@fjall/components-infrastructure 0.89.4 → 0.89.6

package/dist/lib/config/aws/scpPreset.js

@@ -0,0 +1,311 @@
+import { Construct } from "constructs";
+import { OrganisationPolicy } from "../../resources/aws/organisation/organisationPolicy.js";
+const EXEMPT_ROLE_PATTERNS = [
+    "arn:aws:iam::*:role/FjallDeploy*",
+    "arn:aws:iam::*:role/OrganizationAccountAccessRole"
+];
+const SCP_BYTE_LIMIT = 5120;
+const IAM_POLICY_VERSION = "2012-10-17";
+const SCP_POLICY_TYPE = "SERVICE_CONTROL_POLICY";
+function automationExemption() {
+    return {
+        ArnNotLike: {
+            "aws:PrincipalArn": EXEMPT_ROLE_PATTERNS
+        }
+    };
+}
+function buildFoundationGuardrails(allowedRegions) {
+    return {
+        Version: IAM_POLICY_VERSION,
+        Statement: [
+            {
+                Sid: "DenyRootUserActions",
+                Effect: "Deny",
+                Action: "*",
+                Resource: "*",
+                Condition: {
+                    StringLike: {
+                        "aws:PrincipalArn": "arn:aws:iam::*:root"
+                    }
+                }
+            },
+            {
+                Sid: "DenyLeaveOrganisation",
+                Effect: "Deny",
+                Action: "organizations:LeaveOrganization",
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "DenyOutsideAllowedRegions",
+                Effect: "Deny",
+                NotAction: [
+                    "iam:*",
+                    "sts:*",
+                    "cloudfront:*",
+                    "route53:*",
+                    "organizations:*",
+                    "support:*",
+                    "budgets:*",
+                    "ce:*",
+                    "waf:*",
+                    "wafv2:*",
+                    "globalaccelerator:*",
+                    "health:*",
+                    "account:*",
+                    "tag:*",
+                    "trustedadvisor:*"
+                ],
+                Resource: "*",
+                Condition: {
+                    StringNotEquals: {
+                        "aws:RequestedRegion": allowedRegions
+                    },
+                    ...automationExemption()
+                }
+            }
+        ]
+    };
+}
+function buildSecurityProtection() {
+    return {
+        Version: IAM_POLICY_VERSION,
+        Statement: [
+            {
+                Sid: "ProtectCloudTrail",
+                Effect: "Deny",
+                Action: [
+                    "cloudtrail:DeleteTrail",
+                    "cloudtrail:StopLogging",
+                    "cloudtrail:UpdateTrail",
+                    "cloudtrail:PutEventSelectors"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "ProtectConfig",
+                Effect: "Deny",
+                Action: [
+                    "config:DeleteConfigurationRecorder",
+                    "config:DeleteDeliveryChannel",
+                    "config:DeleteRetentionConfiguration",
+                    "config:StopConfigurationRecorder"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "ProtectGuardDuty",
+                Effect: "Deny",
+                Action: [
+                    "guardduty:DeleteDetector",
+                    "guardduty:DisassociateFromMasterAccount",
+                    "guardduty:DisassociateMembers",
+                    "guardduty:StopMonitoringMembers"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "ProtectSecurityHub",
+                Effect: "Deny",
+                Action: [
+                    "securityhub:DisableSecurityHub",
+                    "securityhub:DeleteMembers",
+                    "securityhub:DisassociateMembers"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "ProtectVpcFlowLogs",
+                Effect: "Deny",
+                Action: ["ec2:DeleteFlowLogs"],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "ProtectKmsKeys",
+                Effect: "Deny",
+                Action: ["kms:ScheduleKeyDeletion"],
+                Resource: "*",
+                Condition: automationExemption()
+            }
+        ]
+    };
+}
+function buildEncryptionAndAccess() {
+    return {
+        Version: IAM_POLICY_VERSION,
+        Statement: [
+            {
+                Sid: "EnforceEbsEncryption",
+                Effect: "Deny",
+                Action: "ec2:RunInstances",
+                Resource: "arn:aws:ec2:*:*:volume/*",
+                Condition: {
+                    Bool: { "ec2:Encrypted": "false" }
+                }
+            },
+            {
+                Sid: "EnforceRdsEncryption",
+                Effect: "Deny",
+                Action: ["rds:CreateDBInstance", "rds:CreateDBCluster"],
+                Resource: "*",
+                Condition: {
+                    Bool: { "rds:StorageEncrypted": "false" }
+                }
+            },
+            {
+                Sid: "EnforceS3Encryption",
+                Effect: "Deny",
+                Action: "s3:PutObject",
+                Resource: "*",
+                Condition: {
+                    StringNotEquals: {
+                        "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
+                    },
+                    Null: { "s3:x-amz-server-side-encryption": "false" }
+                }
+            },
+            {
+                Sid: "DenyDisableEbsDefaultEncryption",
