2.170.0

enum AuditCheck ๐Ÿ”น

LanguageType name
.NETAmazon.CDK.AWS.IoT.Alpha.AuditCheck
Gogithub.com/aws/aws-cdk-go/awscdkiotalpha/v2#AuditCheck
Javasoftware.amazon.awscdk.services.iot.alpha.AuditCheck
Pythonaws_cdk.aws_iot_alpha.AuditCheck
TypeScript (source)@aws-cdk/aws-iot-alpha ยป AuditCheck

The AWS IoT Device Defender audit checks.

See also: https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html

Example

declare const config: iot.AccountAuditConfiguration;

// Daily audit
const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', {
  accountAuditConfiguration: config,
  frequency: iot.Frequency.DAILY,
  auditChecks: [
    iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK,
  ],
})

// Weekly audit
const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', {
  accountAuditConfiguration: config,
  frequency: iot.Frequency.WEEKLY,
  dayOfWeek: iot.DayOfWeek.SUNDAY,
  auditChecks: [
    iot.AuditCheck.CA_CERTIFICATE_EXPIRING_CHECK,
  ],
});

// Monthly audit
const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', {
  accountAuditConfiguration: config,
  frequency: iot.Frequency.MONTHLY,
  dayOfMonth: iot.DayOfMonth.of(1),
  auditChecks: [
    iot.AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK,
  ],
});

Members

NameDescription
AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK ๐Ÿ”นChecks the permissiveness of an authenticated Amazon Cognito identity pool role.
CA_CERTIFICATE_EXPIRING_CHECK ๐Ÿ”นChecks if a CA certificate is expiring.
CA_CERTIFICATE_KEY_QUALITY_CHECK ๐Ÿ”นChecks the quality of the CA certificate key.
CONFLICTING_CLIENT_IDS_CHECK ๐Ÿ”นChecks if multiple devices connect using the same client ID.
DEVICE_CERTIFICATE_EXPIRING_CHECK ๐Ÿ”นChecks if a device certificate is expiring.
DEVICE_CERTIFICATE_KEY_QUALITY_CHECK ๐Ÿ”นChecks the quality of the device certificate key.
DEVICE_CERTIFICATE_SHARED_CHECK ๐Ÿ”นChecks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT.
IOT_POLICY_OVERLY_PERMISSIVE_CHECK ๐Ÿ”นChecks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK ๐Ÿ”นChecks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK ๐Ÿ”นChecks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
LOGGING_DISABLED_CHECK ๐Ÿ”นChecks if AWS IoT logs are disabled.
REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK ๐Ÿ”นChecks if a revoked CA certificate is still active.
REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK ๐Ÿ”นChecks if a revoked device certificate is still active.
UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK ๐Ÿ”นChecks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK ๐Ÿ”น

Checks the permissiveness of an authenticated Amazon Cognito identity pool role.

For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.

CA_CERTIFICATE_EXPIRING_CHECK ๐Ÿ”น

Checks if a CA certificate is expiring.

This check applies to CA certificates expiring within 30 days or that have expired.

CA_CERTIFICATE_KEY_QUALITY_CHECK ๐Ÿ”น

Checks the quality of the CA certificate key.

The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size.

This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER.

CONFLICTING_CLIENT_IDS_CHECK ๐Ÿ”น

Checks if multiple devices connect using the same client ID.

DEVICE_CERTIFICATE_EXPIRING_CHECK ๐Ÿ”น

Checks if a device certificate is expiring.

This check applies to device certificates expiring within 30 days or that have expired.

DEVICE_CERTIFICATE_KEY_QUALITY_CHECK ๐Ÿ”น

Checks the quality of the device certificate key.

The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.

DEVICE_CERTIFICATE_SHARED_CHECK ๐Ÿ”น

Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT.

IOT_POLICY_OVERLY_PERMISSIVE_CHECK ๐Ÿ”น

Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.

IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK ๐Ÿ”น

Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.

IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK ๐Ÿ”น

Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.

LOGGING_DISABLED_CHECK ๐Ÿ”น

Checks if AWS IoT logs are disabled.

REVOKED_CA_CERTIFICATE_STILL_ACTIVE_CHECK ๐Ÿ”น

Checks if a revoked CA certificate is still active.

REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK ๐Ÿ”น

Checks if a revoked device certificate is still active.

UNAUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK ๐Ÿ”น

Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

โ† PreviousNext โ†’