npm - @sureshgururajan/aws-console-private-access-validator - Versions diffs - 1.0.6 → 1.1.0 - Mend

@sureshgururajan/aws-console-private-access-validator 1.0.6 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/validator.d.ts CHANGED Viewed

@@ -15,5 +15,6 @@ export declare class ConsolePrivateAccessValidator {
     private checkNatGateway;
     private checkNetworkConfiguration;
     private generateSummary;
+    private checkDetectiveControls;
 }
 //# sourceMappingURL=validator.d.ts.map

package/dist/validator.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AAEpF,qBAAa,6BAA6B;IACxC,OAAO,CAAC,QAAQ,CAAyB;IACzC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAyB;gBAE3B,QAAQ,EAAE,sBAAsB,EAAE,MAAM,GAAE,MAAoB;IAK1E,QAAQ,IAAI,gBAAgB;~~IAqB5B~~,OAAO,CAAC,cAAc;IAwBtB,OAAO,CAAC,iBAAiB;IAiDzB,OAAO,CAAC,qBAAqB;~~IA8C7B~~,OAAO,CAAC,qBAAqB;IAe7B,OAAO,CAAC,uBAAuB;IAuC/B,OAAO,CAAC,mBAAmB;IAwB3B,OAAO,CAAC,gBAAgB;IAsBxB,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,yBAAyB;IAkCjC,OAAO,CAAC,eAAe;~~CAUxB~~"}
1	+ {"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AAEpF,qBAAa,6BAA6B;IACxC,OAAO,CAAC,QAAQ,CAAyB;IACzC,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,MAAM,CAAyB;gBAE3B,QAAQ,EAAE,sBAAsB,EAAE,MAAM,GAAE,MAAoB;IAK1E,QAAQ,IAAI,gBAAgB;IAsB5B,OAAO,CAAC,cAAc;IAwBtB,OAAO,CAAC,iBAAiB;IAiDzB,OAAO,CAAC,qBAAqB;IAkC7B,OAAO,CAAC,qBAAqB;IAe7B,OAAO,CAAC,uBAAuB;IAuC/B,OAAO,CAAC,mBAAmB;IAwB3B,OAAO,CAAC,gBAAgB;IAsBxB,OAAO,CAAC,eAAe;IAavB,OAAO,CAAC,yBAAyB;IAkCjC,OAAO,CAAC,eAAe;IAWvB,OAAO,CAAC,sBAAsB;CAgL/B"}

package/dist/validator.js CHANGED Viewed

@@ -15,6 +15,7 @@ export class ConsolePrivateAccessValidator {
         this.checkEc2Instance();
         this.checkNatGateway();
         this.checkNetworkConfiguration();
+        this.checkDetectiveControls();
         const failCount = this.checks.filter(c => c.status === 'fail').length;
         const valid = failCount === 0;
         return {
@@ -85,36 +86,30 @@ export class ConsolePrivateAccessValidator {
     }
     checkEndpointPolicies() {
         const resources = this.template.Resources || {};
-        const consoleEndpoint = Object.entries(resources).find(([_, r]) => {
-            const serviceName = this.getServiceName(r.Properties?.ServiceName);
-            return (r.Type === 'AWS::EC2::VPCEndpoint' &&
-                serviceName &&
-                serviceName.includes('console'));
-        });
-        const signinEndpoint = Object.entries(resources).find(([_, r]) => {
-            const serviceName = this.getServiceName(r.Properties?.ServiceName);
-            return (r.Type === 'AWS::EC2::VPCEndpoint' &&
-                serviceName &&
-                serviceName.includes('signin'));
-        });
-        for (const [name, endpoint] of [
-            ['Console', consoleEndpoint],
-            ['Signin', signinEndpoint],
-        ]) {
-            if (!endpoint)
-                continue;
-            const [_, resource] = endpoint;
+        const interfaceEndpoints = Object.entries(resources).filter(([_, r]) => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties?.VpcEndpointType === 'Interface');
+        for (const [name, resource] of interfaceEndpoints) {
+            const serviceName = this.getServiceName(resource.Properties?.ServiceName);
             const hasPolicy = resource.Properties?.PolicyDocument;
+            const privateDnsEnabled = resource.Properties?.PrivateDnsEnabled;
+            // Check for policy
             this.checks.push({
-                name: `Endpoint Policy: ${name}`,
+                name: `Endpoint Policy: ${serviceName || name}`,
                 status: hasPolicy ? 'pass' : 'fail',
                 message: hasPolicy
-                    ? `${name} endpoint has a policy attached`
-                    : `${name} endpoint is missing a policy`,
+                    ? `${serviceName || name} endpoint has a policy attached`
+                    : `${serviceName || name} endpoint is missing a policy`,
                 details: hasPolicy
                     ? this.validatePolicyContent(resource.Properties.PolicyDocument)
                     : undefined,
             });
+            // Check for private DNS enabled
+            this.checks.push({
+                name: `Private DNS: ${serviceName || name}`,
+                status: privateDnsEnabled ? 'pass' : 'fail',
+                message: privateDnsEnabled
+                    ? `${serviceName || name} endpoint has private DNS enabled`
+                    : `${serviceName || name} endpoint does not have private DNS enabled`,
+            });
         }
     }
     validatePolicyContent(policy) {
@@ -232,5 +227,140 @@ export class ConsolePrivateAccessValidator {
         }
         return `✗ Validation failed. ${failCount} check(s) failed, ${passCount} passed, ${warningCount} warnings.`;
     }
+    checkDetectiveControls() {
+        const resources = this.template.Resources || {};
+        // Check for CloudTrail
+        const trail = Object.values(resources).find((r) => r.Type === 'AWS::CloudTrail::Trail');
+        this.checks.push({
+            name: 'CloudTrail: Trail Configuration',
+            status: trail ? 'pass' : 'fail',
+            message: trail
+                ? 'CloudTrail trail found for logging VPC endpoint activity'
+                : 'Missing CloudTrail trail - required for monitoring VPC endpoint policy denials',
+        });
+        if (trail) {
+            const trailProps = trail.Properties;
+            // Check for advanced event selectors with network activity
