@ts-cloud/core 0.2.3 → 0.2.5

package/dist/compliance/aws-config.d.ts

@@ -0,0 +1,175 @@
+/**
+ * AWS Config Rules
+ * Automated compliance checking and configuration management
+ */
+export interface ConfigRule {
+    id: string;
+    name: string;
+    description: string;
+    source: 'AWS_MANAGED' | 'CUSTOM_LAMBDA';
+    identifier?: string;
+    lambdaFunctionArn?: string;
+    inputParameters?: Record<string, any>;
+    scope?: ConfigScope;
+    maxExecutionFrequency?: 'One_Hour' | 'Three_Hours' | 'Six_Hours' | 'Twelve_Hours' | 'TwentyFour_Hours';
+}
+export interface ConfigScope {
+    complianceResourceTypes?: string[];
+    tagKey?: string;
+    tagValue?: string;
+}
+export interface ConfigRecorder {
+    name: string;
+    roleArn: string;
+    recordingGroup?: RecordingGroup;
+}
+export interface RecordingGroup {
+    allSupported?: boolean;
+    includeGlobalResourceTypes?: boolean;
+    resourceTypes?: string[];
+}
+export interface DeliveryChannel {
+    name: string;
+    s3BucketName: string;
+    s3KeyPrefix?: string;
+    snsTopicArn?: string;
+    configSnapshotDeliveryProperties?: {
+        deliveryFrequency?: 'One_Hour' | 'Three_Hours' | 'Six_Hours' | 'Twelve_Hours' | 'TwentyFour_Hours';
+    };
+}
+/**
+ * AWS Config manager
+ */
+export declare class AWSConfigManager {
+    private configRules;
+    private configRecorders;
+    private deliveryChannels;
+    private ruleCounter;
+    /**
+     * Create config recorder
+     */
+    createConfigRecorder(recorder: ConfigRecorder): ConfigRecorder;
+    /**
+     * Create delivery channel
+     */
+    createDeliveryChannel(channel: DeliveryChannel): DeliveryChannel;
+    /**
+     * Create config rule
+     */
+    createConfigRule(rule: Omit<ConfigRule, 'id'>): ConfigRule;
+    /**
+     * Create S3 bucket encryption rule
+     */
+    createS3EncryptionRule(): ConfigRule;
+    /**
+     * Create S3 bucket public access block rule
+     */
+    createS3PublicAccessBlockRule(): ConfigRule;
+    /**
+     * Create S3 bucket versioning rule
+     */
+    createS3VersioningRule(): ConfigRule;
+    /**
+     * Create RDS encryption rule
+     */
+    createRdsEncryptionRule(): ConfigRule;
+    /**
+     * Create RDS snapshot encryption rule
+     */
+    createRdsSnapshotEncryptionRule(): ConfigRule;
+    /**
+     * Create RDS backup rule
+     */
+    createRdsBackupRule(retentionPeriod?: number): ConfigRule;
+    /**
+     * Create EC2 instance profile rule
+     */
+    createEc2InstanceProfileRule(): ConfigRule;
+    /**
+     * Create EBS encryption rule
+     */
+    createEbsEncryptionRule(): ConfigRule;
+    /**
+     * Create IAM password policy rule
+     */
+    createIamPasswordPolicyRule(): ConfigRule;
+    /**
+     * Create IAM MFA rule
+     */
+    createIamMfaRule(): ConfigRule;
+    /**
+     * Create IAM root account MFA rule
+     */
+    createRootAccountMfaRule(): ConfigRule;
+    /**
+     * Create VPC flow logs rule
+     */
+    createVpcFlowLogsRule(): ConfigRule;
+    /**
+     * Create CloudTrail enabled rule
+     */
+    createCloudTrailEnabledRule(): ConfigRule;
+    /**
+     * Create CloudWatch alarm rule
+     */
+    createCloudWatchAlarmRule(): ConfigRule;
+    /**
+     * Create custom Lambda rule
+     */
+    createCustomLambdaRule(options: {
+        name: string;
+        description: string;
+        lambdaFunctionArn: string;
+        resourceTypes?: string[];
+        maxExecutionFrequency?: ConfigRule['maxExecutionFrequency'];
+        inputParameters?: Record<string, any>;
+    }): ConfigRule;
+    /**
+     * Create compliance preset rules
+     */
+    createCompliancePreset(preset: 'hipaa' | 'pci-dss' | 'sox' | 'gdpr' | 'basic'): ConfigRule[];
+    /**
+     * Get config rule
+     */
+    getConfigRule(id: string): ConfigRule | undefined;
+    /**
+     * List config rules
+     */
+    listConfigRules(): ConfigRule[];
+    /**
+     * Get config recorder
+     */
+    getConfigRecorder(name: string): ConfigRecorder | undefined;
+    /**
+     * List config recorders
+     */
+    listConfigRecorders(): ConfigRecorder[];
+    /**
+     * Get delivery channel
+     */
+    getDeliveryChannel(name: string): DeliveryChannel | undefined;
+    /**
+     * List delivery channels
+     */
+    listDeliveryChannels(): DeliveryChannel[];
+    /**
+     * Generate CloudFormation for config rule
+     */
+    generateConfigRuleCF(rule: ConfigRule): any;
+    /**
+     * Generate CloudFormation for config recorder
+     */
+    generateConfigRecorderCF(recorder: ConfigRecorder): any;
+    /**
+     * Generate CloudFormation for delivery channel
+     */
+    generateDeliveryChannelCF(channel: DeliveryChannel): any;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+/**
+ * Global AWS Config manager instance
+ */
+export declare const awsConfigManager: AWSConfigManager;

