AWS security and identity services provide authentication, authorization, access control, and encryption capabilities for securing cloud resources and applications.
Manage users, groups, roles, and permissions for AWS resources with fine-grained access control.
/**
* IAM role for AWS services and users
*/
class Role extends Resource implements IRole {
constructor(scope: Construct, id: string, props: RoleProps);
/**
* Import an existing role by ARN
*/
static fromRoleArn(scope: Construct, id: string, roleArn: string, options?: FromRoleArnOptions): IRole;
/**
* Import an existing role by name
*/
static fromRoleName(scope: Construct, id: string, roleName: string, options?: FromRoleNameOptions): IRole;
/**
* Add a policy statement to the role's default policy
*/
addToPolicy(statement: PolicyStatement): boolean;
/**
* Attach a managed policy to this role
*/
addManagedPolicy(policy: IManagedPolicy): void;
/**
* Grant the actions defined in actions to the identity Principal on this resource
*/
grantPassRole(identity: IGrantable): Grant;
/**
* Grant permissions to assume this role
*/
grantAssumeRole(identity: IPrincipal): Grant;
readonly assumeRoleAction: string;
readonly grantPrincipal: IPrincipal;
readonly policyFragment: PrincipalPolicyFragment;
readonly roleArn: string;
readonly roleName: string;
}
/**
* Managed policy that can be attached to users, groups, and roles
*/
class ManagedPolicy extends Resource implements IManagedPolicy {
constructor(scope: Construct, id: string, props?: ManagedPolicyProps);
/**
* Import an existing managed policy by ARN
*/
static fromAwsManagedPolicyName(managedPolicyName: string): IManagedPolicy;
/**
* Import a customer managed policy by ARN
*/
static fromManagedPolicyArn(scope: Construct, id: string, managedPolicyArn: string): IManagedPolicy;
/**
* Import a customer managed policy by name
*/
static fromManagedPolicyName(scope: Construct, id: string, managedPolicyName: string): IManagedPolicy;
/**
* Add a statement to this policy
*/
addStatements(...statement: PolicyStatement[]): void;
readonly managedPolicyArn: string;
readonly managedPolicyName: string;
readonly document: PolicyDocument;
}
/**
* Policy statement for IAM policies
*/
class PolicyStatement {
constructor(props?: PolicyStatementProps);
/**
* Add a condition to the statement
*/
addCondition(key: string, value: any): void;
/**
* Add actions to the statement
*/
addActions(...actions: string[]): void;
/**
* Add resources to the statement
*/
addResources(...arns: string[]): void;
/**
* Add principals to the statement
*/
addPrincipals(...principals: IPrincipal[]): void;
/**
* Add a principal to the statement
*/
addArnPrincipal(arn: string): void;
readonly actions: string[];
readonly conditions: any;
readonly effect: Effect;
readonly notActions: string[];
readonly notPrincipals: IPrincipal[];
readonly notResources: string[];
readonly principals: IPrincipal[];
readonly resources: string[];
}Manage encryption keys for securing data at rest and in transit across AWS services.
/**
* KMS encryption key
*/
class Key extends Resource implements IKey {
constructor(scope: Construct, id: string, props?: KeyProps);
/**
* Import an existing KMS key by ARN
*/
static fromKeyArn(scope: Construct, id: string, keyArn: string): IKey;
/**
* Import an existing KMS key by alias
*/
static fromLookup(scope: Construct, id: string, options: KeyLookupOptions): IKey;
/**
* Grant decryption permissions for this key to the given principal
*/
grantDecrypt(grantee: IGrantable): Grant;
/**
* Grant encryption permissions for this key to the given principal
*/
grantEncrypt(grantee: IGrantable): Grant;
/**
* Grant encryption and decryption permissions for this key to the given principal
*/
grantEncryptDecrypt(grantee: IGrantable): Grant;
/**
* Grant permissions to generate data keys protected by this key to the given principal
*/
grantGenerateDataKey(grantee: IGrantable): Grant;
readonly keyArn: string;
readonly keyId: string;
}
/**
* KMS key alias
*/
class Alias extends Resource {
constructor(scope: Construct, id: string, props: AliasProps);
/**
* Import an existing KMS alias by name
*/
static fromAliasName(scope: Construct, id: string, aliasName: string): IAlias;
readonly aliasName: string;
readonly aliasTargetKey: IKey;
readonly keyArn: string;
readonly keyId: string;
}Securely store and manage sensitive information like passwords, API keys, and database credentials.
