0
# Security & Identity Services
1
2
Comprehensive security and identity management including IAM for access control, KMS for encryption, certificate management, and security monitoring services.
3
4
## Capabilities
5
6
### IAM - Identity and Access Management
7
8
AWS Identity and Access Management enables secure control of access to AWS services and resources.
9
10
```typescript { .api }
11
/**
12
* IAM User
13
*/
14
class iam.User extends pulumi.CustomResource {
15
constructor(name: string, args?: iam.UserArgs, opts?: pulumi.CustomResourceOptions);
16
17
/** User ARN */
18
readonly arn: pulumi.Output<string>;
19
/** User name */
20
readonly name: pulumi.Output<string>;
21
/** Unique ID */
22
readonly uniqueId: pulumi.Output<string>;
23
/** Path */
24
readonly path: pulumi.Output<string>;
25
/** Permissions boundary */
26
readonly permissionsBoundary: pulumi.Output<string>;
27
/** Force destroy */
28
readonly forceDestroy: pulumi.Output<boolean>;
29
/** Resource tags */
30
readonly tags: pulumi.Output<{[key: string]: string}>;
31
}
32
33
interface iam.UserArgs {
34
/** User name */
35
name?: pulumi.Input<string>;
36
/** Path for the user */
37
path?: pulumi.Input<string>;
38
/** Permissions boundary policy ARN */
39
permissionsBoundary?: pulumi.Input<string>;
40
/** Force destroy user on deletion */
41
forceDestroy?: pulumi.Input<boolean>;
42
/** Resource tags */
43
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
44
}
45
46
/**
47
* IAM Role
48
*/
49
class iam.Role extends pulumi.CustomResource {
50
constructor(name: string, args: iam.RoleArgs, opts?: pulumi.CustomResourceOptions);
51
52
/** Role ARN */
53
readonly arn: pulumi.Output<string>;
54
/** Role name */
55
readonly name: pulumi.Output<string>;
56
/** Unique ID */
57
readonly uniqueId: pulumi.Output<string>;
58
/** Path */
59
readonly path: pulumi.Output<string>;
60
/** Assume role policy document */
61
readonly assumeRolePolicy: pulumi.Output<string>;
62
/** Description */
63
readonly description: pulumi.Output<string>;
64
/** Maximum session duration */
65
readonly maxSessionDuration: pulumi.Output<number>;
66
/** Permissions boundary */
67
readonly permissionsBoundary: pulumi.Output<string>;
68
/** Resource tags */
69
readonly tags: pulumi.Output<{[key: string]: string}>;
70
}
71
72
interface iam.RoleArgs {
73
/** Assume role policy document (JSON) */
74
assumeRolePolicy: pulumi.Input<string>;
75
/** Role name */
76
name?: pulumi.Input<string>;
77
/** Path for the role */
78
path?: pulumi.Input<string>;
79
/** Description */
80
description?: pulumi.Input<string>;
81
/** Maximum session duration in seconds */
82
maxSessionDuration?: pulumi.Input<number>;
83
/** Permissions boundary policy ARN */
84
permissionsBoundary?: pulumi.Input<string>;
85
/** Force detach policies on deletion */
86
forceDetachPolicies?: pulumi.Input<boolean>;
87
/** Resource tags */
88
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
89
}
90
91
/**
92
* IAM Policy
93
*/
94
class iam.Policy extends pulumi.CustomResource {
95
constructor(name: string, args: iam.PolicyArgs, opts?: pulumi.CustomResourceOptions);
96
97
/** Policy ARN */
98
readonly arn: pulumi.Output<string>;
99
/** Policy name */
100
readonly name: pulumi.Output<string>;
101
/** Policy document */
102
readonly policy: pulumi.Output<string>;
103
/** Path */
104
readonly path: pulumi.Output<string>;
105
/** Description */
106
readonly description: pulumi.Output<string>;
107
/** Resource tags */
108
readonly tags: pulumi.Output<{[key: string]: string}>;
109
}
110
111
interface iam.PolicyArgs {
112
/** Policy document (JSON) */
113
policy: pulumi.Input<string>;
114