package/dist/compliance/cloudtrail.d.ts

@@ -0,0 +1,132 @@
+/**
+ * AWS CloudTrail Configuration
+ * API logging and auditing for security and compliance
+ */
+export interface CloudTrailConfig {
+    id: string;
+    name: string;
+    s3BucketName: string;
+    s3KeyPrefix?: string;
+    includeGlobalServiceEvents?: boolean;
+    isMultiRegionTrail?: boolean;
+    enableLogFileValidation?: boolean;
+    cloudWatchLogsLogGroupArn?: string;
+    cloudWatchLogsRoleArn?: string;
+    snsTopicName?: string;
+    kmsKeyId?: string;
+    eventSelectors?: EventSelector[];
+    insightSelectors?: InsightSelector[];
+    advancedEventSelectors?: AdvancedEventSelector[];
+}
+export interface EventSelector {
+    readWriteType: 'ReadOnly' | 'WriteOnly' | 'All';
+    includeManagementEvents?: boolean;
+    dataResources?: DataResource[];
+    excludeManagementEventSources?: string[];
+}
+export interface DataResource {
+    type: string;
+    values: string[];
+}
+export interface InsightSelector {
+    insightType: 'ApiCallRateInsight' | 'ApiErrorRateInsight';
+}
+export interface AdvancedEventSelector {
+    name: string;
+    fieldSelectors: FieldSelector[];
+}
+export interface FieldSelector {
+    field: string;
+    equals?: string[];
+    startsWith?: string[];
+    endsWith?: string[];
+    notEquals?: string[];
+    notStartsWith?: string[];
+    notEndsWith?: string[];
+}
+/**
+ * CloudTrail manager
+ */
+export declare class CloudTrailManager {
+    private trails;
+    private trailCounter;
+    /**
+     * Create CloudTrail
+     */
+    createTrail(trail: Omit<CloudTrailConfig, 'id'>): CloudTrailConfig;
+    /**
+     * Create organization trail
+     */
+    createOrganizationTrail(options: {
+        name: string;
+        s3BucketName: string;
+        kmsKeyId?: string;
+        cloudWatchLogsLogGroupArn?: string;
+        cloudWatchLogsRoleArn?: string;
+    }): CloudTrailConfig;
+    /**
+     * Create security audit trail
+     */
+    createSecurityAuditTrail(options: {
+        name: string;
+        s3BucketName: string;
+        kmsKeyId: string;
+        cloudWatchLogsLogGroupArn: string;
+        cloudWatchLogsRoleArn: string;
+    }): CloudTrailConfig;
+    /**
+     * Create data events trail (S3 and Lambda)
+     */
+    createDataEventsTrail(options: {
+        name: string;
+        s3BucketName: string;
+        s3DataBuckets?: string[];
+        lambdaFunctions?: string[];
+    }): CloudTrailConfig;
+    /**
+     * Create advanced event selectors trail
+     */
+    createAdvancedTrail(options: {
+        name: string;
+        s3BucketName: string;
+        selectors: AdvancedEventSelector[];
+    }): CloudTrailConfig;
+    /**
+     * Create read-only trail
+     */
+    createReadOnlyTrail(options: {
+        name: string;
+        s3BucketName: string;
+    }): CloudTrailConfig;
+    /**
+     * Create write-only trail
+     */
+    createWriteOnlyTrail(options: {
+        name: string;
+        s3BucketName: string;
+    }): CloudTrailConfig;
+    /**
+     * Get trail
+     */
+    getTrail(id: string): CloudTrailConfig | undefined;
+    /**
+     * List trails
+     */
+    listTrails(): CloudTrailConfig[];
+    /**
+     * Generate CloudFormation for trail
+     */
+    generateTrailCF(trail: CloudTrailConfig): any;
+    /**
+     * Generate CloudTrail bucket policy
+     */
+    generateBucketPolicy(bucketName: string, trailAccountIds: string[]): any;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+/**
+ * Global CloudTrail manager instance
+ */
+export declare const cloudTrailManager: CloudTrailManager;

