Interface SecurityProfileConfiguration

All Known Implementing Classes:
DevSecurityProfileConfiguration, ProductionSecurityProfileConfiguration, StagingSecurityProfileConfiguration

public interface SecurityProfileConfiguration
Configuration interface for security profile settings. Defines security best practices and compliance requirements for each environment.
  • Method Details

    • getSecurityProfile

      SecurityProfile getSecurityProfile()
      Get the security profile this configuration applies to.
    • getLogRetentionDays

      software.amazon.awscdk.services.logs.RetentionDays getLogRetentionDays()
      Get the CloudWatch log retention period for application logs.
    • getFlowLogRetentionDays

      software.amazon.awscdk.services.logs.RetentionDays getFlowLogRetentionDays()
      Get the CloudWatch log retention period for VPC flow logs.
    • getLogRemovalPolicy

      software.amazon.awscdk.RemovalPolicy getLogRemovalPolicy()
      Get the removal policy for log groups.
    • isFlowLogsEnabled

      boolean isFlowLogsEnabled()
      Whether flow logs should be enabled for this security profile.
    • getFlowLogTrafficType

      software.amazon.awscdk.services.ec2.FlowLogTrafficType getFlowLogTrafficType()
      Get the flow log traffic type to capture.
    • isSecurityMonitoringEnabled

      boolean isSecurityMonitoringEnabled()
      Whether security monitoring and alerting should be enabled.
    • isCloudTrailEnabled

      boolean isCloudTrailEnabled()
      Whether CloudTrail should be enabled for audit logging.
    • isGuardDutyEnabled

      boolean isGuardDutyEnabled()
      Whether GuardDuty should be enabled for threat detection.
    • isAwsConfigEnabled

      boolean isAwsConfigEnabled()
      Whether AWS Config should be enabled for compliance monitoring.
    • isAuditManagerEnabled

      boolean isAuditManagerEnabled()
      Whether AWS Audit Manager should be enabled for continuous auditing.
    • isEbsEncryptionEnabled

      boolean isEbsEncryptionEnabled()
      Whether EBS volumes should be encrypted.
    • isEfsEncryptionInTransitEnabled

      boolean isEfsEncryptionInTransitEnabled()
      Whether EFS should be encrypted in transit.
    • isEfsEncryptionAtRestEnabled

      boolean isEfsEncryptionAtRestEnabled()
      Whether EFS should be encrypted at rest.
    • isS3EncryptionEnabled

      boolean isS3EncryptionEnabled()
      Whether S3 buckets should be encrypted.
    • isVpcEndpointsEnabled

      boolean isVpcEndpointsEnabled()
      Whether VPC endpoints should be used for AWS services.
    • isRestrictSecurityGroupEgressEnabled

      boolean isRestrictSecurityGroupEgressEnabled()
      Whether security group egress should be restricted to VPC CIDR only.

      When enabled, security groups are created with allowAllOutbound=false and egress is restricted to the VPC CIDR range. This requires VPC endpoints for AWS services (CloudWatch, RDS monitoring, etc.) to function properly.

      • DEV: false - Allow all outbound for simplicity
      • STAGING: false - Allow all outbound unless explicitly enabled
      • PRODUCTION: false - Requires VPC endpoints, enable via deployment context
      Returns:
      true if egress should be restricted to VPC CIDR only
    • isNatGatewayEnabled

      boolean isNatGatewayEnabled()
      Whether NAT Gateway should be used for outbound internet access.
    • getNatGatewayCount

      int getNatGatewayCount(TopologyType topology, RuntimeType runtime, NetworkMode networkMode)
      Get the number of NAT gateways to create based on topology, runtime, and security profile. This method encapsulates all NAT gateway logic including network mode, security requirements, and topology-specific needs.
      Parameters:
      topology - The deployment topology (JENKINS_SERVICE, S3_WEBSITE, etc.)
      runtime - The runtime type (EC2, FARGATE)
      networkMode - The network mode (public-no-nat, private-with-nat)
      Returns:
      The number of NAT gateways to create (0, 1, or 2)
    • isWafEnabled

      boolean isWafEnabled()
      Whether WAF should be enabled for web application protection.
    • isHttpsStrictEnabled

      boolean isHttpsStrictEnabled()
      Whether HTTPS-only mode should be enforced (no HTTP listener).

      When enabled with SSL, the ALB will only listen on port 443 (HTTPS). No HTTP listener on port 80 will be created, meaning users must explicitly use https:// in their URLs. This provides stricter security by eliminating any unencrypted traffic path.

      This is required by PCI-DSS and NIST for strict TLS enforcement. When disabled (default), HTTP requests are redirected to HTTPS.

      Returns:
      true if HTTPS-only mode should be enforced
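The two settings above (isRestrictSecurityGroupEgressEnabled and isHttpsStrictEnabled) describe how a security group and an ALB should be built. The following hypothetical CDK helper is an added example, not code from the project that defines this interface; it assumes aws-cdk-lib v2 for Java, an ACM certificate ARN supplied by the caller, a backend target on port 8080, and a factory class name (ProfiledAlbFactory) that does not appear on this page.

```java
import java.util.List;

import software.amazon.awscdk.services.ec2.IVpc;
import software.amazon.awscdk.services.ec2.Peer;
import software.amazon.awscdk.services.ec2.Port;
import software.amazon.awscdk.services.ec2.SecurityGroup;
import software.amazon.awscdk.services.elasticloadbalancingv2.AddApplicationTargetsProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationListener;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationLoadBalancer;
import software.amazon.awscdk.services.elasticloadbalancingv2.ApplicationProtocol;
import software.amazon.awscdk.services.elasticloadbalancingv2.BaseApplicationListenerProps;
import software.amazon.awscdk.services.elasticloadbalancingv2.IApplicationLoadBalancerTarget;
import software.amazon.awscdk.services.elasticloadbalancingv2.ListenerCertificate;
import software.amazon.awscdk.services.elasticloadbalancingv2.SslPolicy;
import software.constructs.Construct;

/** Hypothetical helper (assumed name): wires an ALB the way the profile flags describe. */
public final class ProfiledAlbFactory {

    private ProfiledAlbFactory() {}

    public static ApplicationLoadBalancer create(Construct scope, String id, IVpc vpc,
            SecurityProfileConfiguration profile, String certificateArn,
            IApplicationLoadBalancerTarget target) {

        // isRestrictSecurityGroupEgressEnabled(): allowAllOutbound=false plus one egress
        // rule scoped to the VPC CIDR. Anything outside the VPC (AWS service APIs included)
        // is then reachable only through VPC endpoints, as the method's doc warns.
        boolean restrictEgress = profile.isRestrictSecurityGroupEgressEnabled();
        SecurityGroup albSg = SecurityGroup.Builder.create(scope, id + "Sg")
                .vpc(vpc)
                .allowAllOutbound(!restrictEgress)
                .description("ALB security group, egress "
                        + (restrictEgress ? "restricted to VPC CIDR" : "unrestricted"))
                .build();
        if (restrictEgress) {
            albSg.addEgressRule(Peer.ipv4(vpc.getVpcCidrBlock()), Port.allTraffic(),
                    "Egress limited to VPC CIDR");
        }

        ApplicationLoadBalancer alb = ApplicationLoadBalancer.Builder.create(scope, id)
                .vpc(vpc)
                .internetFacing(true)
                .securityGroup(albSg)
                .build();

        // The HTTPS listener exists in both modes; only what happens on port 80 differs.
        ApplicationListener https = alb.addListener("Https", BaseApplicationListenerProps.builder()
                .port(443)
                .protocol(ApplicationProtocol.HTTPS)
                .certificates(List.of(ListenerCertificate.fromArn(certificateArn)))
                .sslPolicy(SslPolicy.RECOMMENDED_TLS)
                .build());
        https.addTargets("AppTargets", AddApplicationTargetsProps.builder()
                .port(8080)                 // assumed backend port
                .protocol(ApplicationProtocol.HTTP)
                .targets(List.of(target))
                .build());

        // isHttpsStrictEnabled(): no listener on port 80 at all, so a plain http:// request
        // is refused instead of redirected. Default (false): port 80 is opened solely to
        // answer with a redirect to https:// on port 443.
        if (!profile.isHttpsStrictEnabled()) {
            alb.addRedirect();   // CDK default redirect config: HTTP:80 -> HTTPS:443
        }
        return alb;
    }
}
```

In strict mode the only port the listener-driven ingress rules open on albSg is 443, which is the "no unencrypted traffic path" property the doc describes; with the redirect, port 80 is open but carries nothing except the redirect response.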
    • isCloudFrontEnabled

      boolean isCloudFrontEnabled()
      Whether CloudFront should be enabled for DDoS protection.
    • isAutomatedBackupEnabled

      boolean isAutomatedBackupEnabled()
      Whether automated backups should be enabled.
    • getBackupRetentionDays

      int getBackupRetentionDays()
      Get the backup retention period in days.
    • isCrossRegionBackupEnabled

      boolean isCrossRegionBackupEnabled()
      Whether cross-region backup replication should be enabled.
    • isBackupVaultLockEnabled

      boolean isBackupVaultLockEnabled()
      Whether backup vault lock should be enabled.

      Vault lock prevents backups from being deleted or modified for a specified retention period, ensuring immutability of backup data.

      Required for:

      • PCI-DSS - Immutable backup retention
      • HIPAA - Data integrity and retention requirements

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true when PCI-DSS or HIPAA compliance is required
      Returns:
      true if backup vault lock should be enabled
    • isBackupVaultRetentionEnabled

      boolean isBackupVaultRetentionEnabled()
      Whether backup vault should be retained on stack deletion.

      When enabled, the backup vault and its backups are retained even after the CloudFormation stack is deleted, ensuring compliance with data retention policies.

      • DEV: false - Allow cleanup for development
      • STAGING: false - Allow cleanup for staging
      • PRODUCTION: true when compliance frameworks are enabled
      Returns:
      true if backup vault should be retained
    • isDetailedBillingEnabled

      boolean isDetailedBillingEnabled()
      Whether detailed billing should be enabled.
    • isAlbAccessLoggingEnabled

      boolean isAlbAccessLoggingEnabled()
      Whether access logging should be enabled for ALB.
    • getAlbAccessLogRetentionDays

      software.amazon.awscdk.services.logs.RetentionDays getAlbAccessLogRetentionDays()
      Get the ALB access log retention period in days.
    • isMultiAzEnforced

      boolean isMultiAzEnforced()
      Whether multi-AZ deployment should be enforced.
    • isAutoScalingEnabled

      boolean isAutoScalingEnabled()
      Whether auto-scaling should be enabled.
    • getMinInstanceCount

      int getMinInstanceCount()
      Get the minimum number of instances for auto-scaling.
    • getMaxInstanceCount

      int getMaxInstanceCount()
      Get the maximum number of instances for auto-scaling.
    • isS3VersioningRemediationEnabled

      boolean isS3VersioningRemediationEnabled()
      Whether S3 bucket versioning remediation should be enabled. Automatically enables versioning on non-compliant S3 buckets. WARNING: Has cost implications - versioned objects consume additional storage.
    • isCloudTrailBucketAccessRemediationEnabled

      boolean isCloudTrailBucketAccessRemediationEnabled()
      Whether CloudTrail bucket access remediation should be enabled. Automatically fixes CloudTrail S3 bucket policy when CloudTrail can't write logs.
    • isEbsEncryptionRemediationEnabled

      boolean isEbsEncryptionRemediationEnabled()
      Whether EBS encryption remediation should be enabled. Automatically enables EBS encryption by default for the account.
    • isGuardDutyRemediationEnabled

      boolean isGuardDutyRemediationEnabled()
      Whether GuardDuty remediation should be enabled. Automatically enables GuardDuty threat detection if not already enabled.
    • isVpcDefaultSgRemediationEnabled

      boolean isVpcDefaultSgRemediationEnabled()
      Whether VPC default security group remediation should be enabled. Automatically removes all rules from the default security group.
    • isElbDeletionProtectionRemediationEnabled

      boolean isElbDeletionProtectionRemediationEnabled()
      Whether ELB deletion protection remediation should be enabled. Automatically enables deletion protection on load balancers.
    • isKmsKeyRotationRemediationEnabled

      boolean isKmsKeyRotationRemediationEnabled()
      Whether KMS key rotation remediation should be enabled. Automatically enables automatic key rotation for customer-managed KMS keys.
    • isSshRemovalRemediationEnabled

      boolean isSshRemovalRemediationEnabled()
      Whether SSH removal remediation should be enabled. Automatically removes public SSH access from security groups. WARNING: Could break access if SSH is required.
    • isAccessKeyRotationRemediationEnabled

      boolean isAccessKeyRotationRemediationEnabled()
      Whether access key rotation remediation should be enabled. Automatically revokes IAM access keys that are 90+ days old. WARNING: Requires user notification workflow.
    • isDynamoDbPitrRemediationEnabled

      boolean isDynamoDbPitrRemediationEnabled()
      Whether DynamoDB point-in-time recovery remediation should be enabled. Automatically enables PITR for DynamoDB tables.
    • isRdsMultiAzRemediationEnabled

      boolean isRdsMultiAzRemediationEnabled()
      Whether RDS Multi-AZ remediation should be enabled. Automatically enables Multi-AZ for RDS instances. WARNING: Requires maintenance window and causes brief downtime.
    • isRdsEncryptionRemediationEnabled

      boolean isRdsEncryptionRemediationEnabled()
      Whether RDS encryption remediation should be enabled. Automatically creates encrypted snapshot and replaces unencrypted RDS instances. WARNING: Complex operation requiring snapshot recreation.
    • isRdsDeletionProtectionRemediationEnabled

      boolean isRdsDeletionProtectionRemediationEnabled()
      Whether RDS deletion protection remediation should be enabled. Automatically enables deletion protection on RDS instances.
    • isRdsDeletionProtectionEnabled

      boolean isRdsDeletionProtectionEnabled()
      Whether RDS deletion protection should be enabled.

      Deletion protection prevents accidental deletion of RDS instances. Required for production deployments with compliance frameworks (PCI-DSS, HIPAA, SOC2, GDPR).

      • DEV: false - Allow easy cleanup during development
      • STAGING: false - Allow cleanup of staging environments
      • PRODUCTION: true when compliance frameworks are enabled
      Returns:
      true if deletion protection should be enabled
    • isRdsDatabaseMultiAzEnabled

      boolean isRdsDatabaseMultiAzEnabled()
      Whether RDS database Multi-AZ deployment should be enabled.

      Multi-AZ provides high availability and automatic failover for RDS instances. Required for production deployments with compliance frameworks (PCI-DSS, HIPAA, SOC2, GDPR, NIST).

      Required for:

      • PCI-DSS - Req 12.10.4: Critical system availability
      • HIPAA - §164.308(a)(7)(ii)(B): Disaster recovery
      • SOC2 - A1.2: System availability
      • GDPR - Art. 32(1)(b): System resilience
      • NIST - CP-6: Alternate Storage Site

      • DEV: false - Single AZ for cost savings
      • STAGING: false by default, true when compliance frameworks require it
      • PRODUCTION: true when compliance frameworks are enabled
      Returns:
      true if RDS Multi-AZ should be enabled
    • isSecurityHubRemediationEnabled

      boolean isSecurityHubRemediationEnabled()
      Whether Security Hub remediation should be enabled. Automatically enables AWS Security Hub if not already enabled. Security Hub aggregates security findings from GuardDuty, Inspector, Macie, and other services.
    • isInspectorRemediationEnabled

      boolean isInspectorRemediationEnabled()
      Whether Inspector remediation should be enabled. Automatically enables Amazon Inspector v2 for vulnerability scanning if not already enabled. Inspector continuously scans EC2, ECR, and Lambda for software vulnerabilities.
    • isMacieRemediationEnabled

      boolean isMacieRemediationEnabled()
      Whether Macie remediation should be enabled. Automatically enables Amazon Macie for sensitive data discovery if not already enabled. WARNING: Has cost implications - charges per GB of data scanned.
    • isEcrImageScanningRemediationEnabled

      boolean isEcrImageScanningRemediationEnabled()
      Whether ECR image scanning remediation should be enabled. Automatically enables scan-on-push for ECR repositories if not already enabled. Scans container images for vulnerabilities before they can be deployed.
    • isMfaRequired

      boolean isMfaRequired()
      Whether MFA (Multi-Factor Authentication) is required for user authentication.

      MFA provides an additional layer of security by requiring users to provide a second form of verification beyond their password.

      • DEV: false - MFA optional for development convenience
      • STAGING: true - MFA required to test production-like security
      • PRODUCTION: true - MFA required for compliance (PCI-DSS, HIPAA, SOC 2)
      Returns:
      true if MFA should be required
    • getDefaultMfaMethod

      String getDefaultMfaMethod()
      Get the default MFA method for the security profile.

      Available methods:

      • "totp" - Time-based One-Time Password (authenticator apps)
      • "sms" - SMS text message codes
      • "both" - Users can choose their preferred method

      • DEV: "totp" - Simple authenticator app
      • STAGING: "both" - Test all MFA methods
      • PRODUCTION: "both" - Maximum flexibility for users
      Returns:
      MFA method: "totp", "sms", or "both"
    • getAccessTokenValidityHours

      int getAccessTokenValidityHours()
      Get the OAuth 2.0 access token validity duration in hours.

      Shorter durations are more secure but require more frequent re-authentication.

      • DEV: 8 hours - Full workday without re-auth
      • STAGING: 2 hours - Balance security and convenience
      • PRODUCTION: 1 hour - Strict security, comply with PCI-DSS requirements
      Returns:
      Access token validity in hours
    • getIdTokenValidityHours

      int getIdTokenValidityHours()
      Get the OAuth 2.0 ID token validity duration in hours.

      ID tokens contain user identity information and should have limited lifetime.

      • DEV: 8 hours - Match access token for simplicity
      • STAGING: 2 hours - Balance security and convenience
      • PRODUCTION: 1 hour - Minimize exposure window
      Returns:
      ID token validity in hours
    • getRefreshTokenValidityDays

      int getRefreshTokenValidityDays()
      Get the OAuth 2.0 refresh token validity duration in days.

      Refresh tokens allow obtaining new access tokens without re-authentication. Longer durations improve UX but increase risk if token is compromised.

      • DEV: 30 days - Long-lived for development convenience
      • STAGING: 7 days - Weekly re-authentication
      • PRODUCTION: 1 day - Daily re-authentication for maximum security
      Returns:
      Refresh token validity in days
    • getMinimumPasswordLength

      int getMinimumPasswordLength()
      Get the minimum password length required for user accounts.

      Longer passwords provide better security against brute-force attacks.

      • DEV: 8 - Minimum acceptable for testing
      • STAGING: 12 - Production-like requirements
      • PRODUCTION: 14 - Strong password policy (NIST 800-63B compliant)
      Returns:
      Minimum password length
    • getTempPasswordValidityDays

      int getTempPasswordValidityDays()
      Get the temporary password validity duration in days.

      Temporary passwords are issued to new users and must be changed on first login. Shorter durations reduce the window for password interception.

      • DEV: 7 days - Flexible for testing
      • STAGING: 3 days - Production-like urgency
      • PRODUCTION: 1 day - Immediate action required
      Returns:
      Temporary password validity in days
    • isSelfSignupEnabled

      boolean isSelfSignupEnabled()
      Whether self-service user registration is allowed.

      Self-signup allows users to create their own accounts without admin intervention. This should be disabled in production for controlled access.

      • DEV: true - Allow easy account creation for testing
      • STAGING: false - Admin-controlled access like production
      • PRODUCTION: false - Strict access control, admins create accounts
      Returns:
      true if self-service signup is allowed
    • isPreventUserExistenceErrorsEnabled

      boolean isPreventUserExistenceErrorsEnabled()
      Whether to prevent user existence errors in authentication responses.

      When enabled, authentication errors don't reveal whether a username exists. This prevents username enumeration attacks but makes debugging harder.

      • DEV: false - Helpful error messages for debugging
      • STAGING: true - Test production security behavior
      • PRODUCTION: true - Prevent username enumeration
      Returns:
      true if user existence errors should be prevented
    • isAdvancedSecurityEnabled

      boolean isAdvancedSecurityEnabled()
      Whether advanced security features (risk-based authentication) should be enabled.

      Advanced security includes adaptive authentication that analyzes login patterns and can block suspicious activity. Requires Cognito Plus tier.

      • DEV: false - Not needed for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true - Recommended for threat detection (requires Plus tier)
      Returns:
      true if advanced security features should be enabled
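The Cognito-related methods from isMfaRequired through isAdvancedSecurityEnabled describe one user pool and one app client. The following hypothetical CDK helper is an added example, not code from the project that defines this interface; it assumes aws-cdk-lib v2 for Java, a public (secret-less) app client, and a factory class name (ProfiledUserPoolFactory) that does not appear on this page.

```java
import software.amazon.awscdk.Duration;
import software.amazon.awscdk.services.cognito.AdvancedSecurityMode;
import software.amazon.awscdk.services.cognito.Mfa;
import software.amazon.awscdk.services.cognito.MfaSecondFactor;
import software.amazon.awscdk.services.cognito.PasswordPolicy;
import software.amazon.awscdk.services.cognito.UserPool;
import software.amazon.awscdk.services.cognito.UserPoolClient;
import software.constructs.Construct;

/** Hypothetical helper (assumed name): builds a user pool and app client from the profile. */
public final class ProfiledUserPoolFactory {

    private ProfiledUserPoolFactory() {}

    /** Maps getDefaultMfaMethod() ("totp", "sms", "both") to Cognito's second-factor set. */
    static MfaSecondFactor secondFactorFor(String method) {
        switch (method) {
            case "totp": return MfaSecondFactor.builder().otp(true).sms(false).build();
            case "sms":  return MfaSecondFactor.builder().otp(false).sms(true).build();
            case "both": return MfaSecondFactor.builder().otp(true).sms(true).build();
            default: throw new IllegalArgumentException("Unknown MFA method: " + method);
        }
    }

    public static UserPoolClient create(Construct scope, String id,
            SecurityProfileConfiguration profile) {
        UserPool pool = UserPool.Builder.create(scope, id)
                // isSelfSignupEnabled(): false means only admins create accounts
                .selfSignUpEnabled(profile.isSelfSignupEnabled())
                // isMfaRequired(): REQUIRED in staging/production, OPTIONAL in dev
                .mfa(profile.isMfaRequired() ? Mfa.REQUIRED : Mfa.OPTIONAL)
                .mfaSecondFactor(secondFactorFor(profile.getDefaultMfaMethod()))
                .passwordPolicy(PasswordPolicy.builder()
                        .minLength(profile.getMinimumPasswordLength())
                        .tempPasswordValidity(Duration.days(profile.getTempPasswordValidityDays()))
                        .build())
                // isAdvancedSecurityEnabled(): adaptive (risk-based) authentication, Plus tier.
                // advancedSecurityMode is deprecated in recent aws-cdk-lib releases in favour
                // of the feature-plan API; it still maps to the same Cognito setting.
                .advancedSecurityMode(profile.isAdvancedSecurityEnabled()
                        ? AdvancedSecurityMode.ENFORCED : AdvancedSecurityMode.OFF)
                .build();

        // Cognito bounds: access/ID token validity 5 minutes to 24 hours, refresh token
        // 60 minutes to 10 years, and the refresh token must outlive the other two.
        // Every per-environment value listed on this page satisfies those bounds.
        return UserPoolClient.Builder.create(scope, id + "Client")
                .userPool(pool)
                .generateSecret(false)   // assumed: browser/mobile client, no client secret
                .accessTokenValidity(Duration.hours(profile.getAccessTokenValidityHours()))
                .idTokenValidity(Duration.hours(profile.getIdTokenValidityHours()))
                .refreshTokenValidity(Duration.days(profile.getRefreshTokenValidityDays()))
                // isPreventUserExistenceErrorsEnabled(): generic auth errors, no enumeration
                .preventUserExistenceErrors(profile.isPreventUserExistenceErrorsEnabled())
                .build();
    }
}
```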
    • isMacieEnabled

      boolean isMacieEnabled()
      Whether Amazon Macie should be enabled for sensitive data discovery.

      Macie uses machine learning to automatically discover, classify, and protect sensitive data like PII and PHI in S3 buckets.

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true - Required for HIPAA/GDPR compliance
      Returns:
      true if Macie should be enabled
    • isMacieAutomatedDiscoveryEnabled

      boolean isMacieAutomatedDiscoveryEnabled()
      Whether Macie automated discovery jobs should be enabled.

      Automated discovery continuously scans S3 buckets for sensitive data. Only applicable when Macie is enabled.

      • DEV: false - Not applicable
      • STAGING: false - Manual discovery preferred
      • PRODUCTION: true - Continuous monitoring required for compliance
      Returns:
      true if automated discovery should be enabled
    • isSecurityHubEnabled

      boolean isSecurityHubEnabled()
      Whether AWS Security Hub should be enabled for centralized security findings.

      Security Hub aggregates security findings from multiple AWS services (GuardDuty, Inspector, Macie, etc.) and provides compliance checks.

      • DEV: false - Not needed for development
      • STAGING: true - Test security monitoring
      • PRODUCTION: true - Centralized security monitoring
      Returns:
      true if Security Hub should be enabled
    • isInspectorEnabled

      boolean isInspectorEnabled()
      Whether Amazon Inspector should be enabled for vulnerability scanning.

      Inspector automatically discovers workloads and continuously scans for software vulnerabilities and network exposure.

      • DEV: false - Not needed for development
      • STAGING: true - Test vulnerability scanning
      • PRODUCTION: true - Required for PCI-DSS and security best practices
      Returns:
      true if Inspector should be enabled
    • isAntiMalwareEnabled

      boolean isAntiMalwareEnabled()
      Whether anti-malware protection should be enabled on EC2 instances.

      Deploys and configures anti-malware software on EC2 instances. Only applicable for EC2 runtime (not Fargate).

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true (EC2 only) - Required for PCI-DSS Req 5.1
      Returns:
      true if anti-malware should be enabled
    • isFileIntegrityMonitoringEnabled

      boolean isFileIntegrityMonitoringEnabled()
      Whether file integrity monitoring should be enabled on EC2 instances.

      Monitors critical system files for unauthorized changes. Only applicable for EC2 runtime (not Fargate).

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true (EC2 only) - Required for PCI-DSS Req 11.5
      Returns:
      true if file integrity monitoring should be enabled
    • isContainerRuntimeSecurityEnabled

      boolean isContainerRuntimeSecurityEnabled()
      Whether container runtime security monitoring should be enabled.

      Monitors container behavior at runtime for suspicious activity. Only applicable for containerized workloads (Fargate, ECS, EKS).

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true (Fargate/ECS only) - Security best practice
      Returns:
      true if container runtime security should be enabled
    • isContainerImageScanningEnabled

      boolean isContainerImageScanningEnabled()
      Whether container image scanning should be enabled.

      Scans container images for vulnerabilities before deployment. Typically handled by ECR image scanning.

      • DEV: false - Not required for development
      • STAGING: true - Test image scanning pipeline
      • PRODUCTION: true - Required for secure container deployments
      Returns:
      true if container image scanning should be enabled
    • isCloudWatchLogsKmsEncryptionEnabled

      boolean isCloudWatchLogsKmsEncryptionEnabled()
      Whether CloudWatch Logs should be encrypted with KMS.

      KMS encryption provides customer-managed encryption keys for CloudWatch Logs, ensuring audit logs are protected at rest with customer-controlled keys.

      • DEV: false - Standard CloudWatch encryption is sufficient
      • STAGING: false - Optional for testing
      • PRODUCTION: true when compliance frameworks require it (PCI-DSS, HIPAA, SOC2)
      Returns:
      true if CloudWatch Logs should use KMS encryption
    • isCloudTrailInsightsEnabled

      boolean isCloudTrailInsightsEnabled()
      Whether CloudTrail Insights should be enabled for anomaly detection.

      CloudTrail Insights analyzes API activity and detects unusual patterns that may indicate security incidents or operational issues.

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true when compliance frameworks require it (SOC2, NIST)
      Returns:
      true if CloudTrail Insights should be enabled
    • isRoute53QueryLoggingEnabled

      boolean isRoute53QueryLoggingEnabled()
      Whether Route53 DNS query logging should be enabled.

      DNS query logging captures all DNS queries made to Route53 hosted zones, providing network visibility for security monitoring and forensics.

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true when compliance frameworks require it (SOC2, NIST)
      Returns:
      true if Route53 query logging should be enabled
    • isS3ObjectLockEnabled

      boolean isS3ObjectLockEnabled()
      Whether S3 Object Lock should be enabled for compliance audit buckets.

      S3 Object Lock prevents objects from being deleted or overwritten for a specified retention period, ensuring immutability of audit trails.

      Required for:

      • HIPAA § 164.312(c)(1) - Data integrity controls
      • PCI-DSS Req 10.7 - Audit log retention
      • SEC 17a-4 - Record retention for financial services

      • DEV: false - Not required for development
      • STAGING: false - Optional for testing
      • PRODUCTION: true when HIPAA or PCI-DSS compliance is required
      Returns:
      true if S3 Object Lock should be enabled
    • isSnsKmsEncryptionEnabled

      boolean isSnsKmsEncryptionEnabled()
      Whether SNS topics should be encrypted with KMS.

      KMS encryption provides customer-managed encryption keys for SNS topics, ensuring messages at rest are protected with customer-controlled keys.

      Required for:

      • HIPAA § 164.312(a)(2)(iv) - Encryption of ePHI
      • HIPAA § 164.312(e)(2)(ii) - Encryption mechanism
      • PCI-DSS Req 8.2.1 - Data at rest encryption

      • DEV: false - Standard SNS encryption is sufficient
      • STAGING: false - Optional for testing
      • PRODUCTION: true when HIPAA or PCI-DSS compliance is required
      Returns:
      true if SNS topics should use KMS encryption
    • isImdsv2Required

      boolean isImdsv2Required()
      Whether EC2 instances must use IMDSv2 (Instance Metadata Service Version 2).

      IMDSv2 uses session-based tokens and provides better protection against SSRF attacks and unauthorized access to instance metadata.

      Required for:

      • HIPAA § 164.308(a)(3)(i) - Access controls
      • HIPAA § 164.308(a)(4)(ii)(A) - Access authorization
      • HIPAA § 164.312(a)(1) - Access control
      • PCI-DSS - Defense in depth

      • DEV: false - IMDSv1 allowed for development convenience
      • STAGING: true - Test production security behavior
      • PRODUCTION: true - Required for HIPAA compliance
      Returns:
      true if IMDSv2 should be required