@fjall/components-infrastructure 0.89.5 → 0.94.0

package/dist/lib/config/aws/accessAnalyser.js

@@ -0,0 +1,17 @@
+import { CfnAnalyzer } from "aws-cdk-lib/aws-accessanalyzer";
+import { Construct } from "constructs";
+/**
+ * Per-account IAM Access Analyser. Identifies resources shared with
+ * external entities (S3 buckets, IAM roles, KMS keys, Lambda functions).
+ * Free service -- no additional cost.
+ */
+export class AccountAccessAnalyser extends Construct {
+    analyser;
+    constructor(scope, id) {
+        super(scope, id);
+        this.analyser = new CfnAnalyzer(this, "Analyser", {
+            analyzerName: "FjallAccountAnalyser",
+            type: "ACCOUNT"
+        });
+    }
+}

package/dist/lib/config/aws/accountAuditRole.js

@@ -1,10 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountAuditRole = void 0;
-const aws_cdk_lib_1 = require("aws-cdk-lib");
-const aws_iam_1 = require("aws-cdk-lib/aws-iam");
-const constructs_1 = require("constructs");
-const platform_1 = require("./platform");
+import { CfnOutput } from "aws-cdk-lib";
+import { Role, AccountPrincipal, ManagedPolicy } from "aws-cdk-lib/aws-iam";
+import { Construct } from "constructs";
+import { FJALL_PLATFORM_ACCOUNT_ID } from "./platform.js";
 /**
  * Per-account audit role for the Fjall platform.
  *
@@ -12,21 +9,22 @@ const platform_1 = require("./platform");
  * managed policies, trusting the Fjall platform account. Only instantiated when
  * a `fjallOrgId` context value is provided to the Account stack.
  */
-class AccountAuditRole extends constructs_1.Construct {
+export class AccountAuditRole extends Construct {
+    role;
     constructor(scope, id, props) {
         super(scope, id);
-        this.role = new aws_iam_1.Role(this, "Role", {
+        this.role = new Role(this, "Role", {
             roleName: `FjallAudit${props.fjallOrgId}`,
             path: "/",
-            assumedBy: new aws_iam_1.AccountPrincipal(platform_1.FJALL_PLATFORM_ACCOUNT_ID),
+            assumedBy: new AccountPrincipal(FJALL_PLATFORM_ACCOUNT_ID),
             description: `Cross-account audit role for Fjall organisation ${props.fjallOrgId}. Grants read-only access for asset discovery and compliance auditing.`,
             externalIds: [props.fjallOrgId],
             managedPolicies: [
-                aws_iam_1.ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess"),
-                aws_iam_1.ManagedPolicy.fromAwsManagedPolicyName("SecurityAudit")
+                ManagedPolicy.fromAwsManagedPolicyName("ReadOnlyAccess"),
+                ManagedPolicy.fromAwsManagedPolicyName("SecurityAudit")
             ]
         });
-        new aws_cdk_lib_1.CfnOutput(this, "FjallAuditRoleArn", {
+        new CfnOutput(this, "FjallAuditRoleArn", {
             key: "FjallAuditRoleArn",
             value: this.role.roleArn,
             description: `ARN of the Fjall audit role for organisation ${props.fjallOrgId}`,
@@ -34,5 +32,3 @@ class AccountAuditRole extends constructs_1.Construct {
         });
     }
 }
