From e4f1db09a08f28678f6289768d92d2bf2fc121ca Mon Sep 17 00:00:00 2001
From: Kazuho Cryer-Shinozuka
Date: Tue, 18 Mar 2025 23:06:46 +0900
Subject: [PATCH 1/4] update integ

---
 .../aws-iot-alpha/lib/audit-configuration.ts | 41 ++++++++-
 ...efaultTestDeployAssert6A603D00.assets.json | 2 +-
 ...IotAuditConfigurationTestStack.assets.json | 6 +-
 ...tAuditConfigurationTestStack.template.json | 6 ++
 .../cdk.out | 2 +-
 .../integ.json | 2 +-
 .../manifest.json | 60 +++++++++++++-
 .../tree.json | 83 +++++++++++++------
 .../test/integ.audit-configuration.ts | 3 +
 9 files changed, 169 insertions(+), 36 deletions(-)

diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts
index 45a2016ee0291..8685d1b96be96 100644
--- a/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts
+++ b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts
@@ -1,4 +1,4 @@
-import { Resource, Stack, IResource } from 'aws-cdk-lib/core';
+import { Resource, Stack, IResource, Duration } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import * as iot from 'aws-cdk-lib/aws-iot';
 import * as iam from 'aws-cdk-lib/aws-iam';
@@ -59,6 +59,25 @@ export interface CheckConfiguration {
    */
   readonly conflictingClientIdsCheck?: boolean;
 
+  /**
+   * Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
+   *
+   * @default true
+   */
+  readonly deviceCertificateAgeCheck?: boolean;
+
+  /**
+   * The duration used to check if a device certificate has been active
+   * for a number of days greater than or equal to the number you specify.
+   *
+   * Valid values are between 30 and 3652 days.
+   *
+   * You cannot specify a value for this check if `deviceCertificateAgeCheck` is set to `false`.
+   *
+   * @default - 365 days
+   */
+  readonly deviceCertificateAgeCheckDuration?: Duration;
+
   /**
    * Checks if a device certificate is expiring.
    *
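Review bot: The `deviceCertificateAgeCheckDuration` docstring in the @@ -59 hunk gives the 30–3652 day range but does not say the value must be a whole number of days, which matters because the constructor converts it with `toDays()` (the @@ -201 hunk of this same commit), and as far as I recall `Duration.toDays()` rejects a non-integral result such as a duration of 36 hours. I would add, under the range sentence, a line reading "Must be a whole number of days, e.g. Duration.days(90); fractional-day durations are rejected at synthesis time." The `deviceCertificateAgeCheck` docstring could also point readers to the companion property with "The age threshold is configured with deviceCertificateAgeCheckDuration." The `CheckConfiguration` interface continues outside the hunk.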
@@ -201,6 +220,17 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
     // Enhanced CDK Analytics Telemetry
     addConstructMetadata(this, props);
 
+    const deviceAgeCheckThreshold = props?.checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays();
+
+    if (deviceAgeCheckThreshold) {
+      if (props?.checkConfiguration?.deviceCertificateAgeCheck === false) {
+        throw new Error('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
+      }
+      if (deviceAgeCheckThreshold < 30 || deviceAgeCheckThreshold > 3652) {
+        throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold} days`);
+      }
+    }
+
     this.accountId = Stack.of(this).account;
 
     const auditRole = new iam.Role(this, 'AuditRole', {
@@ -261,6 +291,15 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
       caCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateExpiringCheck),
       caCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateKeyQualityCheck),
       conflictingClientIdsCheck: this.renderAuditCheckConfiguration(checkConfiguration?.conflictingClientIdsCheck),
+      deviceCertificateAgeCheck:
+        checkConfiguration?.deviceCertificateAgeCheck !== false ?
+          {
+            enabled: true,
+            configuration: {
+              certAgeThresholdInDays: String(checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays() ?? 365),
+            },
+          } :
+          undefined,
       deviceCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateExpiringCheck),
       deviceCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateKeyQualityCheck),
       deviceCertificateSharedCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateSharedCheck),
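Review bot: In the @@ -261 hunk, `certAgeThresholdInDays: String(checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays() ?? 365)` stringifies the raw number, and as far as I can tell that does not survive a token-valued duration: a number-encoded token passed through `String()` is no longer recognised as a token at synthesis, so a threshold coming from a `Lazy.number` or a CloudFormation parameter would be rendered as a meaningless literal instead of a deferred value. The follow-up commit adds an `isUnresolved()` guard, so tokens are evidently meant to be accepted here; `certAgeThresholdInDays: Tokenization.stringifyNumber(checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays() ?? 365),` with `Tokenization` imported from `aws-cdk-lib/core` would keep the reference deferred. Separately, the disabled branch yields `undefined` while every sibling check goes through `renderAuditCheckConfiguration`; if that helper emits `{ enabled: false }` for disabled checks (its body is not visible here), routing this check through the same helper plus an optional `configuration` would keep the rendered template consistent. The enclosing render method starts and ends outside the hunk.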
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json index 057363705de1d..034c90567d5fc 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "40.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json index 770e7ed409613..e2061e6f5692f 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json @@ -1,7 +1,7 @@ { - "version": "38.0.1", + "version": "40.0.0", "files": { - "c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc": { + "77535bf7edb380d8bb5a9fbc765b1670aea66dc74869bb92ed8009d578125ece": { "source": { "path": "IotAuditConfigurationTestStack.template.json", "packaging": "file" 
@@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc.json", + "objectKey": "77535bf7edb380d8bb5a9fbc765b1670aea66dc74869bb92ed8009d578125ece.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json index ed4e8c63400f8..e3f528d1b0a43 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json @@ -87,6 +87,12 @@ "ConflictingClientIdsCheck": { "Enabled": true }, + "DeviceCertificateAgeCheck": { + "Configuration": { + "CertAgeThresholdInDays": "1229" + }, + "Enabled": true + }, "DeviceCertificateExpiringCheck": { "Enabled": true }, diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out index c6e612584e352..1e02a2deb191b 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"38.0.1"} \ No newline at end of file +{"version":"40.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json index b4d8fa9d08bf3..738964350a6eb 100644 
--- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "40.0.0", "testCases": { "IotAuditConfigurationTest/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json index da95d1a0a5749..4ff67f8f94dc4 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "38.0.1", + "version": "40.0.0", "artifacts": { "IotAuditConfigurationTestStack.assets": { "type": "cdk:asset-manifest", @@ -16,10 +16,9 @@ "templateFile": "IotAuditConfigurationTestStack.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c093a5b4a568daafc27fab102fea007eaf70c883b8e02171441d44e702e0cebc.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/77535bf7edb380d8bb5a9fbc765b1670aea66dc74869bb92ed8009d578125ece.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ 
@@ -35,18 +34,54 @@ "IotAuditConfigurationTestStack.assets" ], "metadata": { + "/IotAuditConfigurationTestStack/Topic": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/Topic/Resource": [ { "type": "aws:cdk:logicalId", "data": "TopicBFC7AF6E" } ], + "/IotAuditConfigurationTestStack/AuditConfiguration": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/ImportAuditRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/Resource": [ { "type": "aws:cdk:logicalId", "data": "AuditConfigurationAuditRole0FFA1461" } ], + "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/ImportNotificationRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/Resource": [ { "type": "aws:cdk:logicalId", 
@@ -59,18 +94,36 @@ "data": "AuditConfiguration8C793652" } ], + "/IotAuditConfigurationTestStack/DailyAudit": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/DailyAudit/Resource": [ { "type": "aws:cdk:logicalId", "data": "DailyAudit1160906D" } ], + "/IotAuditConfigurationTestStack/WeeklyAudit": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/WeeklyAudit/Resource": [ { "type": "aws:cdk:logicalId", "data": "WeeklyAudit5489D5FF" } ], + "/IotAuditConfigurationTestStack/MonthlyAudit": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/IotAuditConfigurationTestStack/MonthlyAudit/Resource": [ { "type": "aws:cdk:logicalId", @@ -107,7 +160,6 @@ "templateFile": "IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.template.json", "terminationProtection": false, "validateOnSynth": false, - "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json index a8a4569a1201f..9b2a16f8c86f8 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/tree.json 
@@ -21,13 +21,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2", + "metadata": [ + "*" + ] } }, "AuditConfiguration": { @@ -43,7 +46,10 @@ "path": "IotAuditConfigurationTestStack/AuditConfiguration/AuditRole/ImportAuditRole", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2", + "metadata": [ + "*" + ] } }, "Resource": { @@ -82,13 +88,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2", + "metadata": [ + "*" + ] } }, "NotificationRole": { @@ -100,7 +109,10 @@ "path": "IotAuditConfigurationTestStack/AuditConfiguration/NotificationRole/ImportNotificationRole", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2", + "metadata": [ + "*" + ] } }, "Resource": { @@ -142,13 +154,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2", + "metadata": [ + "*" + ] } }, "Resource": { @@ -173,6 +188,12 @@ "conflictingClientIdsCheck": { "enabled": true }, + "deviceCertificateAgeCheck": { + "enabled": true, + "configuration": { + "certAgeThresholdInDays": "1229" + } + }, "deviceCertificateExpiringCheck": { "enabled": true }, @@ -234,13 +255,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "@aws-cdk/aws-iot-alpha.AccountAuditConfiguration", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "DailyAudit": { 
@@ -261,13 +285,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "WeeklyAudit": { @@ -289,13 +316,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "MonthlyAudit": { @@ -328,13 +358,16 @@ }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "@aws-cdk/aws-iot-alpha.ScheduledAudit", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "BootstrapVersion": { @@ -342,7 +375,7 @@ "path": "IotAuditConfigurationTestStack/BootstrapVersion", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "CheckBootstrapVersion": { @@ -350,13 +383,13 @@ "path": "IotAuditConfigurationTestStack/CheckBootstrapVersion", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "IotAuditConfigurationTest": { @@ -372,7 +405,7 @@ "path": "IotAuditConfigurationTest/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -384,7 +417,7 @@ "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/BootstrapVersion", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "CheckBootstrapVersion": { 
@@ -392,13 +425,13 @@ "path": "IotAuditConfigurationTest/DefaultTest/DeployAssert/CheckBootstrapVersion", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, @@ -418,13 +451,13 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } } \ No newline at end of file diff --git a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts index 6d37bf3b59df0..3a4f7eb354972 100644 --- a/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts +++ b/packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.ts @@ -11,6 +11,9 @@ class TestStack extends cdk.Stack { const config = new iot.AccountAuditConfiguration(this, 'AuditConfiguration', { targetTopic, + checkConfiguration: { + deviceCertificateAgeCheckDuration: cdk.Duration.days(1229), + }, }); new iot.ScheduledAudit(this, 'DailyAudit', { From b5f8fe5076915231ab53d6756e602c825c3e7b30 Mon Sep 17 00:00:00 2001 From: Kazuho Cryer-Shinozuka Date: Tue, 18 Mar 2025 23:18:42 +0900 Subject: [PATCH 2/4] update unit test --- .../aws-iot-alpha/lib/audit-configuration.ts | 6 ++-- .../test/audit-configuration.test.ts | 29 +++++++++++++++++++ 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts index 8685d1b96be96..75771e7d6ae44 100644 --- a/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts +++ b/packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts 
@@ -220,14 +220,14 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
     // Enhanced CDK Analytics Telemetry
     addConstructMetadata(this, props);
 
-    const deviceAgeCheckThreshold = props?.checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays();
+    const deviceAgeCheckThreshold = props?.checkConfiguration?.deviceCertificateAgeCheckDuration;
 
     if (deviceAgeCheckThreshold) {
       if (props?.checkConfiguration?.deviceCertificateAgeCheck === false) {
         throw new Error('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
       }
-      if (deviceAgeCheckThreshold < 30 || deviceAgeCheckThreshold > 3652) {
-        throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold} days`);
+      if (!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652) {
+        throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold.toDays()} days.`);
       }
     }
 
diff --git a/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts b/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts
index f779909036dc4..9fc359eb4b5c1 100644
--- a/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts
+++ b/packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts
@@ -15,6 +15,12 @@ test('Default property', () => {
     CaCertificateExpiringCheck: { Enabled: true },
     CaCertificateKeyQualityCheck: { Enabled: true },
     ConflictingClientIdsCheck: { Enabled: true },
+    DeviceCertificateAgeCheck: {
+      Enabled: true,
+      Configuration: {
+        CertAgeThresholdInDays: '365',
+      },
+    },
     DeviceCertificateExpiringCheck: { Enabled: true },
     DeviceCertificateKeyQualityCheck: { Enabled: true },
     DeviceCertificateSharedCheck: { Enabled: true },
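Review bot: The range check in the @@ -220 hunk has an operator-precedence defect: `&&` binds tighter than `||`, so `!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652` still evaluates the `> 3652` comparison when the duration is an unresolved token, which defeats the guard the commit is adding and, as far as I recall, makes `toDays()` throw for a token-valued duration declared in a unit other than days. The intended form is `if (!deviceAgeCheckThreshold.isUnresolved() && (deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652)) {`. With the parentheses in place the `toDays()` call in the error message on the following line is only reached for resolved values, so it needs no further change. The constructor this sits in starts and ends outside the hunk.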
@@ -129,6 +135,29 @@ test('configure check configuration', () => {
   });
 });
 
+test('throw error for configuring duration without enabling deviceCertificateAgeCheck', () => {
+  const stack = new cdk.Stack();
+  expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
+    checkConfiguration: {
+      deviceCertificateAgeCheck: false,
+      deviceCertificateAgeCheckDuration: cdk.Duration.days(1229),
+    },
+  })).toThrow('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
+});
+
+test.each([
+  cdk.Duration.days(29),
+  cdk.Duration.days(3653),
+])('throw error for invalid duration %s', (duration) => {
+  const stack = new cdk.Stack();
+  expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
+    checkConfiguration: {
+      deviceCertificateAgeCheck: true,
+      deviceCertificateAgeCheckDuration: duration,
+    },
+  })).toThrow(`The device certificate age check threshold must be between 30 and 3652 days. got: ${duration.toDays()} days.`);
+});
+
 test('import by Account ID', () => {
   const stack = new cdk.Stack();
 
From bd34d1d97a2a0dbc984b9b44d54244233628a5e3 Mon Sep 17 00:00:00 2001
From: Kazuho Cryer-Shinozuka
Date: Tue, 18 Mar 2025 23:25:43 +0900
Subject: [PATCH 3/4] update readme

---
 packages/@aws-cdk/aws-iot-alpha/README.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md
index 65a0c740bf9ee..b3cfff6d4dd01 100644
--- a/packages/@aws-cdk/aws-iot-alpha/README.md
+++ b/packages/@aws-cdk/aws-iot-alpha/README.md
@@ -124,6 +124,7 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
   // disabled
   caCertificateKeyQualityCheck: false,
   conflictingClientIdsCheck: false,
+  deviceCertificateAgeCheck: false,
   deviceCertificateExpiringCheck: false,
   deviceCertificateKeyQualityCheck: false,
   deviceCertificateSharedCheck: false,
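Review bot: The tests in the @@ -129 hunk exercise the two rejection paths but neither the boundaries that must be accepted (`cdk.Duration.days(30)` and `cdk.Duration.days(3652)`) nor the unresolved-token path that the `isUnresolved()` guard in the library was added for, so a mis-parenthesised guard would pass this suite unnoticed. I would add a `test.each([30, 3652])` case that synthesises the stack and asserts `CertAgeThresholdInDays` equals the string form of the given value, using the same template assertion the 'Default property' test above relies on, and one case passing a duration built from `cdk.Lazy.number({ produce: () => 100 })` wrapped in `cdk.Duration.days(...)` and asserting construction does not throw. Each is a copy of the existing `test.each` body with the `toThrow` expectation replaced, so I have described rather than quoted them.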
@@ -140,6 +141,19 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
 });
 ```
 
+To configure [the device certificate age check](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html), you can specify the duration for the check:
+
+```ts
+new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
+  checkConfiguration: {
+    deviceCertificateAgeCheck: true,
+    // The default value is 365 days
+    // Valid values are 30-3652 days
+    deviceCertificateAgeCheckDuration: cdk.Duration.days(365),
+  },
+});
+```
+
 ### Scheduled Audit
 
 You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/AuditCommands.html#device-defender-AuditCommandsManageSchedules) that is run at a specified time interval. Checks must be enabled for your account by creating `AccountAuditConfiguration`.
From 78216c78531c70001327572e7620acbe8b312b11 Mon Sep 17 00:00:00 2001
From: Kazuho Cryer-Shinozuka
Date: Wed, 19 Mar 2025 09:37:21 +0900
Subject: [PATCH 4/4] update readme

---
 packages/@aws-cdk/aws-iot-alpha/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md
index b3cfff6d4dd01..1b405d171b1f9 100644
--- a/packages/@aws-cdk/aws-iot-alpha/README.md
+++ b/packages/@aws-cdk/aws-iot-alpha/README.md
@@ -144,12 +144,14 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
 To configure [the device certificate age check](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html), you can specify the duration for the check:
 
 ```ts
+import { Duration } from 'aws-cdk-lib';
+
 new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
   checkConfiguration: {
     deviceCertificateAgeCheck: true,
     // The default value is 365 days
     // Valid values are 30-3652 days
-    deviceCertificateAgeCheckDuration: cdk.Duration.days(365),
+    deviceCertificateAgeCheckDuration: Duration.days(365),
   },
 });
 ```