k9 Security's k9-cdk
for CDKv2 (CDKv1) makes strong security usable and helps you provision best practice AWS security policies
defined using the simplified k9 access capability model and
safe defaults. In CDK terms, this library provides Curated (L2) constructs that wrap core CloudFormation resources (L1) to simplify security.
Supported services:
- S3
- KMS
- DynamoDB
This library simplifies IAM as described in Effective IAM for AWS and is fully-supported by k9 Security. We're happy to answer questions or help you integrate it via a GitHub issue or email to support@k9security.io.
Use the k9 CDK to generate a policy and use it in your existing code base.
For example, the following code will:
- provision an S3 Bucket
- allow the
ci
andperson1
users to administer the bucket - allow administrators and
k9-auditor
to read bucket configuration - allow the
app-backend
role to write data into the bucket - allow the
app-backend
andcustomer-service
role to read data in the bucket
import * as cdk from "aws-cdk-lib";
import * as s3 from "aws-cdk-lib/aws-s3";
import * as k9 from "@k9securityio/k9-cdk";
// Define which principals may access the bucket and what capabilities they should have
const administerResourceArns = [
"arn:aws:iam::123456789012:user/ci",
"arn:aws:iam::123456789012:user/person1"
];
const readConfigArns = administerResourceArns.concat([
"arn:aws:iam::123456789012:role/k9-auditor",
"arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
]);
const app = new cdk.App();
const stack = new cdk.Stack(app, 'K9Example');
const bucket = new s3.Bucket(stack, 'TestBucket', {});
const k9BucketPolicyProps: k9.s3.K9BucketPolicyProps = {
bucket: bucket,
k9DesiredAccess: new Array<k9.k9policy.IAccessSpec>(
{ // declare access capabilities individually
accessCapability: k9.k9policy.AccessCapability.ADMINISTER_RESOURCE,
allowPrincipalArns: administerResourceArns,
},
{
accessCapability: k9.k9policy.AccessCapability.READ_CONFIG,
allowPrincipalArns: readConfigArns,
},
{ // or declare multiple access capabilities at once
accessCapabilities: [
k9.k9policy.AccessCapability.READ_DATA,
k9.k9policy.AccessCapability.WRITE_DATA
],
allowPrincipalArns: [
"arn:aws:iam::123456789012:role/app-backend",
],
},
{
accessCapability: k9.k9policy.AccessCapability.READ_DATA,
allowPrincipalArns: [
"arn:aws:iam::123456789012:role/customer-service"
],
}
// omit access spec for delete-data because it is unneeded
)
};
k9.s3.grantAccessViaResourcePolicy(stack, "S3Bucket", k9BucketPolicyProps);
Granting access to a KMS key is similar, but the custom resource policy is created first
so it can be set via props
per CDK convention:
import * as kms from "aws-cdk-lib/aws-kms";
import {PolicyDocument} from "aws-cdk-lib/aws-iam";
const k9KeyPolicyProps: k9.kms.K9KeyPolicyProps = {
k9DesiredAccess: k9BucketPolicyProps.k9DesiredAccess
};
const keyPolicy: PolicyDocument = k9.kms.makeKeyPolicy(k9KeyPolicyProps);
new kms.Key(stack, 'KMSKey', {
alias: 'app-key-with-k9-policy',
policy: keyPolicy
});
Protecting a DynamoDB table follows the same path as KMS, generating a policy then providing it to the DynamoDB table construct via props:
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
const ddbResourcePolicyProps: k9.dynamodb.K9DynamoDBResourcePolicyProps = {
k9DesiredAccess: k9BucketPolicyProps.k9DesiredAccess
};
const ddbResourcePolicy = k9.dynamodb.makeResourcePolicy(ddbResourcePolicyProps);
const table = new dynamodb.TableV2(stack, 'app-table-with-k9-policy', {
partitionKey: { name: 'pk', type: dynamodb.AttributeType.STRING },
resourcePolicy: ddbResourcePolicy,
});
The example stack demonstrates full use of the k9 S3, KMS, and DynamoDB policy generators. Generated policies:
S3 Bucket Policy:
KMS Key Policy:
DynamoDB Resource Policy:
- Templatized DynamoDB Resource Policy
- ResourcePolicy attribute of GlobalTable resource in CFn template
k9-cdk can be configured to support specialized use cases, including:
- Public Bucket - Publicly readable objects, least privilege for all other actions
The high level build commands for this project are driven by make
:
-
make all
- build library, run tests, and deploy -
make build
- build the library -
make converge
- deploy the integration test resources -
make destroy
- destroy the integration test resources
The low level build commands for this project are:
-
npx projen build
compile typescript to js, lint, transpile with JSII, execute tests -
cdk synth
emits the synthesized CloudFormation template -
cdk deploy
deploy this stack to your default AWS account/region -
cdk diff
compare deployed stack with current state