-exports.AccountAuditRole = AccountAuditRole;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjb3VudEF1ZGl0Um9sZS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL2xpYi9jb25maWcvYXdzL2FjY291bnRBdWRpdFJvbGUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsNkNBQXdDO0FBQ3hDLGlEQUE0RTtBQUM1RSwyQ0FBdUM7QUFDdkMseUNBQXVEO0FBVXZEOzs7Ozs7R0FNRztBQUNILE1BQWEsZ0JBQWlCLFNBQVEsc0JBQVM7SUFHN0MsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUE0QjtRQUNwRSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBRWpCLElBQUksQ0FBQyxJQUFJLEdBQUcsSUFBSSxjQUFJLENBQUMsSUFBSSxFQUFFLE1BQU0sRUFBRTtZQUNqQyxRQUFRLEVBQUUsYUFBYSxLQUFLLENBQUMsVUFBVSxFQUFFO1lBQ3pDLElBQUksRUFBRSxHQUFHO1lBQ1QsU0FBUyxFQUFFLElBQUksMEJBQWdCLENBQUMsb0NBQXlCLENBQUM7WUFDMUQsV0FBVyxFQUFFLG1EQUFtRCxLQUFLLENBQUMsVUFBVSx3RUFBd0U7WUFDeEosV0FBVyxFQUFFLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQztZQUMvQixlQUFlLEVBQUU7Z0JBQ2YsdUJBQWEsQ0FBQyx3QkFBd0IsQ0FBQyxnQkFBZ0IsQ0FBQztnQkFDeEQsdUJBQWEsQ0FBQyx3QkFBd0IsQ0FBQyxlQUFlLENBQUM7YUFDeEQ7U0FDRixDQUFDLENBQUM7UUFFSCxJQUFJLHVCQUFTLENBQUMsSUFBSSxFQUFFLG1CQUFtQixFQUFFO1lBQ3ZDLEdBQUcsRUFBRSxtQkFBbUI7WUFDeEIsS0FBSyxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTztZQUN4QixXQUFXLEVBQUUsZ0RBQWdELEtBQUssQ0FBQyxVQUFVLEVBQUU7WUFDL0UsVUFBVSxFQUFFLG1CQUFtQjtTQUNoQyxDQUFDLENBQUM7SUFDTCxDQUFDO0NBQ0Y7QUF6QkQsNENBeUJDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgQ2ZuT3V0cHV0IH0gZnJvbSBcImF3cy1jZGstbGliXCI7XG5pbXBvcnQgeyBSb2xlLCBBY2NvdW50UHJpbmNpcGFsLCBNYW5hZ2VkUG9saWN5IH0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1pYW1cIjtcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5pbXBvcnQgeyBGSkFMTF9QTEFURk9STV9BQ0NPVU5UX0lEIH0gZnJvbSBcIi4vcGxhdGZvcm1cIjtcblxuZXhwb3J0IGludGVyZmFjZSBBY2NvdW50QXVkaXRSb2xlUHJvcHMge1xuICAvKipcbiAgICogVGhlIEZqYWxsIG9yZ2FuaXNhdGlvbiBJRC4gVXNlZCBhcyBhIHN1ZmZpeCBpbiB0aGUgcm9sZSBuYW1lXG4gICAqIChgRmphbGxBdWRpdHtvcmdJZH1gKSBhbmQgYXMgdGhlIEV4dGVybmFsSWQgY29uZGl0aW9uLlxuICAgKi9cbiAgZmphbGxPcmdJZDogc3RyaW5nO1xufVxuXG4vKipcbiAqIFBlci1hY2NvdW50IGF1ZGl0IHJvbGUgZm9yIHRoZSBGamFsbCBwbGF0Zm9ybS5cbiAqXG4gKiBDcmVhdGVzIGEgYEZqYWxsQXVkaXR7b3JnSWR9YCBJQU0gcm9sZSB3aXRoIFJlYWRPbmx5QWNjZXNzIGFuZCBTZWN1cml0eUF1ZGl0XG4gKiBtYW5hZ2VkIHBvbGljaWVzLCB0cnVzdGluZyB0aGUgRmphbGwgcGxhdGZvcm0gYWNjb3VudC4gT25seSBpbnN0YW50aWF0ZWQgd2hlblxuICogYSBgZmphbGxPcmdJZGAgY29udGV4dCB2YWx1ZSBpcyBwcm92aWRlZCB0byB0aGUgQWNjb3VudCBzdGFjay5cbiAqL1xuZXhwb3J0IGNsYXNzIEFjY291bnRBdWRpdFJvbGUgZXh0ZW5kcyBDb25zdHJ1Y3Qge1xuICBwdWJsaWMgcmVhZG9ubHkgcm9sZTogUm9sZTtcblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wczogQWNjb3VudEF1ZGl0Um9sZVByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIHRoaXMucm9sZSA9IG5ldyBSb2xlKHRoaXMsIFwiUm9sZVwiLCB7XG4gICAgICByb2xlTmFtZTogYEZqYWxsQXVkaXQke3Byb3BzLmZqYWxsT3JnSWR9YCxcbiAgICAgIHBhdGg6IFwiL1wiLFxuICAgICAgYXNzdW1lZEJ5OiBuZXcgQWNjb3VudFByaW5jaXBhbChGSkFMTF9QTEFURk9STV9BQ0NPVU5UX0lEKSxcbiAgICAgIGRlc2NyaXB0aW9uOiBgQ3Jvc3MtYWNjb3VudCBhdWRpdCByb2xlIGZvciBGamFsbCBvcmdhbmlzYXRpb24gJHtwcm9wcy5mamFsbE9yZ0lkfS4gR3JhbnRzIHJlYWQtb25seSBhY2Nlc3MgZm9yIGFzc2V0IGRpc2NvdmVyeSBhbmQgY29tcGxpYW5jZSBhdWRpdGluZy5gLFxuICAgICAgZXh0ZXJuYWxJZHM6IFtwcm9wcy5mamFsbE9yZ0lkXSxcbiAgICAgIG1hbmFnZWRQb2xpY2llczogW1xuICAgICAgICBNYW5hZ2VkUG9saWN5LmZyb21Bd3NNYW5hZ2VkUG9saWN5TmFtZShcIlJlYWRPbmx5QWNjZXNzXCIpLFxuICAgICAgICBNYW5hZ2VkUG9saWN5LmZyb21Bd3NNYW5hZ2VkUG9saWN5TmFtZShcIlNlY3VyaXR5QXVkaXRcIilcbiAgICAgIF1cbiAgICB9KTtcblxuICAgIG5ldyBDZm5PdXRwdXQodGhpcywgXCJGamFsbEF1ZGl0Um9sZUFyblwiLCB7XG4gICAgICBrZXk6IFwiRmphbGxBdWRpdFJvbGVBcm5cIixcbiAgICAgIHZhbHVlOiB0aGlzLnJvbGUucm9sZUFybixcbiAgICAgIGRlc2NyaXB0aW9uOiBgQVJOIG9mIHRoZSBGamFsbCBhdWRpdCByb2xlIGZvciBvcmdhbmlzYXRpb24gJHtwcm9wcy5mamFsbE9yZ0lkfWAsXG4gICAgICBleHBvcnROYW1lOiBcIkZqYWxsQXVkaXRSb2xlQXJuXCJcbiAgICB9KTtcbiAgfVxufVxuIl19