package/dist/compliance/compliance.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/compliance/guardduty.d.ts

@@ -0,0 +1,176 @@
+/**
+ * AWS GuardDuty
+ * Intelligent threat detection and continuous monitoring
+ */
+export interface GuardDutyDetector {
+    id: string;
+    enable: boolean;
+    findingPublishingFrequency?: 'FIFTEEN_MINUTES' | 'ONE_HOUR' | 'SIX_HOURS';
+    dataSources?: DataSourceConfigurations;
+    features?: DetectorFeature[];
+}
+export interface DataSourceConfigurations {
+    s3Logs?: {
+        enable: boolean;
+    };
+    kubernetes?: {
+        auditLogs: {
+            enable: boolean;
+        };
+    };
+    malwareProtection?: {
+        scanEc2InstanceWithFindings: {
+            ebsVolumes: {
+                enable: boolean;
+            };
+        };
+    };
+}
+export interface DetectorFeature {
+    name: 'S3_DATA_EVENTS' | 'EKS_AUDIT_LOGS' | 'EBS_MALWARE_PROTECTION' | 'RDS_LOGIN_EVENTS' | 'LAMBDA_NETWORK_LOGS';
+    status: 'ENABLED' | 'DISABLED';
+    additionalConfiguration?: {
+        name: string;
+        status: 'ENABLED' | 'DISABLED';
+    }[];
+}
+export interface ThreatIntelSet {
+    id: string;
+    detectorId: string;
+    name: string;
+    format: 'TXT' | 'STIX' | 'OTX_CSV' | 'ALIEN_VAULT' | 'PROOF_POINT' | 'FIRE_EYE';
+    location: string;
+    activate: boolean;
+}
+export interface IPSet {
+    id: string;
+    detectorId: string;
+    name: string;
+    format: 'TXT' | 'STIX' | 'OTX_CSV' | 'ALIEN_VAULT' | 'PROOF_POINT' | 'FIRE_EYE';
+    location: string;
+    activate: boolean;
+}
+export interface FindingFilter {
+    id: string;
+    detectorId: string;
+    name: string;
+    description?: string;
+    action: 'NOOP' | 'ARCHIVE';
+    rank: number;
+    findingCriteria: FindingCriteria;
+}
+export interface FindingCriteria {
+    criterion: Record<string, {
+        eq?: string[];
+        neq?: string[];
+        gt?: number;
+        gte?: number;
+        lt?: number;
+        lte?: number;
+    }>;
+}
+/**
+ * GuardDuty manager
+ */
+export declare class GuardDutyManager {
+    private detectors;
+    private threatIntelSets;
+    private ipSets;
+    private filters;
+    private detectorCounter;
+    private threatIntelCounter;
+    private ipSetCounter;
+    private filterCounter;
+    /**
+     * Create GuardDuty detector
+     */
+    createDetector(detector: Omit<GuardDutyDetector, 'id'>): GuardDutyDetector;
+    /**
+     * Create comprehensive detector with all features
+     */
+    createComprehensiveDetector(): GuardDutyDetector;
+    /**
+     * Create basic detector
+     */
+    createBasicDetector(): GuardDutyDetector;
+    /**
+     * Create threat intel set
+     */
+    createThreatIntelSet(set: Omit<ThreatIntelSet, 'id'>): ThreatIntelSet;
+    /**
+     * Create IP set
+     */
+    createIPSet(set: Omit<IPSet, 'id'>): IPSet;
+    /**
+     * Create finding filter
+     */
+    createFindingFilter(filter: Omit<FindingFilter, 'id'>): FindingFilter;
+    /**
+     * Create auto-archive filter for low severity findings
+     */
+    createLowSeverityArchiveFilter(detectorId: string): FindingFilter;
+    /**
+     * Create filter for specific finding types
+     */
+    createFindingTypeFilter(detectorId: string, findingTypes: string[], action: 'NOOP' | 'ARCHIVE'): FindingFilter;
+    /**
+     * Create filter for trusted IP addresses
+     */
+    createTrustedIPFilter(detectorId: string, ipAddresses: string[]): FindingFilter;
+    /**
+     * Get detector
+     */
+    getDetector(id: string): GuardDutyDetector | undefined;
+    /**
+     * List detectors
+     */
+    listDetectors(): GuardDutyDetector[];
+    /**
+     * Get threat intel set
+     */
+    getThreatIntelSet(id: string): ThreatIntelSet | undefined;
+    /**
+     * List threat intel sets
+     */
+    listThreatIntelSets(): ThreatIntelSet[];
+    /**
+     * Get IP set
+     */
+    getIPSet(id: string): IPSet | undefined;
+    /**
+     * List IP sets
+     */
+    listIPSets(): IPSet[];
+    /**
+     * Get finding filter
+     */
+    getFindingFilter(id: string): FindingFilter | undefined;
+    /**
+     * List finding filters
+     */
+    listFindingFilters(): FindingFilter[];
+    /**
+     * Generate CloudFormation for detector
+     */
+    generateDetectorCF(detector: GuardDutyDetector): any;
+    /**
+     * Generate CloudFormation for threat intel set
+     */
+    generateThreatIntelSetCF(set: ThreatIntelSet): any;
+    /**
+     * Generate CloudFormation for IP set
+     */
+    generateIPSetCF(set: IPSet): any;
+    /**
+     * Generate CloudFormation for finding filter
+     */
+    generateFilterCF(filter: FindingFilter): any;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+/**
+ * Global GuardDuty manager instance
+ */
+export declare const guardDutyManager: GuardDutyManager;

