Aws-cdk-organization-configrule NPM

Overview

CDK construct library to deploy config rule for organizations simply.

Prerequisites

Before using , you should set up for root or audit account enable config rule to organizations.
for more detail , see ※1 https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

CLI command

auditAccount="xxxxxxxxx" # only when delegate
aws organizations register-delegated-administrator --account-id ${auditAccount}  --service-principal config.amazonaws.com
aws organizations enable-aws-service-access --service-principal=config-multiaccountsetup.amazonaws.com
aws organizations register-delegated-administrator --service-principal=config-multiaccountsetup.amazonaws.com --account-id ${auditAccount}

How to use

you can specify inputParameters as needed like below example.

import { AwsCdkOrganizationConfigrule } from 'aws-cdk-organization-configrule';

// example
new AwsCdkOrganizationConfigrule(this, 'OrgConfig',{
  configRulesAll: [
    { ruleIdentifier: "DYNAMODB_TABLE_ENCRYPTED_KMS" },
    {
      ruleIdentifier: "CW_LOGGROUP_RETENTION_PERIOD_CHECK",
      inputParameters: '{"MinRetentionTime":"1827"}',
    }
  ]

})

Option settings

when deploing to multi region, if you add rule to only us-east-1 , use configRulesOnlyUsEast1 option.

new AwsCdkOrganizationConfigrule(this, "OrgConfig", {
  configRulesAll: [
    { ruleIdentifier: "DYNAMODB_TABLE_ENCRYPTED_KMS" },
    {
      ruleIdentifier: "CW_LOGGROUP_RETENTION_PERIOD_CHECK",
      inputParameters: '{"MinRetentionTime":"1827"}',
    },
  ],
  configRulesOnlyUsEast1:[
    { ruleIdentifier: "CLOUDFRONT_ASSOCIATED_WITH_WAF" },
  ]
});

when not deploying to specific aws accounts, use configExcludedAccounts option.

    new AwsCdkOrganizationConfigrule(this, "OrgConfig", {
      configRulesAll: [
        { ruleIdentifier: "DYNAMODB_TABLE_ENCRYPTED_KMS" },
        {
          ruleIdentifier: "CW_LOGGROUP_RETENTION_PERIOD_CHECK",
          inputParameters: '{"MinRetentionTime":"1827"}',
        },
      ],
      configRulesOnlyUsEast1:[
        { ruleIdentifier: "CLOUDFRONT_ASSOCIATED_WITH_WAF" },
      ],
      configExcludedAccounts: ["111111111111", "222222222222"]
    });

aws cdk config awscdk

acorn abab acorn-walk acorn-globals agent-base ansi-escapes ansi-regex ansi-styles anymatch argparse arr-diff arr-union arr-flatten array-unique assign-symbols asynckit atob babel-jest babel-plugin-istanbul babel-plugin-jest-hoist babel-preset-current-node-syntax balanced-match brace-expansion braces base babel-preset-jest browser-process-hrtime browserslist bser bs-logger callsites cache-base buffer-from camelcase caniuse-lite capture-exit chalk char-regex ci-info cjs-module-lexer class-utils cliui collect-v8-coverage co collection-visit color-name combined-stream component-emitter concat-map convert-source-map copy-descriptor cross-spawn cssom data-urls cssstyle debug decode-uri-component deep-is decimal.js deepmerge define-property delayed-stream detect-newline domexception electron-to-chromium emittery emoji-regex end-of-stream error-ex escape-string-regexp escodegen estraverse esprima esutils exec-sh execa exit expand-brackets expect extend-shallow extglob fast-json-stable-stringify fast-levenshtein fb-watchman fill-range find-up for-in fragment-cache color-convert fsevents form-data function-bind get-caller-file gensync get-package-type get-value get-stream fs.realpath globals glob growly graceful-fs has has-flag has-value has-values hosted-git-info html-escaper http-proxy-agent human-signals https-proxy-agent import-local iconv-lite inflight imurmurhash inherits is-accessor-descriptor is-arrayish is-buffer is-ci is-core-module is-data-descriptor is-descriptor is-extendable is-docker is-generator-fn is-fullwidth-code-point is-number is-plain-object is-stream is-windows is-potential-custom-element-name is-typedarray is-wsl isexe isarray isobject istanbul-lib-instrument istanbul-lib-coverage istanbul-lib-source-maps istanbul-lib-report istanbul-reports jest-changed-files jest-cli jest-docblock jest-each jest-environment-jsdom escalade jest-haste-map jest-environment-node jest-get-type jest-jasmine2 jest-leak-detector jest-message-util jest-matcher-utils jest-mock jest-pnp-resolver jest-resolve jest-regex-util jest-resolve-dependencies jest-runner jest-serializer jest-runtime jest-util jest-validate jest-watcher js-tokens jest-worker js-yaml jsdom jest-snapshot jsesc json5 json-parse-even-better-errors kind-of kleur leven levn lines-and-columns lodash lru-cache make-dir jest-diff makeerror map-cache map-visit merge-stream micromatch mime-db mimic-fn mime-types minimatch minimist mixin-deep mkdirp ms nanomatch natural-compare nice-try node-int64 node-notifier node-releases normalize-package-data normalize-path npm-run-path object-visit nwsapi object-copy object.pick once make-error onetime p-each-series optionator p-finally p-locate p-limit p-try parse5 pascalcase path-exists path-key locate-path path-parse picomatch pirates pkg-dir prelude-ls posix-character-classes pretty-format psl prompts punycode read-pkg react-is read-pkg-up diff-sequences regex-not remove-trailing-separator repeat-element repeat-string require-directory require-main-filename resolve-cwd resolve resolve-from resolve-url ret rimraf parse-json safe-regex picocolors safer-buffer sane saxes semver set-blocking set-value shebang-command shebang-regex shellwords signal-exit sisteransi safe-buffer snapdragon snapdragon-util snapdragon-node source-map source-map-resolve source-map-support spdx-correct source-map-url spdx-exceptions spdx-expression-parse spdx-license-ids split-string sprintf-js stack-utils static-extend strip-ansi string-width strip-bom string-length strip-eof strip-final-newline supports-hyperlinks rsvp symbol-tree test-exclude throat slash tmpl to-fast-properties to-object-path to-regex to-regex-range terminal-link tough-cookie tr46 type-detect supports-color type-check union-value type-fest typedarray-to-buffer universalify unset-value urix use uuid v8-to-istanbul w3c-hr-time validate-npm-package-license w3c-xmlserializer walker whatwg-mimetype whatwg-encoding webidl-conversions whatwg-url which which-module word-wrap wrap-ansi wrappy write-file-atomic path-is-absolute ws xml-name-validator xmlchars y18n yallist pump html-encoding-sniffer yargs-parser yargs decamelize

@everything-registry/sub-chunk-1193 @infinitebrahmanuniverse/nolb-aws-c

2 years ago

2 years ago

2 years ago

2 years ago

2 years ago