package/dist/lib/config/aws/accountMonitoringRole.js

@@ -1,10 +1,7 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AccountMonitoringRole = void 0;
-const aws_cdk_lib_1 = require("aws-cdk-lib");
-const aws_iam_1 = require("aws-cdk-lib/aws-iam");
-const constructs_1 = require("constructs");
-const platform_1 = require("./platform");
+import { CfnOutput } from "aws-cdk-lib";
+import { Role, AccountPrincipal, PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
+import { Construct } from "constructs";
+import { FJALL_PLATFORM_ACCOUNT_ID } from "./platform.js";
 /**
  * Per-account monitoring role for the Fjall platform.
  *
@@ -14,19 +11,20 @@ const platform_1 = require("./platform");
  *
  * This replaces the previous per-app `FjallMonitoring-{appName}` roles.
  */
-class AccountMonitoringRole extends constructs_1.Construct {
+export class AccountMonitoringRole extends Construct {
+    role;
     constructor(scope, id, props) {
         super(scope, id);
-        this.role = new aws_iam_1.Role(this, "Role", {
+        this.role = new Role(this, "Role", {
             roleName: "FjallMonitoring",
             path: "/",
-            assumedBy: new aws_iam_1.AccountPrincipal(platform_1.FJALL_PLATFORM_ACCOUNT_ID),
+            assumedBy: new AccountPrincipal(FJALL_PLATFORM_ACCOUNT_ID),
             description: "Cross-account monitoring role for the Fjall platform. Grants read access to CloudWatch, ECS, RDS, S3, Lambda, ALB, Logs, and Cost Explorer.",
             ...(props?.fjallOrgId ? { externalIds: [props.fjallOrgId] } : {})
         });
         // CloudWatch Metrics
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "cloudwatch:GetMetricData",
                 "cloudwatch:GetMetricStatistics",
@@ -35,8 +33,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // ECS
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "ecs:DescribeServices",
                 "ecs:DescribeTasks",
@@ -47,8 +45,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // RDS
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "rds:DescribeDBInstances",
                 "rds:DescribeDBClusters",
@@ -58,8 +56,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // S3
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "s3:GetBucketLocation",
                 "s3:GetBucketMetricsConfiguration",
@@ -70,8 +68,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // Lambda
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "lambda:GetFunction",
                 "lambda:GetFunctionConfiguration",
@@ -81,8 +79,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // Application Load Balancer
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "elasticloadbalancing:DescribeLoadBalancers",
                 "elasticloadbalancing:DescribeTargetGroups",
@@ -92,8 +90,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // CloudWatch Logs
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "logs:FilterLogEvents",
                 "logs:GetLogEvents",
@@ -103,8 +101,8 @@ class AccountMonitoringRole extends constructs_1.Construct {
             resources: ["*"]
         }));
         // Cost Explorer
-        this.role.addToPolicy(new aws_iam_1.PolicyStatement({
-            effect: aws_iam_1.Effect.ALLOW,
+        this.role.addToPolicy(new PolicyStatement({
+            effect: Effect.ALLOW,
             actions: [
                 "ce:GetCostAndUsage",
                 "ce:GetCostAndUsageWithResources",
@@ -121,7 +119,7 @@ class AccountMonitoringRole extends constructs_1.Construct {
             ],
             resources: ["*"]
