Interface for Prerequisites Stacks in the Firewall Factory

interface PrerequisitesConfig {
    DdosNotifications?: {
        WebhookSopsFile: string;
    };
    General: {
        Prefix: string;
    };
    Grafana?: {
        BucketKmsKey?: string;
        BucketName?: string;
        DelegatedAdminAccountId?: string;
        FmsLogAthenaDatabase: string;
        FmsLogsAthenaTable: string;
        TimeWindow: number;
    };
    Information?: {
        WebhookSopsFile: string;
    };
    Logging?: {
        Athena?: {
            DatabaseName?: string;
            Regions?: string;
            TableName: string;
        };
        BucketProperties?: {
            BucketName?: string;
            KmsEncryptionKey: boolean;
            ObjectLock?: {
                Days: number;
                Mode: "GOVERNANCE" | "COMPLIANCE";
            };
        };
        CrossAccountIdforPermissions?: string;
        FireHoseKey?: {
            KeyAlias: string;
        };
    };
    UnutilizedWafs?: {
        CrossAccountRoleName: string;
        ScheduleExpression: Schedule;
        SkipWafRegexString?: string;
        WebhookSopsFile: string;
    };
}

Properties

DdosNotifications?: {
    WebhookSopsFile: string;
}

Adds a Lambda function to the prerequisites stack that sends notifications about potential DDoS activity against protected resources to messengers (Slack/Teams). This feature works together with AWS Shield Advanced.

Type declaration

  • WebhookSopsFile: string

    Define the Sops file containing the Slack or Teams webhook URL.

General: {
    Prefix: string;
}

Type declaration

  • Readonly Prefix: string

    Defines a Prefix which will be added to all resources.

Grafana?: {
    BucketKmsKey?: string;
    BucketName?: string;
    DelegatedAdminAccountId?: string;
    FmsLogAthenaDatabase: string;
    FmsLogsAthenaTable: string;
    TimeWindow: number;
}

Type declaration

  • Optional Readonly BucketKmsKey?: string
  • Optional Readonly BucketName?: string

    S3 bucket where the FMS logs are being stored. Allowed Pattern: ^[a-z0-9][a-z0-9//.//-]*[a-z0-9]$

  • Optional Readonly DelegatedAdminAccountId?: string

    Firewall Manager delegated admin account ID @TJS-pattern "^[0-9]{12}$"

  • Readonly FmsLogAthenaDatabase: string
  • Readonly FmsLogsAthenaTable: string
  • Readonly TimeWindow: number

Information?: {
    WebhookSopsFile: string;
}

Adds a Lambda function to the prerequisites stack that sends notifications to messengers (Slack/Teams) when new versions of, or updates to, an AWS managed rule group appear.

Logging?: {
    Athena?: {
        DatabaseName?: string;
        Regions?: string;
        TableName: string;
    };
    BucketProperties?: {
        BucketName?: string;
        KmsEncryptionKey: boolean;
        ObjectLock?: {
            Days: number;
            Mode: "GOVERNANCE" | "COMPLIANCE";
        };
    };
    CrossAccountIdforPermissions?: string;
    FireHoseKey?: {
        KeyAlias: string;
    };
}

Type declaration

  • Optional Readonly Athena?: {
        DatabaseName?: string;
        Regions?: string;
        TableName: string;
    }
    • Optional Readonly DatabaseName?: string

      Define the Athena database in which the table will be created.

    • Optional Readonly Regions?: string

      Define the AWS Regions where FMS WAFs will be created. This value is used to create the region index on the Athena table. If it is not set, the index is created for all AWS Regions using the public region parameter.

    • Readonly TableName: string

      Define the Athena table that will be created for the firewall logs.

  • Optional Readonly BucketProperties?: {
        BucketName?: string;
        KmsEncryptionKey: boolean;
        ObjectLock?: {
            Days: number;
            Mode: "GOVERNANCE" | "COMPLIANCE";
        };
    }
    • Optional Readonly BucketName?: string

      A name for the bucket. Allowed Pattern: ^[a-z0-9][a-z0-9//.//-]*[a-z0-9]$

    • Readonly KmsEncryptionKey: boolean

      Define whether a KMS key for the bucket will be created.

    • Optional Readonly ObjectLock?: {
          Days: number;
          Mode: "GOVERNANCE" | "COMPLIANCE";
      }

      Adds Object Lock (write-once-read-many, WORM) to the S3 bucket. Object Lock prevents objects from being deleted or overwritten for a fixed amount of time or indefinitely. Note that in GOVERNANCE mode a principal holding the s3:BypassGovernanceRetention permission can still override the retention; COMPLIANCE mode cannot be shortened by any user for the duration of the retention period, which is what you want for tamper-evident firewall logs.

      • Readonly Days: number
      • Readonly Mode: "GOVERNANCE" | "COMPLIANCE"
  • Optional Readonly CrossAccountIdforPermissions?: string

    Defines access to a central security account. Specify an account ID such as 123456789012. This is necessary if you want to use a different account for all your firewalls.

  • Optional Readonly FireHoseKey?: {
        KeyAlias: string;
    }

    Define whether a KMS key for Kinesis Data Firehose will be created.

    • Readonly KeyAlias: string

      Define the alias for the KMS key.
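The Grafana and Logging properties above carry constraints (bucket-name pattern, 12-digit account IDs, a positive Object Lock retention, a KMS key flag) that are only enforced once the CDK stacks synthesize. The following is an added example, not code from the Firewall Factory project, of a pre-deployment validator for those properties. The interface it declares is the subset of PrerequisitesConfig needed here (DdosNotifications, Information, UnutilizedWafs and FireHoseKey are omitted, so no aws-cdk-lib import is required); the two sample configs, the bucket names and the account IDs in them are constructed placeholders, and the GOVERNANCE/no-KMS-key warnings are this example's own policy, not a check the project performs.

```typescript
// Added example (not part of the Firewall Factory code base): pre-deployment
// validation of a PrerequisitesConfig. The interface is the subset of the
// page's PrerequisitesConfig that the validator touches.
interface PrerequisitesConfig {
  General: { Prefix: string };
  Grafana?: {
    BucketKmsKey?: string;
    BucketName?: string;
    DelegatedAdminAccountId?: string;
    FmsLogAthenaDatabase: string;
    FmsLogsAthenaTable: string;
    TimeWindow: number;
  };
  Logging?: {
    Athena?: { DatabaseName?: string; Regions?: string; TableName: string };
    BucketProperties?: {
      BucketName?: string;
      KmsEncryptionKey: boolean;
      ObjectLock?: { Days: number; Mode: "GOVERNANCE" | "COMPLIANCE" };
    };
    CrossAccountIdforPermissions?: string;
  };
}

// The page's bucket pattern ^[a-z0-9][a-z0-9//.//-]*[a-z0-9]$ as a JS regex
// literal, and the 12-digit pattern from the DelegatedAdminAccountId annotation.
const BUCKET_NAME = /^[a-z0-9][a-z0-9.-]*[a-z0-9]$/;
const ACCOUNT_ID = /^[0-9]{12}$/;

interface ValidationResult { errors: string[]; warnings: string[] }

// Errors block deployment; warnings flag settings that weaken log integrity.
function validatePrerequisitesConfig(cfg: PrerequisitesConfig): ValidationResult {
  const errors: string[] = [];
  const warnings: string[] = [];

  if (cfg.General.Prefix.trim() === "") errors.push("General.Prefix must not be empty");

  const g = cfg.Grafana;
  if (g) {
    if (g.BucketName !== undefined && !BUCKET_NAME.test(g.BucketName))
      errors.push(`Grafana.BucketName "${g.BucketName}" does not match ${BUCKET_NAME}`);
    if (g.DelegatedAdminAccountId !== undefined && !ACCOUNT_ID.test(g.DelegatedAdminAccountId))
      errors.push("Grafana.DelegatedAdminAccountId must be a 12-digit account ID");
    if (!Number.isInteger(g.TimeWindow) || g.TimeWindow <= 0)
      errors.push("Grafana.TimeWindow must be a positive integer");
  }

  const l = cfg.Logging;
  if (l) {
    const b = l.BucketProperties;
    if (b) {
      if (b.BucketName !== undefined && !BUCKET_NAME.test(b.BucketName))
        errors.push(`Logging.BucketProperties.BucketName "${b.BucketName}" does not match ${BUCKET_NAME}`);
      if (!b.KmsEncryptionKey)
        warnings.push("Logging bucket will be created without a customer-managed KMS key");
      if (b.ObjectLock) {
        if (!Number.isInteger(b.ObjectLock.Days) || b.ObjectLock.Days < 1)
          errors.push("Logging.BucketProperties.ObjectLock.Days must be >= 1");
        if (b.ObjectLock.Mode === "GOVERNANCE")
          warnings.push("ObjectLock GOVERNANCE mode can be bypassed by principals with s3:BypassGovernanceRetention; use COMPLIANCE for tamper-evident firewall logs");
      }
    }
    if (l.CrossAccountIdforPermissions !== undefined && !ACCOUNT_ID.test(l.CrossAccountIdforPermissions))
      errors.push("Logging.CrossAccountIdforPermissions must be a 12-digit account ID");
  }
  return { errors, warnings };
}

// Constructed sample configs; bucket names and account IDs are placeholders.
const hardenedConfig: PrerequisitesConfig = {
  General: { Prefix: "fwf" },
  Grafana: { BucketName: "fwf-fms-logs", DelegatedAdminAccountId: "123456789012",
             FmsLogAthenaDatabase: "fmslogs", FmsLogsAthenaTable: "waflogs", TimeWindow: 7 },
  Logging: {
    Athena: { TableName: "waflogs" },
    BucketProperties: { BucketName: "fwf-waf-logs", KmsEncryptionKey: true,
                        ObjectLock: { Days: 365, Mode: "COMPLIANCE" } },
    CrossAccountIdforPermissions: "210987654321",
  },
};

const brokenConfig: PrerequisitesConfig = {
  General: { Prefix: "" },
  Grafana: { BucketName: "Fwf_Logs", DelegatedAdminAccountId: "12345",
             FmsLogAthenaDatabase: "fmslogs", FmsLogsAthenaTable: "waflogs", TimeWindow: 0 },
  Logging: {
    BucketProperties: { BucketName: "-bad-", KmsEncryptionKey: false,
                        ObjectLock: { Days: 0, Mode: "GOVERNANCE" } },
    CrossAccountIdforPermissions: "12345678901",
  },
};

console.log(validatePrerequisitesConfig(hardenedConfig));
console.log(validatePrerequisitesConfig(brokenConfig));
```

Run it with ts-node or compile with tsc; the hardened config yields no findings, while the broken one produces one error per violated constraint plus the two integrity warnings. Wiring this into a CI step before `cdk deploy` catches a mistyped account ID or a zero-day retention before the stack is created.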

UnutilizedWafs?: {
    CrossAccountRoleName: string;
    ScheduleExpression: Schedule;
    SkipWafRegexString?: string;
    WebhookSopsFile: string;
}

Adds a Step Function that identifies unutilized WAFs and sends information about them to messengers (Slack/Teams).

Type declaration

  • CrossAccountRoleName: string

    Define the cross-account role name for the Lambda that identifies unutilized WAFs in the managed accounts.

  • ScheduleExpression: Schedule

    Define the schedule for the Step Function. The ScheduleExpression is a cron expression that specifies when the rule is triggered.

  • Optional SkipWafRegexString?: string

    Define a regex; WAFs whose names match it are skipped.

  • WebhookSopsFile: string

    Define the Sops file containing the Slack or Teams webhook URL. https://github.com/dbsystel/cdk-sops-secrets