/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  
Licensed under the Apache License, Version 2.0 (the "License").
You may not use this file except in compliance with the License.
You may obtain a copy of the License at
 
    http://www.apache.org/licenses/LICENSE-2.0
 
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
 
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as s3 from '@aws-cdk/aws-s3';
import * as cfg from '@aws-cdk/aws-config';
 
 
// from https://github.com/aws-samples/aws-startup-blueprint/blob/mainline/lib/aws-config-packs.ts
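/**
 * Sets up AWS Config recording: an S3 bucket that receives Config deliveries,
 * the delivery channel that points at it, the IAM role Config assumes, and the
 * configuration recorder itself.
 */
export class ConfigRecorder extends cdk.Construct {
  /**
   * @param scope Parent construct that owns the resources created here.
   * @param id Logical id of this construct within `scope`.
   */
  constructor(scope: cdk.Construct, id: string) {
    super(scope, id);

    // Account of the enclosing stack. Used to scope the service-principal
    // grants below so that config.amazonaws.com can only act on this bucket
    // on behalf of this account (confused-deputy protection).
    const accountId = cdk.Stack.of(this).account;
    const configService = new iam.ServicePrincipal('config.amazonaws.com');

    const configBucket = new s3.Bucket(this, 'ConfigBucket', {
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    });

    // Reject every request to the bucket or its objects that is not made over TLS.
    configBucket.addToResourcePolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.DENY,
        actions: ['*'],
        principals: [new iam.AnyPrincipal()],
        resources: [configBucket.bucketArn, configBucket.arnForObjects('*')],
        conditions: {
          Bool: {
            'aws:SecureTransport': false,
          },
        },
      }),
    );

    // AWSConfigBucketPermissionsCheck: Config reads the bucket ACL before delivering.
    configBucket.addToResourcePolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        principals: [configService],
        resources: [configBucket.bucketArn],
        actions: ['s3:GetBucketAcl'],
        conditions: {
          StringEquals: {
            'aws:SourceAccount': accountId,
          },
        },
      }),
    );

    // AWSConfigBucketDelivery: Config may write objects, but only when it hands
    // ownership to the bucket owner and is acting for this account.
    configBucket.addToResourcePolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        principals: [configService],
        resources: [configBucket.arnForObjects('*')],
        actions: ['s3:PutObject'],
        conditions: {
          StringEquals: {
            's3:x-amz-acl': 'bucket-owner-full-control',
            'aws:SourceAccount': accountId,
          },
        },
      }),
    );

    new cfg.CfnDeliveryChannel(this, 'ConfigDeliveryChannel', {
      s3BucketName: configBucket.bucketName,
      name: 'ConfigDeliveryChannel',
    });

    // NOTE(review): AWS has deprecated the 'service-role/AWSConfigRole' managed
    // policy in favour of 'service-role/AWS_ConfigRole'; confirm which one the
    // target accounts can still attach before changing it here.
    const configRole = new iam.Role(this, 'ConfigRecorderRole', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),
      managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfigRole')],
    });

    // Only AWS::IAM::User is listed, so configuration changes to any other
    // resource type are not captured by this recorder.
    new cfg.CfnConfigurationRecorder(this, 'ConfigRecorder', {
      name: 'BlueprintConfigRecorder',
      roleArn: configRole.roleArn,
      recordingGroup: {
        resourceTypes: ['AWS::IAM::User'],
      },
    });
  }
}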