         }));
-        new aws_cdk_lib_1.CfnOutput(this, "FjallMonitoringRoleArn", {
+        new CfnOutput(this, "FjallMonitoringRoleArn", {
             key: "FjallMonitoringRoleArn",
             value: this.role.roleArn,
             description: "ARN of the per-account Fjall monitoring role",
@@ -129,5 +127,3 @@ class AccountMonitoringRole extends constructs_1.Construct {
         });
     }
 }
-exports.AccountMonitoringRole = AccountMonitoringRole;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWNjb3VudE1vbml0b3JpbmdSb2xlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vbGliL2NvbmZpZy9hd3MvYWNjb3VudE1vbml0b3JpbmdSb2xlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLDZDQUF3QztBQUN4QyxpREFLNkI7QUFDN0IsMkNBQXVDO0FBQ3ZDLHlDQUF1RDtBQVV2RDs7Ozs7Ozs7R0FRRztBQUNILE1BQWEscUJBQXNCLFNBQVEsc0JBQVM7SUFHbEQsWUFDRSxLQUFnQixFQUNoQixFQUFVLEVBQ1YsS0FBa0M7UUFFbEMsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksY0FBSSxDQUFDLElBQUksRUFBRSxNQUFNLEVBQUU7WUFDakMsUUFBUSxFQUFFLGlCQUFpQjtZQUMzQixJQUFJLEVBQUUsR0FBRztZQUNULFNBQVMsRUFBRSxJQUFJLDBCQUFnQixDQUFDLG9DQUF5QixDQUFDO1lBQzFELFdBQVcsRUFDVCw2SUFBNkk7WUFDL0ksR0FBRyxDQUFDLEtBQUssRUFBRSxVQUFVLENBQUMsQ0FBQyxDQUFDLEVBQUUsV0FBVyxFQUFFLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQztTQUNsRSxDQUFDLENBQUM7UUFFSCxxQkFBcUI7UUFDckIsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQ25CLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRTtnQkFDUCwwQkFBMEI7Z0JBQzFCLGdDQUFnQztnQkFDaEMsd0JBQXdCO2FBQ3pCO1lBQ0QsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO1NBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBRUYsTUFBTTtRQUNOLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUNuQixJQUFJLHlCQUFlLENBQUM7WUFDbEIsTUFBTSxFQUFFLGdCQUFNLENBQUMsS0FBSztZQUNwQixPQUFPLEVBQUU7Z0JBQ1Asc0JBQXNCO2dCQUN0QixtQkFBbUI7Z0JBQ25CLGVBQWU7Z0JBQ2Ysc0JBQXNCO2dCQUN0QixrQkFBa0I7YUFDbkI7WUFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUNILENBQUM7UUFFRixNQUFNO1FBQ04sSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQ25CLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRTtnQkFDUCx5QkFBeUI7Z0JBQ3pCLHdCQUF3QjtnQkFDeEIsdUJBQXVCO2dCQUN2Qix5QkFBeUI7YUFDMUI7WUFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUNILENBQUM7UUFFRixLQUFLO1FBQ0wsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQ25CLElBQUkseUJBQWUsQ0FBQztZQUNsQixNQUFNLEVBQUUsZ0JBQU0sQ0FBQyxLQUFLO1lBQ3BCLE9BQU8sRUFBRTtnQkFDUCxzQkFBc0I7Z0JBQ3RCLGtDQUFrQztnQkFDbEMscUJBQXFCO2dCQUNyQixlQUFlO2dCQUNmLHFCQUFxQjthQUN0QjtZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLFNBQVM7UUFDVCxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FDbkIsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFO2dCQUNQLG9CQUFvQjtnQkFDcEIsaUNBQWlDO2dCQUNqQyxzQkFBc0I7Z0JBQ3RCLGlCQUFpQjthQUNsQjtZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLDRCQUE0QjtRQUM1QixJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FDbkIsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFO2dCQUNQLDRDQUE0QztnQkFDNUMsMkNBQTJDO2dCQUMzQywyQ0FBMkM7Z0JBQzNDLG1DQUFtQzthQUNwQztZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLGtCQUFrQjtRQUNsQixJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FDbkIsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFO2dCQUNQLHNCQUFzQjtnQkFDdEIsbUJBQW1CO2dCQUNuQix3QkFBd0I7Z0JBQ3hCLHlCQUF5QjthQUMxQjtZQUNELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztTQUNqQixDQUFDLENBQ0gsQ0FBQztRQUVGLGdCQUFnQjtRQUNoQixJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FDbkIsSUFBSSx5QkFBZSxDQUFDO1lBQ2xCLE1BQU0sRUFBRSxnQkFBTSxDQUFDLEtBQUs7WUFDcEIsT0FBTyxFQUFFO2dCQUNQLG9CQUFvQjtnQkFDcEIsaUNBQWlDO2dCQUNqQyxvQkFBb0I7Z0JBQ3BCLHNCQUFzQjtnQkFDdEIsK0JBQStCO2dCQUMvQixzQ0FBc0M7Z0JBQ3RDLDRCQUE0QjtnQkFDNUIsMENBQTBDO2dCQUMxQyw4QkFBOEI7Z0JBQzlCLDJCQUEyQjtnQkFDM0IseUNBQXlDO2dCQUN6QyxpQ0FBaUM7YUFDbEM7WUFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFHLENBQUM7U0FDakIsQ0FBQyxDQUNILENBQUM7UUFFRixJQUFJLHVCQUFTLENBQUMsSUFBSSxFQUFFLHdCQUF3QixFQUFFO1lBQzVDLEdBQUcsRUFBRSx3QkFBd0I7WUFDN0IsS0FBSyxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsT0FBTztZQUN4QixXQUFXLEVBQUUsOENBQThDO1lBQzNELFVBQVUsRUFBRSx3QkFBd0I7U0FDckMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztDQUNGO0FBbkpELHNEQW1KQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IENmbk91dHB1dCB9IGZyb20gXCJhd3MtY2RrLWxpYlwiO1xuaW1wb3J0IHtcbiAgUm9sZSxcbiAgQWNjb3VudFByaW5jaXBhbCxcbiAgUG9saWN5U3RhdGVtZW50LFxuICBFZmZlY3Rcbn0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1pYW1cIjtcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5pbXBvcnQgeyBGSkFMTF9QTEFURk9STV9BQ0NPVU5UX0lEIH0gZnJvbSBcIi4vcGxhdGZvcm1cIjtcblxuZXhwb3J0IGludGVyZmFjZSBBY2NvdW50TW9uaXRvcmluZ1JvbGVQcm9wcyB7XG4gIC8qKlxuICAgKiBPcHRpb25hbCBGamFsbCBvcmdhbmlzYXRpb24gSUQuIFdoZW4gcHJvdmlkZWQsIHVzZWQgYXMgdGhlIEV4dGVybmFsSWRcbiAgICogY29uZGl0aW9uIGZvciBhZGRpdGlvbmFsIGFzc3VtZS1yb2xlIHNlY3VyaXR5LlxuICAgKi9cbiAgZmphbGxPcmdJZD86IHN0cmluZztcbn1cblxuLyoqXG4gKiBQZXItYWNjb3VudCBtb25pdG9yaW5nIHJvbGUgZm9yIHRoZSBGamFsbCBwbGF0Zm9ybS5cbiAqXG4gKiBDcmVhdGVzIGEgc2luZ2xlIGBGamFsbE1vbml0b3JpbmdgIElBTSByb2xlIHBlciBBV1MgYWNjb3VudCAoaW4gdGhlIEFjY291bnQgc3RhY2spXG4gKiB0aGF0IGdyYW50cyB0aGUgRmphbGwgcGxhdGZvcm0gcmVhZCBhY2Nlc3MgdG8gQ2xvdWRXYXRjaCBtZXRyaWNzLCBFQ1MsIFJEUywgUzMsXG4gKiBMYW1iZGEsIEFMQiwgQ2xvdWRXYXRjaCBMb2dzLCBhbmQgQ29zdCBFeHBsb3Jlci5cbiAqXG4gKiBUaGlzIHJlcGxhY2VzIHRoZSBwcmV2aW91cyBwZXItYXBwIGBGamFsbE1vbml0b3Jpbmcte2FwcE5hbWV9YCByb2xlcy5cbiAqL1xuZXhwb3J0IGNsYXNzIEFjY291bnRNb25pdG9yaW5nUm9sZSBleHRlbmRzIENvbnN0cnVjdCB7XG4gIHB1YmxpYyByZWFkb25seSByb2xlOiBSb2xlO1xuXG4gIGNvbnN0cnVjdG9yKFxuICAgIHNjb3BlOiBDb25zdHJ1Y3QsXG4gICAgaWQ6IHN0cmluZyxcbiAgICBwcm9wcz86IEFjY291bnRNb25pdG9yaW5nUm9sZVByb3BzXG4gICkge1xuICAgIHN1cGVyKHNjb3BlLCBpZCk7XG5cbiAgICB0aGlzLnJvbGUgPSBuZXcgUm9sZSh0aGlzLCBcIlJvbGVcIiwge1xuICAgICAgcm9sZU5hbWU6IFwiRmphbGxNb25pdG9yaW5nXCIsXG4gICAgICBwYXRoOiBcIi9cIixcbiAgICAgIGFzc3VtZWRCeTogbmV3IEFjY291bnRQcmluY2lwYWwoRkpBTExfUExBVEZPUk1fQUNDT1VOVF9JRCksXG4gICAgICBkZXNjcmlwdGlvbjpcbiAgICAgICAgXCJDcm9zcy1hY2NvdW50IG1vbml0b3Jpbmcgcm9sZSBmb3IgdGhlIEZqYWxsIHBsYXRmb3JtLiBHcmFudHMgcmVhZCBhY2Nlc3MgdG8gQ2xvdWRXYXRjaCwgRUNTLCBSRFMsIFMzLCBMYW1iZGEsIEFMQiwgTG9ncywgYW5kIENvc3QgRXhwbG9yZXIuXCIsXG4gICAgICAuLi4ocHJvcHM/LmZqYWxsT3JnSWQgPyB7IGV4dGVybmFsSWRzOiBbcHJvcHMuZmphbGxPcmdJZF0gfSA6IHt9KVxuICAgIH0pO1xuXG4gICAgLy8gQ2xvdWRXYXRjaCBNZXRyaWNzXG4gICAgdGhpcy5yb2xlLmFkZFRvUG9saWN5KFxuICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGVmZmVjdDogRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgXCJjbG91ZHdhdGNoOkdldE1ldHJpY0RhdGFcIixcbiAgICAgICAgICBcImNsb3Vkd2F0Y2g6R2V0TWV0cmljU3RhdGlzdGljc1wiLFxuICAgICAgICAgIFwiY2xvdWR3YXRjaDpMaXN0TWV0cmljc1wiXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gRUNTXG4gICAgdGhpcy5yb2xlLmFkZFRvUG9saWN5KFxuICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGVmZmVjdDogRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgXCJlY3M6RGVzY3JpYmVTZXJ2aWNlc1wiLFxuICAgICAgICAgIFwiZWNzOkRlc2NyaWJlVGFza3NcIixcbiAgICAgICAgICBcImVjczpMaXN0VGFza3NcIixcbiAgICAgICAgICBcImVjczpEZXNjcmliZUNsdXN0ZXJzXCIsXG4gICAgICAgICAgXCJlY3M6TGlzdFNlcnZpY2VzXCJcbiAgICAgICAgXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG5cbiAgICAvLyBSRFNcbiAgICB0aGlzLnJvbGUuYWRkVG9Qb