+                Effect: "Deny",
+                Action: "ec2:DisableEbsEncryptionByDefault",
+                Resource: "*"
+            },
+            {
+                Sid: "DenyS3PublicAccessChanges",
+                Effect: "Deny",
+                Action: [
+                    "s3:PutBucketPublicAccessBlock",
+                    "s3:PutAccountPublicAccessBlock"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            },
+            {
+                Sid: "EnforceImdsV2",
+                Effect: "Deny",
+                Action: "ec2:RunInstances",
+                Resource: "arn:aws:ec2:*:*:instance/*",
+                Condition: {
+                    StringNotEquals: { "ec2:MetadataHttpTokens": "required" }
+                }
+            },
+            {
+                Sid: "DenyIamUserCreation",
+                Effect: "Deny",
+                Action: [
+                    "iam:CreateUser",
+                    "iam:CreateAccessKey",
+                    "iam:CreateLoginProfile"
+                ],
+                Resource: "*",
+                Condition: automationExemption()
+            }
+        ]
+    };
+}
+function buildCostControls() {
+    return {
+        Version: IAM_POLICY_VERSION,
+        Statement: [
+            {
+                Sid: "DenyExpensiveEc2Instances",
+                Effect: "Deny",
+                Action: "ec2:RunInstances",
+                Resource: "arn:aws:ec2:*:*:instance/*",
+                Condition: {
+                    StringNotLike: {
+                        "ec2:InstanceType": ["t3.*", "t3a.*", "t4g.*"]
+                    }
+                }
+            },
+            {
+                Sid: "DenyExpensiveRdsInstances",
+                Effect: "Deny",
+                Action: [
+                    "rds:CreateDBInstance",
+                    "rds:CreateDBCluster",
+                    "rds:ModifyDBInstance",
+                    "rds:ModifyDBCluster"
+                ],
+                Resource: "*",
+                Condition: {
+                    StringNotLike: {
+                        "rds:DatabaseClass": ["db.t3.*", "db.t4g.*"]
+                    }
+                }
+            }
+        ]
+    };
+}
+function validateByteLimit(name, policy) {
+    const json = JSON.stringify(policy);
+    const byteLength = Buffer.byteLength(json, "utf-8");
+    if (byteLength > SCP_BYTE_LIMIT) {
+        throw new Error(`SCP "${name}" exceeds ${SCP_BYTE_LIMIT}-byte limit: ${byteLength} bytes`);
+    }
+}
+/**
+ * Creates a set of Service Control Policies (SCPs) based on a preset level.
+ *
+ * Standard preset: 3 root-level SCPs (FoundationGuardrails, SecurityProtection, EncryptionAndAccess).
+ * Hardened preset: 3 root + per-OU cost controls for development environments.
+ *
+ * All deny statements (except DenyRootUser) exempt automation roles to prevent deployment lockout.
+ */
+export class ScpPreset extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.createRootScps(props.rootId, props.allowedRegions);
+        if (props.preset === "hardened" && props.organisationalUnitIds) {
+            this.createHardenedScps(props.organisationalUnitIds);
+        }
+    }
+    createRootScps(rootId, allowedRegions) {
+        const foundationPolicy = buildFoundationGuardrails(allowedRegions);
+        validateByteLimit("FoundationGuardrails", foundationPolicy);
+        new OrganisationPolicy(this, "FoundationGuardrails", {
+            name: "fjall-foundation-guardrails",
+            policyType: SCP_POLICY_TYPE,
+            content: foundationPolicy,
+            description: "Root user lockout, organisation leave prevention, region restriction",
+            targetIds: [rootId]
+        });
+        const securityPolicy = buildSecurityProtection();
+        validateByteLimit("SecurityProtection", securityPolicy);
+        new OrganisationPolicy(this, "SecurityProtection", {
+            name: "fjall-security-protection",
+            policyType: SCP_POLICY_TYPE,
+            content: securityPolicy,
+            description: "Protects CloudTrail, Config, GuardDuty, SecurityHub, VPC Flow Logs, and KMS keys",
+            targetIds: [rootId]
+        });
+        const encryptionPolicy = buildEncryptionAndAccess();
+        validateByteLimit("EncryptionAndAccess", encryptionPolicy);
+        new OrganisationPolicy(this, "EncryptionAndAccess", {
+            name: "fjall-encryption-and-access",
+            policyType: SCP_POLICY_TYPE,
+            content: encryptionPolicy,
+            description: "Enforces encryption for EBS, RDS, S3; blocks public access changes; requires IMDSv2; denies IAM user creation",
+            targetIds: [rootId]
+        });
+    }
+    createHardenedScps(organisationalUnitIds) {
+        const developmentOuId = organisationalUnitIds["development"];
+        if (developmentOuId) {
+            const costPolicy = buildCostControls();
+            validateByteLimit("CostControls", costPolicy);
+            new OrganisationPolicy(this, "CostControls", {
+                name: "fjall-cost-controls",
+                policyType: SCP_POLICY_TYPE,
+                content: costPolicy,
+                description: "Restricts instance types in development environments to prevent accidental spend",
+                targetIds: [developmentOuId]
+            });
+        }
+    }
+}

package/dist/lib/config/aws/securityBaseline.d.ts

@@ -0,0 +1,15 @@
+import { Construct } from "constructs";
+export interface SecurityBaselineProps {
+    /** Controls which services are instantiated. "off" creates nothing. */
+    level: "off" | "baseline" | "compliance";
+}
+/**
+ * Convenience orchestrator for per-account security services.
+ * Instantiates child constructs based on the selected level.
+ *
+ * Does NOT include ConfigRulePreset -- Config Rules are applied independently
+ * at the Account stack level with environment-aware presets.
+ */
+export declare class SecurityBaseline extends Construct {
+    constructor(scope: Construct, id: string, props: SecurityBaselineProps);
+}

package/dist/lib/config/aws/securityBaseline.js

@@ -0,0 +1,27 @@
+import { Construct } from "constructs";
+import { GuardDutyDetector } from "./guardDutyDetector.js";
+import { SecurityHubHub } from "./securityHubHub.js";
+import { ConfigRecorder } from "./configRecorder.js";
+import { AccountAccessAnalyser } from "./accessAnalyser.js";
+import { InspectorEnablement } from "./inspectorEnablement.js";
+/**
+ * Convenience orchestrator for per-account security services.
+ * Instantiates child constructs based on the selected level.
+ *
+ * Does NOT include ConfigRulePreset -- Config Rules are applied independently
+ * at the Account stack level with environment-aware presets.
+ */
+export class SecurityBaseline extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        if (props.level === "off")
+            return;
+        new GuardDutyDetector(this, "GuardDuty");
+        new SecurityHubHub(this, "SecurityHub");
+        new ConfigRecorder(this, "Config");
+        new AccountAccessAnalyser(this, "AccessAnalyser");
+        if (props.level === "compliance") {
+            new InspectorEnablement(this, "Inspector");
+        }
+    }
+}

package/dist/lib/config/aws/securityHubHub.d.ts

@@ -0,0 +1,15 @@
+import { CfnHub } from "aws-cdk-lib/aws-securityhub";
+import { Construct } from "constructs";
+export type SecurityHubStandard = "aws-foundational-security" | "cis-aws-foundations" | "pci-dss";
+export interface SecurityHubHubProps {
+    /** Standards to enable. Default: ["aws-foundational-security"] */
+    standards?: SecurityHubStandard[];
+}
+/**
+ * Per-account SecurityHub enablement with configurable compliance standards.
+ * Aggregates findings from GuardDuty, Inspector, Config, and IAM Access Analyser.
+ */
+export declare class SecurityHubHub extends Construct {
+    readonly hub: CfnHub;
+    constructor(scope: Construct, id: string, props?: SecurityHubHubProps);
+}