+            const hasNetworkActivitySelectors = trailProps?.AdvancedEventSelectors?.some((selector) => selector.FieldSelectors?.some((field) => field.Field === 'eventCategory' && field.Equals?.includes('NetworkActivity')));
+            this.checks.push({
+                name: 'CloudTrail: Network Activity Monitoring',
+                status: hasNetworkActivitySelectors ? 'pass' : 'fail',
+                message: hasNetworkActivitySelectors
+                    ? 'CloudTrail configured to log network activity events (VpceAccessDenied)'
+                    : 'CloudTrail missing network activity event selectors - cannot detect VPC endpoint policy denials',
+            });
+            // Check for VpceAccessDenied error code filtering
+            const hasVpceAccessDeniedFilter = trailProps?.AdvancedEventSelectors?.some((selector) => selector.FieldSelectors?.some((field) => field.Field === 'errorCode' && field.Equals?.includes('VpceAccessDenied')));
+            this.checks.push({
+                name: 'CloudTrail: VpceAccessDenied Filter',
+                status: hasVpceAccessDeniedFilter ? 'pass' : 'warning',
+                message: hasVpceAccessDeniedFilter
+                    ? 'CloudTrail configured to filter VpceAccessDenied events'
+                    : 'CloudTrail not filtering by VpceAccessDenied error code - may log unnecessary events',
+            });
+            // Check for CloudWatch Logs integration
+            const hasCloudWatchLogs = trailProps?.CloudWatchLogsLogGroupArn;
+            this.checks.push({
+                name: 'CloudTrail: CloudWatch Logs Integration',
+                status: hasCloudWatchLogs ? 'pass' : 'fail',
+                message: hasCloudWatchLogs
+                    ? 'CloudTrail sending logs to CloudWatch for real-time analysis'
+                    : 'CloudTrail not integrated with CloudWatch Logs - cannot create real-time alarms',
+            });
+        }
+        // Check for CloudWatch Log Group
+        const logGroup = Object.values(resources).find((r) => r.Type === 'AWS::Logs::LogGroup');
+        this.checks.push({
+            name: 'CloudWatch: Log Group',
+            status: logGroup ? 'pass' : 'fail',
+            message: logGroup
+                ? 'CloudWatch Log Group found for CloudTrail logs'
+                : 'Missing CloudWatch Log Group - required for metric filters and alarms',
+        });
+        // Check for Metric Filters
+        const metricFilters = Object.values(resources).filter((r) => r.Type === 'AWS::Logs::MetricFilter');
+        // Required: VpceAccessDenied filter
+        const hasVpceAccessDeniedFilter = metricFilters.some((mf) => {
+            const filterPattern = mf.Properties?.FilterPattern || '';
+            return filterPattern.toLowerCase().includes('errorcode') &&
+                filterPattern.toLowerCase().includes('vpceaccessdenied');
+        });
+        this.checks.push({
+            name: 'Metric Filter: VpceAccessDenied',
+            status: hasVpceAccessDeniedFilter ? 'pass' : 'fail',
+            message: hasVpceAccessDeniedFilter
+                ? 'Metric filter for VpceAccessDenied found'
+                : 'Missing metric filter for VpceAccessDenied - cannot detect VPC endpoint policy denials',
+        });
+        // Optional: Additional filters for enhanced security monitoring
+        const hasCrossAccountFilter = metricFilters.some((mf) => {
+            const filterPattern = mf.Properties?.FilterPattern || '';
+            return filterPattern.toLowerCase().includes('cross') ||
+                filterPattern.toLowerCase().includes('account');
+        });
+        const hasSuspiciousUserAgentFilter = metricFilters.some((mf) => {
+            const filterPattern = mf.Properties?.FilterPattern || '';
+            return filterPattern.toLowerCase().includes('useragent') ||
+                filterPattern.toLowerCase().includes('data') ||
+                filterPattern.toLowerCase().includes('exfil');
+        });
+        if (hasCrossAccountFilter || hasSuspiciousUserAgentFilter) {
+            this.checks.push({
+                name: 'Metric Filters: Enhanced Monitoring',
+                status: 'pass',
+                message: `Additional metric filters found for enhanced security monitoring (${hasCrossAccountFilter ? 'CrossAccountAccess' : ''}${hasCrossAccountFilter && hasSuspiciousUserAgentFilter ? ', ' : ''}${hasSuspiciousUserAgentFilter ? 'SuspiciousUserAgent' : ''})`,
+            });
+        }
+        // Check for CloudWatch Alarms
+        const alarms = Object.values(resources).filter((r) => r.Type === 'AWS::CloudWatch::Alarm');
+        this.checks.push({
+            name: 'CloudWatch: Alarms',
+            status: alarms.length >= 1 ? 'pass' : 'fail',
+            message: alarms.length >= 1
+                ? `Found ${alarms.length} CloudWatch alarm(s) for security monitoring`
+                : 'No CloudWatch alarms found - cannot receive real-time security alerts',
+        });
+        // Check for SNS Topic
+        const snsTopic = Object.values(resources).find((r) => r.Type === 'AWS::SNS::Topic');
+        this.checks.push({
+            name: 'SNS: Alert Topic',
+            status: snsTopic ? 'pass' : 'fail',
+            message: snsTopic
+                ? 'SNS topic found for security alert notifications'
+                : 'Missing SNS topic - cannot send security alert notifications',
+        });
+        // Check that alarms are connected to SNS topic
+        if (snsTopic && alarms.length > 0) {
+            const alarmsWithActions = alarms.filter((alarm) => alarm.Properties?.AlarmActions && alarm.Properties.AlarmActions.length > 0);
