feat(iot): scheduled audit (#31776)

### Issue # (if applicable) Closes #31779. ### Reason for this change Cloudformation supports for creating AWS IoT scheduled audit but AWS CDK does not. ### Description of changes - Define `ScheduledAudit` construct Cloudformation does not support two audit checks. Therefore I have not implemented these checks in the `AuditCheck` enum. - INTERMEDIATE_CA_REVOKED_FOR_ACTIVE_DEVICE_CERTIFICATES_CHECK - IOT_POLICY_POTENTIAL_MIS_CONFIGURATION_CHECK If we try to deploy these checks, the deployment will fail. ```sh Resource handler returned message: "Request contains an invalid Audit Check Name. (Service: Iot, Status Code: 400, Request ID: 3fb58c68-2845-4cc0-882c-7d9b5495ff2a)" (RequestToken: dcb09acd-609f-dfe5-7b63-6eb208052949, HandlerErrorCode: InvalidRequest) ``` ### Description of how you validated changes Added both unit and integ tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 21, 2024 · 366b492 · 366b492
1 parent 0a0e4ad
commit 366b492
Show file tree

Hide file tree

Showing 9 changed files with 855 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-iot-alpha/README.md b/packages/@aws-cdk/aws-iot-alpha/README.md
@@ -139,3 +139,40 @@ new iot.AccountAuditConfiguration(this, 'AuditConfiguration', {
   },
 });
 ```
+
+### Scheduled Audit
+
+You can create a [scheduled audit](https://docs.aws.amazon.com/iot-device-defender/latest/devguide/AuditCommands.html#device-defender-AuditCommandsManageSchedules) that is run at a specified time interval. Checks must be enabled for your account by creating `AccountAuditConfiguration`.
+
+```ts
+declare const config: iot.AccountAuditConfiguration;
+
+// Daily audit
+const dailyAudit = new iot.ScheduledAudit(this, 'DailyAudit', {
+  accountAuditConfiguration: config,
+  frequency: iot.Frequency.DAILY,
+  auditChecks: [
+    iot.AuditCheck.AUTHENTICATED_COGNITO_ROLE_OVERLY_PERMISSIVE_CHECK,
+  ],
+})
+
+// Weekly audit
+const weeklyAudit = new iot.ScheduledAudit(this, 'WeeklyAudit', {
+  accountAuditConfiguration: config,
+  frequency: iot.Frequency.WEEKLY,
+  dayOfWeek: iot.DayOfWeek.SUNDAY,
+  auditChecks: [
+    iot.AuditCheck.CA_CERTIFICATE_EXPIRING_CHECK,
+  ],
+});
+
+// Monthly audit
+const monthlyAudit = new iot.ScheduledAudit(this, 'MonthlyAudit', {
+  accountAuditConfiguration: config,
+  frequency: iot.Frequency.MONTHLY,
+  dayOfMonth: iot.DayOfMonth.of(1),
+  auditChecks: [
+    iot.AuditCheck.CA_CERTIFICATE_KEY_QUALITY_CHECK,
+  ],
+});
+```
diff --git a/packages/@aws-cdk/aws-iot-alpha/lib/index.ts b/packages/@aws-cdk/aws-iot-alpha/lib/index.ts
@@ -2,6 +2,7 @@ export * from './action';
 export * from './audit-configuration';
 export * from './iot-sql';
 export * from './logging';
+export * from './scheduled-audit';
 export * from './topic-rule';
 
 // AWS::IoT CloudFormation Resources: