feat(iot): device certificate age check audit configuration

packages/@aws-cdk/aws-iot-alpha/README.md

@@ -124,6 +124,7 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
     // disabled
     caCertificateKeyQualityCheck: false,
     conflictingClientIdsCheck: false,
+    deviceCertificateAgeCheck: false,
     deviceCertificateExpiringCheck: false,
     deviceCertificateKeyQualityCheck: false,
     deviceCertificateSharedCheck: false,
@@ -140,6 +141,21 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
 });
 ```
 
+To configure [the device certificate age check](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html), you can specify the duration for the check:
+
+```ts
+import { Duration } from 'aws-cdk-lib';
+
+new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
+  checkConfiguration: {
+    deviceCertificateAgeCheck: true,
+    // The default value is 365 days
+    // Valid values are 30-3652 days
+    deviceCertificateAgeCheckDuration: Duration.days(365),
+  },
+});
+```
+
 ### Scheduled Audit
 
 You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/AuditCommands.html#device-defender-AuditCommandsManageSchedules) that is run at a specified time interval. Checks must be enabled for your account by creating `AccountAuditConfiguration`.

packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts

@@ -1,4 +1,4 @@
-import { Resource, Stack, IResource } from 'aws-cdk-lib/core';
+import { Resource, Stack, IResource, Duration } from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import * as iot from 'aws-cdk-lib/aws-iot';
 import * as iam from 'aws-cdk-lib/aws-iam';
@@ -59,6 +59,25 @@ export interface CheckConfiguration {
    */
   readonly conflictingClientIdsCheck?: boolean;
 
+  /**
+   * Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
+   *
+   * @default true
+   */
+  readonly deviceCertificateAgeCheck?: boolean;
+
+  /**
+   * The duration used to check if a device certificate has been active
+   * for a number of days greater than or equal to the number you specify.
+   *
+   * Valid values are between 30 and 3652 days.
+   *
+   * You cannot specify a value for this check if `deviceCertificateAgeCheck` is set to `false`.
+   *
+   * @default - 365 days
+   */
+  readonly deviceCertificateAgeCheckDuration?: Duration;
+
   /**
    * Checks if a device certificate is expiring.
    *
@@ -201,6 +220,17 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
     // Enhanced CDK Analytics Telemetry
     addConstructMetadata(this, props);
 
+    const deviceAgeCheckThreshold = props?.checkConfiguration?.deviceCertificateAgeCheckDuration;
+
+    if (deviceAgeCheckThreshold) {
+      if (props?.checkConfiguration?.deviceCertificateAgeCheck === false) {
+        throw new Error('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
+      }
+      if (!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652) {
+        throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold.toDays()} days.`);
+      }
+    }
+
     this.accountId = Stack.of(this).account;
 
     const auditRole = new iam.Role(this, 'AuditRole', {
@@ -261,6 +291,15 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
       caCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateExpiringCheck),
       caCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateKeyQualityCheck),
       conflictingClientIdsCheck: this.renderAuditCheckConfiguration(checkConfiguration?.conflictingClientIdsCheck),
+      deviceCertificateAgeCheck:
+        checkConfiguration?.deviceCertificateAgeCheck !== false ?
+          {
+            enabled: true,
+            configuration: {
+              certAgeThresholdInDays: String(checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays() ?? 365),
+            },
+          } :
+          undefined,
       deviceCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateExpiringCheck),
       deviceCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateKeyQualityCheck),
       deviceCertificateSharedCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateSharedCheck),

packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts

@@ -15,6 +15,12 @@ test('Default property', () => {
       CaCertificateExpiringCheck: { Enabled: true },
       CaCertificateKeyQualityCheck: { Enabled: true },
       ConflictingClientIdsCheck: { Enabled: true },
+      DeviceCertificateAgeCheck: {
+        Enabled: true,
+        Configuration: {
+          CertAgeThresholdInDays: '365',
+        },
+      },
       DeviceCertificateExpiringCheck: { Enabled: true },
       DeviceCertificateKeyQualityCheck: { Enabled: true },
       DeviceCertificateSharedCheck: { Enabled: true },
@@ -129,6 +135,29 @@ test('configure check configuration', () => {
   });
 });
 
+test('throw error for configuring duration without enabling deviceCertificateAgeCheck', () => {
+  const stack = new cdk.Stack();
+  expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
+    checkConfiguration: {
+      deviceCertificateAgeCheck: false,
+      deviceCertificateAgeCheckDuration: cdk.Duration.days(1229),
+    },
+  })).toThrow('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
+});
+
+test.each([
+  cdk.Duration.days(29),
+  cdk.Duration.days(3653),
+])('throw error for invalid duration %s', (duration) => {
+  const stack = new cdk.Stack();
+  expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
+    checkConfiguration: {
+      deviceCertificateAgeCheck: true,
+      deviceCertificateAgeCheckDuration: duration,
+    },
+  })).toThrow(`The device certificate age check threshold must be between 30 and 3652 days. got: ${duration.toDays()} days.`);
+});
+
 test('import by Account ID', () => {
   const stack = new cdk.Stack();
 

packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json

@@ -87,6 +87,12 @@
      "ConflictingClientIdsCheck": {
       "Enabled": true
      },
+     "DeviceCertificateAgeCheck": {
+      "Configuration": {
+       "CertAgeThresholdInDays": "1229"
+      },
+      "Enabled": true
+     },
      "DeviceCertificateExpiringCheck": {
       "Enabled": true
      },