+            this.checks.push({
+                name: 'CloudWatch: Alarm Actions',
+                status: alarmsWithActions.length === alarms.length ? 'pass' : 'warning',
+                message: alarmsWithActions.length === alarms.length
+                    ? 'All alarms configured to send notifications'
+                    : `${alarmsWithActions.length}/${alarms.length} alarms configured with actions - some alarms may not send notifications`,
+            });
+        }
+        // Check for S3 bucket for CloudTrail logs
+        const s3Buckets = Object.values(resources).filter((r) => r.Type === 'AWS::S3::Bucket');
+        const hasTrailBucket = s3Buckets.length > 0;
+        this.checks.push({
+            name: 'S3: CloudTrail Log Bucket',
+            status: hasTrailBucket ? 'pass' : 'warning',
+            message: hasTrailBucket
+                ? 'S3 bucket found for CloudTrail log storage'
+                : 'No S3 bucket found - CloudTrail logs may not be persisted long-term',
+        });
+        // Check for bucket encryption
+        if (hasTrailBucket) {
+            const hasEncryption = s3Buckets.some((bucket) => bucket.Properties?.BucketEncryption);
+            this.checks.push({
+                name: 'S3: Bucket Encryption',
+                status: hasEncryption ? 'pass' : 'warning',
+                message: hasEncryption
+                    ? 'S3 bucket configured with encryption'
+                    : 'S3 bucket missing encryption configuration - logs may not be encrypted at rest',
+            });
+        }
+    }
 }
 //# sourceMappingURL=validator.js.map

package/dist/validator.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"validator.js","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,6BAA6B;IAChC,QAAQ,CAAyB;IACjC,MAAM,CAAS;IACf,MAAM,GAAsB,EAAE,CAAC;IAEvC,YAAY,QAAgC,EAAE,SAAiB,WAAW;QACxE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,QAAQ;QACN,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QAEjB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxB,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAEjC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QACtE,MAAM,KAAK,GAAG,SAAS,KAAK,CAAC,CAAC;QAE9B,OAAO;YACL,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,SAAS,CAAC;SAChD,CAAC;IACJ,CAAC;IAEO,cAAc,CAAC,WAAgB;QACrC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,IAAI,WAAW,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,4DAA4D;gBAC5D,OAAO,KAAK;qBACT,GAAG,CAAC,CAAC,IAAS,EAAE,EAAE;oBACjB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;wBAC7B,OAAO,IAAI,CAAC;oBACd,CAAC;oBACD,IAAI,IAAI,EAAE,GAAG,KAAK,aAAa,EAAE,CAAC;wBAChC,OAAO,IAAI,CAAC,MAAM,CAAC;oBACrB,CAAC;oBACD,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC;qBACD,IAAI,CAAC,EAAE,CAAC,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,iBAAiB;QACvB,MAAM,iBAAiB,GAAG;YACxB,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,UAAU,EAAE;YACpE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,SAAS,EAAE;YAClE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,MAAM,EAAE;YAC5D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,cAAc,EAAE;YAC5E,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,cAAc,EAAE;SAC7E,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACxD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,uBAAuB,IAAI,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,WAAW,CAChG,CAAC;QAEF,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE;gBAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;gBACnE,OAAO,WAAW,IAAI,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC/D,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,iBAAiB,QAAQ,CAAC,IAAI,EAAE;gBACtC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC/B,OAAO,EAAE,KAAK;oBACZ,CAAC,CAAC,8BAA8B,QAAQ,CAAC,IAAI,QAAQ;oBACrD,CAAC,CAAC,sCAAsC,QAAQ,CAAC,IAAI,EAAE;aAC1D,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAC7C,CAAC,CAAM,EAAE,EAAE;YACT,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACnE,OAAO,CACL,CAAC,CAAC,IAAI,KAAK,uBAAuB;gBAClC,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,SAAS;gBAC3C,WAAW;gBACX,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAC3B,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YACnC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,iCAAiC;SACzF,CAAC,CAAC;IACL,CAAC;IAEO,qBAAqB;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CACpD,CAAC,CAAC,CAAC,EAAE,CAAC,CAAgB,EAAE,EAAE;YACxB,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACnE,OAAO,CACL,CAAC,CAAC,IAAI,KAAK,uBAAuB;gBAClC,WAAW;gBACX,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAChC,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,IAAI,CACnD,CAAC,CAAC,CAAC,EAAE,CAAC,CAAgB,EAAE,EAAE;YACxB,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACnE,OAAO,CACL,CAAC,CAAC,IAAI,KAAK,uBAAuB;gBAClC,WAAW;gBACX,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAC/B,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI;YAC7B,CAAC,SAAS,EAAE,eAAe,CAAC;YAC5B,CAAC,QAAQ,EAAE,cAAc,CAAC;SAC3B,EAAE,CAAC;YACF,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAExB,MAAM,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,QAAyB,CAAC;YAChD,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAU,EAAE,cAAc,CAAC;YAEtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,oBAAoB,IAAI,EAAE;gBAChC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBACnC,OAAO,EAAE,SAAS;oBAChB,CAAC,CAAC,GAAG,IAAI,iCAAiC;oBAC1C,CAAC,CAAC,GAAG,IAAI,+BAA+B;gBAC1C,OAAO,EAAE,SAAS;oBAChB,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,UAAU,CAAC,cAAc,CAAC;oBAChE,CAAC,CAAC,SAAS;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