.14.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz", + "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==", "dev": true, "bin": { "acorn": "bin/acorn" 
@@ -112,10 +130,13 @@ } }, "node_modules/acorn-walk": { - "version": "8.2.0", - "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.2.0.tgz", - "integrity": "sha512-k+iyHEuPgSw6SbuDpGQM+06HQUa04DZ3o+F6CSzXMvvI5KMvnaEqXe+YVe555R9nn6GPt404fos4wcgpw12SDA==", + "version": "8.3.4", + "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.3.4.tgz", + "integrity": "sha512-ueEepnujpqee2o5aIYnvHU6C0A42MNdsIDeqy5BydrkuC5R1ZuUFnm27EeFJGoEHJQgn3uleRvmTXaJgfXbt4g==", "dev": true, + "dependencies": { + "acorn": "^8.11.0" + }, "engines": { "node": ">=0.4.0" } @@ -127,9 +148,9 @@ "dev": true }, "node_modules/aws-cdk": { - "version": "2.25.0", - "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.25.0.tgz", - "integrity": "sha512-6NZKDPgCQ0O3xlpk22sR54N4yCvGt2tM2bkKHPrV6n4HCI+a349hsF4xSngiSrHAoaNQKMgAwScpj3GTZcI+oA==", + "version": "2.173.0", + "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.173.0.tgz", + "integrity": "sha512-riRGKSo5dzB0MSbdkZwXRC2t//dI220bgEUfVISilcEafBKj+BPzFBd/eNKuP/dEaS31njkCwtYrS7V7/lV4hQ==", "dev": true, "bin": { "cdk": "bin/cdk" @@ -142,9 +163,9 @@ } }, "node_modules/aws-cdk-lib": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.1.0.tgz", - "integrity": "sha512-W607G3aSrWpawpcqzIuUYKlU+grfvkbszyqikyVYqJgMHFCCQXq0S1ynPMzfQ49CwjlwZsu4LIsPM+dNR+Yj6g==", + "version": "2.146.0", + "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.146.0.tgz", + "integrity": "sha512-W3F2zH+P7hUxmu2dlEKJBBi6Twc4//NsJJW00h2LN0dKU+2302QY8jR+P7jgEYzZ7U50phtH4zO6BPmJrhLVEg==", "bundleDependencies": [ "@balena/dockerignore", "case", 
@@ -154,17 +175,24 @@ "minimatch", "punycode", "semver", - "yaml" + "table", + "yaml", + "mime-types" ], "dependencies": { + "@aws-cdk/asset-awscli-v1": "^2.2.202", + "@aws-cdk/asset-kubectl-v20": "^2.1.2", + "@aws-cdk/asset-node-proxy-agent-v6": "^2.0.3", "@balena/dockerignore": "^1.0.2", "case": "1.6.3", - "fs-extra": "^9.1.0", - "ignore": "^5.1.9", - "jsonschema": "^1.4.0", - "minimatch": "^3.0.4", - "punycode": "^2.1.1", - "semver": "^7.3.5", + "fs-extra": "^11.2.0", + "ignore": "^5.3.1", + "jsonschema": "^1.4.1", + "mime-types": "^2.1.35", + "minimatch": "^3.1.2", + "punycode": "^2.3.1", + "semver": "^7.6.2", + "table": "^6.8.2", "yaml": "1.10.2" }, "engines": { @@ -179,12 +207,49 @@ "inBundle": true, "license": "Apache-2.0" }, - "node_modules/aws-cdk-lib/node_modules/at-least-node": { - "version": "1.0.0", + "node_modules/aws-cdk-lib/node_modules/ajv": { + "version": "8.16.0", "inBundle": true, - "license": "ISC", + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.3", + "json-schema-traverse": "^1.0.0", + "require-from-string": "^2.0.2", + "uri-js": "^4.4.1" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + "node_modules/aws-cdk-lib/node_modules/ansi-regex": { + "version": "5.0.1", + "inBundle": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/aws-cdk-lib/node_modules/ansi-styles": { + "version": "4.3.0", + "inBundle": true, + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/aws-cdk-lib/node_modules/astral-regex": { + "version": "2.0.0", + "inBundle": true, + "license": "MIT", "engines": { - "node": ">= 4.0.0" + "node": ">=8" } }, "node_modules/aws-cdk-lib/node_modules/balanced-match": { 