package/dist/compliance/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Compliance & Governance
+ * AWS Config, CloudTrail, GuardDuty, and Security Hub integrations
+ */
+export { AWSConfigManager, awsConfigManager, } from './aws-config';
+export type { ConfigRule, ConfigScope, ConfigRecorder, RecordingGroup, DeliveryChannel, } from './aws-config';
+export { CloudTrailManager, cloudTrailManager, } from './cloudtrail';
+export type { CloudTrailConfig, EventSelector, DataResource, InsightSelector, AdvancedEventSelector, FieldSelector, } from './cloudtrail';
+export { GuardDutyManager, guardDutyManager, } from './guardduty';
+export type { GuardDutyDetector, DataSourceConfigurations, DetectorFeature, ThreatIntelSet, IPSet, FindingFilter, FindingCriteria, } from './guardduty';
+export { SecurityHubManager, securityHubManager, } from './security-hub';
+export type { SecurityHubConfig, SecurityStandard, AutomationRule, AutomationAction, AutomationCriteria, StringFilter, NumberFilter, MapFilter, } from './security-hub';

package/dist/compliance/security-hub.d.ts

@@ -0,0 +1,178 @@
+/**
+ * AWS Security Hub
+ * Centralized security and compliance view across AWS accounts
+ */
+export interface SecurityHubConfig {
+    id: string;
+    enable: boolean;
+    controlFindingGenerator?: 'STANDARD_CONTROL' | 'SECURITY_CONTROL';
+    enableDefaultStandards?: boolean;
+    standards?: SecurityStandard[];
+    automationRules?: AutomationRule[];
+}
+export interface SecurityStandard {
+    id: string;
+    arn: string;
+    name: string;
+    description: string;
+    enabled: boolean;
+    disabledControls?: string[];
+}
+export interface AutomationRule {
+    id: string;
+    ruleName: string;
+    description?: string;
+    actions: AutomationAction[];
+    criteria: AutomationCriteria;
+    ruleStatus: 'ENABLED' | 'DISABLED';
+    ruleOrder: number;
+}
+export interface AutomationAction {
+    type: 'FINDING_FIELDS_UPDATE';
+    findingFieldsUpdate: {
+        note?: {
+            text: string;
+            updatedBy: string;
+        };
+        severity?: {
+            label: 'INFORMATIONAL' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+        };
+        workflow?: {
+            status: 'NEW' | 'NOTIFIED' | 'RESOLVED' | 'SUPPRESSED';
+        };
+        relatedFindings?: Array<{
+            productArn: string;
+            id: string;
+        }>;
+        userDefinedFields?: Record<string, string>;
+    };
+}
+export interface AutomationCriteria {
+    productName?: StringFilter[];
+    companyName?: StringFilter[];
+    severityLabel?: StringFilter[];
+    resourceType?: StringFilter[];
+    resourceId?: StringFilter[];
+    recordState?: StringFilter[];
+    workflowStatus?: StringFilter[];
+    complianceStatus?: StringFilter[];
+    verificationState?: StringFilter[];
+    confidence?: NumberFilter[];
+    criticality?: NumberFilter[];
+    title?: StringFilter[];
+    description?: StringFilter[];
+    sourceUrl?: StringFilter[];
+    productFields?: MapFilter[];
