Cant turn ON the AWS IoT security audit through CDK

Question

I want to enable the AWS IoT security audit through a CDK stack but it is not working.

First I followed this documentation for the interfaceAuditCheckConfigurationProperty and the following was the CDK code to enable the IoT security audit:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as sqs from 'aws-cdk-lib/aws-sqs';
import { aws_iot as iot } from 'aws-cdk-lib';

export class CdkIotDeviceDefenderStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const auditCheckConfigurationProperty: iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty = {
      enabled: true,
    };

    //https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iot.CfnAccountAuditConfiguration.AuditCheckConfigurationsProperty.html
    const auditCheckConfigurationsProperty: iot.CfnAccountAuditConfiguration.AuditCheckConfigurationsProperty = {
        deviceCertificateExpiringCheck: {
            enabled: true,
        }
    };

  }
}

But the previous approach did not work. Then I followed another approach which was to use the AWS SDK inside the CDK to generate the resources in cloudformation. This is the full code:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

import { IoTClient, UpdateAccountAuditConfigurationCommand } from "@aws-sdk/client-iot";

import * as sns from 'aws-cdk-lib/aws-sns';
import * as subscriptions from 'aws-cdk-lib/aws-sns-subscriptions';

export class CdkIotDeviceDefenderStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // SNS to receive the device defender results
    const expiredDeviceCertificateSNTopic = new sns.Topic(this, "SNSDeviceDefender", {
      displayName: 'Device Defender Expired Certificate SNS',
      fifo: false
    });

    const clientIoT = new IoTClient({ region: "us-west-2" });
    
    const auditCheckConfigParams: any = {
        roleArn: "arn:aws:iam::996242555412:role/Role_AWSIoTDeviceDefenderAudit", //Role manually created - AWSIoTDeviceDefenderAudit policy
        auditNotificationTargetConfigurations: {
            "SNS": {
                "targetArn": expiredDeviceCertificateSNTopic.topicArn,
                "roleArn": "arn:aws:iam::996242555412:role/Role_AWSIoTDeviceDefenderAudit",
                "enabled": true
            }
        },
        auditCheckConfigurations: {
            "DEVICE_CERTIFICATE_EXPIRING_CHECK": {
              enabled: true,
            }
        }
    };
    (async () => {
        try {
            const iotUpdateCmd = new UpdateAccountAuditConfigurationCommand(auditCheckConfigParams);
            const iotUpdateResponse = await clientIoT.send(iotUpdateCmd);
        } catch { }
    })();

  }
}

Here I am creating a SNS to receive the results from device defender audit.

It did not work as well.

This is the expected result after run the CDK (The Device Defender audit settings enabled to true and the Device certificate expiring enabled to true):

But this is what I am getting in both attempts (The Device Defender audit settings not enabled - IoT security audit is off):

I am out of ideas. I don't know what I am missing. Any idea would be helpful.

Answer 1

Here is my CDK stack (in python) to enable Device Defender, create audit and get notification in SNS:

class DeviceDefenderStackStack(Stack):
    def __init__(
        self,
        scope: Construct,
        construct_id: str,
        env: Environment,
        env_params: dict,
        **kwargs
    ) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Create IAM Role for Device Defender
        device_defender_account_audit_role = iam.Role(
            self,
            "DeviceDefenderAccountAuditRole",
            assumed_by=iam.ServicePrincipal("iot.amazonaws.com"),
        )

        device_defender_account_audit_role.add_managed_policy(
            iam.ManagedPolicy.from_aws_managed_policy_name(
                "service-role/AWSIoTDeviceDefenderAudit"
            )
        )

        topic = sns.Topic(
            self,
            "DeviceDefenderSnsTopic",
            topic_name="device-defender-audit-topic",
            display_name="IoT Defender audit notifications",
        )

        iot_allow_sns_role = iam.Role(
            self,
            "IoTAllowSNSRole",
            assumed_by=iam.ServicePrincipal("iot.amazonaws.com"),
            path="/",
        )

        # Attach the policy to the IAM Role
        policy_attachment = iam.Policy(
            self,
            "SnsPolicyAttachment",
            policy_name="IotDeviceDefenderSnsPolicy",
            statements=[
                iam.PolicyStatement(
                    actions=["sns:Publish"], resources=[topic.topic_arn]
                )
            ],
        )

        iot_allow_sns_role.attach_inline_policy(policy_attachment)

        cfn_account_audit_configuration = iot.CfnAccountAuditConfiguration(
            self,
            "AccountAuditConfiguration",
            account_id=env.account,
            audit_check_configurations=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationsProperty(
                authenticated_cognito_role_overly_permissive_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                ca_certificate_expiring_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                ca_certificate_key_quality_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                conflicting_client_ids_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                device_certificate_expiring_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                device_certificate_key_quality_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                device_certificate_shared_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                intermediate_ca_revoked_for_active_device_certificates_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                iot_policy_overly_permissive_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                io_t_policy_potential_mis_configuration_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                iot_role_alias_allows_access_to_unused_services_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                iot_role_alias_overly_permissive_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                logging_disabled_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                revoked_ca_certificate_still_active_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                revoked_device_certificate_still_active_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
                unauthenticated_cognito_role_overly_permissive_check=iot.CfnAccountAuditConfiguration.AuditCheckConfigurationProperty(
                    enabled=True
                ),
            ),
            role_arn=device_defender_account_audit_role.role_arn,
            # the properties below are optional
            audit_notification_target_configurations=iot.CfnAccountAuditConfiguration.AuditNotificationTargetConfigurationsProperty(
                sns=iot.CfnAccountAuditConfiguration.AuditNotificationTargetProperty(
                    enabled=True,
                    role_arn=iot_allow_sns_role.role_arn,
                    target_arn=topic.topic_arn,
                )
            ),
        )

        # Create Device Defender (DD) Audit Schedule
        dd_scheduled_audit = iot.CfnScheduledAudit(
            self,
            "DDScheduledAudit",
            scheduled_audit_name=env_params["name"]
            + env_params["device_defender"]["scheduled_audit_name"],
            frequency="DAILY",
            target_check_names=[
                "CONFLICTING_CLIENT_IDS_CHECK",
                "DEVICE_CERTIFICATE_EXPIRING_CHECK",
                "DEVICE_CERTIFICATE_KEY_QUALITY_CHECK",
                "DEVICE_CERTIFICATE_SHARED_CHECK",
                "IOT_POLICY_OVERLY_PERMISSIVE_CHECK",
                "LOGGING_DISABLED_CHECK",
                "REVOKED_DEVICE_CERTIFICATE_STILL_ACTIVE_CHECK",
                "IOT_POLICY_POTENTIAL_MISCONFIGURATION_CHECK",
                "IOT_ROLE_ALIAS_OVERLY_PERMISSIVE_CHECK",
                "IOT_ROLE_ALIAS_ALLOWS_ACCESS_TO_UNUSED_SERVICES_CHECK",
            ],
        )

        dd_scheduled_audit.add_depends_on(cfn_account_audit_configuration)