@@ -209,38 +274,76 @@ "node": ">= 0.8.0" } }, + "node_modules/aws-cdk-lib/node_modules/color-convert": { + "version": "2.0.1", + "inBundle": true, + "license": "MIT", + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/aws-cdk-lib/node_modules/color-name": { + "version": "1.1.4", + "inBundle": true, + "license": "MIT" + }, "node_modules/aws-cdk-lib/node_modules/concat-map": { "version": "0.0.1", "inBundle": true, "license": "MIT" }, + "node_modules/aws-cdk-lib/node_modules/emoji-regex": { + "version": "8.0.0", + "inBundle": true, + "license": "MIT" + }, + "node_modules/aws-cdk-lib/node_modules/fast-deep-equal": { + "version": "3.1.3", + "inBundle": true, + "license": "MIT" + }, "node_modules/aws-cdk-lib/node_modules/fs-extra": { - "version": "9.1.0", + "version": "11.2.0", "inBundle": true, "license": "MIT", "dependencies": { - "at-least-node": "^1.0.0", "graceful-fs": "^4.2.0", "jsonfile": "^6.0.1", "universalify": "^2.0.0" }, "engines": { - "node": ">=10" + "node": ">=14.14" } }, "node_modules/aws-cdk-lib/node_modules/graceful-fs": { - "version": "4.2.8", + "version": "4.2.11", "inBundle": true, "license": "ISC" }, "node_modules/aws-cdk-lib/node_modules/ignore": { - "version": "5.1.9", + "version": "5.3.1", "inBundle": true, "license": "MIT", "engines": { "node": ">= 4" } }, + "node_modules/aws-cdk-lib/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "inBundle": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/aws-cdk-lib/node_modules/json-schema-traverse": { + "version": "1.0.0", + "inBundle": true, + "license": "MIT" + }, "node_modules/aws-cdk-lib/node_modules/jsonfile": { "version": "6.1.0", "inBundle": true, 
@@ -253,26 +356,39 @@ } }, "node_modules/aws-cdk-lib/node_modules/jsonschema": { - "version": "1.4.0", + "version": "1.4.1", "inBundle": true, "license": "MIT", "engines": { "node": "*" } }, - "node_modules/aws-cdk-lib/node_modules/lru-cache": { - "version": "6.0.0", + "node_modules/aws-cdk-lib/node_modules/lodash.truncate": { + "version": "4.4.2", "inBundle": true, - "license": "ISC", + "license": "MIT" + }, + "node_modules/aws-cdk-lib/node_modules/mime-db": { + "version": "1.52.0", + "inBundle": true, + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/aws-cdk-lib/node_modules/mime-types": { + "version": "2.1.35", + "inBundle": true, + "license": "MIT", "dependencies": { - "yallist": "^4.0.0" + "mime-db": "1.52.0" }, "engines": { - "node": ">=10" + "node": ">= 0.6" } }, "node_modules/aws-cdk-lib/node_modules/minimatch": { - "version": "3.0.4", + "version": "3.1.2", "inBundle": true, "license": "ISC", "dependencies": { @@ -283,20 +399,25 @@ } }, "node_modules/aws-cdk-lib/node_modules/punycode": { - "version": "2.1.1", + "version": "2.3.1", "inBundle": true, "license": "MIT", "engines": { "node": ">=6" } }, + "node_modules/aws-cdk-lib/node_modules/require-from-string": { + "version": "2.0.2", + "inBundle": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/aws-cdk-lib/node_modules/semver": { - "version": "7.3.5", + "version": "7.6.2", "inBundle": true, "license": "ISC", - "dependencies": { - "lru-cache": "^6.0.0" - }, "bin": { "semver": "bin/semver.js" }, 