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBFZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFtcbiAgICAgICAgICBcInJkczpEZXNjcmliZURCSW5zdGFuY2VzXCIsXG4gICAgICAgICAgXCJyZHM6RGVzY3JpYmVEQkNsdXN0ZXJzXCIsXG4gICAgICAgICAgXCJyZHM6RGVzY3JpYmVEQlByb3hpZXNcIixcbiAgICAgICAgICBcInJkczpMaXN0VGFnc0ZvclJlc291cmNlXCJcbiAgICAgICAgXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG5cbiAgICAvLyBTM1xuICAgIHRoaXMucm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgIFwiczM6R2V0QnVja2V0TG9jYXRpb25cIixcbiAgICAgICAgICBcInMzOkdldEJ1Y2tldE1ldHJpY3NDb25maWd1cmF0aW9uXCIsXG4gICAgICAgICAgXCJzMzpHZXRCdWNrZXRUYWdnaW5nXCIsXG4gICAgICAgICAgXCJzMzpMaXN0QnVja2V0XCIsXG4gICAgICAgICAgXCJzMzpMaXN0QWxsTXlCdWNrZXRzXCJcbiAgICAgICAgXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG5cbiAgICAvLyBMYW1iZGFcbiAgICB0aGlzLnJvbGUuYWRkVG9Qb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgZWZmZWN0OiBFZmZlY3QuQUxMT1csXG4gICAgICAgIGFjdGlvbnM6IFtcbiAgICAgICAgICBcImxhbWJkYTpHZXRGdW5jdGlvblwiLFxuICAgICAgICAgIFwibGFtYmRhOkdldEZ1bmN0aW9uQ29uZmlndXJhdGlvblwiLFxuICAgICAgICAgIFwibGFtYmRhOkxpc3RGdW5jdGlvbnNcIixcbiAgICAgICAgICBcImxhbWJkYTpMaXN0VGFnc1wiXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gQXBwbGljYXRpb24gTG9hZCBCYWxhbmNlclxuICAgIHRoaXMucm9sZS5hZGRUb1BvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBlZmZlY3Q6IEVmZmVjdC5BTExPVyxcbiAgICAgICAgYWN0aW9uczogW1xuICAgICAgICAgIFwiZWxhc3RpY2xvYWRiYWxhbmNpbmc6RGVzY3JpYmVMb2FkQmFsYW5jZXJzXCIsXG4gICAgICAgICAgXCJlbGFzdGljbG9hZGJhbGFuY2luZzpEZXNjcmliZVRhcmdldEdyb3Vwc1wiLFxuICAgICAgICAgIFwiZWxhc3RpY2xvYWRiYWxhbmNpbmc6RGVzY3JpYmVUYXJnZXRIZWFsdGhcIixcbiAgICAgICAgICBcImVsYXN0aWNsb2FkYmFsYW5jaW5nOkRlc2NyaWJlVGFnc1wiXG4gICAgICAgIF0sXG4gICAgICAgIHJlc291cmNlczogW1wiKlwiXVxuICAgICAgfSlcbiAgICApO1xuXG4gICAgLy8gQ2xvdWRXYXRjaCBMb2dzXG4gICAgdGhpcy5yb2xlLmFkZFRvUG9saWN5KFxuICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGVmZmVjdDogRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgXCJsb2dzOkZpbHRlckxvZ0V2ZW50c1wiLFxuICAgICAgICAgIFwibG9nczpHZXRMb2dFdmVudHNcIixcbiAgICAgICAgICBcImxvZ3M6RGVzY3JpYmVMb2dHcm91cHNcIixcbiAgICAgICAgICBcImxvZ3M6RGVzY3JpYmVMb2dTdHJlYW1zXCJcbiAgICAgICAgXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbXCIqXCJdXG4gICAgICB9KVxuICAgICk7XG5cbiAgICAvLyBDb3N0IEV4cGxvcmVyXG4gICAgdGhpcy5yb2xlLmFkZFRvUG9saWN5KFxuICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgIGVmZmVjdDogRWZmZWN0LkFMTE9XLFxuICAgICAgICBhY3Rpb25zOiBbXG4gICAgICAgICAgXCJjZTpHZXRDb3N0QW5kVXNhZ2VcIixcbiAgICAgICAgICBcImNlOkdldENvc3RBbmRVc2FnZVdpdGhSZXNvdXJjZXNcIixcbiAgICAgICAgICBcImNlOkdldENvc3RGb3JlY2FzdFwiLFxuICAgICAgICAgIFwiY2U6R2V0Q29zdENhdGVnb3JpZXNcIixcbiAgICAgICAgICBcImNlOkdldFNhdmluZ3NQbGFuc1V0aWxpemF0aW9uXCIsXG4gICAgICAgICAgXCJjZTpHZXRTYXZpbmdzUGxhbnNVdGlsaXphdGlvbkRldGFpbHNcIixcbiAgICAgICAgICBcImNlOkdldFNhdmluZ3NQbGFuc0NvdmVyYWdlXCIsXG4gICAgICAgICAgXCJjZTpHZXRTYXZpbmdzUGxhbnNQdXJjaGFzZVJlY29tbWVuZGF0aW9uXCIsXG4gICAgICAgICAgXCJjZTpHZXRSZXNlcnZhdGlvblV0aWxpemF0aW9uXCIsXG4gICAgICAgICAgXCJjZTpHZXRSZXNlcnZhdGlvbkNvdmVyYWdlXCIsXG4gICAgICAgICAgXCJjZTpHZXRSZXNlcnZhdGlvblB1cmNoYXNlUmVjb21tZW5kYXRpb25cIixcbiAgICAgICAgICBcImNlOkdldFJpZ2h0c2l6aW5nUmVjb21tZW5kYXRpb25cIlxuICAgICAgICBdLFxuICAgICAgICByZXNvdXJjZXM6IFtcIipcIl1cbiAgICAgIH0pXG4gICAgKTtcblxuICAgIG5ldyBDZm5PdXRwdXQodGhpcywgXCJGamFsbE1vbml0b3JpbmdSb2xlQXJuXCIsIHtcbiAgICAgIGtleTogXCJGamFsbE1vbml0b3JpbmdSb2xlQXJuXCIsXG4gICAgICB2YWx1ZTogdGhpcy5yb2xlLnJvbGVBcm4sXG4gICAgICBkZXNjcmlwdGlvbjogXCJBUk4gb2YgdGhlIHBlci1hY2NvdW50IEZqYWxsIG1vbml0b3Jpbmcgcm9sZVwiLFxuICAgICAgZXhwb3J0TmFtZTogXCJGamFsbE1vbml0b3JpbmdSb2xlQXJuXCJcbiAgICB9KTtcbiAgfVxufVxuIl19