/** Policy name */
115
name?: pulumi.Input<string>;
116
/** Path for the policy */
117
path?: pulumi.Input<string>;
118
/** Description */
119
description?: pulumi.Input<string>;
120
/** Resource tags */
121
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
122
}
123
124
/**
125
* IAM Instance Profile
126
*/
127
class iam.InstanceProfile extends pulumi.CustomResource {
128
constructor(name: string, args?: iam.InstanceProfileArgs, opts?: pulumi.CustomResourceOptions);
129
130
/** Instance profile ARN */
131
readonly arn: pulumi.Output<string>;
132
/** Instance profile name */
133
readonly name: pulumi.Output<string>;
134
/** Path */
135
readonly path: pulumi.Output<string>;
136
/** Role */
137
readonly role: pulumi.Output<string>;
138
/** Unique ID */
139
readonly uniqueId: pulumi.Output<string>;
140
/** Resource tags */
141
readonly tags: pulumi.Output<{[key: string]: string}>;
142
}
143
144
/**
145
* IAM Policy Attachment
146
*/
147
class iam.RolePolicyAttachment extends pulumi.CustomResource {
148
constructor(name: string, args: iam.RolePolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions);
149
150
/** Role name */
151
readonly role: pulumi.Output<string>;
152
/** Policy ARN */
153
readonly policyArn: pulumi.Output<string>;
154
}
155
156
interface iam.RolePolicyAttachmentArgs {
157
/** Role name */
158
role: pulumi.Input<string>;
159
/** Policy ARN */
160
policyArn: pulumi.Input<string>;
161
}
162
```
163
164
**Usage Examples:**
165
166
```typescript
167
// Create IAM role for Lambda function
168
const lambdaRole = new aws.iam.Role("lambda-role", {
169
name: "lambda-execution-role",
170
assumeRolePolicy: JSON.stringify({
171
Version: "2012-10-17",
172
Statement: [{
173
Action: "sts:AssumeRole",
174
Effect: "Allow",
175
Principal: {
176
Service: "lambda.amazonaws.com"
177
}
178
}]
179
}),
180
description: "Execution role for Lambda functions",
181
tags: {
182
Name: "LambdaExecutionRole",
183
Purpose: "lambda-execution"
184
}
185
});
186
187
// Attach basic execution policy
188
const lambdaBasicPolicy = new aws.iam.RolePolicyAttachment("lambda-basic", {
189
role: lambdaRole.name,
190
policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
191
});
192
193
// Create custom policy for S3 access
194
const s3Policy = new aws.iam.Policy("s3-access", {
195
name: "S3AccessPolicy",
196
description: "Policy for S3 bucket access",
197
policy: JSON.stringify({
198
Version: "2012-10-17",
199
Statement: [{
200
Effect: "Allow",
201
Action: [
202
"s3:GetObject",
203
"s3:PutObject",
204
"s3:DeleteObject"
205
],
206
Resource: `${bucket.arn}/*`
207
}, {
208
Effect: "Allow",
209
Action: [
210
"s3:ListBucket"
211
],
212
Resource: bucket.arn
213
}]
214
})
215
});
216
217
// Attach custom policy to role
218
const s3PolicyAttachment = new aws.iam.RolePolicyAttachment("s3-policy", {
219
role: lambdaRole.name,
220
policyArn: s3Policy.arn
221
});
222
223
// Create instance profile for EC2
224
const instanceProfile = new aws.iam.InstanceProfile("ec2-profile", {
225
name: "ec2-instance-profile",
226
role: lambdaRole.name,
227
tags: {
228
Name: "EC2InstanceProfile"
229
}
230
});
231
232
// Create IAM user with programmatic access
233
const apiUser = new aws.iam.User("api-user", {
234
name: "api-service-user",
235
path: "/service-accounts/",
236
tags: {
237
Name: "APIServiceUser",
238
Purpose: "api-access"
239
}
240
});
241
242
// Create access key for user
243
const apiUserKey = new aws.iam.AccessKey("api-user-key", {
244
user: apiUser.name
245
});
246
```
247
248
### KMS - Key Management Service
249
250
AWS Key Management Service creates and manages cryptographic keys for data encryption.
