Skip to content

feat(iot): device certificate age check audit configuration #33816

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
May 6, 2025
Merged

feat(iot): device certificate age check audit configuration #33816

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
e4f1db0
update integ
badmintoncryer Mar 18, 2025
b5f8fe5
update unit test
badmintoncryer Mar 18, 2025
bd34d1d
update readme
badmintoncryer Mar 18, 2025
78216c7
update readme
badmintoncryer Mar 19, 2025
1eeb527
Merge branch 'main' into iot
badmintoncryer Mar 19, 2025
e426f1b
Merge branch 'main' into iot
badmintoncryer Mar 19, 2025
a025415
Merge branch 'main' into iot
badmintoncryer Mar 21, 2025
9a35c47
Merge branch 'main' into iot
badmintoncryer Mar 25, 2025
c83d981
Merge branch 'main' into iot
badmintoncryer Apr 5, 2025
242c47d
Merge branch 'main' into iot
badmintoncryer Apr 12, 2025
1932e46
Merge branch 'main' into iot
badmintoncryer Apr 14, 2025
04ad544
Merge branch 'main' into iot
badmintoncryer Apr 16, 2025
12a8b41
Merge branch 'main' into iot
badmintoncryer Apr 16, 2025
4d850ba
Merge branch 'main' into iot
badmintoncryer Apr 30, 2025
cdea97c
Update packages/@aws-cdk/aws-iot-alpha/README.md
paulhcsun May 6, 2025
0a57656
Update packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts
paulhcsun May 6, 2025
05f0e6e
Merge branch 'main' into iot
mergify[bot] May 6, 2025
c31d5c0
Merge branch 'main' into iot
mergify[bot] May 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions packages/@aws-cdk/aws-iot-alpha/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
// disabled
caCertificateKeyQualityCheck: false,
conflictingClientIdsCheck: false,
deviceCertificateAgeCheck: false,
deviceCertificateExpiringCheck: false,
deviceCertificateKeyQualityCheck: false,
deviceCertificateSharedCheck: false,
Expand All @@ -140,6 +141,21 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
});
```

To configure [the device certificate age check](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/device-certificate-age-check.html), you can specify the duration for the check:

```ts
import { Duration } from 'aws-cdk-lib';