package/dist/lib/config/aws/alarmTopic.d.ts

@@ -0,0 +1,8 @@
+import { CfnOutput } from "aws-cdk-lib";
+import type { ITopic } from "aws-cdk-lib/aws-sns";
+import { Construct } from "constructs";
+export declare class SharedAlarmTopic extends Construct {
+    readonly topic: ITopic;
+    readonly topicArn: CfnOutput;
+    constructor(scope: Construct, id: string);
+}

package/dist/lib/config/aws/alarmTopic.js

@@ -0,0 +1,19 @@
+import { CfnOutput } from "aws-cdk-lib";
+import * as sns from "aws-cdk-lib/aws-sns";
+import { Construct } from "constructs";
+export class SharedAlarmTopic extends Construct {
+    topic;
+    topicArn;
+    constructor(scope, id) {
+        super(scope, id);
+        const topic = new sns.Topic(this, "AlarmNotifications", {
+            displayName: "Fjall CloudWatch Alarm Notifications"
+        });
+        this.topic = topic;
+        this.topicArn = new CfnOutput(this, "SharedAlarmTopicArn", {
+            key: "SharedAlarmTopicArn",
+            value: topic.topicArn,
+            exportName: "SharedAlarmTopicArn"
+        });
+    }
+}

package/dist/lib/config/aws/cloudTrail.js

@@ -1,17 +1,12 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ManagementEventsTrail = void 0;
-const constructs_1 = require("constructs");
-const cloudTrail_1 = require("../../resources/aws/logging/cloudTrail");
-class ManagementEventsTrail extends constructs_1.Construct {
+import { Construct } from "constructs";
+import { Trail } from "../../resources/aws/logging/cloudTrail.js";
+export class ManagementEventsTrail extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
-        new cloudTrail_1.Trail(this, "managementEventsTrail", {
+        new Trail(this, "managementEventsTrail", {
             bucketName: `cloudtrail-management-events-${props.accountId}-${props.region}`,
             trailName: "managementEvents",
             isMultiRegionTrail: true
         });
     }
 }
-exports.ManagementEventsTrail = ManagementEventsTrail;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xvdWRUcmFpbC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL2xpYi9jb25maWcvYXdzL2Nsb3VkVHJhaWwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQUEsMkNBQXVDO0FBQ3ZDLHVFQUErRDtBQU8vRCxNQUFhLHFCQUFzQixTQUFRLHNCQUFTO0lBQ2xELFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBaUM7UUFDekUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLGtCQUFLLENBQUMsSUFBSSxFQUFFLHVCQUF1QixFQUFFO1lBQ3ZDLFVBQVUsRUFBRSxnQ0FBZ0MsS0FBSyxDQUFDLFNBQVMsSUFBSSxLQUFLLENBQUMsTUFBTSxFQUFFO1lBQzdFLFNBQVMsRUFBRSxrQkFBa0I7WUFDN0Isa0JBQWtCLEVBQUUsSUFBSTtTQUN6QixDQUFDLENBQUM7SUFDTCxDQUFDO0NBQ0Y7QUFWRCxzREFVQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gXCJjb25zdHJ1Y3RzXCI7XG5pbXBvcnQgeyBUcmFpbCB9IGZyb20gXCIuLi8uLi9yZXNvdXJjZXMvYXdzL2xvZ2dpbmcvY2xvdWRUcmFpbFwiO1xuXG5leHBvcnQgaW50ZXJmYWNlIE1hbmFnZW1lbnRFdmVudHNUcmFpbFByb3BzIHtcbiAgYWNjb3VudElkOiBzdHJpbmc7XG4gIHJlZ2lvbjogc3RyaW5nO1xufVxuXG5leHBvcnQgY2xhc3MgTWFuYWdlbWVudEV2ZW50c1RyYWlsIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IE1hbmFnZW1lbnRFdmVudHNUcmFpbFByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIG5ldyBUcmFpbCh0aGlzLCBcIm1hbmFnZW1lbnRFdmVudHNUcmFpbFwiLCB7XG4gICAgICBidWNrZXROYW1lOiBgY2xvdWR0cmFpbC1tYW5hZ2VtZW50LWV2ZW50cy0ke3Byb3BzLmFjY291bnRJZH0tJHtwcm9wcy5yZWdpb259YCxcbiAgICAgIHRyYWlsTmFtZTogXCJtYW5hZ2VtZW50RXZlbnRzXCIsXG4gICAgICBpc011bHRpUmVnaW9uVHJhaWw6IHRydWVcbiAgICB9KTtcbiAgfVxufVxuIl19

package/dist/lib/config/aws/configRecorder.d.ts

@@ -0,0 +1,16 @@
+import { Construct } from "constructs";
+export interface ConfigRecorderProps {
+    /** Record all supported resource types. Default: true */
+    allResources?: boolean;
+    /** Include global resource types (IAM, etc.). Default: true */
+    includeGlobalResources?: boolean;
+}
+/**
+ * AWS Config recorder with S3 delivery channel.
+ * Records configuration changes to all supported resources.
+ * Prerequisite for SecurityHub compliance checks and Config Rules.
+ */
+export declare class ConfigRecorder extends Construct {
+    readonly deliveryBucketName: string;
+    constructor(scope: Construct, id: string, props?: ConfigRecorderProps);
+}