251
252
```typescript { .api }
253
/**
254
* KMS Key
255
*/
256
class kms.Key extends pulumi.CustomResource {
257
constructor(name: string, args?: kms.KeyArgs, opts?: pulumi.CustomResourceOptions);
258
259
/** Key ARN */
260
readonly arn: pulumi.Output<string>;
261
/** Key ID */
262
readonly keyId: pulumi.Output<string>;
263
/** Description */
264
readonly description: pulumi.Output<string>;
265
/** Key usage */
266
readonly keyUsage: pulumi.Output<string>;
267
/** Key spec */
268
readonly keySpec: pulumi.Output<string>;
269
/** Policy */
270
readonly policy: pulumi.Output<string>;
271
/** Deletion window in days */
272
readonly deletionWindowInDays: pulumi.Output<number>;
273
/** Enable key */
274
readonly isEnabled: pulumi.Output<boolean>;
275
/** Enable key rotation */
276
readonly enableKeyRotation: pulumi.Output<boolean>;
277
/** Multi-region key */
278
readonly multiRegion: pulumi.Output<boolean>;
279
/** Resource tags */
280
readonly tags: pulumi.Output<{[key: string]: string}>;
281
}
282
283
interface kms.KeyArgs {
284
/** Description */
285
description?: pulumi.Input<string>;
286
/** Key usage (ENCRYPT_DECRYPT, SIGN_VERIFY) */
287
keyUsage?: pulumi.Input<string>;
288
/** Key spec */
289
keySpec?: pulumi.Input<string>;
290
/** Key policy document (JSON) */
291
policy?: pulumi.Input<string>;
292
/** Deletion window in days (7-30) */
293
deletionWindowInDays?: pulumi.Input<number>;
294
/** Enable key */
295
isEnabled?: pulumi.Input<boolean>;
296
/** Enable automatic key rotation */
297
enableKeyRotation?: pulumi.Input<boolean>;
298
/** Multi-region key */
299
multiRegion?: pulumi.Input<boolean>;
300
/** Resource tags */
301
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
302
}
303
304
/**
305
* KMS Alias
306
*/
307
class kms.Alias extends pulumi.CustomResource {
308
constructor(name: string, args: kms.AliasArgs, opts?: pulumi.CustomResourceOptions);
309
310
/** Alias ARN */
311
readonly arn: pulumi.Output<string>;
312
/** Alias name */
313
readonly name: pulumi.Output<string>;
314
/** Target key ID */
315
readonly targetKeyId: pulumi.Output<string>;
316
}
317
318
interface kms.AliasArgs {
319
/** Alias name (must start with 'alias/') */
320
name: pulumi.Input<string>;
321
/** Target key ID or ARN */
322
targetKeyId: pulumi.Input<string>;
323
}
324
325
/**
326
* KMS Grant
327
*/
328
class kms.Grant extends pulumi.CustomResource {
329
constructor(name: string, args: kms.GrantArgs, opts?: pulumi.CustomResourceOptions);
330
331
/** Grant ID */
332
readonly keyId: pulumi.Output<string>;
333
/** Grantee principal */
334
readonly granteePrincipal: pulumi.Output<string>;
335
/** Operations */
336
readonly operations: pulumi.Output<string[]>;
337
/** Grant token */
338
readonly token: pulumi.Output<string>;
339
}
340
```
341
342
**Usage Examples:**
343
344
```typescript
345
// Create KMS key for encryption
346
const encryptionKey = new aws.kms.Key("encryption-key", {
347
description: "Key for application data encryption",
348
keyUsage: "ENCRYPT_DECRYPT",
349
enableKeyRotation: true,
350
policy: JSON.stringify({
351
Version: "2012-10-17",
352
Statement: [
353
{
354
Sid: "Enable IAM User Permissions",
355
Effect: "Allow",
356
Principal: {
357
AWS: `arn:aws:iam::${current.accountId}:root`
358
},
359
Action: "kms:*",
360
Resource: "*"
361
},
362
{
363
Sid: "Allow use of the key",
364
Effect: "Allow",
365
Principal: {
366
AWS: lambdaRole.arn
367
},
368
Action: [
369
"kms:Encrypt",
370
"kms:Decrypt",
371
"kms:ReEncrypt*",
372
"kms:GenerateDataKey*",
373
"kms:DescribeKey"
374
],
375
Resource: "*"
376
}
377
]
378
}),
379
tags: {
380
Name: "ApplicationEncryptionKey",
381
Purpose: "data-encryption"
382
}
383
});
384
385
// Create alias for the key
386
const keyAlias = new aws.kms.Alias("encryption-key-alias", {
387
name: "alias/application-encryption",
388
targetKeyId: encryptionKey.keyId
389
});
390
391
// Create grant for specific operations
392
const lambdaGrant = new aws.kms.Grant("lambda-grant", {
393
keyId: encryptionKey.keyId,
394
granteePrincipal: lambdaRole.arn,
395
operations: [
396
"Encrypt",
397
"Decrypt",
398
"GenerateDataKey"
399
]
400
});
401
```
402
403
### ACM - Certificate Manager
404
405
AWS Certificate Manager provisions and manages SSL/TLS certificates for AWS services.
