in source/aws-bootstrap-kit/lib/secure-root-user.ts [26:78]
/**
 * Hardens the root user of the account this stack deploys into.
 *
 * Sets up two periodic AWS Config managed rules (root MFA enabled, no root
 * access keys), an SNS topic that e-mails `notificationEmail`, and a role the
 * remediation machinery uses to publish to that topic. Nothing here can fix a
 * root-user finding on its own — only a human signed in as root can enable
 * MFA or delete root access keys — so "remediation" means e-mailing the owner
 * the steps to take (see addNotCompliancyNotificationMechanism, defined
 * elsewhere in this class).
 *
 * @param scope             parent construct
 * @param id                construct id
 * @param notificationEmail address subscribed to the findings topic; SNS
 *                          e-mail subscriptions must be confirmed by the
 *                          recipient before anything is delivered
 */
constructor(scope: Construct, id: string, notificationEmail: string) {
  super(scope, id);

  const accountId = core.Stack.of(this).account;

  // Topic the account owner gets paged on.
  // NOTE(review): created with SNS defaults (no customer-managed KMS key).
  // The payload is only the account id plus fixed instructions, so that is
  // probably acceptable — confirm against your encryption-at-rest policy.
  const findingsTopic = new sns.Topic(this, 'SecureRootUserConfigTopic');
  findingsTopic.addSubscription(new subs.EmailSubscription(notificationEmail));

  // Both rules run on a schedule (at most once every 24h), not on change,
  // so a freshly created root access key can go unreported for up to a day.
  // They do nothing until a configuration recorder exists, hence the explicit
  // dependencies right after.
  const recorder = new ConfigRecorder(this, "ConfigRecorder");
  const rootMfaRule = new config.ManagedRule(this, "EnableRootMfa", {
    identifier: "ROOT_ACCOUNT_MFA_ENABLED",
    maximumExecutionFrequency: config.MaximumExecutionFrequency.TWENTY_FOUR_HOURS,
  });
  const rootAccessKeyRule = new config.ManagedRule(this, "NoRootAccessKey", {
    identifier: "IAM_ROOT_ACCESS_KEY_CHECK",
    maximumExecutionFrequency: config.MaximumExecutionFrequency.TWENTY_FOUR_HOURS,
  });
  rootMfaRule.node.addDependency(recorder);
  rootAccessKeyRule.node.addDependency(recorder);

  // Role that EventBridge and SSM Automation assume to publish the
  // notification. The only permission granted in this constructor is
  // sns:Publish on the topic above (granted below).
  // NOTE(review): the trust policy carries no aws:SourceAccount /
  // aws:SourceArn condition, so anything these two services act on behalf
  // of could in principle assume it (confused deputy). Scope it down if the
  // remediation mechanism tolerates the condition — verify before changing.
  const remediationRole = new iam.Role(this, 'AutoRemediationRole', {
    assumedBy: new iam.CompositePrincipal(
      new iam.ServicePrincipal("events.amazonaws.com"),
      new iam.ServicePrincipal("ssm.amazonaws.com")
    ),
  });
  // Workaround for https://github.com/aws/aws-cdk/issues/16188: force the
  // first trust statement to list both services in a single `Service` array
  // (see the issue for why CompositePrincipal alone was not enough here).
  const remediationRoleCfn = remediationRole.node.defaultChild as iam.CfnRole;
  remediationRoleCfn.addOverride(
    'Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service',
    ['events.amazonaws.com', 'ssm.amazonaws.com']
  );
  findingsTopic.grantPublish(remediationRole);

  // "Remediation" = tell the owner what to do by hand. The wording is
  // user-facing and deliberately left untouched here (it is what recipients
  // already receive); tidy the grammar in a dedicated change if desired.
  const mfaInstructions = `Your main account (${accountId}) root user still not have MFA activated.\n\t1. Go to https://signin.aws.amazon.com/console and sign in using your root account\n\t2. Go to https://console.aws.amazon.com/iam/home#/security_credentials\n\t3. Activate MFA`;
  const accessKeyInstructions = `Your main account (${accountId}) root user have static access keys.\n\t1. Go to https://signin.aws.amazon.com/console and sign in using your root account\n\t2. Go to https://console.aws.amazon.com/iam/home#/security_credentials\n\t3. Delete your Access keys`;
  this.addNotCompliancyNotificationMechanism(rootMfaRule, remediationRole, findingsTopic, mfaInstructions);
  this.addNotCompliancyNotificationMechanism(rootAccessKeyRule, remediationRole, findingsTopic, accessKeyInstructions);
}