package/dist/lib/config/aws/securityHubHub.js

@@ -0,0 +1,28 @@
+import { Aws } from "aws-cdk-lib";
+import { CfnHub, CfnStandard } from "aws-cdk-lib/aws-securityhub";
+import { Construct } from "constructs";
+const STANDARD_ARNS = {
+    "aws-foundational-security": `arn:aws:securityhub:${Aws.REGION}::standards/aws-foundational-security-best-practices/v/1.0.0`,
+    "cis-aws-foundations": `arn:aws:securityhub:${Aws.REGION}::standards/cis-aws-foundations-benchmark/v/3.0.0`,
+    "pci-dss": `arn:aws:securityhub:${Aws.REGION}::standards/pci-dss/v/4.0.0`
+};
+/**
+ * Per-account SecurityHub enablement with configurable compliance standards.
+ * Aggregates findings from GuardDuty, Inspector, Config, and IAM Access Analyser.
+ */
+export class SecurityHubHub extends Construct {
+    hub;
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.hub = new CfnHub(this, "Hub", {
+            enableDefaultStandards: false
+        });
+        const standards = props?.standards ?? ["aws-foundational-security"];
+        for (const standard of standards) {
+            const cfnStandard = new CfnStandard(this, `Standard-${standard}`, {
+                standardsArn: STANDARD_ARNS[standard]
+            });
+            cfnStandard.addDependency(this.hub);
+        }
+    }
+}

package/dist/lib/config/aws/securityServicesAdmin.d.ts

@@ -0,0 +1,20 @@
+import { Construct } from "constructs";
+export type SecurityAdminService = "guardduty" | "securityhub" | "config";
+export interface SecurityServicesAdminProps {
+    /** Services to configure for organisation-wide auto-enablement. */
+    services: SecurityAdminService[];
+}
+/**
+ * Platform-level construct for org-wide security service configuration.
+ * Deployed in the delegated admin (platform) account.
+ *
+ * - GuardDuty: Custom Resource to auto-enable across the organisation
+ * - SecurityHub: Custom Resource to auto-enable with default standards
+ * - Config: Native CfnConfigurationAggregator for cross-account view
+ */
+export declare class SecurityServicesAdmin extends Construct {
+    constructor(scope: Construct, id: string, props: SecurityServicesAdminProps);
+    private createGuardDutyAdmin;
+    private createSecurityHubAdmin;
+    private createConfigAggregator;
+}