406
407
```typescript { .api }
408
/**
409
* ACM Certificate
410
*/
411
class acm.Certificate extends pulumi.CustomResource {
412
constructor(name: string, args: acm.CertificateArgs, opts?: pulumi.CustomResourceOptions);
413
414
/** Certificate ARN */
415
readonly arn: pulumi.Output<string>;
416
/** Domain name */
417
readonly domainName: pulumi.Output<string>;
418
/** Subject alternative names */
419
readonly subjectAlternativeNames: pulumi.Output<string[]>;
420
/** Validation method */
421
readonly validationMethod: pulumi.Output<string>;
422
/** Domain validation options */
423
readonly domainValidationOptions: pulumi.Output<acm.CertificateDomainValidationOption[]>;
424
/** Status */
425
readonly status: pulumi.Output<string>;
426
/** Resource tags */
427
readonly tags: pulumi.Output<{[key: string]: string}>;
428
}
429
430
interface acm.CertificateArgs {
431
/** Domain name */
432
domainName: pulumi.Input<string>;
433
/** Subject alternative names */
434
subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;
435
/** Validation method (DNS or EMAIL) */
436
validationMethod?: pulumi.Input<string>;
437
/** Lifecycle rule */
438
lifecycle?: pulumi.Input<acm.CertificateLifecycle>;
439
/** Resource tags */
440
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
441
}
442
443
/**
444
* ACM Certificate Validation
445
*/
446
class acm.CertificateValidation extends pulumi.CustomResource {
447
constructor(name: string, args: acm.CertificateValidationArgs, opts?: pulumi.CustomResourceOptions);
448
449
/** Certificate ARN */
450
readonly certificateArn: pulumi.Output<string>;
451
/** Validation record FQDNs */
452
readonly validationRecordFqdns: pulumi.Output<string[]>;
453
}
454
455
interface acm.CertificateValidationArgs {
456
/** Certificate ARN */
457
certificateArn: pulumi.Input<string>;
458
/** Validation record FQDNs */
459
validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;
460
/** Timeout */
461
timeouts?: pulumi.Input<acm.CertificateValidationTimeouts>;
462
}
463
```
464
465
**Usage Examples:**
466
467
```typescript
468
// Request SSL certificate with DNS validation
469
const certificate = new aws.acm.Certificate("ssl-cert", {
470
domainName: "example.com",
471
subjectAlternativeNames: ["*.example.com"],
472
validationMethod: "DNS",
473
lifecycle: {
474
createBeforeDestroy: true
475
},
476
tags: {
477
Name: "ExampleSSLCert",
478
Environment: "production"
479
}
480
});
481
482
// Create validation DNS records
483
const certValidationRecords = certificate.domainValidationOptions.apply(options =>
484
options.map(option =>
485
new aws.route53.Record(`cert-validation-${option.domainName}`, {
486
zoneId: zone.zoneId,
487
name: option.resourceRecordName,
488
type: option.resourceRecordType,
489
records: [option.resourceRecordValue],
490
ttl: 60
491
})
492
)
493
);
494
495
// Validate certificate
496
const certificateValidation = new aws.acm.CertificateValidation("cert-validation", {
497
certificateArn: certificate.arn,
498
validationRecordFqdns: certValidationRecords.apply(records =>
499
records.map(record => record.fqdn)
500
)
501
});
502
```
503
504
### Secrets Manager
505
506
AWS Secrets Manager securely stores and manages sensitive information like API keys and database passwords.