new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
checkConfiguration: {
deviceCertificateAgeCheck: true,
// The default value is 365 days
// Valid values range from 30 days (minimum) to 3652 days (10 years, maximum)
deviceCertificateAgeCheckDuration: Duration.days(365),
},
});
```

### Scheduled Audit

You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/AuditCommands.html#device-defender-AuditCommandsManageSchedules) that is run at a specified time interval. Checks must be enabled for your account by creating `AccountAuditConfiguration`.
Expand Down
41 changes: 40 additions & 1 deletion packages/@aws-cdk/aws-iot-alpha/lib/audit-configuration.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { Resource, Stack, IResource } from 'aws-cdk-lib/core';
import { Resource, Stack, IResource, Duration } from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import * as iot from 'aws-cdk-lib/aws-iot';
import * as iam from 'aws-cdk-lib/aws-iam';
Expand Down Expand Up @@ -59,6 +59,25 @@ export interface CheckConfiguration {
*/
readonly conflictingClientIdsCheck?: boolean;

/**
* Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
*
* @default true
*/
readonly deviceCertificateAgeCheck?: boolean;

/**
* The duration used to check if a device certificate has been active
* for a number of days greater than or equal to the number you specify.
*
* Valid values are between 30 and 3652 days.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CFn docs say the min is 1 and the max is 64. Just to confirm — this is clearly a mistake in the docs, right?

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iot-accountauditconfiguration-certagecheckcustomconfiguration.html#aws-properties-iot-accountauditconfiguration-certagecheckcustomconfiguration-properties

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mazyu36
Thank you for pointing this out!
At the time of creation, the CloudFormation specification was supposed to be 30-3652 days. It seems the specifications have changed...

I will test what settings are actually possible and make various adjustments accordingly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mazyu36

The official documentation states that the valid range is 30 to 3652 days, which matches what is shown in the management console.

スクリーンショット 2025-04-16 22 39 55

Therefore, I think the cfn document may be wrong.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created a new issue in the cloudformation roadmap.

*
* You cannot specify a value for this check if `deviceCertificateAgeCheck` is set to `false`.
*
* @default - 365 days
*/
readonly deviceCertificateAgeCheckDuration?: Duration;

/**
* Checks if a device certificate is expiring.
*
Expand Down Expand Up @@ -201,6 +220,17 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
// Enhanced CDK Analytics Telemetry
addConstructMetadata(this, props);

const deviceAgeCheckThreshold = props?.checkConfiguration?.deviceCertificateAgeCheckDuration;

if (deviceAgeCheckThreshold) {
if (props?.checkConfiguration?.deviceCertificateAgeCheck === false) {
throw new Error('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
}
if (!deviceAgeCheckThreshold.isUnresolved() && deviceAgeCheckThreshold.toDays() < 30 || deviceAgeCheckThreshold.toDays() > 3652) {
throw new Error(`The device certificate age check threshold must be between 30 and 3652 days. got: ${deviceAgeCheckThreshold.toDays()} days.`);
}
}

this.accountId = Stack.of(this).account;

const auditRole = new iam.Role(this, 'AuditRole', {
Expand Down Expand Up @@ -261,6 +291,15 @@ export class AccountAuditConfiguration extends Resource implements IAccountAudit
caCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateExpiringCheck),
caCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.caCertificateKeyQualityCheck),
conflictingClientIdsCheck: this.renderAuditCheckConfiguration(checkConfiguration?.conflictingClientIdsCheck),
deviceCertificateAgeCheck:
checkConfiguration?.deviceCertificateAgeCheck !== false ?
{
enabled: true,
configuration: {
certAgeThresholdInDays: String(checkConfiguration?.deviceCertificateAgeCheckDuration?.toDays() ?? 365),
},
} :
undefined,
deviceCertificateExpiringCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateExpiringCheck),
deviceCertificateKeyQualityCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateKeyQualityCheck),
deviceCertificateSharedCheck: this.renderAuditCheckConfiguration(checkConfiguration?.deviceCertificateSharedCheck),
Expand Down
29 changes: 29 additions & 0 deletions packages/@aws-cdk/aws-iot-alpha/test/audit-configuration.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@ test('Default property', () => {
CaCertificateExpiringCheck: { Enabled: true },
CaCertificateKeyQualityCheck: { Enabled: true },
ConflictingClientIdsCheck: { Enabled: true },
DeviceCertificateAgeCheck: {
Enabled: true,
Configuration: {
CertAgeThresholdInDays: '365',
},
},
DeviceCertificateExpiringCheck: { Enabled: true },
DeviceCertificateKeyQualityCheck: { Enabled: true },
DeviceCertificateSharedCheck: { Enabled: true },
Expand Down Expand Up @@ -129,6 +135,29 @@ test('configure check configuration', () => {
});
});

test('throw error for configuring duration without enabling deviceCertificateAgeCheck', () => {
const stack = new cdk.Stack();
expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
checkConfiguration: {
deviceCertificateAgeCheck: false,
deviceCertificateAgeCheckDuration: cdk.Duration.days(1229),
},
})).toThrow('You cannot specify a value for `deviceCertificateAgeCheckDuration` if `deviceCertificateAgeCheck` is set to `false`.');
});

test.each([
cdk.Duration.days(29),
cdk.Duration.days(3653),
])('throw error for invalid duration %s', (duration) => {
const stack = new cdk.Stack();
expect(() => new iot.AccountAuditConfiguration(stack, 'AccountAuditConfiguration', {
checkConfiguration: {
deviceCertificateAgeCheck: true,
deviceCertificateAgeCheckDuration: duration,
},
})).toThrow(`The device certificate age check threshold must be between 30 and 3652 days. got: ${duration.toDays()} days.`);
});

test('import by Account ID', () => {
const stack = new cdk.Stack();

Expand Down
2 changes: 1 addition & 1 deletion ...guration.js.snapshot/IotAuditConfigurationTestDefaultTestDeployAssert6A603D00.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 3 additions & 3 deletions ...pha/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.assets.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions ...a/test/integ.audit-configuration.js.snapshot/IotAuditConfigurationTestStack.template.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,12 @@
"ConflictingClientIdsCheck": {
"Enabled": true
},
"DeviceCertificateAgeCheck": {
"Configuration": {
"CertAgeThresholdInDays": "1229"
},
"Enabled": true
},
"DeviceCertificateExpiringCheck": {
"Enabled": true
},
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/cdk.out
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/integ.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

60 changes: 56 additions & 4 deletions packages/@aws-cdk/aws-iot-alpha/test/integ.audit-configuration.js.snapshot/manifest.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading