CheckConfiguration

class aws_cdk.aws_iot_alpha.CheckConfiguration(*, authenticated_cognito_role_overly_permissive_check=None, ca_certificate_expiring_check=None, ca_certificate_key_quality_check=None, conflicting_client_ids_check=None, device_certificate_expiring_check=None, device_certificate_key_quality_check=None, device_certificate_shared_check=None, intermediate_ca_revoked_for_active_device_certificates_check=None, iot_policy_overly_permissive_check=None, io_t_policy_potential_mis_configuration_check=None, iot_role_alias_allows_access_to_unused_services_check=None, iot_role_alias_overly_permissive_check=None, logging_disabled_check=None, revoked_ca_certificate_still_active_check=None, revoked_device_certificate_still_active_check=None, unauthenticated_cognito_role_overly_permissive_check=None)

Bases: object

(experimental) The types of audit checks.

Parameters:
  • authenticated_cognito_role_overly_permissive_check (Optional[bool]) – (experimental) Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed. Default: true

  • ca_certificate_expiring_check (Optional[bool]) – (experimental) Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired. Default: true

  • ca_certificate_key_quality_check (Optional[bool]) – (experimental) Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER. Default: true

  • conflicting_client_ids_check (Optional[bool]) – (experimental) Checks if multiple devices connect using the same client ID. Default: true

  • device_certificate_expiring_check (Optional[bool]) – (experimental) Checks if a device certificate is expiring. This check applies to device certificates expiring within 30 days or that have expired. Default: true

  • device_certificate_key_quality_check (Optional[bool]) – (experimental) Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size. Default: true

  • device_certificate_shared_check (Optional[bool]) – (experimental) Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT. Default: true

  • intermediate_ca_revoked_for_active_device_certificates_check (Optional[bool]) – (experimental) Checks if device certificates are still active despite being revoked by an intermediate CA. Default: true

  • iot_policy_overly_permissive_check (Optional[bool]) – (experimental) Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role. Default: true

  • io_t_policy_potential_mis_configuration_check (Optional[bool]) – (experimental) Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy. Default: true

  • iot_role_alias_allows_access_to_unused_services_check (Optional[bool]) – (experimental) Checks if a role alias has access to services that haven’t been used for the AWS IoT device in the last year. Default: true

  • iot_role_alias_overly_permissive_check (Optional[bool]) – (experimental) Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive. Default: true

  • logging_disabled_check (Optional[bool]) – (experimental) Checks if AWS IoT logs are disabled. Default: true

  • revoked_ca_certificate_still_active_check (Optional[bool]) – (experimental) Checks if a revoked CA certificate is still active. Default: true

  • revoked_device_certificate_still_active_check (Optional[bool]) – (experimental) Checks if a revoked device certificate is still active. Default: true

  • unauthenticated_cognito_role_overly_permissive_check (Optional[bool]) – (experimental) Checks if a policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive. Default: true

See:

https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-defender-audit-checks.html

Stability:

experimental

ExampleMetadata:

infused

Example:

iot.AccountAuditConfiguration(self, "AuditConfiguration",
    check_configuration=iot.CheckConfiguration(
        # enabled
        authenticated_cognito_role_overly_permissive_check=True,
        # enabled by default (None leaves the documented default of true in place)
        ca_certificate_expiring_check=None,
        # disabled
        ca_certificate_key_quality_check=False,
        conflicting_client_ids_check=False,
        device_certificate_expiring_check=False,
        device_certificate_key_quality_check=False,
        device_certificate_shared_check=False,
        intermediate_ca_revoked_for_active_device_certificates_check=False,
        io_t_policy_potential_mis_configuration_check=False,
        iot_policy_overly_permissive_check=False,
        iot_role_alias_allows_access_to_unused_services_check=False,
        iot_role_alias_overly_permissive_check=False,
        logging_disabled_check=False,
        revoked_ca_certificate_still_active_check=False,
        revoked_device_certificate_still_active_check=False,
        unauthenticated_cognito_role_overly_permissive_check=False
    )
)
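Because every check defaults to true and an omitted or None argument keeps that default, it is easy to believe a check is enabled when it is not, and the irregular keyword name `io_t_policy_potential_mis_configuration_check` is easy to misspell. The helper below is an added example, not part of aws_cdk.aws_iot_alpha: it resolves the keyword arguments the way CheckConfiguration does, rejects unknown names, and compares the intended settings with the enabled flags an account reports. It imports nothing from the CDK so it runs offline; the upper-case check names and the `auditCheckConfigurations` response shape are assumptions about the AWS IoT API, and `SAMPLE_RESPONSE` is constructed data.

```python
CHECK_KWARGS = (  # the 16 keyword names from the CheckConfiguration signature above
    "authenticated_cognito_role_overly_permissive_check",
    "ca_certificate_expiring_check",
    "ca_certificate_key_quality_check",
    "conflicting_client_ids_check",
    "device_certificate_expiring_check",
    "device_certificate_key_quality_check",
    "device_certificate_shared_check",
    "intermediate_ca_revoked_for_active_device_certificates_check",
    "iot_policy_overly_permissive_check",
    "io_t_policy_potential_mis_configuration_check",
    "iot_role_alias_allows_access_to_unused_services_check",
    "iot_role_alias_overly_permissive_check",
    "logging_disabled_check",
    "revoked_ca_certificate_still_active_check",
    "revoked_device_certificate_still_active_check",
    "unauthenticated_cognito_role_overly_permissive_check",
)
# jsii derives these names from camelCase TypeScript properties, which is why one
# reads "io_t_policy_potential_mis_configuration_check". Upper-casing a kwarg gives
# the check name the AWS IoT API reports for all but that one (assumed spelling).
IRREGULAR = {"io_t_policy_potential_mis_configuration_check":
             "IOT_POLICY_POTENTIAL_MISCONFIGURATION_CHECK"}

def api_check_name(kwarg):
    return IRREGULAR.get(kwarg, kwarg.upper())

def effective_checks(**kwargs):
    """Resolve kwargs as CheckConfiguration does: None or omitted means the
    documented default (True). A misspelled name raises instead of being ignored."""
    unknown = sorted(set(kwargs) - set(CHECK_KWARGS))
    if unknown:
        raise TypeError(f"unknown audit check(s): {unknown}")
    return {k: True if kwargs.get(k) is None else bool(kwargs[k]) for k in CHECK_KWARGS}

def audit_drift(kwargs, describe_response):
    """Return {NAME: (intended, actual)} for each check whose enabled flag in the
    account differs from the CDK intent. The response shape is assumed to follow
    describe-account-audit-configuration; a check absent from it counts as off."""
    reported = describe_response.get("auditCheckConfigurations", {})
    drift = {}
    for kwarg, want in effective_checks(**kwargs).items():
        name = api_check_name(kwarg)
        got = bool(reported.get(name, {}).get("enabled", False))
        if got != want:
            drift[name] = (want, got)
    return drift

SAMPLE_RESPONSE = {"auditCheckConfigurations": {  # constructed: all on but logging
    api_check_name(k): {"enabled": k != "logging_disabled_check"} for k in CHECK_KWARGS}}
```

The dict returned by `effective_checks(**kwargs)` is what a stack would spread into `iot.CheckConfiguration(**kwargs)`, and running `audit_drift` against a real describe call surfaces checks that were turned off outside the CDK.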

Attributes

authenticated_cognito_role_overly_permissive_check

(experimental) Checks the permissiveness of an authenticated Amazon Cognito identity pool role.

For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.

Default:

true

Stability:

experimental

ca_certificate_expiring_check

(experimental) Checks if a CA certificate is expiring.

This check applies to CA certificates expiring within 30 days or that have expired.

Default:

true

Stability:

experimental

ca_certificate_key_quality_check

(experimental) Checks the quality of the CA certificate key.

The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size.

This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER.

Default:

true

Stability:

experimental

conflicting_client_ids_check

(experimental) Checks if multiple devices connect using the same client ID.

Default:

true

Stability:

experimental

device_certificate_expiring_check

(experimental) Checks if a device certificate is expiring.

This check applies to device certificates expiring within 30 days or that have expired.

Default:

true

Stability:

experimental

device_certificate_key_quality_check

(experimental) Checks the quality of the device certificate key.

The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.

Default:

true

Stability:

experimental

device_certificate_shared_check

(experimental) Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT.

Default:

true

Stability:

experimental

intermediate_ca_revoked_for_active_device_certificates_check

(experimental) Checks if device certificates are still active despite being revoked by an intermediate CA.

Default:

true

Stability:

experimental

io_t_policy_potential_mis_configuration_check

(experimental) Checks if an AWS IoT policy is potentially misconfigured.

Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources.

This check is a warning for you to make sure that only intended actions are allowed before updating the policy.

Default:

true

Stability:

experimental

iot_policy_overly_permissive_check

(experimental) Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.

Default:

true

Stability:

experimental

iot_role_alias_allows_access_to_unused_services_check

(experimental) Checks if a role alias has access to services that haven’t been used for the AWS IoT device in the last year.

Default:

true

Stability:

experimental

iot_role_alias_overly_permissive_check

(experimental) Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.

Default:

true

Stability:

experimental

logging_disabled_check

(experimental) Checks if AWS IoT logs are disabled.

Default:

true

Stability:

experimental

revoked_ca_certificate_still_active_check

(experimental) Checks if a revoked CA certificate is still active.

Default:

true

Stability:

experimental

revoked_device_certificate_still_active_check

(experimental) Checks if a revoked device certificate is still active.

Default:

true

Stability:

experimental

unauthenticated_cognito_role_overly_permissive_check

(experimental) Checks if a policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

Default:

true

Stability:

experimental