@@ -304,18 +425,76 @@ "node": ">=10" } }, + "node_modules/aws-cdk-lib/node_modules/slice-ansi": { + "version": "4.0.0", + "inBundle": true, + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.0.0", + "astral-regex": "^2.0.0", + "is-fullwidth-code-point": "^3.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/slice-ansi?sponsor=1" + } + }, + "node_modules/aws-cdk-lib/node_modules/string-width": { + "version": "4.2.3", + "inBundle": true, + "license": "MIT", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/aws-cdk-lib/node_modules/strip-ansi": { + "version": "6.0.1", + "inBundle": true, + "license": "MIT", + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/aws-cdk-lib/node_modules/table": { + "version": "6.8.2", + "inBundle": true, + "license": "BSD-3-Clause", + "dependencies": { + "ajv": "^8.0.1", + "lodash.truncate": "^4.4.2", + "slice-ansi": "^4.0.0", + "string-width": "^4.2.3", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/aws-cdk-lib/node_modules/universalify": { - "version": "2.0.0", + "version": "2.0.1", "inBundle": true, "license": "MIT", "engines": { "node": ">= 10.0.0" } }, - "node_modules/aws-cdk-lib/node_modules/yallist": { - "version": "4.0.0", + "node_modules/aws-cdk-lib/node_modules/uri-js": { + "version": "4.4.1", "inBundle": true, - "license": "ISC" + "license": "BSD-2-Clause", + "dependencies": { + "punycode": "^2.1.0" + } }, "node_modules/aws-cdk-lib/node_modules/yaml": { "version": "1.10.2", 
@@ -326,13 +505,10 @@ } }, "node_modules/constructs": { - "version": "10.1.8", - "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.1.8.tgz", - "integrity": "sha512-iLHvRQEDfi+F6sTuzjEMylk3AqkaTfeGBzmGZZosE0lagtkUeygZTkQCn4FOS69Cr5RIvWBjg9EPFt74QVjcEQ==", - "peer": true, - "engines": { - "node": ">= 14.17.0" - } + "version": "10.4.2", + "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.4.2.tgz", + "integrity": "sha512-wsNxBlAott2qg8Zv87q3eYZYgheb9lchtBfjHzzLHtXbttwSrHPs1NNQbBrmbb1YZvYg2+Vh0Dor76w4mFxJkA==", + "peer": true }, "node_modules/create-require": { "version": "1.1.1", @@ -370,9 +546,9 @@ "dev": true }, "node_modules/ts-node": { - "version": "10.8.0", - "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.8.0.tgz", - "integrity": "sha512-/fNd5Qh+zTt8Vt1KbYZjRHCE9sI5i7nqfD/dzBBRDeVXZXS6kToW6R7tTU6Nd4XavFs0mAVCg29Q//ML7WsZYA==", + "version": "10.9.2", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz", + "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==", "dev": true, "dependencies": { "@cspotcode/source-map-support": "^0.8.0", 