package/dist/lib/config/aws/securityServicesAdmin.js

@@ -0,0 +1,115 @@
+import { Duration } from "aws-cdk-lib";
+import { CfnConfigurationAggregator } from "aws-cdk-lib/aws-config";
+import { Role, ServicePrincipal, ManagedPolicy, PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
+import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Construct } from "constructs";
+import { CustomResource } from "../../resources/aws/utilities/customResource.js";
+/**
+ * Platform-level construct for org-wide security service configuration.
+ * Deployed in the delegated admin (platform) account.
+ *
+ * - GuardDuty: Custom Resource to auto-enable across the organisation
+ * - SecurityHub: Custom Resource to auto-enable with default standards
+ * - Config: Native CfnConfigurationAggregator for cross-account view
+ */
+export class SecurityServicesAdmin extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        for (const service of props.services) {
+            switch (service) {
+                case "guardduty":
+                    this.createGuardDutyAdmin();
+                    break;
+                case "securityhub":
+                    this.createSecurityHubAdmin();
+                    break;
+                case "config":
+                    this.createConfigAggregator();
+                    break;
+                default: {
+                    const _exhaustive = service;
+                    throw new Error(`Unsupported security admin service: ${String(_exhaustive)}`);
+                }
+            }
+        }
+    }
+    createGuardDutyAdmin() {
+        new CustomResource(this, "GuardDutyOrgConfig", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: Duration.minutes(5),
+            lambdaDescription: "Configures GuardDuty organisation-wide auto-enablement",
+            inlinePolicy: [
+                new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: [
+                        "guardduty:UpdateOrganizationConfiguration",
+                        "guardduty:ListDetectors"
+                    ],
+                    resources: ["*"]
+                })
+            ],
+            inlineCode: `
+const { GuardDutyClient, ListDetectorsCommand, UpdateOrganizationConfigurationCommand } = require('@aws-sdk/client-guardduty');
+
+exports.handler = async (event) => {
+  const physicalResourceId = event.PhysicalResourceId || event.LogicalResourceId || 'guardduty-org-config';
+  if (event.RequestType === 'Delete') {
+    return { PhysicalResourceId: physicalResourceId };
+  }
+  const client = new GuardDutyClient({});
+  const detectors = await client.send(new ListDetectorsCommand({}));
+  const detectorId = (detectors.DetectorIds || [])[0];
+  if (!detectorId) throw new Error('No GuardDuty detector found in delegated admin account');
+  await client.send(new UpdateOrganizationConfigurationCommand({
+    DetectorId: detectorId,
+    AutoEnableOrganizationMembers: 'ALL',
+  }));
+  return { PhysicalResourceId: physicalResourceId };
+};`
+        });
+    }
+    createSecurityHubAdmin() {
+        new CustomResource(this, "SecurityHubOrgConfig", {
+            runtime: Runtime.NODEJS_22_X,
+            timeout: Duration.minutes(5),
+            lambdaDescription: "Configures SecurityHub organisation-wide auto-enablement",
+            inlinePolicy: [
+                new PolicyStatement({
+                    effect: Effect.ALLOW,
+                    actions: ["securityhub:UpdateOrganizationConfiguration"],
+                    resources: ["*"]
+                })
+            ],
+            inlineCode: `
+const { SecurityHubClient, UpdateOrganizationConfigurationCommand } = require('@aws-sdk/client-securityhub');
+
+exports.handler = async (event) => {
+  const physicalResourceId = event.PhysicalResourceId || event.LogicalResourceId || 'securityhub-org-config';
+  if (event.RequestType === 'Delete') {
+    return { PhysicalResourceId: physicalResourceId };
+  }
+  const client = new SecurityHubClient({});
+  await client.send(new UpdateOrganizationConfigurationCommand({
+    AutoEnableOrganizationMembers: 'ALL',
+    AutoEnableStandards: 'NONE',
+  }));
+  return { PhysicalResourceId: physicalResourceId };
+};`
+        });
+    }
+    createConfigAggregator() {
+        const aggregatorRole = new Role(this, "ConfigAggregatorRole", {
+            assumedBy: new ServicePrincipal("config.amazonaws.com"),
+            managedPolicies: [
+                ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSConfigRoleForOrganizations")
+            ]
+        });
+        new CfnConfigurationAggregator(this, "ConfigAggregator", {
+            configurationAggregatorName: "FjallOrganisationAggregator",
+            organizationAggregationSource: {
+                roleArn: aggregatorRole.roleArn,
+                allAwsRegions: true
+            }
+        });
+    }
+}

package/dist/lib/config/index.d.ts

@@ -1,2 +1,2 @@
-export { FJALL_AUDIT_CONFIG } from "./audit";
-export * from "./aws";
+export { FJALL_AUDIT_CONFIG } from "./audit.js";
+export * from "./aws/index.js";

package/dist/lib/config/index.js

@@ -1,21 +1,2 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.FJALL_AUDIT_CONFIG = void 0;
-var audit_1 = require("./audit");
-Object.defineProperty(exports, "FJALL_AUDIT_CONFIG", { enumerable: true, get: function () { return audit_1.FJALL_AUDIT_CONFIG; } });
-__exportStar(require("./aws"), exports);
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9saWIvY29uZmlnL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsaUNBQTZDO0FBQXBDLDJHQUFBLGtCQUFrQixPQUFBO0FBQzNCLHdDQUFzQiIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCB7IEZKQUxMX0FVRElUX0NPTkZJRyB9IGZyb20gXCIuL2F1ZGl0XCI7XG5leHBvcnQgKiBmcm9tIFwiLi9hd3NcIjtcbiJdfQ==
+export { FJALL_AUDIT_CONFIG } from "./audit.js";
+export * from "./aws/index.js";

package/dist/lib/index.d.ts

@@ -1,5 +1,5 @@
-export * from "./patterns/aws";
-export * from "./utils";
-export * from "./resources";
-export * from "./app";
+export * from "./patterns/aws/index.js";
+export * from "./utils/index.js";
+export * from "./resources/index.js";
+export * from "./app.js";
 export { Code, Runtime, FunctionUrlAuthType } from "aws-cdk-lib/aws-lambda";