,qBAAqB,CAAC,MAAW;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvD,OAAO,0BAA0B,CAAC;QACpC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,mBAAmB,GAAG,SAAS,CAAC,SAAS,EAAE,YAAY,EAAE,CAAC,sBAAsB,CAAC,CAAC;QAExF,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO,gDAAgD,CAAC;QAC1D,CAAC;QAED,OAAO,4CAA4C,CAAC;IACtD,CAAC;IAEO,uBAAuB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACjD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,0BAA0B,CAClD,CAAC;QAEF,MAAM,aAAa,GAAG,CAAC,wBAAwB,EAAE,uBAAuB,CAAC,CAAC;QAE1E,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;gBACzC,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC;gBACrC,6CAA6C;gBAC7C,OAAO,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC;YACtD,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,wBAAwB,IAAI,EAAE;gBACpC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC/B,OAAO,EAAE,KAAK;oBACZ,CAAC,CAAC,2BAA2B,IAAI,QAAQ;oBACzC,CAAC,CAAC,mCAAmC,IAAI,EAAE;aAC9C,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAChD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CACjD,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAClD,OAAO,EACL,UAAU,CAAC,MAAM,GAAG,CAAC;gBACnB,CAAC,CAAC,SAAS,UAAU,CAAC,MAAM,kBAAkB;gBAC9C,CAAC,CAAC,0BAA0B;SACjC,CAAC,CAAC;IACL,CAAC;IAEO,mBAAmB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACpD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CACjD,CAAC;QAEF,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;YACtD,MAAM,OAAO,GAAG,EAAE,CAAC,UAAU,EAAE,oBAAoB,IAAI,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CACjB,CAAC,IAAS,EAAE,EAAE,CACZ,CAAC,IAAI,CAAC,QAAQ,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,KAAK,KAAK,CAAC;gBACpD,CAAC,IAAI,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,KAAK,KAAK,CAAC,CACrD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,8BAA8B;YACpC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC5C,OAAO,EAAE,eAAe;gBACtB,CAAC,CAAC,gDAAgD;gBAClD,CAAC,CAAC,mDAAmD;SACxD,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC;QAE5F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACrC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,kCAAkC;SAC9E,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,UAAU,GAAI,QAAgB,CAAC,UAAU,EAAE,kBAAkB,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACvC,OAAO,EAAE,UAAU;oBACjB,CAAC,CAAC,uCAAuC;oBACzC,CAAC,CAAC,2CAA2C;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,eAAe;QACrB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAC;QAEhG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACvC,OAAO,EAAE,UAAU;gBACjB,CAAC,CAAC,6CAA6C;gBAC/C,CAAC,CAAC,oEAAoE;SACzE,CAAC,CAAC;IACL,CAAC;IAEO,yBAAyB;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAEhD,4BAA4B;QAC5B,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACpD,CAAC,CAAM,EAAE,EAAE,CACT,CAAC,CAAC,IAAI,KAAK,kBAAkB;YAC7B,CAAC,CAAC,CAAC,UAAU,EAAE,mBAAmB,CACrC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YACnD,OAAO,EACL,cAAc,CAAC,MAAM,GAAG,CAAC;gBACvB,CAAC,CAAC,SAAS,cAAc,CAAC,MAAM,oBAAoB;gBACpD,CAAC,CAAC,0BAA0B;SACjC,CAAC,CAAC;QAEH,yBAAyB;QACzB,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACjD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAC9C,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACnD,OAAO,EACL,WAAW,CAAC,MAAM,GAAG,CAAC;gBACpB,CAAC,CAAC,SAAS,WAAW,CAAC,MAAM,iBAAiB;gBAC9C,CAAC,CAAC,uBAAuB;SAC9B,CAAC,CAAC;IACL,CAAC;IAEO,eAAe,CAAC,KAAc,EAAE,SAAiB;QACvD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QACtE,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;QAE5E,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,oDAAoD,SAAS,YAAY,YAAY,aAAa,CAAC;QAC5G,CAAC;QAED,OAAO,wBAAwB,SAAS,qBAAqB,SAAS,YAAY,YAAY,YAAY,CAAC;IAC7G,CAAC;CACF"}
1	+ {"version":3,"file":"validator.js","sourceRoot":"","sources":["../src/validator.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,6BAA6B;IAChC,QAAQ,CAAyB;IACjC,MAAM,CAAS;IACf,MAAM,GAAsB,EAAE,CAAC;IAEvC,YAAY,QAAgC,EAAE,SAAiB,WAAW;QACxE,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,QAAQ;QACN,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC;QAEjB,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC7B,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAC/B,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC3B,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACxB,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,yBAAyB,EAAE,CAAC;QACjC,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAE9B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QACtE,MAAM,KAAK,GAAG,SAAS,KAAK,CAAC,CAAC;QAE9B,OAAO;YACL,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,SAAS,CAAC;SAChD,CAAC;IACJ,CAAC;IAEO,cAAc,CAAC,WAAgB;QACrC,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,IAAI,WAAW,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,4DAA4D;gBAC5D,OAAO,KAAK;qBACT,GAAG,CAAC,CAAC,IAAS,EAAE,EAAE;oBACjB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;wBAC7B,OAAO,IAAI,CAAC;oBACd,CAAC;oBACD,IAAI,IAAI,EAAE,GAAG,KAAK,aAAa,EAAE,CAAC;wBAChC,OAAO,IAAI,CAAC,MAAM,CAAC;oBACrB,CAAC;oBACD,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC;qBACD,IAAI,CAAC,EAAE,CAAC,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,iBAAiB;QACvB,MAAM,iBAAiB,GAAG;YACxB,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,UAAU,EAAE;YACpE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,SAAS,EAAE;YAClE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,MAAM,EAAE;YAC5D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,cAAc,EAAE;YAC5E,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,iBAAiB,IAAI,CAAC,MAAM,cAAc,EAAE;SAC7E,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,kBAAkB,