/**
* Secret stored in AWS Secrets Manager
*/
class Secret extends Resource implements ISecret {
constructor(scope: Construct, id: string, props?: SecretProps);
/**
* Import an existing secret by name
*/
static fromSecretNameV2(scope: Construct, id: string, secretName: string): ISecret;
/**
* Import an existing secret by ARN
*/
static fromSecretCompleteArn(scope: Construct, id: string, secretCompleteArn: string): ISecret;
/**
* Add rotation to this secret
*/
addRotationSchedule(id: string, options: RotationScheduleOptions): RotationSchedule;
/**
* Grant read permissions for this secret to an IAM principal
*/
grantRead(grantee: IGrantable, versionstages?: string[]): Grant;
/**
* Grant write permissions for this secret to an IAM principal
*/
grantWrite(grantee: IGrantable): Grant;
/**
* Add a value to the secret
*/
addToResourcePolicy(statement: PolicyStatement): AddToResourcePolicyResult;
readonly secretArn: string;
readonly secretName: string;
readonly secretFullArn?: string;
readonly encryptionKey?: IKey;
}interface RoleProps {
readonly assumedBy: IPrincipal;
readonly description?: string;
readonly externalIds?: string[];
readonly inlinePolicies?: { [name: string]: PolicyDocument };
readonly managedPolicies?: IManagedPolicy[];
readonly maxSessionDuration?: Duration;
readonly path?: string;
readonly permissionsBoundary?: IManagedPolicy;
readonly roleName?: string;
}
interface ManagedPolicyProps {
readonly description?: string;
readonly document?: PolicyDocument;
readonly groups?: IGroup[];
readonly managedPolicyName?: string;
readonly path?: string;
readonly roles?: IRole[];
readonly statements?: PolicyStatement[];
readonly users?: IUser[];
}
interface PolicyStatementProps {
readonly actions?: string[];
readonly conditions?: { [key: string]: any };
readonly effect?: Effect;
readonly notActions?: string[];
readonly notPrincipals?: IPrincipal[];
readonly notResources?: string[];
readonly principals?: IPrincipal[];
readonly resources?: string[];
readonly sid?: string;
}
interface KeyProps {
readonly admins?: IPrincipal[];
readonly alias?: string;
readonly description?: string;
readonly enabled?: boolean;
readonly enableKeyRotation?: boolean;
readonly keySpec?: KeySpec;
readonly keyUsage?: KeyUsage;
readonly origin?: KeyOrigin;
readonly policy?: PolicyDocument;
readonly removalPolicy?: RemovalPolicy;
readonly rotationPeriod?: Duration;
}
interface SecretProps {
readonly description?: string;
readonly encryptionKey?: IKey;
readonly generateSecretString?: SecretStringGenerator;
readonly removalPolicy?: RemovalPolicy;
readonly replicaRegions?: ReplicaRegion[];
readonly secretName?: string;
readonly secretObjectValue?: SecretValue;
readonly secretStringBeta1?: SecretValue;
readonly secretStringValue?: SecretValue;
}
enum Effect {
ALLOW = "Allow",
DENY = "Deny"
}
enum KeySpec {
SYMMETRIC_DEFAULT = "SYMMETRIC_DEFAULT",
RSA_2048 = "RSA_2048",
RSA_3072 = "RSA_3072",
RSA_4096 = "RSA_4096",
ECC_NIST_P256 = "ECC_NIST_P256",
ECC_NIST_P384 = "ECC_NIST_P384",
ECC_NIST_P521 = "ECC_NIST_P521",
ECC_SECG_P256K1 = "ECC_SECG_P256K1",
HMAC_224 = "HMAC_224",
HMAC_256 = "HMAC_256",
HMAC_384 = "HMAC_384",
HMAC_512 = "HMAC_512",
SM2 = "SM2"
}
enum KeyUsage {
ENCRYPT_DECRYPT = "ENCRYPT_DECRYPT",
SIGN_VERIFY = "SIGN_VERIFY",
GENERATE_VERIFY_MAC = "GENERATE_VERIFY_MAC"
}
enum KeyOrigin {
AWS_KMS = "AWS_KMS",
EXTERNAL = "EXTERNAL",
AWS_CLOUDHSM = "AWS_CLOUDHSM",
EXTERNAL_KEY_STORE = "EXTERNAL_KEY_STORE"
}