507
508
```typescript { .api }
509
/**
510
* Secrets Manager Secret
511
*/
512
class secretsmanager.Secret extends pulumi.CustomResource {
513
constructor(name: string, args?: secretsmanager.SecretArgs, opts?: pulumi.CustomResourceOptions);
514
515
/** Secret ARN */
516
readonly arn: pulumi.Output<string>;
517
/** Secret name */
518
readonly name: pulumi.Output<string>;
519
/** Description */
520
readonly description: pulumi.Output<string>;
521
/** KMS key ID */
522
readonly kmsKeyId: pulumi.Output<string>;
523
/** Recovery window in days */
524
readonly recoveryWindowInDays: pulumi.Output<number>;
525
/** Resource tags */
526
readonly tags: pulumi.Output<{[key: string]: string}>;
527
}
528
529
interface secretsmanager.SecretArgs {
530
/** Secret name */
531
name?: pulumi.Input<string>;
532
/** Description */
533
description?: pulumi.Input<string>;
534
/** KMS key ID for encryption */
535
kmsKeyId?: pulumi.Input<string>;
536
/** Recovery window in days (0-30) */
537
recoveryWindowInDays?: pulumi.Input<number>;
538
/** Force overwrite of replica secret */
539
forceOverwriteReplicaSecret?: pulumi.Input<boolean>;
540
/** Resource tags */
541
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
542
}
543
544
/**
545
* Secret Version
546
*/
547
class secretsmanager.SecretVersion extends pulumi.CustomResource {
548
constructor(name: string, args: secretsmanager.SecretVersionArgs, opts?: pulumi.CustomResourceOptions);
549
550
/** Secret ID */
551
readonly secretId: pulumi.Output<string>;
552
/** Secret string */
553
readonly secretString: pulumi.Output<string>;
554
/** Secret binary */
555
readonly secretBinary: pulumi.Output<string>;
556
/** Version ID */
557
readonly versionId: pulumi.Output<string>;
558
/** Version stages */
559
readonly versionStages: pulumi.Output<string[]>;
560
}
561
562
interface secretsmanager.SecretVersionArgs {
563
/** Secret ID or ARN */
564
secretId: pulumi.Input<string>;
565
/** Secret string value */
566
secretString?: pulumi.Input<string>;
567
/** Secret binary value */
568
secretBinary?: pulumi.Input<string>;
569
/** Version stages */
570
versionStages?: pulumi.Input<pulumi.Input<string>[]>;
571
}
572
```
573
574
**Usage Examples:**
575
576
```typescript
577
// Create secret for database password
578
const dbSecret = new aws.secretsmanager.Secret("db-password", {
579
name: "prod/database/password",
580
description: "Database password for production environment",
581
kmsKeyId: encryptionKey.arn,
582
tags: {
583
Name: "DatabasePassword",
584
Environment: "production"
585
}
586
});
587
588
// Set secret value
589
const dbSecretVersion = new aws.secretsmanager.SecretVersion("db-password-version", {
590
secretId: dbSecret.id,
591
secretString: JSON.stringify({
592
username: "dbadmin",
593
password: "super-secure-password",
594
host: database.endpoint,
595
port: database.port,
596
dbname: database.dbName
597
})
598
});
599
600
// Create secret for API keys
601
const apiSecret = new aws.secretsmanager.Secret("api-keys", {
602
name: "prod/api/keys",
603
description: "API keys for external services",
604
tags: {
605
Name: "APIKeys",
606
Environment: "production"
607
}
608
});
609
610
const apiSecretVersion = new aws.secretsmanager.SecretVersion("api-keys-version", {
611
secretId: apiSecret.id,
612
secretString: JSON.stringify({
613
stripeKey: "sk_live_...",
614
twilioKey: "AC...",
615
googleMapsKey: "AIza..."
616
})
617
});
618
```