0.0.26 • Published 21 days ago

blea v0.0.26

Weekly downloads
-
License
Apache-2.0
Repository
github
Last release
21 days ago

Blea-Jic

Blea-Jic is an AWS CDK construct library that make up Organizations settings

Installation

yarn add blea

OrgEvent

Overview

This provides eventBridge rule from securityhub to SNS which is encrypted

ItemDescription
Deploy AccountAudit Account
ResourcesEventBridgeRule,SNS Topic,KMS

Usage

import { OrgEvent } from 'blea';

const securityhubNotifyPattern = {
  source: ['aws.securityhub'],
  'detail-type': ['Security Hub Findings - Imported'],
  detail: {
    findings: {
      Compliance: {
        Status: ['FAILED', 'WARNING'],
      },
      Workflow: {
        Status: ['NEW'],
      },
    },
  },
};

const orgEvent = new OrgEvent(this, 'OrgEvent', {
    region: props?.env?.region || '',
    accountId: props?.env?.account || '',
    kmsAliasName: 'jicOrgTest',
    securityhubNotifyPattern: securityhubNotifyPattern,
});

OrgConfigRules

Overview

This provides OrganizationConfigRule to find child accounts Noncompliant

ItemDescription
Deploy AccountAudit Account
ResourcesOrganizationConfigRule

Prerequisites

Before using , you should set up for root or audit account enable config rule to organizations. for more detail , see below https://docs.aws.amazon.com/config/latest/developerguide/config-rule-multi-account-deployment.html

Usage

import { OrgConfigRules } from 'blea';
const orgConfigRules = new OrgConfigRules(this, 'OrgConfigRules', {
    region: props?.env?.region || '',
    configRulesAll: [
    { ruleIdentifier: 'DYNAMODB_TABLE_ENCRYPTED_KMS' },
    {
        ruleIdentifier: 'CW_LOGGROUP_RETENTION_PERIOD_CHECK',
        inputParameters: '{"MinRetentionTime":"1827"}',
    },
    ],
    configRulesOnlyUsEast1: [
    { ruleIdentifier: 'CLOUDFRONT_ASSOCIATED_WITH_WAF' },
    ],
    configExcludedAccounts: ['111111111111', '222222222222'],
});

OrgSlack

Overview

This provides aws chatbot for slack to notify findings .

ItemDescription
Deploy AccountAudit Account
Resourceschatbot

Prerequisites

before deploying ,you have done configure new client. for more details , see below https://docs.aws.amazon.com/dtconsole/latest/userguide/notifications-chatbot.html

Usage

it supposes to be used with OrgEvent.

  const slackWorkspaceId = "xxxxx"
  const slackChannelId   = "xxxxx"

  const OrgSlack = new OrgSlack(this, 'OrgSlack', {
      snsTopic: [orgEven.topic],
      workspaceId: slackWorkspaceId,
      channelId: slackChannelId,
      slackChannelConfigurationName: slackChannelConfigurationName,
    });

OrgConfigSecurityhub

Overview

This provides lambda to import findings to securityhub from all children accounts config compliance .

you have sns topic named 'aws-controltower-AggregateSecurityNotifications' that created by aws controltower . All config compliance informations are sent to that one .

ItemDescription
Deploy AccountAudit Account
Resourceslambda

Prerequisites

Control tower is enabled in your organizations .

Usage

new OrgConfigSecurityhub(stack, 'OrgConfigSecurityhub', {
  auditAccountId: '123456789012',
  snsTopicArn:
    'arn:aws:sns:ap-northeast-1:123456789012:aws-controltower-AggregateSecurityNotifications',
  controlTowerHomeRegion: 'ap-northeast-1',
  configurationAggregatorName:
    'aws-controltower-GuardrailsComplianceAggregator',
});

OrgStackSet

Overview

This provides IAM role to switch from auidt account to child account. this is deployed by cloudfromation stack sets.

ItemDescription
Deploy Accountroot Account
Resourcescloudformation stacksets , Iam

Usage

new OrgRoleStackSet(this, 'OrgRoleStackSet', {
  auditAccountID: "012345678912",
  roleName: 'swrole-from-blea',
  stackInstancesGroup: {
    regions: [controlTowerHomeRegion],
    deploymentTargets: {
      organizationalUnitIds: [
        'ou-xxxxxx',
        'ou-xxxxxx',
      ]
    },
  },
});

OrgAccountInitProc

Overview

This provides stepfunciton to disable specific item in securityhub standard cis and aws standard.

ItemDescription
Deploy Accountroot Account
Resourcesstepfunctions , lambda,Iam

Prerequisites

This is supporsed to be deployed with OrgStackSet . so, before run this, you must deploy OrgStackSet

Usage

new OrgAccountInit(this, 'OrgAccountInit', {
  roleName: 'swrole-from-blea',
  disableArnsBasicAll: ['ACM.1','APIGateway.1'],
  disableArnsCISAll: ['1.1','1.10'],
  disableArnsBasicVA: ['CloudFront.1','CloudFront.2'],
  disableArnsCISNotCtHome: ['1.12', '1.13', '1.16', '1.2', '1.2'],
  controlTowerHomeRegion: controlTowerHomeRegion,
});

once you create , execute stepfunction with event like below.

{
  "accountId": "xxxxxxxxxxx",
  "region": "ap-northeast-1"
}

for contributor

first step

$ yarn

compile in the background

$ yarn watch

IMPORTANT!

DO NOT EDIT by package.json

to check specific source

once you build your source.

$ yarn build

then, execute synth, deploy etc...

$ cdk synth --app='./lib/integ.xxxx.default.js'
or
$ cdk deploy --app='./lib/integ.xxxx.default.js'
cdk
cdk-constants
@everything-registry/sub-chunk-1243
0.0.26

21 days ago

0.0.25

1 month ago

0.0.24

2 months ago

0.0.23

2 months ago

0.0.22

2 months ago

0.0.20

1 year ago

0.0.21

1 year ago

0.0.19

2 years ago

0.0.16

2 years ago

0.0.17

2 years ago

0.0.18

2 years ago

0.0.14

2 years ago

0.0.15

2 years ago

0.0.13

2 years ago

0.0.12

2 years ago

0.0.11

2 years ago

0.0.10

2 years ago

0.0.9

2 years ago

0.0.8

2 years ago

0.0.7

2 years ago

0.0.6

2 years ago

0.0.5

2 years ago

0.0.4

2 years ago

0.0.3

2 years ago

0.0.2

2 years ago

0.0.0

2 years ago