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACxD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,uBAAuB,IAAI,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,WAAW,CAChG,CAAC;QAEF,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE;gBAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;gBACnE,OAAO,WAAW,IAAI,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC/D,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,iBAAiB,QAAQ,CAAC,IAAI,EAAE;gBACtC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC/B,OAAO,EAAE,KAAK;oBACZ,CAAC,CAAC,8BAA8B,QAAQ,CAAC,IAAI,QAAQ;oBACrD,CAAC,CAAC,sCAAsC,QAAQ,CAAC,IAAI,EAAE;aAC1D,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAC7C,CAAC,CAAM,EAAE,EAAE;YACT,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACnE,OAAO,CACL,CAAC,CAAC,IAAI,KAAK,uBAAuB;gBAClC,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,SAAS;gBAC3C,WAAW;gBACX,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAC3B,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,0BAA0B;YAChC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YACnC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,iCAAiC;SACzF,CAAC,CAAC;IACL,CAAC;IAEO,qBAAqB;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,kBAAkB,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CACzD,CAAC,CAAC,CAAC,EAAE,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,uBAAuB,IAAI,CAAC,CAAC,UAAU,EAAE,eAAe,KAAK,WAAW,CAC/G,CAAC;QAEF,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,kBAAkB,EAAE,CAAC;YAClD,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAE,QAAgB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACnF,MAAM,SAAS,GAAI,QAAgB,CAAC,UAAU,EAAE,cAAc,CAAC;YAC/D,MAAM,iBAAiB,GAAI,QAAgB,CAAC,UAAU,EAAE,iBAAiB,CAAC;YAE1E,mBAAmB;YACnB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,oBAAoB,WAAW,IAAI,IAAI,EAAE;gBAC/C,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBACnC,OAAO,EAAE,SAAS;oBAChB,CAAC,CAAC,GAAG,WAAW,IAAI,IAAI,iCAAiC;oBACzD,CAAC,CAAC,GAAG,WAAW,IAAI,IAAI,+BAA+B;gBACzD,OAAO,EAAE,SAAS;oBAChB,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAE,QAAgB,CAAC,UAAU,CAAC,cAAc,CAAC;oBACzE,CAAC,CAAC,SAAS;aACd,CAAC,CAAC;YAEH,gCAAgC;YAChC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,gBAAgB,WAAW,IAAI,IAAI,EAAE;gBAC3C,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC3C,OAAO,EAAE,iBAAiB;oBACxB,CAAC,CAAC,GAAG,WAAW,IAAI,IAAI,mCAAmC;oBAC3D,CAAC,CAAC,GAAG,WAAW,IAAI,IAAI,6CAA6C;aACxE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,qBAAqB,CAAC,MAAW;QACvC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvD,OAAO,0BAA0B,CAAC;QACpC,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,mBAAmB,GAAG,SAAS,CAAC,SAAS,EAAE,YAAY,EAAE,CAAC,sBAAsB,CAAC,CAAC;QAExF,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO,gDAAgD,CAAC;QAC1D,CAAC;QAED,OAAO,4CAA4C,CAAC;IACtD,CAAC;IAEO,uBAAuB;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACjD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,0BAA0B,CAClD,CAAC;QAEF,MAAM,aAAa,GAAG,CAAC,wBAAwB,EAAE,uBAAuB,CAAC,CAAC;QAE1E,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;gBACzC,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC;gBACrC,6CAA6C;gBAC7C,OAAO,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC;YACtD,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,wBAAwB,IAAI,EAAE;gBACpC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC/B,OAAO,EAAE,KAAK;oBACZ,CAAC,CAAC,2BAA2B,IAAI,QAAQ;oBACzC,CAAC,CAAC,mCAAmC,IAAI,EAAE;aAC9C,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAChD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CACjD,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAClD,OAAO,EACL,UAAU,CAAC,MAAM,GAAG,CAAC;gBACnB,CAAC,CAAC,SAAS,UAAU,CAAC,MAAM,kBAAkB;gBAC9C,CAAC,CAAC,0BAA0B;SACjC,CAAC,CAAC;IACL,CAAC;IAEO,mBAAmB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACpD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CACjD,CAAC;QAEF,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;YACtD,MAAM,OAAO,GAAG,EAAE,CAAC,UAAU,EAAE,oBAAoB,IAAI,EAAE,CAAC;YAC1D,OAAO,OAAO,CAAC,IAAI,CACjB,CAAC,IAAS,EAAE,EAAE,CACZ,CAAC,IAAI,CAAC,QAAQ,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,KAAK,KAAK,CAAC;gBACpD,CAAC,IAAI,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,KAAK,KAAK,CAAC,CACrD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,8BAA8B;YACpC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC5C,OAAO,EAAE,eAAe;gBACtB,CAAC,CAAC,gDAAgD;gBAClD,CAAC,CAAC,mDAAmD;SACxD,CAAC,CAAC;IACL,CAAC;IAEO,gBAAgB;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC;QAE5F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACrC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,kCAAkC;SAC9E,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,UAAU,GAAI,QAAgB,CAAC,UAAU,EAAE,kBAAkB,CAAC;YACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACvC,OAAO,EAAE,UAAU;oBACjB,CAAC,CAAC,uCAAuC;oBACzC,CAAC,CAAC,2CAA2C;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,eAAe;QACrB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAChD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAAC,CAAC;QAEhG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACvC,OAAO,EAAE,UAAU;gBACjB,CAAC,CAAC,6CAA6C;gBAC/C,CAAC,CAAC,oEAAoE;SACzE,CAAC,CAAC;IACL,CAAC;IAEO,yBAAyB;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAEhD,4BAA4B;QAC5B,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACpD,CAAC,CAAM,EAAE,EAAE,CACT,CAAC,CAAC,IAAI,KAAK,kBAAkB;YAC7B,CAAC,CAAC,CAAC,UAAU,EAAE,mBAAmB,CACrC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YACnD,OAAO,EACL,cAAc,CAAC,MAAM,GAAG,CAAC;gBACvB,CAAC,CAAC,SAAS,cAAc,CAAC,MAAM,oBAAoB;gBACpD,CAAC,CAAC,0BAA0B;SACjC,CAAC,CAAC;QAEH,yBAAyB;QACzB,