@@ -413,18 +589,25 @@ } }, "node_modules/typescript": { - "version": "3.9.10", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.10.tgz", - "integrity": "sha512-w6fIxVE/H1PkLKcCPsFqKE7Kv7QUwhU8qQY2MueZXWx5cPZdwFupLgKK3vntcK98BtNHZtAF4LA/yl2a7k8R6Q==", + "version": "5.7.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.2.tgz", + "integrity": "sha512-i5t66RHxDvVN40HfDd1PsEThGNnlMCMT3jMUuoh9/0TaqWevNontacunWyN02LA9/fIbEWlcHZcgTKb9QoaLfg==", "dev": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" }, "engines": { - "node": ">=4.2.0" + "node": ">=14.17" } }, + "node_modules/undici-types": { + "version": "6.20.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz", + "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==", + "dev": true, + "peer": true + }, "node_modules/v8-compile-cache-lib": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz", 
@@ -442,6 +625,21 @@ } }, "dependencies": { + "@aws-cdk/asset-awscli-v1": { + "version": "2.2.214", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.214.tgz", + "integrity": "sha512-JeuX1xoYWXEeFD4RyAyvv8OD/NPdbLD6leKKpFLECWqsKY1YrwX0U8lr753CskflwaDGpU42pyyjPdiMZ7NiWA==" + }, + "@aws-cdk/asset-kubectl-v20": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-kubectl-v20/-/asset-kubectl-v20-2.1.3.tgz", + "integrity": "sha512-cDG1w3ieM6eOT9mTefRuTypk95+oyD7P5X/wRltwmYxU7nZc3+076YEVS6vrjDKr3ADYbfn0lDKpfB1FBtO9CQ==" + }, + "@aws-cdk/asset-node-proxy-agent-v6": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v6/-/asset-node-proxy-agent-v6-2.1.0.tgz", + "integrity": "sha512-7bY3J8GCVxLupn/kNmpPc5VJz8grx+4RKfnnJiO1LG+uxkZfANZG3RMHhE+qQxxwkyQ9/MfPtTpf748UhR425A==" + }, "@cspotcode/source-map-support": { "version": "0.8.1", "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz", 
@@ -452,15 +650,15 @@ } }, "@jridgewell/resolve-uri": { - "version": "3.0.7", - "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.7.tgz", - "integrity": "sha512-8cXDaBBHOr2pQ7j77Y6Vp5VDT2sIqWyWQ56TjEq4ih/a4iST3dItRe8Q9fp0rrIl9DoKhWQtUQz/YpOxLkXbNA==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", + "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==", "dev": true }, "@jridgewell/sourcemap-codec": { - "version": "1.4.13", - "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.13.tgz", - "integrity": "sha512-GryiOJmNcWbovBxTfZSF71V/mXbgcV3MewDe3kIMCLyIh5e7SKAeUZs+rMnJ8jkMolZ/4/VsdBmMrw3l+VdZ3w==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz", + "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==", "dev": true }, "@jridgewell/trace-mapping": { 
@@ -474,53 +672,59 @@ } }, "@k9securityio/k9-cdk": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/@k9securityio/k9-cdk/-/k9-cdk-2.0.4.tgz", - "integrity": "sha512-DpfczRy8tAwVLQh2fpX8fMNeiWTjx7xOrqg0QU/cFfyXGyyHU7Rf/jTQZYIwmHlmRNSqCe5rhhvMa49uruVLgg==", + "version": "2.0.16", + "resolved": "https://registry.npmjs.org/@k9securityio/k9-cdk/-/k9-cdk-2.0.16.tgz", + "integrity": "sha512-yc/b3ycqV2Wn+FlwRTizFRUHCTcqqOMjFNXyvnYSiPgGzQibRmLsOdEX23l6/A3UX3pLvJ5TxJXGdLe235qMZg==", "requires": {} }, "@tsconfig/node10": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.8.tgz", - "integrity": "sha512-6XFfSQmMgq0CFLY1MslA/CPUfhIL919M1rMsa5lP2P097N2Wd1sSX0tx1u4olM16fLNhtHZpRhedZJphNJqmZg==", + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.11.tgz", + "integrity": "sha512-DcRjDCujK/kCk/cUe8Xz8ZSpm8mS3mNNpta+jGCA6USEDfktlNvm1+IuZ9eTcDbNk41BHwpHHeW+N1lKCz4zOw==", "dev": true }, "@tsconfig/node12": { - "version": "1.0.9", - "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.9.tgz", - "integrity": "sha512-/yBMcem+fbvhSREH+s14YJi18sp7J9jpuhYByADT2rypfajMZZN4WQ6zBGgBKp53NKmqI36wFYDb3yaMPurITw==", + "version": "1.0.11", + "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.11.tgz", + "integrity": "sha512-cqefuRsh12pWyGsIoBKJA9luFu3mRxCA+ORZvA4ktLSzIuCUtWVxGIuXigEwO5/ywWFMZ2QEGKWvkZG1zDMTag==", "dev": true }, "@tsconfig/node14": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.1.tgz", - "integrity": "sha512-509r2+yARFfHHE7T6Puu2jjkoycftovhXRqW328PDXTVGKihlb1P8Z9mMZH04ebyajfRY7dedfGynlrFHJUQCg==", + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.3.tgz", + "integrity": "sha512-ysT8mhdixWK6Hw3i1V2AeRqZ5WfXg1G43mqoYlM2nc6388Fq5jcXyr5mRsqViLx/GJYdoL0bfXD8nmF+Zn/Iow==", "dev": true }, "@tsconfig/node16": { - "version": "1.0.2", - "resolved": 
"https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.2.tgz", - "integrity": "sha512-eZxlbI8GZscaGS7kkc/trHTT5xgrjH3/1n2JDwusC9iahPKWMRvRjJSAN5mCXviuTGQ/lHnhvv8Q1YTpnfz9gA==", + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.4.tgz", + "integrity": "sha512-vxhUy4J8lyeyinH7Azl1pdd43GJhZH/tP2weN8TntQblOY+A0XbT8DJk1/oCPuOOyg/Ja757rG0CgHcWC8OfMA==", "dev": true }, "@types/node": { - "version": "17.0.35", - "resolved": "https://registry.npmjs.org/@types/node/-/node-17.0.35.tgz", - "integrity": "sha512-vu1SrqBjbbZ3J6vwY17jBs8Sr/BKA+/a/WtjRG+whKg1iuLFOosq872EXS0eXWILdO36DHQQeku/ZcL6hz2fpg==", + "version": "22.10.2", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.2.tgz", + "integrity": "sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==", "dev": true, - "peer": true + "peer": true, + "requires": { + "undici-types": "~6.20.0" + } }, "acorn": { - "version": "8.7.1", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.7.1.tgz", - "integrity": "sha512-Xx54uLJQZ19lKygFXOWsscKUbsBZW0CPykPhVQdhIeIwrbPmJzqeASDInc8nKBnp/JT6igTs82qPXz069H8I/A==", + "version": "8.14.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz", + "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==", "dev": true }, "acorn-walk": { - "version": "8.2.0", - "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.2.0.tgz", - "integrity": "sha512-k+iyHEuPgSw6SbuDpGQM+06HQUa04DZ3o+F6CSzXMvvI5KMvnaEqXe+YVe555R9nn6GPt404fos4wcgpw12SDA==", - "dev": true + "version": "8.3.4", + "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.3.4.tgz", + "integrity": "sha512-ueEepnujpqee2o5aIYnvHU6C0A42MNdsIDeqy5BydrkuC5R1ZuUFnm27EeFJGoEHJQgn3uleRvmTXaJgfXbt4g==", + "dev": true, + "requires": { + "acorn": "^8.11.0" + } }, "arg": { "version": "4.1.3", 
@@ -529,27 +733,32 @@ "dev": true }, "aws-cdk": { - "version": "2.25.0", - "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.25.0.tgz", - "integrity": "sha512-6NZKDPgCQ0O3xlpk22sR54N4yCvGt2tM2bkKHPrV6n4HCI+a349hsF4xSngiSrHAoaNQKMgAwScpj3GTZcI+oA==", + "version": "2.173.0", + "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.173.0.tgz", + "integrity": "sha512-riRGKSo5dzB0MSbdkZwXRC2t//dI220bgEUfVISilcEafBKj+BPzFBd/eNKuP/dEaS31njkCwtYrS7V7/lV4hQ==", "dev": true, "requires": { "fsevents": "2.3.2" } }, "aws-cdk-lib": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.1.0.tgz", - "integrity": "sha512-W607G3aSrWpawpcqzIuUYKlU+grfvkbszyqikyVYqJgMHFCCQXq0S1ynPMzfQ49CwjlwZsu4LIsPM+dNR+Yj6g==", + "version": "2.146.0", + "resolved": "https://registry.npmjs.org/aws-cdk-lib/-/aws-cdk-lib-2.146.0.tgz", + "integrity": "sha512-W3F2zH+P7hUxmu2dlEKJBBi6Twc4//NsJJW00h2LN0dKU+2302QY8jR+P7jgEYzZ7U50phtH4zO6BPmJrhLVEg==", "requires": { + "@aws-cdk/asset-awscli-v1": "^2.2.202", + "@aws-cdk/asset-kubectl-v20": "^2.1.2", + "@aws-cdk/asset-node-proxy-agent-v6": "^2.0.3", "@balena/dockerignore": "^1.0.2", "case": "1.6.3", - "fs-extra": "^9.1.0", - "ignore": "^5.1.9", - "jsonschema": "^1.4.0", - "minimatch": "^3.0.4", - "punycode": "^2.1.1", - "semver": "^7.3.5", + "fs-extra": "^11.2.0", + "ignore": "^5.3.1", + "jsonschema": "^1.4.1", + "mime-types": "^2.1.35", + "minimatch": "^3.1.2", + "punycode": "^2.3.1", + "semver": "^7.6.2", + "table": "^6.8.2", "yaml": "1.10.2" }, "dependencies": { 
@@ -557,8 +766,29 @@ "version": "1.0.2", "bundled": true }, - "at-least-node": { - "version": "1.0.0", + "ajv": { + "version": "8.16.0", + "bundled": true, + "requires": { + "fast-deep-equal": "^3.1.3", + "json-schema-traverse": "^1.0.0", + "require-from-string": "^2.0.2", + "uri-js": "^4.4.1" + } + }, + "ansi-regex": { + "version": "5.0.1", + "bundled": true + }, + "ansi-styles": { + "version": "4.3.0", + "bundled": true, + "requires": { + "color-convert": "^2.0.1" + } + }, + "astral-regex": { + "version": "2.0.0", "bundled": true }, "balanced-match": { @@ -577,26 +807,52 @@ "version": "1.6.3", "bundled": true }, + "color-convert": { + "version": "2.0.1", + "bundled": true, + "requires": { + "color-name": "~1.1.4" + } + }, + "color-name": { + "version": "1.1.4", + "bundled": true + }, "concat-map": { "version": "0.0.1", "bundled": true }, + "emoji-regex": { + "version": "8.0.0", + "bundled": true + }, + "fast-deep-equal": { + "version": "3.1.3", + "bundled": true + }, "fs-extra": { - "version": "9.1.0", + "version": "11.2.0", "bundled": true, "requires": { - "at-least-node": "^1.0.0", "graceful-fs": "^4.2.0", "jsonfile": "^6.0.1", "universalify": "^2.0.0" } }, "graceful-fs": { - "version": "4.2.8", + "version": "4.2.11", "bundled": true }, "ignore": { - "version": "5.1.9", + "version": "5.3.1", + "bundled": true + }, + "is-fullwidth-code-point": { + "version": "3.0.0", + "bundled": true + }, + "json-schema-traverse": { + "version": "1.0.0", "bundled": true }, "jsonfile": { 
@@ -608,41 +864,89 @@ } }, "jsonschema": { - "version": "1.4.0", + "version": "1.4.1", "bundled": true }, - "lru-cache": { - "version": "6.0.0", + "lodash.truncate": { + "version": "4.4.2", + "bundled": true + }, + "mime-db": { + "version": "1.52.0", + "bundled": true + }, + "mime-types": { + "version": "2.1.35", "bundled": true, "requires": { - "yallist": "^4.0.0" + "mime-db": "1.52.0" } }, "minimatch": { - "version": "3.0.4", + "version": "3.1.2", "bundled": true, "requires": { "brace-expansion": "^1.1.7" } }, "punycode": { - "version": "2.1.1", + "version": "2.3.1", + "bundled": true + }, + "require-from-string": { + "version": "2.0.2", "bundled": true }, "semver": { - "version": "7.3.5", + "version": "7.6.2", + "bundled": true + }, + "slice-ansi": { + "version": "4.0.0", + "bundled": true, + "requires": { + "ansi-styles": "^4.0.0", + "astral-regex": "^2.0.0", + "is-fullwidth-code-point": "^3.0.0" + } + }, + "string-width": { + "version": "4.2.3", + "bundled": true, + "requires": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + } + }, + "strip-ansi": { + "version": "6.0.1", + "bundled": true, + "requires": { + "ansi-regex": "^5.0.1" + } + }, + "table": { + "version": "6.8.2", "bundled": true, "requires": { - "lru-cache": "^6.0.0" + "ajv": "^8.0.1", + "lodash.truncate": "^4.4.2", + "slice-ansi": "^4.0.0", + "string-width": "^4.2.3", + "strip-ansi": "^6.0.1" } }, "universalify": { - "version": "2.0.0", + "version": "2.0.1", "bundled": true }, - "yallist": { - "version": "4.0.0", - "bundled": true + "uri-js": { + "version": "4.4.1", + "bundled": true, + "requires": { + "punycode": "^2.1.0" + } }, "yaml": { "version": "1.10.2", 
@@ -651,9 +955,9 @@ } }, "constructs": { - "version": "10.1.8", - "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.1.8.tgz", - "integrity": "sha512-iLHvRQEDfi+F6sTuzjEMylk3AqkaTfeGBzmGZZosE0lagtkUeygZTkQCn4FOS69Cr5RIvWBjg9EPFt74QVjcEQ==", + "version": "10.4.2", + "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.4.2.tgz", + "integrity": "sha512-wsNxBlAott2qg8Zv87q3eYZYgheb9lchtBfjHzzLHtXbttwSrHPs1NNQbBrmbb1YZvYg2+Vh0Dor76w4mFxJkA==", "peer": true }, "create-require": { @@ -682,9 +986,9 @@ "dev": true }, "ts-node": { - "version": "10.8.0", - "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.8.0.tgz", - "integrity": "sha512-/fNd5Qh+zTt8Vt1KbYZjRHCE9sI5i7nqfD/dzBBRDeVXZXS6kToW6R7tTU6Nd4XavFs0mAVCg29Q//ML7WsZYA==", + "version": "10.9.2", + "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz", + "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==", "dev": true, "requires": { "@cspotcode/source-map-support": "^0.8.0", @@ -703,11 +1007,18 @@ } }, "typescript": { - "version": "3.9.10", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.10.tgz", - "integrity": "sha512-w6fIxVE/H1PkLKcCPsFqKE7Kv7QUwhU8qQY2MueZXWx5cPZdwFupLgKK3vntcK98BtNHZtAF4LA/yl2a7k8R6Q==", + "version": "5.7.2", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.2.tgz", + "integrity": "sha512-i5t66RHxDvVN40HfDd1PsEThGNnlMCMT3jMUuoh9/0TaqWevNontacunWyN02LA9/fIbEWlcHZcgTKb9QoaLfg==", "dev": true }, + "undici-types": { + "version": "6.20.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz", + "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==", + "dev": true, + "peer": true + }, "v8-compile-cache-lib": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz", 
diff --git a/examples/package.json b/examples/package.json
index 5d63ef5..5585c9f 100644
--- a/examples/package.json
+++ b/examples/package.json
@@ -21,13 +21,13 @@
 "cdk": "cdk"
 },
 "devDependencies": {
- "aws-cdk-lib": "2.1.0",
+ "aws-cdk-lib": "2.146.0",
+ "typescript": "^5.4.5",
 "ts-node": "^10.8.0",
- "typescript": "^3.9.10",
- "aws-cdk": "^2.24.1"
+ "aws-cdk": "^2.173.0"
 },
 "dependencies": {
- "aws-cdk-lib": "2.1.0",
- "@k9securityio/k9-cdk": "2.0.4"
+ "aws-cdk-lib": "2.146.0",
+ "@k9securityio/k9-cdk": "2.0.16"
 }
 }