package/dist/lib/index.js

@@ -1,27 +1,6 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.FunctionUrlAuthType = exports.Runtime = exports.Code = void 0;
-__exportStar(require("./patterns/aws"), exports);
-__exportStar(require("./utils"), exports);
-__exportStar(require("./resources"), exports);
-__exportStar(require("./app"), exports);
+export * from "./patterns/aws/index.js";
+export * from "./utils/index.js";
+export * from "./resources/index.js";
+export * from "./app.js";
 // Re-export CDK Lambda types for use in generated infrastructure code
-var aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
-Object.defineProperty(exports, "Code", { enumerable: true, get: function () { return aws_lambda_1.Code; } });
-Object.defineProperty(exports, "Runtime", { enumerable: true, get: function () { return aws_lambda_1.Runtime; } });
-Object.defineProperty(exports, "FunctionUrlAuthType", { enumerable: true, get: function () { return aws_lambda_1.FunctionUrlAuthType; } });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9saWIvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSxpREFBK0I7QUFDL0IsMENBQXdCO0FBQ3hCLDhDQUE0QjtBQUM1Qix3Q0FBc0I7QUFFdEIsc0VBQXNFO0FBQ3RFLHFEQUE0RTtBQUFuRSxrR0FBQSxJQUFJLE9BQUE7QUFBRSxxR0FBQSxPQUFPLE9BQUE7QUFBRSxpSEFBQSxtQkFBbUIsT0FBQSIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCAqIGZyb20gXCIuL3BhdHRlcm5zL2F3c1wiO1xuZXhwb3J0ICogZnJvbSBcIi4vdXRpbHNcIjtcbmV4cG9ydCAqIGZyb20gXCIuL3Jlc291cmNlc1wiO1xuZXhwb3J0ICogZnJvbSBcIi4vYXBwXCI7XG5cbi8vIFJlLWV4cG9ydCBDREsgTGFtYmRhIHR5cGVzIGZvciB1c2UgaW4gZ2VuZXJhdGVkIGluZnJhc3RydWN0dXJlIGNvZGVcbmV4cG9ydCB7IENvZGUsIFJ1bnRpbWUsIEZ1bmN0aW9uVXJsQXV0aFR5cGUgfSBmcm9tIFwiYXdzLWNkay1saWIvYXdzLWxhbWJkYVwiO1xuIl19
+export { Code, Runtime, FunctionUrlAuthType } from "aws-cdk-lib/aws-lambda";

package/dist/lib/patterns/aws/account.d.ts

@@ -1,6 +1,16 @@
 import { Stack, type StackProps } from "aws-cdk-lib";
 import { type Construct } from "constructs";
-import type { OrganisationType } from "./interfaces/organisation";
+import { ConfigRulePreset } from "../../config/aws/configRulePreset.js";
+import { GuardDutyDetector } from "../../config/aws/guardDutyDetector.js";
+import { SecurityHubHub } from "../../config/aws/securityHubHub.js";
+import { ConfigRecorder } from "../../config/aws/configRecorder.js";
+import { AccountAccessAnalyser } from "../../config/aws/accessAnalyser.js";
+import { InspectorEnablement } from "../../config/aws/inspectorEnablement.js";
+import type { GuardDutyDetectorProps } from "../../config/aws/guardDutyDetector.js";
+import type { SecurityHubHubProps } from "../../config/aws/securityHubHub.js";
+import type { ConfigRecorderProps } from "../../config/aws/configRecorder.js";
+import type { ConfigRulePresetProps } from "../../config/aws/configRulePreset.js";
+import type { OrganisationType } from "./interfaces/organisation.js";
 export interface AccountProps extends StackProps {
     accountId?: string;
     region?: string;
@@ -9,4 +19,10 @@ export declare class Account extends Stack {
     readonly organisationType: OrganisationType;
     protected readonly resolvedRegion: string;
     constructor(scope: Construct, id: string, props: AccountProps);
+    enableGuardDuty(props?: GuardDutyDetectorProps): GuardDutyDetector;
+    enableSecurityHub(props?: SecurityHubHubProps): SecurityHubHub;
+    enableConfigRecorder(props?: ConfigRecorderProps): ConfigRecorder;
+    enableAccessAnalyser(): AccountAccessAnalyser;
+    enableInspector(): InspectorEnablement;
+    enableConfigRules(props: ConfigRulePresetProps): ConfigRulePreset;
 }