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CACjD,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,sBAAsB,CAC9C,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACnD,OAAO,EACL,WAAW,CAAC,MAAM,GAAG,CAAC;gBACpB,CAAC,CAAC,SAAS,WAAW,CAAC,MAAM,iBAAiB;gBAC9C,CAAC,CAAC,uBAAuB;SAC9B,CAAC,CAAC;IACL,CAAC;IAEO,eAAe,CAAC,KAAc,EAAE,SAAiB;QACvD,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QACtE,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;QAE5E,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,oDAAoD,SAAS,YAAY,YAAY,aAAa,CAAC;QAC5G,CAAC;QAED,OAAO,wBAAwB,SAAS,qBAAqB,SAAS,YAAY,YAAY,YAAY,CAAC;IAC7G,CAAC;IAEO,sBAAsB;QAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,EAAE,CAAC;QAEhD,uBAAuB;QACvB,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,wBAAwB,CAAC,CAAC;QAE7F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iCAAiC;YACvC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC/B,OAAO,EAAE,KAAK;gBACZ,CAAC,CAAC,0DAA0D;gBAC5D,CAAC,CAAC,gFAAgF;SACrF,CAAC,CAAC;QAEH,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,UAAU,GAAI,KAAa,CAAC,UAAU,CAAC;YAE7C,2DAA2D;YAC3D,MAAM,2BAA2B,GAAG,UAAU,EAAE,sBAAsB,EAAE,IAAI,CAAC,CAAC,QAAa,EAAE,EAAE,CAC7F,QAAQ,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC,KAAU,EAAE,EAAE,CAC3C,KAAK,CAAC,KAAK,KAAK,eAAe,IAAI,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,iBAAiB,CAAC,CAC7E,CACF,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,yCAAyC;gBAC/C,MAAM,EAAE,2BAA2B,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBACrD,OAAO,EAAE,2BAA2B;oBAClC,CAAC,CAAC,yEAAyE;oBAC3E,CAAC,CAAC,iGAAiG;aACtG,CAAC,CAAC;YAEH,kDAAkD;YAClD,MAAM,yBAAyB,GAAG,UAAU,EAAE,sBAAsB,EAAE,IAAI,CAAC,CAAC,QAAa,EAAE,EAAE,CAC3F,QAAQ,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC,KAAU,EAAE,EAAE,CAC3C,KAAK,CAAC,KAAK,KAAK,WAAW,IAAI,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAC1E,CACF,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,qCAAqC;gBAC3C,MAAM,EAAE,yBAAyB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACtD,OAAO,EAAE,yBAAyB;oBAChC,CAAC,CAAC,yDAAyD;oBAC3D,CAAC,CAAC,sFAAsF;aAC3F,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,iBAAiB,GAAG,UAAU,EAAE,yBAAyB,CAAC;YAEhE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,yCAAyC;gBAC/C,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC3C,OAAO,EAAE,iBAAiB;oBACxB,CAAC,CAAC,8DAA8D;oBAChE,CAAC,CAAC,iFAAiF;aACtF,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC;QAE7F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,uBAAuB;YAC7B,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAClC,OAAO,EAAE,QAAQ;gBACf,CAAC,CAAC,gDAAgD;gBAClD,CAAC,CAAC,uEAAuE;SAC5E,CAAC,CAAC;QAEH,2BAA2B;QAC3B,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,yBAAyB,CAAC,CAAC;QAExG,oCAAoC;QACpC,MAAM,yBAAyB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;YAC/D,MAAM,aAAa,GAAG,EAAE,CAAC,UAAU,EAAE,aAAa,IAAI,EAAE,CAAC;YACzD,OAAO,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACjD,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,iCAAiC;YACvC,MAAM,EAAE,yBAAyB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YACnD,OAAO,EAAE,yBAAyB;gBAChC,CAAC,CAAC,0CAA0C;gBAC5C,CAAC,CAAC,wFAAwF;SAC7F,CAAC,CAAC;QAEH,gEAAgE;QAChE,MAAM,qBAAqB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;YAC3D,MAAM,aAAa,GAAG,EAAE,CAAC,UAAU,EAAE,aAAa,IAAI,EAAE,CAAC;YACzD,OAAO,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAC7C,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,MAAM,4BAA4B,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,EAAO,EAAE,EAAE;YAClE,MAAM,aAAa,GAAG,EAAE,CAAC,UAAU,EAAE,aAAa,IAAI,EAAE,CAAC;YACzD,OAAO,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACjD,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC5C,aAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,IAAI,qBAAqB,IAAI,4BAA4B,EAAE,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,qCAAqC;gBAC3C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,qEAAqE,qBAAqB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,EAAE,GAAG,qBAAqB,IAAI,4BAA4B,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,4BAA4B,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,GAAG;aACnQ,CAAC,CAAC;QACL,CAAC;QAED,8BAA8B;QAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,wBAAwB,CAAC,CAAC;QAEhG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,oBAAoB;YAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC5C,OAAO,EACL,MAAM,CAAC,MAAM,IAAI,CAAC;gBAChB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,8CAA8C;gBACtE,CAAC,CAAC,uEAAuE;SAC9E,CAAC,CAAC;QAEH,sBAAsB;QACtB,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;QAEzF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,kBAAkB;YACxB,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAClC,OAAO,EAAE,QAAQ;gBACf,CAAC,CAAC,kDAAkD;gBACpD,CAAC,CAAC,8DAA8D;SACnE,CAAC,CAAC;QAEH,+CAA+C;QAC/C,IAAI,QAAQ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,KAAU,EAAE,EAAE,CACrD,KAAK,CAAC,UAAU,EAAE,YAAY,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAC3E,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,2BAA2B;gBACjC,MAAM,EAAE,iBAAiB,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBACvE,OAAO,EACL,iBAAiB,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;oBACxC,CAAC,CAAC,6CAA6C;oBAC/C,CAAC,CAAC,GAAG,iBAAiB,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,0EAA0E;aAC7H,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;QAC5F,MAAM,cAAc,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,2BAA2B;YACjC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YAC3C,OAAO,EAAE,cAAc;gBACrB,CAAC,CAAC,4CAA4C;gBAC9C,CAAC,CAAC,qEAAqE;SAC1E,CAAC,CAAC;QAEH,8BAA8B;QAC9B,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,MAAW,EAAE,EAAE,CACnD,MAAM,CAAC,UAAU,EAAE,gBAAgB,CACpC,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,uBAAuB;gBAC7B,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;gBAC1C,OAAO,EAAE,aAAa;oBACpB,CAAC,CAAC,sCAAsC;oBACxC,CAAC,CAAC,gFAAgF;aACrF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;CACF"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sureshgururajan/aws-console-private-access-validator",
