0
# Security & Identity Services
1
2
API reference for the `@pulumi/aws` security and identity services: IAM (Identity and Access Management), KMS (Key Management Service), Secrets Manager, and the security-monitoring services (GuardDuty, Security Hub, CloudTrail). The listings below are declaration-style summaries of each resource's constructor, outputs and arguments; the IAM section includes a runnable usage example.
3
4
## Capabilities
5
6
### IAM (Identity and Access Management)
7
8
Create and manage IAM users, roles, policies, and groups for access control.
9
10
```typescript { .api }
11
/**
 * Creates an IAM role.
 *
 * Two documents govern a role: the trust policy (`assumeRolePolicy`) decides
 * WHO may assume it, and the attached permission policies — capped by
 * `permissionsBoundary` when one is set — decide WHAT it may do. Audit both.
 */
class iam.Role extends pulumi.CustomResource {
    constructor(name: string, args: iam.RoleArgs, opts?: pulumi.ResourceOptions);

    /** The ARN assigned by AWS to this role */
    public readonly arn!: pulumi.Output<string>;
    /** The name of the role */
    public readonly name!: pulumi.Output<string>;
    /** The creation date of the IAM role */
    public readonly createDate!: pulumi.Output<string>;
    /** The trust policy: the JSON document that grants an entity permission to assume the role */
    public readonly assumeRolePolicy!: pulumi.Output<string>;
    /** Description of the role */
    public readonly description!: pulumi.Output<string>;
    /** Whether policies attached to this role are forcefully detached (mirrors `RoleArgs.forceDetachPolicies`, presumably applied when the role is deleted). This is NOT a service-linked-role indicator. */
    public readonly forceDetachPolicies!: pulumi.Output<boolean>;
    /** Maximum session duration, in seconds, for sessions that assume this role */
    public readonly maxSessionDuration!: pulumi.Output<number>;
    /** The path to the role */
    public readonly path!: pulumi.Output<string>;
    /** The permissions boundary ARN applied to the role — the ceiling on what any attached policy can grant */
    public readonly permissionsBoundary!: pulumi.Output<string>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
    /** The stable and unique string identifying the role */
    public readonly uniqueId!: pulumi.Output<string>;
}
40
41
/**
 * Arguments for `iam.Role`. Only `assumeRolePolicy` is required.
 */
interface iam.RoleArgs {
    /** The name of the role (optional) */
    name?: pulumi.Input<string>;
    /**
     * The trust policy: the JSON document that grants an entity permission to assume the role.
     * Name only the principals that actually need `sts:AssumeRole` (never a wildcard principal).
     * For service principals — as in the Lambda example below — consider adding an
     * `aws:SourceAccount` / `aws:SourceArn` `Condition` so a resource in another account cannot
     * assume the role through the service (confused-deputy mitigation).
     */
    assumeRolePolicy: pulumi.Input<string>;
    /** Description of the role */
    description?: pulumi.Input<string>;
    /** Whether policies attached to this role should be forcefully detached (presumably on deletion of the role) */
    forceDetachPolicies?: pulumi.Input<boolean>;
    /**
     * Maximum session duration (in seconds) that you want to set for the specified role.
     * AWS documents the accepted range as 3600–43200 (1–12 hours) — confirm against current IAM limits.
     * Shorter sessions shrink the window in which leaked temporary credentials remain usable.
     */
    maxSessionDuration?: pulumi.Input<number>;
    /** Path to the role */
    path?: pulumi.Input<string>;
    /**
     * The ARN of the policy that is used to set the permissions boundary for the role.
     * The role's effective permissions are the intersection of its attached policies and this
     * boundary; set it whenever role creation is delegated to non-administrators.
     */
    permissionsBoundary?: pulumi.Input<string>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
59
```
60
61
**Usage Example:**
62
63
```typescript
64
import * as aws from "@pulumi/aws";
65
66
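// Create an IAM role for Lambda execution.
//
// The trust policy names only the Lambda service principal, so any Lambda
// function in this account can assume the role. If a tighter trust boundary is
// required, add an `aws:SourceArn` / `aws:SourceAccount` Condition to the
// statement (AWS confused-deputy guidance); the values needed for that are
// not available in this standalone example.
const lambdaRole = new aws.iam.Role("lambda-execution-role", {
    name: "lambda-execution-role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Effect: "Allow",
            Principal: {
                Service: "lambda.amazonaws.com",
            },
        }],
    }),
    description: "IAM role for Lambda function execution",
    // Seconds; keep role sessions short-lived (one hour here).
    maxSessionDuration: 3600,
    tags: {
        Environment: "Production",
        ManagedBy: "Pulumi",
    },
});

// Create and attach a least-privilege logging policy.
//
// Lambda writes to log groups named /aws/lambda/<function-name>, so the grant
// is scoped to that prefix instead of every log group and stream in every
// region ("arn:aws:logs:*:*:*"). IAM ARN wildcards match across ":", so this
// single resource pattern also covers the log streams under those groups.
// Narrow the prefix to the exact function name once it is known.
const lambdaPolicy = new aws.iam.Policy("lambda-policy", {
    name: "lambda-execution-policy",
    description: "Policy for Lambda execution",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            Resource: "arn:aws:logs:*:*:log-group:/aws/lambda/*",
        }],
    }),
});

// Attach the customer-managed policy to the role (attach, rather than inline,
// so the same policy can be reused and audited as one object).
const policyAttachment = new aws.iam.RolePolicyAttachment("lambda-policy-attachment", {
    role: lambdaRole.name,
    policyArn: lambdaPolicy.arn,
});

// Exported so other stacks/functions can reference the role without
// re-deriving its ARN.
export const roleArn = lambdaRole.arn;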
111
```
112
113
### IAM Policies
114
115
Create and manage IAM policies for fine-grained access control.
116
117
```typescript { .api }
118
/**
 * Creates a customer-managed IAM policy: a standalone permission document
 * that is attached to principals such as roles (see `iam.RolePolicyAttachment`
 * in the usage example) rather than embedded inline in one of them.
 */
class iam.Policy extends pulumi.CustomResource {
    constructor(name: string, args: iam.PolicyArgs, opts?: pulumi.ResourceOptions);

    /** The ARN assigned by AWS to this policy (what attachments reference) */
    public readonly arn!: pulumi.Output<string>;
    /** The name of the policy */
    public readonly name!: pulumi.Output<string>;
    /** The description of the policy */
    public readonly description!: pulumi.Output<string>;
    /** The path of the policy in IAM */
    public readonly path!: pulumi.Output<string>;
    /** The policy document (JSON) */
    public readonly policy!: pulumi.Output<string>;
    /** The policy ID assigned by AWS */
    public readonly policyId!: pulumi.Output<string>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
}
139
140
/**
 * Arguments for `iam.Policy`. Only `policy` is required.
 */
interface iam.PolicyArgs {
    /** The name of the policy (optional) */
    name?: pulumi.Input<string>;
    /** Description of the IAM policy */
    description?: pulumi.Input<string>;
    /** Path in which to create the policy */
    path?: pulumi.Input<string>;
    /**
     * The policy document (JSON). Prefer explicit `Action` and `Resource` lists over `"*"`;
     * a policy that grants `"Action": "*"` on `"Resource": "*"` is administrator access regardless
     * of what the policy is named.
     */
    policy: pulumi.Input<string>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
152
```
153
154
### IAM Users and Groups
155
156
Create and manage IAM users and groups.
157
158
```typescript { .api }
159
/**
 * Creates an IAM user.
 *
 * Security note: IAM users are the principal type that carries long-lived
 * credentials (console passwords, access keys). Prefer roles assumed through
 * federation or by a service where possible; where users are unavoidable,
 * set a `permissionsBoundary` and require MFA.
 */
class iam.User extends pulumi.CustomResource {
    constructor(name: string, args?: iam.UserArgs, opts?: pulumi.ResourceOptions);

    /** The ARN assigned by AWS for this user */
    public readonly arn!: pulumi.Output<string>;
    /** The user's name */
    public readonly name!: pulumi.Output<string>;
    /** The path to the user */
    public readonly path!: pulumi.Output<string>;
    /** The permissions boundary ARN applied to the user — the ceiling on what attached policies can grant */
    public readonly permissionsBoundary!: pulumi.Output<string>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
    /** The unique ID assigned by AWS */
    public readonly uniqueId!: pulumi.Output<string>;
}
178
179
/**
 * Creates an IAM group — a container for users so that permission policies
 * are attached once to the group instead of to each user.
 */
class iam.Group extends pulumi.CustomResource {
    constructor(name: string, args?: iam.GroupArgs, opts?: pulumi.ResourceOptions);

    /** The ARN assigned by AWS for this group */
    public readonly arn!: pulumi.Output<string>;
    /** The group's name */
    public readonly name!: pulumi.Output<string>;
    /** The path to the group */
    public readonly path!: pulumi.Output<string>;
    /** The unique ID assigned by AWS */
    public readonly uniqueId!: pulumi.Output<string>;
}
194
```
195
196
### KMS (Key Management Service)
197
198
Create and manage KMS keys. Access to a key is governed first by its key policy; IAM policies can grant key use only to the extent the key policy delegates to IAM.
199
200
```typescript { .api }
201
/**
 * Creates a KMS key.
 *
 * The key policy (`policy`) is the primary access-control document for the
 * key; IAM policies only work alongside it when the key policy allows that.
 */
class kms.Key extends pulumi.CustomResource {
    constructor(name: string, args?: kms.KeyArgs, opts?: pulumi.ResourceOptions);

    /** The globally unique identifier for the key */
    public readonly keyId!: pulumi.Output<string>;
    /** The ARN of the key */
    public readonly arn!: pulumi.Output<string>;
    /** The description of the key */
    public readonly description!: pulumi.Output<string>;
    /** Specifies whether the key is enabled (a disabled key cannot be used for any cryptographic operation) */
    public readonly isEnabled!: pulumi.Output<boolean>;
    /** The key policy JSON document */
    public readonly policy!: pulumi.Output<string>;
    /** The key spec (symmetric or asymmetric algorithm family) */
    public readonly keySpec!: pulumi.Output<string>;
    /** The key usage (what operations the key may perform) */
    public readonly keyUsage!: pulumi.Output<string>;
    /** Whether this is a multi-Region key (primary key whose material can be replicated to other regions) */
    public readonly multiRegion!: pulumi.Output<boolean>;
    /** Whether automatic rotation of the key material is enabled */
    public readonly keyRotationEnabled!: pulumi.Output<boolean>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
}
228
229
/**
 * Arguments for `kms.Key`. All fields are optional; the security-relevant
 * defaults are noted on each field.
 */
interface kms.KeyArgs {
    /** The description of the key */
    description?: pulumi.Input<string>;
    /** Specifies whether the key is enabled */
    isEnabled?: pulumi.Input<boolean>;
    /**
     * The key policy JSON document. When omitted, AWS applies its default key policy, which
     * grants the account's root principal full access and thereby lets IAM policies in the
     * account control use of the key. Supply an explicit policy to restrict key administration
     * and key use to specific principals.
     */
    policy?: pulumi.Input<string>;
    /**
     * Specifies whether automatic key rotation is enabled. Presumably off unless set — confirm
     * the provider default; enabling rotation is a common compliance baseline for symmetric keys.
     */
    enableKeyRotation?: pulumi.Input<boolean>;
    /** The key spec (e.g. `SYMMETRIC_DEFAULT`, or an RSA/ECC spec for asymmetric keys). Fixed at creation; changing it requires a new key. */
    keySpec?: pulumi.Input<string>;
    /** The key usage — per AWS docs one of `ENCRYPT_DECRYPT`, `SIGN_VERIFY`, `GENERATE_VERIFY_MAC`. Fixed at creation. */
    keyUsage?: pulumi.Input<string>;
    /** Indicates whether the KMS key is a multi-Region key (replicas share key material across regions) */
    multiRegion?: pulumi.Input<boolean>;
    /**
     * The number of days after which AWS KMS deletes the KMS key once deletion is scheduled.
     * AWS documents the range as 7–30 days — confirm the provider default (commonly 30).
     * Data encrypted under a deleted key is unrecoverable; prefer `isEnabled: false` when in doubt.
     */
    deletionWindowInDays?: pulumi.Input<number>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
249
```
250
251
### KMS Aliases
252
253
Create and manage KMS key aliases.
254
255
```typescript { .api }
256
/**
 * Creates a KMS alias — a stable, human-readable name that points at a key
 * and can be re-pointed (for example during a manual key rotation) without
 * changing callers.
 */
class kms.Alias extends pulumi.CustomResource {
    constructor(name: string, args: kms.AliasArgs, opts?: pulumi.ResourceOptions);

    /** The ARN of the key alias */
    public readonly arn!: pulumi.Output<string>;
    /** The display name of the alias */
    public readonly name!: pulumi.Output<string>;
    /** The Amazon resource name (ARN) of the key to which the alias refers */
    public readonly targetKeyArn!: pulumi.Output<string>;
    /** The key ID (not the ARN — see `targetKeyArn`) of the key pointed to by the alias */
    public readonly targetKeyId!: pulumi.Output<string>;
}
271
272
/**
 * Arguments for `kms.Alias`. Only `targetKeyId` is required.
 */
interface kms.AliasArgs {
    /** The display name of the alias. Per AWS, it must begin with `alias/`; the `alias/aws/` prefix is reserved for AWS-managed keys. */
    name?: pulumi.Input<string>;
    /** Identifier of the key the alias points to — accepts a key ID or a key ARN */
    targetKeyId: pulumi.Input<string>;
}
278
```
279
280
### Secrets Manager
281
282
Create and manage secrets in AWS Secrets Manager.
283
284
```typescript { .api }
285
/**
 * Creates a secret in AWS Secrets Manager.
 *
 * This resource is the container (name, encryption key, resource policy,
 * replication); the secret VALUE is written separately with
 * `secretsmanager.SecretVersion`.
 */
class secretsmanager.Secret extends pulumi.CustomResource {
    constructor(name: string, args?: secretsmanager.SecretArgs, opts?: pulumi.ResourceOptions);

    /** Amazon Resource Name (ARN) of the secret */
    public readonly arn!: pulumi.Output<string>;
    /** The name of the secret */
    public readonly name!: pulumi.Output<string>;
    /** A description of the secret */
    public readonly description!: pulumi.Output<string>;
    /** The ARN of the KMS key used to encrypt the secret */
    public readonly kmsKeyId!: pulumi.Output<string>;
    /** The JSON representation of the secret's resource policy */
    public readonly policy!: pulumi.Output<string>;
    /** The number of days that AWS Secrets Manager waits before deleting the secret */
    public readonly recoveryWindowInDays!: pulumi.Output<number>;
    /** The replica configuration (one entry per destination region) */
    public readonly replicas!: pulumi.Output<secretsmanager.SecretReplica[]>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
}
308
309
/**
 * Arguments for `secretsmanager.Secret`. All fields are optional.
 */
interface secretsmanager.SecretArgs {
    /** Name of the secret */
    name?: pulumi.Input<string>;
    /** Description of the secret */
    description?: pulumi.Input<string>;
    /**
     * Whether to overwrite a secret with the same name that already exists in a replica
     * destination region (applies to `replicas`). This is a replication flag, not a
     * force-delete option; see `recoveryWindowInDays` for deletion behaviour.
     */
    forceOverwriteReplicaSecret?: pulumi.Input<boolean>;
    /**
     * ARN of the KMS key used to encrypt the secret. When omitted, the AWS-managed key
     * `aws/secretsmanager` is used; a customer-managed key is needed if other accounts
     * must read the secret, and it lets you audit/restrict key use separately.
     */
    kmsKeyId?: pulumi.Input<string>;
    /** JSON representation of the resource policy. Avoid `Principal: "*"`; combine with IAM for least privilege. */
    policy?: pulumi.Input<string>;
    /**
     * Number of days that AWS Secrets Manager waits before deleting the secret. Per AWS docs
     * this is 7–30 (default 30), or `0` to force immediate deletion with no recovery —
     * reserve `0` for disposable environments.
     */
    recoveryWindowInDays?: pulumi.Input<number>;
    /** Configuration block to support secret replication to other regions */
    replicas?: pulumi.Input<pulumi.Input<secretsmanager.SecretReplica>[]>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
327
```
328
329
### Secrets Manager Secret Version
330
331
Store secret values in AWS Secrets Manager.
332
333
```typescript { .api }
334
/**
 * Creates a secret version in AWS Secrets Manager, i.e. writes a value into
 * an existing secret.
 *
 * Handling note: the plaintext passes through the Pulumi program and is
 * recorded in stack state. Source it from encrypted config or wrap it with
 * `pulumi.secret(...)` rather than writing a literal in source, and make sure
 * the state backend encrypts secret values.
 */
class secretsmanager.SecretVersion extends pulumi.CustomResource {
    constructor(name: string, args: secretsmanager.SecretVersionArgs, opts?: pulumi.ResourceOptions);

    /** The ARN of the secret */
    public readonly arn!: pulumi.Output<string>;
    /** The secret ID */
    public readonly secretId!: pulumi.Output<string>;
    /** The secret data (as plaintext string) — sensitive; do not log or export unmasked */
    public readonly secretString!: pulumi.Output<string>;
    /** The secret data (as base64-encoded binary data) — sensitive; do not log or export unmasked */
    public readonly secretBinary!: pulumi.Output<string>;
    /** The unique identifier of this version of the secret */
    public readonly versionId!: pulumi.Output<string>;
    /** List of staging labels attached to this version */
    public readonly versionStages!: pulumi.Output<string[]>;
}
353
354
/**
 * Arguments for `secretsmanager.SecretVersion`. `secretId` is required, and
 * one of `secretString` / `secretBinary` carries the value.
 */
interface secretsmanager.SecretVersionArgs {
    /** The secret ARN or name */
    secretId: pulumi.Input<string>;
    /** The secret data as a plaintext string. Supply either this or `secretBinary`, not both. */
    secretString?: pulumi.Input<string>;
    /** The secret data as a base64-encoded binary data. Supply either this or `secretString`, not both. */
    secretBinary?: pulumi.Input<string>;
    /** List of staging labels that are attached to this version of the secret (per AWS, a new version receives `AWSCURRENT` when none is given — confirm) */
    versionStages?: pulumi.Input<pulumi.Input<string>[]>;
}
364
```
365
366
### GuardDuty
367
368
Enable and configure AWS GuardDuty for threat detection.
369
370
```typescript { .api }
371
/**
 * Enables a GuardDuty detector.
 *
 * GuardDuty is a regional service: a detector covers only the region it is
 * created in, so one per region in use is needed for full coverage.
 */
class guardduty.Detector extends pulumi.CustomResource {
    constructor(name: string, args?: guardduty.DetectorArgs, opts?: pulumi.ResourceOptions);

    /** The ID of the GuardDuty detector */
    public readonly id!: pulumi.Output<string>;
    /** The ARN of the GuardDuty detector */
    public readonly arn!: pulumi.Output<string>;
    /** The account ID of the GuardDuty detector */
    public readonly accountId!: pulumi.Output<string>;
    /** Whether the detector is enabled */
    public readonly enable!: pulumi.Output<boolean>;
    /** The publishing frequency of findings to EventBridge/Security Hub */
    public readonly findingPublishingFrequency!: pulumi.Output<string>;
    /** The service-linked role ARN GuardDuty uses */
    public readonly serviceRole!: pulumi.Output<string>;
    /** The status of the detector */
    public readonly status!: pulumi.Output<string>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
}
394
395
/**
 * Arguments for `guardduty.Detector`. All fields are optional.
 */
interface guardduty.DetectorArgs {
    /** Enable monitoring and feedback reporting (presumably defaults to enabled — confirm the provider default) */
    enable?: pulumi.Input<boolean>;
    /** Specifies the frequency of notifications sent for subsequent finding occurrences — per AWS, `FIFTEEN_MINUTES`, `ONE_HOUR` or `SIX_HOURS` */
    findingPublishingFrequency?: pulumi.Input<string>;
    /**
     * Describes which data sources (S3 logs, Kubernetes audit logs, malware protection —
     * see `guardduty.DetectorDatasources`) will be enabled for the detector. NOTE(review):
     * newer provider versions deprecate this block in favour of per-feature resources —
     * confirm against the provider version in use.
     */
    datasources?: pulumi.Input<guardduty.DetectorDatasources>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
405
```
406
407
### Security Hub
408
409
Enable and configure AWS Security Hub for security posture management.
410
411
```typescript { .api }
412
/**
 * Enables Security Hub for the current account and region.
 *
 * NOTE(review): most Security Hub controls rely on AWS Config recording
 * being enabled in the same region — confirm Config is set up first.
 */
class securityhub.Account extends pulumi.CustomResource {
    constructor(name: string, args?: securityhub.AccountArgs, opts?: pulumi.ResourceOptions);

    /** The ARN of the Security Hub Hub resource */
    public readonly arn!: pulumi.Output<string>;
    /** The ID of the Security Hub Hub */
    public readonly id!: pulumi.Output<string>;
    /** Whether to automatically enable new controls when they are added to standards */
    public readonly autoEnableControls!: pulumi.Output<boolean>;
    /** The control finding format in effect (consolidated or per-standard) */
    public readonly controlFindingGenerator!: pulumi.Output<string>;
    /** Whether default standards are enabled */
    public readonly enableDefaultStandards!: pulumi.Output<boolean>;
}
429
430
/**
 * Arguments for `securityhub.Account`. All fields are optional.
 */
interface securityhub.AccountArgs {
    /** Whether to automatically enable new controls when they are added to standards (keeps coverage current without manual updates) */
    autoEnableControls?: pulumi.Input<boolean>;
    /** Updates whether the calling account has consolidated control findings turned on — per AWS, `SECURITY_CONTROL` (consolidated) or `STANDARD_CONTROL` */
    controlFindingGenerator?: pulumi.Input<string>;
    /** Whether to enable the security standards that Security Hub has designated as automatically enabled (presumably on by default — confirm the provider default) */
    enableDefaultStandards?: pulumi.Input<boolean>;
}
438
```
439
440
### CloudTrail
441
442
Create and manage CloudTrail for AWS API logging and auditing.
443
444
```typescript { .api }
445
/**
 * Creates a CloudTrail trail that delivers API events to an S3 bucket.
 *
 * For a complete, tamper-evident audit record: make the trail multi-region,
 * include global-service events, enable log-file validation, and encrypt
 * delivered logs with a KMS key (see `cloudtrail.TrailArgs`). The destination
 * bucket must have a bucket policy allowing the CloudTrail service to write
 * to it — confirm before creating the trail.
 */
class cloudtrail.Trail extends pulumi.CustomResource {
    constructor(name: string, args: cloudtrail.TrailArgs, opts?: pulumi.ResourceOptions);

    /** The ARN of the trail */
    public readonly arn!: pulumi.Output<string>;
    /** The name of the trail */
    public readonly name!: pulumi.Output<string>;
    /** The S3 bucket name where the log files are delivered */
    public readonly s3BucketName!: pulumi.Output<string>;
    /** The S3 key prefix that follows the name of the bucket */
    public readonly s3KeyPrefix!: pulumi.Output<string>;
    /** The region in which the trail was created */
    public readonly homeRegion!: pulumi.Output<string>;
    /** Whether the trail is a multi-region trail */
    public readonly isMultiRegionTrail!: pulumi.Output<boolean>;
    /** Whether the trail is an organization trail (covers all member accounts) */
    public readonly isOrganizationTrail!: pulumi.Output<boolean>;
    /** Whether log file validation (signed digest files for tamper detection) is enabled */
    public readonly enableLogFileValidation!: pulumi.Output<boolean>;
    /** Whether the trail is enabled (actively delivering logs) */
    public readonly enableLogging!: pulumi.Output<boolean>;
    /** Resource tags */
    public readonly tags!: pulumi.Output<{[key: string]: string}>;
}
472
473
/**
 * Arguments for `cloudtrail.Trail`. Only `s3BucketName` is required.
 */
interface cloudtrail.TrailArgs {
    /** Name of the trail */
    name?: pulumi.Input<string>;
    /** S3 bucket name to deliver events to. Its bucket policy must grant the CloudTrail service write access, and the bucket itself should be access-logged and non-public. */
    s3BucketName: pulumi.Input<string>;
    /** S3 key prefix that follows the name of the bucket */
    s3KeyPrefix?: pulumi.Input<string>;
    /** Whether the trail is publishing events from global services. IAM and STS events are recorded as global-service events, so keep this enabled for identity auditing. */
    includeGlobalServiceEvents?: pulumi.Input<boolean>;
    /** Whether the trail is a multi-region trail. Recommended: a single-region trail misses activity an attacker performs in an unused region. */
    isMultiRegionTrail?: pulumi.Input<boolean>;
    /** Whether the trail is an organization trail (logs all member accounts; must be created in the management account) */
    isOrganizationTrail?: pulumi.Input<boolean>;
    /** Whether log file validation is enabled. Produces signed digest files so later modification or deletion of log files can be detected; recommended. */
    enableLogFileValidation?: pulumi.Input<boolean>;
    /** Specifies whether the trail is enabled */
    enableLogging?: pulumi.Input<boolean>;
    /**
     * ARN of the CloudWatch Logs log group to deliver events to (a string ARN, not a
     * configuration block). NOTE(review): CloudTrail requires the log-stream wildcard
     * suffix on this ARN (`...:log-group:NAME:*`) — confirm.
     */
    cloudWatchLogsGroupArn?: pulumi.Input<string>;
    /** Role for the CloudWatch Logs endpoint to assume to write to a user's log group (required together with `cloudWatchLogsGroupArn`) */
    cloudWatchLogsRoleArn?: pulumi.Input<string>;
    /** ARN of the KMS key used to encrypt the events delivered by CloudTrail (SSE-KMS). The key policy must allow CloudTrail to use the key, and log readers need `kms:Decrypt`. */
    kmsKeyId?: pulumi.Input<string>;
    /** Name of the SNS topic to notify when log files are delivered (a string name, not a configuration block) */
    snsTopicName?: pulumi.Input<string>;
    /** Resource tags */
    tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
501
```
502
503
### Data Source Functions
504
505
Query existing security resources.
506
507
```typescript { .api }
508
/**
 * Get information about an existing IAM role (ARN, trust policy, etc.) without managing it
 */
function iam.getRole(args: iam.GetRoleArgs): Promise<iam.GetRoleResult>;

/**
 * Get information about an existing IAM policy
 */
function iam.getPolicy(args: iam.GetPolicyArgs): Promise<iam.GetPolicyResult>;

/**
 * Get information about an existing IAM user
 */
function iam.getUser(args: iam.GetUserArgs): Promise<iam.GetUserResult>;

/**
 * Get information about an existing KMS key
 */
function kms.getKey(args: kms.GetKeyArgs): Promise<kms.GetKeyResult>;

/**
 * Get information (metadata) about an existing secret; this does not return the secret value
 */
function secretsmanager.getSecret(args: secretsmanager.GetSecretArgs): Promise<secretsmanager.GetSecretResult>;

/**
 * Get a version of a secret, including its value. NOTE(review): the returned value is
 * recorded in stack state and is only as protected as the state backend — keep it marked
 * secret and avoid exporting it as a plain stack output.
 */
function secretsmanager.getSecretVersion(args: secretsmanager.GetSecretVersionArgs): Promise<secretsmanager.GetSecretVersionResult>;
537
```
538
539
## Types
540
541
```typescript { .api }
542
/**
 * One replication target for a `secretsmanager.Secret`.
 */
interface secretsmanager.SecretReplica {
    /** ARN of the KMS key used to encrypt the replica secret in the destination region (presumably the AWS-managed key there when omitted — confirm) */
    kmsKeyId?: pulumi.Input<string>;
    /** Region for replicating the secret */
    region: pulumi.Input<string>;
}
548
549
/**
 * Optional protection sources for a `guardduty.Detector`; each is a nested
 * block with its own `enable` flag.
 */
interface guardduty.DetectorDatasources {
    /** S3 data-event monitoring configuration */
    s3Logs?: pulumi.Input<guardduty.DetectorDatasourcesS3Logs>;
    /** Kubernetes (EKS audit log) monitoring configuration */
    kubernetes?: pulumi.Input<guardduty.DetectorDatasourcesKubernetes>;
    /** Malware protection configuration */
    malwareProtection?: pulumi.Input<guardduty.DetectorDatasourcesMalwareProtection>;
}
557
558
/**
 * S3 data-source toggle for `guardduty.DetectorDatasources`.
 */
interface guardduty.DetectorDatasourcesS3Logs {
    /** Whether S3 data source is enabled */
    enable: pulumi.Input<boolean>;
}
562
563
/**
 * Kubernetes data-source configuration for `guardduty.DetectorDatasources`.
 */
interface guardduty.DetectorDatasourcesKubernetes {
    /** Kubernetes audit logs configuration (required when this block is present) */
    auditLogs: pulumi.Input<guardduty.DetectorDatasourcesKubernetesAuditLogs>;
}
567
568
/**
 * Audit-log toggle for `guardduty.DetectorDatasourcesKubernetes`.
 */
interface guardduty.DetectorDatasourcesKubernetesAuditLogs {
    /** Whether Kubernetes audit logs are enabled */
    enable: pulumi.Input<boolean>;
}
572
```