+    resourceTags?: MapFilter[];
+    userDefinedFields?: MapFilter[];
+}
+export interface StringFilter {
+    value: string;
+    comparison: 'EQUALS' | 'PREFIX' | 'NOT_EQUALS' | 'PREFIX_NOT_EQUALS';
+}
+export interface NumberFilter {
+    gte?: number;
+    lte?: number;
+    eq?: number;
+    gt?: number;
+    lt?: number;
+}
+export interface MapFilter {
+    key: string;
+    value?: string;
+    comparison: 'EQUALS' | 'NOT_EQUALS';
+}
+/**
+ * Security Hub manager
+ */
+export declare class SecurityHubManager {
+    private hubs;
+    private hubCounter;
+    private ruleCounter;
+    /**
+     * Available security standards
+     */
+    static readonly Standards: {
+        AWS_FOUNDATIONAL_SECURITY: {
+            arn: string;
+            name: string;
+            description: string;
+        };
+        CIS_AWS_FOUNDATIONS_1_2: {
+            arn: string;
+            name: string;
+            description: string;
+        };
+        CIS_AWS_FOUNDATIONS_1_4: {
+            arn: string;
+            name: string;
+            description: string;
+        };
+        PCI_DSS: {
+            arn: string;
+            name: string;
+            description: string;
+        };
+        NIST_800_53: {
+            arn: string;
+            name: string;
+            description: string;
+        };
+    };
+    /**
+     * Create Security Hub
+     */
+    createHub(hub: Omit<SecurityHubConfig, 'id'>): SecurityHubConfig;
+    /**
+     * Create comprehensive Security Hub with all standards
+     */
+    createComprehensiveHub(): SecurityHubConfig;
+    /**
+     * Create basic Security Hub
+     */
+    createBasicHub(): SecurityHubConfig;
+    /**
+     * Create automation rule for low severity findings
+     */
+    createLowSeveritySuppressionRule(): AutomationRule;
+    /**
+     * Create automation rule for specific resource types
+     */
+    createResourceTypeNotificationRule(resourceTypes: string[]): AutomationRule;
+    /**
+     * Create automation rule for compliance failures
+     */
+    createComplianceFailureRule(): AutomationRule;
+    /**
+     * Create automation rule for false positives
+     */
+    createFalsePositiveSuppressionRule(productName: string, titlePatterns: string[]): AutomationRule;
+    /**
+     * Get Security Hub
+     */
+    getHub(id: string): SecurityHubConfig | undefined;
+    /**
+     * List Security Hubs
+     */
+    listHubs(): SecurityHubConfig[];
+    /**
+     * Generate CloudFormation for Security Hub
+     */
+    generateHubCF(hub: SecurityHubConfig): any;
+    /**
+     * Generate CloudFormation for security standard subscription
+     */
+    generateStandardCF(standard: SecurityStandard): any;
+    /**
+     * Generate CloudFormation for automation rule
+     */
+    generateAutomationRuleCF(rule: AutomationRule): any;
+    /**
+     * Clear all data
+     */
+    clear(): void;
+}
+/**
+ * Global Security Hub manager instance
+ */
+export declare const securityHubManager: SecurityHubManager;