-  "version": "1.0.6",
+  "version": "1.1.0",
   "type": "module",
   "description": "MCP server for validating AWS Console Private Access CloudFormation templates",
   "main": "dist/index.js",

package/src/validator.ts CHANGED Viewed

@@ -20,6 +20,7 @@ export class ConsolePrivateAccessValidator {
     this.checkEc2Instance();
     this.checkNatGateway();
     this.checkNetworkConfiguration();
+    this.checkDetectiveControls();
     const failCount = this.checks.filter(c => c.status === 'fail').length;
     const valid = failCount === 0;
@@ -106,47 +107,35 @@ export class ConsolePrivateAccessValidator {
   private checkEndpointPolicies(): void {
     const resources = this.template.Resources || {};
-    const consoleEndpoint = Object.entries(resources).find(
-      ([_, r]: [string, any]) => {
-        const serviceName = this.getServiceName(r.Properties?.ServiceName);
-        return (
-          r.Type === 'AWS::EC2::VPCEndpoint' &&
-          serviceName &&
-          serviceName.includes('console')
-        );
-      }
+    const interfaceEndpoints = Object.entries(resources).filter(
+      ([_, r]: [string, any]) => r.Type === 'AWS::EC2::VPCEndpoint' && r.Properties?.VpcEndpointType === 'Interface'
     );
-    const signinEndpoint = Object.entries(resources).find(
-      ([_, r]: [string, any]) => {
-        const serviceName = this.getServiceName(r.Properties?.ServiceName);
-        return (
-          r.Type === 'AWS::EC2::VPCEndpoint' &&
-          serviceName &&
-          serviceName.includes('signin')
-        );
-      }
-    );
-    for (const [name, endpoint] of [
-      ['Console', consoleEndpoint],
-      ['Signin', signinEndpoint],
-    ]) {
-      if (!endpoint) continue;
-      const [_, resource] = endpoint as [string, any];
-      const hasPolicy = resource.Properties?.PolicyDocument;
+    for (const [name, resource] of interfaceEndpoints) {
+      const serviceName = this.getServiceName((resource as any).Properties?.ServiceName);
+      const hasPolicy = (resource as any).Properties?.PolicyDocument;
+      const privateDnsEnabled = (resource as any).Properties?.PrivateDnsEnabled;
+      // Check for policy
       this.checks.push({
-        name: `Endpoint Policy: ${name}`,
+        name: `Endpoint Policy: ${serviceName || name}`,
         status: hasPolicy ? 'pass' : 'fail',
         message: hasPolicy
-          ? `${name} endpoint has a policy attached`
-          : `${name} endpoint is missing a policy`,
+          ? `${serviceName || name} endpoint has a policy attached`
+          : `${serviceName || name} endpoint is missing a policy`,
         details: hasPolicy
-          ? this.validatePolicyContent(resource.Properties.PolicyDocument)
+          ? this.validatePolicyContent((resource as any).Properties.PolicyDocument)
           : undefined,
       });
+      // Check for private DNS enabled
+      this.checks.push({
+        name: `Private DNS: ${serviceName || name}`,
+        status: privateDnsEnabled ? 'pass' : 'fail',
+        message: privateDnsEnabled
+          ? `${serviceName || name} endpoint has private DNS enabled`
+          : `${serviceName || name} endpoint does not have private DNS enabled`,
+      });
     }
   }
@@ -307,4 +296,181 @@ export class ConsolePrivateAccessValidator {
     return `✗ Validation failed. ${failCount} check(s) failed, ${passCount} passed, ${warningCount} warnings.`;
   }
+  private checkDetectiveControls(): void {
+    const resources = this.template.Resources || {};
+    // Check for CloudTrail
+    const trail = Object.values(resources).find((r: any) => r.Type === 'AWS::CloudTrail::Trail');
+    this.checks.push({
+      name: 'CloudTrail: Trail Configuration',
+      status: trail ? 'pass' : 'fail',
+      message: trail
+        ? 'CloudTrail trail found for logging VPC endpoint activity'
+        : 'Missing CloudTrail trail - required for monitoring VPC endpoint policy denials',
+    });
+    if (trail) {
+      const trailProps = (trail as any).Properties;
+      // Check for advanced event selectors with network activity
+      const hasNetworkActivitySelectors = trailProps?.AdvancedEventSelectors?.some((selector: any) =>
+        selector.FieldSelectors?.some((field: any) =>
+          field.Field === 'eventCategory' && field.Equals?.includes('NetworkActivity')
+        )
+      );
+      this.checks.push({
+        name: 'CloudTrail: Network Activity Monitoring',
+        status: hasNetworkActivitySelectors ? 'pass' : 'fail',
+        message: hasNetworkActivitySelectors
+          ? 'CloudTrail configured to log network activity events (VpceAccessDenied)'
+          : 'CloudTrail missing network activity event selectors - cannot detect VPC endpoint policy denials',
+      });
+      // Check for VpceAccessDenied error code filtering
+      const hasVpceAccessDeniedFilter = trailProps?.AdvancedEventSelectors?.some((selector: any) =>
+        selector.FieldSelectors?.some((field: any) =>
+          field.Field === 'errorCode' && field.Equals?.includes('VpceAccessDenied')
+        )
+      );
+      this.checks.push({
+        name: 'CloudTrail: VpceAccessDenied Filter',
+        status: hasVpceAccessDeniedFilter ? 'pass' : 'warning',