package/dist/lib/config/aws/configRecorder.js

@@ -0,0 +1,51 @@
+import { Duration, RemovalPolicy } from "aws-cdk-lib";
+import { CfnConfigurationRecorder, CfnDeliveryChannel } from "aws-cdk-lib/aws-config";
+import { Role, ServicePrincipal, ManagedPolicy } from "aws-cdk-lib/aws-iam";
+import { Bucket, BucketEncryption, BlockPublicAccess } from "aws-cdk-lib/aws-s3";
+import { Construct } from "constructs";
+/**
+ * AWS Config recorder with S3 delivery channel.
+ * Records configuration changes to all supported resources.
+ * Prerequisite for SecurityHub compliance checks and Config Rules.
+ */
+export class ConfigRecorder extends Construct {
+    deliveryBucketName;
+    constructor(scope, id, props) {
+        super(scope, id);
+        const allResources = props?.allResources !== false;
+        const includeGlobalResources = props?.includeGlobalResources !== false;
+        // Delivery bucket -- S3-managed encryption, 90-day lifecycle, no public access
+        const deliveryBucket = new Bucket(this, "DeliveryBucket", {
+            encryption: BucketEncryption.S3_MANAGED,
+            blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
+            enforceSSL: true,
+            removalPolicy: RemovalPolicy.RETAIN,
+            lifecycleRules: [{ expiration: Duration.days(90), enabled: true }]
+        });
+        this.deliveryBucketName = deliveryBucket.bucketName;
+        // IAM role for Config service
+        const configRole = new Role(this, "ConfigRole", {
+            assumedBy: new ServicePrincipal("config.amazonaws.com"),
+            managedPolicies: [
+                ManagedPolicy.fromAwsManagedPolicyName("service-role/AWS_ConfigRole")
+            ]
+        });
+        deliveryBucket.grantReadWrite(configRole);
+        // Configuration recorder
+        const recorder = new CfnConfigurationRecorder(this, "Recorder", {
+            roleArn: configRole.roleArn,
+            recordingGroup: {
+                allSupported: allResources,
+                includeGlobalResourceTypes: includeGlobalResources
+            }
+        });
+        // Delivery channel
+        const deliveryChannel = new CfnDeliveryChannel(this, "DeliveryChannel", {
+            s3BucketName: deliveryBucket.bucketName,
+            configSnapshotDeliveryProperties: {
+                deliveryFrequency: "TwentyFour_Hours"
+            }
+        });
+        deliveryChannel.addDependency(recorder);
+    }
+}

package/dist/lib/config/aws/configRulePreset.d.ts

@@ -0,0 +1,13 @@
+import { Construct } from "constructs";
+export interface ConfigRulePresetProps {
+    /** Preset to apply: "essential" (8 rules) or "production" (20 rules). */
+    preset: "essential" | "production";
+}
+/**
+ * Curated AWS Config Rule presets for common compliance checks.
+ * Each rule is deployed as a managed rule. Requires an active Config recorder
+ * in the same account (enforced at the Account stack level, not within this construct).
+ */
+export declare class ConfigRulePreset extends Construct {
+    constructor(scope: Construct, id: string, props: ConfigRulePresetProps);
+}

package/dist/lib/config/aws/configRulePreset.js

@@ -0,0 +1,62 @@
+import { ManagedRule } from "aws-cdk-lib/aws-config";
+import { Construct } from "constructs";
+const ESSENTIAL_RULES = [
+    { identifier: "ENCRYPTED_VOLUMES", name: "encrypted-volumes" },
+    { identifier: "INCOMING_SSH_DISABLED", name: "restricted-ssh" },
+    { identifier: "S3_BUCKET_SSL_REQUESTS_ONLY", name: "s3-ssl-only" },
+    { identifier: "RDS_STORAGE_ENCRYPTED", name: "rds-encryption" },
+    { identifier: "ROOT_ACCOUNT_MFA_ENABLED", name: "root-mfa" },
+    { identifier: "IAM_ROOT_ACCESS_KEY_CHECK", name: "root-access-keys" },
+    {
+        identifier: "RESTRICTED_INCOMING_TRAFFIC",
+        name: "restricted-incoming-traffic"
+    },
+    { identifier: "EC2_INSTANCE_NO_PUBLIC_IP", name: "ec2-no-public-ip" }
+];
+const PRODUCTION_EXTRA_RULES = [
+    { identifier: "S3_BUCKET_PUBLIC_READ_PROHIBITED", name: "s3-public-read" },
+    { identifier: "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", name: "s3-public-write" },
+    { identifier: "RDS_INSTANCE_PUBLIC_ACCESS_CHECK", name: "rds-not-public" },
+    { identifier: "CLOUD_TRAIL_ENABLED", name: "cloudtrail-enabled" },
+    { identifier: "VPC_FLOW_LOGS_ENABLED", name: "vpc-flow-logs" },
+    { identifier: "IAM_USER_MFA_ENABLED", name: "iam-user-mfa" },
+    {
+        identifier: "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED",
+        name: "lambda-not-public"
+    },
+    { identifier: "EBS_OPTIMIZED_INSTANCE", name: "ebs-optimised-instance" },
+    {
+        identifier: "SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED",
+        name: "subnet-no-public-ip"
+    },
+    {
+        identifier: "RDS_SNAPSHOTS_PUBLIC_PROHIBITED",
+        name: "rds-snapshots-private"
+    },
+    { identifier: "EKS_ENDPOINT_NO_PUBLIC_ACCESS", name: "eks-private-endpoint" },
+    {
+        identifier: "S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC",
+        name: "s3-account-bpa"
+    }
+];
+const PRESET_RULES = {
+    essential: ESSENTIAL_RULES,
+    production: [...ESSENTIAL_RULES, ...PRODUCTION_EXTRA_RULES]
+};
+/**
+ * Curated AWS Config Rule presets for common compliance checks.
+ * Each rule is deployed as a managed rule. Requires an active Config recorder
+ * in the same account (enforced at the Account stack level, not within this construct).
+ */
+export class ConfigRulePreset extends Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const rules = PRESET_RULES[props.preset];
+        for (const rule of rules) {
+            new ManagedRule(this, rule.identifier, {
+                identifier: rule.identifier,
+                configRuleName: `fjall-${rule.name}`
+            });
+        }
+    }
+}

package/dist/lib/config/aws/disasterRecovery.d.ts

@@ -1,5 +1,5 @@
 import { Construct } from "constructs";
-import { BackupVault, BackupPlan } from "../../resources/aws/backup";
+import { BackupVault, BackupPlan } from "../../resources/aws/backup/index.js";
 import { BackupPlanRule } from "aws-cdk-lib/aws-backup";
 export interface CustomBackupPlanConfig {
     planName: string;