import { aws_iam as iam, aws_kms as kms, aws_s3 as s3, aws_sqs as sqs } from 'aws-cdk-lib';
import { Construct } from 'constructs';
/**
 * Properties for the CrowdStrikeBucket construct.
 */
export interface CrowdStrikeBucketProps extends s3.BucketProps {
    /**
     * Properties for the SQS queue.
     *
     * @default - enforceSSL: true, deadLetterQueue: { maxReceiveCount: 5, queue: new sqs.Queue(this, 'DLQ', { queueName: `${this.bucketName}-dlq`, enforceSSL: true, }), },
     */
    readonly queueProps?: sqs.QueueProps;
    /**
     * Whether to create a KMS key for the bucket.
     *
     * @default - false
     */
    readonly createKmsKey?: boolean;
    /**
     * Properties for the KMS key.
     *
     * @default - removalPolicy: RemovalPolicy.RETAIN_ON_UPDATE_OR_DELETE, enableKeyRotation: false, multiRegion: true, description: `KMS Key for CrowdStrike ingestion bucket ${this.bucketName}`,
     */
    readonly keyProps?: kms.KeyProps;
    /**
     * Properties for the IAM role.
     *
     * If you provide this, you must provide the roleProps.assumedBy property,
     * and you don't need to provide the crowdStrikeRoleParameterArn and crowdStrikeExternalIdParameterArn.
     *
     * @default - none except for the assumedBy property which is set to a CrowdStrike principal.
     */
    readonly roleProps?: iam.RoleProps;
    /**
     * The CrowdStrike role ARN.
     *
     * Required unless the role principal is provided directly in the roleProps.
     */
    readonly crowdStrikeRoleArn?: string;
    /**
     * The ARN of the SSM parameter containing the CrowdStrike external ID.
     *
     * Required unless the role principal is provided directly in the roleProps.
     */
    readonly crowdStrikeExternalIdParameterArn?: string;
    /**
     * The organization ID.
     * If provided, the bucket will allow write access to all accounts in the organization.
     * If there is a KMS key, it will also allow encrypt/decrypt access to the organization.
     *
     * @default - none
     */
    readonly orgId?: string;
    /**
     * The name of the S3 bucket that will be sending S3 access logs to this bucket.
     * This is used to configure the bucket policy to allow logging from that bucket.
     *
     * @default - none
     */
    readonly loggingBucketSourceName?: string;
}
/**
 * A construct that creates an S3 bucket for CrowdStrike data ingestion,
 * along with an SQS queue for notifications, an IAM role for access,
 * and optionally a KMS key for encryption.
 */
export declare class CrowdStrikeBucket extends s3.Bucket {
    /**
     * The SQS queue that receives notifications for new objects in the bucket.
     */
    readonly queue: sqs.Queue;
    /**
     * The KMS key used for encrypting data in the bucket, if created.
     * This will be undefined if createKmsKey is false.
     *
     * Note that the bucket will still be created with S3-managed encryption
     * even if this is provided. The key is used by the service writing to the bucket.
     */
    readonly key?: kms.Key;
    /**
     * The IAM role that CrowdStrike will assume to access the data in the bucket.
     */
    readonly role: iam.Role;
    /**
     * Constructs a new CrowdStrikeBucket.
     *
     * @param scope The scope in which this construct is defined.
     * @param id The scoped construct ID.
     * @param props The properties for the bucket, queue, role, and optional KMS key.
     */
    constructor(scope: Construct, id: string, props: CrowdStrikeBucketProps);
}