+        message: hasVpceAccessDeniedFilter
+          ? 'CloudTrail configured to filter VpceAccessDenied events'
+          : 'CloudTrail not filtering by VpceAccessDenied error code - may log unnecessary events',
+      });
+      // Check for CloudWatch Logs integration
+      const hasCloudWatchLogs = trailProps?.CloudWatchLogsLogGroupArn;
+      this.checks.push({
+        name: 'CloudTrail: CloudWatch Logs Integration',
+        status: hasCloudWatchLogs ? 'pass' : 'fail',
+        message: hasCloudWatchLogs
+          ? 'CloudTrail sending logs to CloudWatch for real-time analysis'
+          : 'CloudTrail not integrated with CloudWatch Logs - cannot create real-time alarms',
+      });
+    }
+    // Check for CloudWatch Log Group
+    const logGroup = Object.values(resources).find((r: any) => r.Type === 'AWS::Logs::LogGroup');
+    this.checks.push({
+      name: 'CloudWatch: Log Group',
+      status: logGroup ? 'pass' : 'fail',
+      message: logGroup
+        ? 'CloudWatch Log Group found for CloudTrail logs'
+        : 'Missing CloudWatch Log Group - required for metric filters and alarms',
+    });
+    // Check for Metric Filters
+    const metricFilters = Object.values(resources).filter((r: any) => r.Type === 'AWS::Logs::MetricFilter');
+    // Required: VpceAccessDenied filter
+    const hasVpceAccessDeniedFilter = metricFilters.some((mf: any) => {
+      const filterPattern = mf.Properties?.FilterPattern || '';
+      return filterPattern.toLowerCase().includes('errorcode') &&
+             filterPattern.toLowerCase().includes('vpceaccessdenied');
+    });
+    this.checks.push({
+      name: 'Metric Filter: VpceAccessDenied',
+      status: hasVpceAccessDeniedFilter ? 'pass' : 'fail',
+      message: hasVpceAccessDeniedFilter
+        ? 'Metric filter for VpceAccessDenied found'
+        : 'Missing metric filter for VpceAccessDenied - cannot detect VPC endpoint policy denials',
+    });
+    // Optional: Additional filters for enhanced security monitoring
+    const hasCrossAccountFilter = metricFilters.some((mf: any) => {
+      const filterPattern = mf.Properties?.FilterPattern || '';
+      return filterPattern.toLowerCase().includes('cross') ||
+             filterPattern.toLowerCase().includes('account');
+    });
+    const hasSuspiciousUserAgentFilter = metricFilters.some((mf: any) => {
+      const filterPattern = mf.Properties?.FilterPattern || '';
+      return filterPattern.toLowerCase().includes('useragent') ||
+             filterPattern.toLowerCase().includes('data') ||
+             filterPattern.toLowerCase().includes('exfil');
+    });
+    if (hasCrossAccountFilter || hasSuspiciousUserAgentFilter) {
+      this.checks.push({
+        name: 'Metric Filters: Enhanced Monitoring',
+        status: 'pass',
+        message: `Additional metric filters found for enhanced security monitoring (${hasCrossAccountFilter ? 'CrossAccountAccess' : ''}${hasCrossAccountFilter && hasSuspiciousUserAgentFilter ? ', ' : ''}${hasSuspiciousUserAgentFilter ? 'SuspiciousUserAgent' : ''})`,
+      });
+    }
+    // Check for CloudWatch Alarms
+    const alarms = Object.values(resources).filter((r: any) => r.Type === 'AWS::CloudWatch::Alarm');
+    this.checks.push({
+      name: 'CloudWatch: Alarms',
+      status: alarms.length >= 1 ? 'pass' : 'fail',
+      message:
+        alarms.length >= 1
+          ? `Found ${alarms.length} CloudWatch alarm(s) for security monitoring`
+          : 'No CloudWatch alarms found - cannot receive real-time security alerts',
+    });
+    // Check for SNS Topic
+    const snsTopic = Object.values(resources).find((r: any) => r.Type === 'AWS::SNS::Topic');
+    this.checks.push({
+      name: 'SNS: Alert Topic',
+      status: snsTopic ? 'pass' : 'fail',
+      message: snsTopic
+        ? 'SNS topic found for security alert notifications'
+        : 'Missing SNS topic - cannot send security alert notifications',
+    });
+    // Check that alarms are connected to SNS topic
+    if (snsTopic && alarms.length > 0) {
+      const alarmsWithActions = alarms.filter((alarm: any) =>
+        alarm.Properties?.AlarmActions && alarm.Properties.AlarmActions.length > 0
+      );
+      this.checks.push({
+        name: 'CloudWatch: Alarm Actions',
+        status: alarmsWithActions.length === alarms.length ? 'pass' : 'warning',
+        message:
+          alarmsWithActions.length === alarms.length
+            ? 'All alarms configured to send notifications'
+            : `${alarmsWithActions.length}/${alarms.length} alarms configured with actions - some alarms may not send notifications`,
+      });
+    }
+    // Check for S3 bucket for CloudTrail logs
+    const s3Buckets = Object.values(resources).filter((r: any) => r.Type === 'AWS::S3::Bucket');
+    const hasTrailBucket = s3Buckets.length > 0;
+    this.checks.push({
+      name: 'S3: CloudTrail Log Bucket',
+      status: hasTrailBucket ? 'pass' : 'warning',
+      message: hasTrailBucket
+        ? 'S3 bucket found for CloudTrail log storage'
+        : 'No S3 bucket found - CloudTrail logs may not be persisted long-term',
+    });
+    // Check for bucket encryption
+    if (hasTrailBucket) {
+      const hasEncryption = s3Buckets.some((bucket: any) =>
+        bucket.Properties?.BucketEncryption
+      );
+      this.checks.push({
+        name: 'S3: Bucket Encryption',
+        status: hasEncryption ? 'pass' : 'warning',
+        message: hasEncryption
+          ? 'S3 bucket configured with encryption'
+          : 'S3 bucket missing encryption configuration - logs may not be encrypted at rest',
+      });
+    }
+  }
 }