import { AccessLevelList } from '../../shared/access-level'; import { PolicyStatement, Operator } from '../../shared'; import { aws_iam as iam } from "aws-cdk-lib"; /** * Statement provider for service [shield](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html). * * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement */ export declare class Shield extends PolicyStatement { servicePrefix: string; /** * Grants permission to authorize the DDoS Response team to access the specified Amazon S3 bucket containing your flow logs * * Access Level: Write * * Dependent actions: * - s3:GetBucketPolicy * - s3:PutBucketPolicy * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AssociateDRTLogBucket.html */ toAssociateDRTLogBucket(): this; /** * Grants permission to authorize the DDoS Response team using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks * * Access Level: Write * * Dependent actions: * - iam:GetRole * - iam:ListAttachedRolePolicies * - iam:PassRole * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AssociateDRTRole.html */ toAssociateDRTRole(): this; /** * Grants permission to add health-based detection to the Shield Advanced protection for a resource * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * * Dependent actions: * - route53:GetHealthCheck * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AssociateHealthCheck.html */ toAssociateHealthCheck(): this; /** * Grants permission to initialize proactive engagement and set the list of contacts for the DDoS Response Team (DRT) to use * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AssociateProactiveEngagementDetails.html */ toAssociateProactiveEngagementDetails(): this; /** * Grants permission to activate DDoS protection service for a given resource ARN * * Access Level: Write * * Possible conditions: * - .ifAwsRequestTag() * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_CreateProtection.html */ toCreateProtection(): this; /** * Grants permission to create a grouping of protected resources so they can be handled as a collective * * Access Level: Write * * Possible conditions: * - .ifAwsRequestTag() * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_CreateProtectionGroup.html */ toCreateProtectionGroup(): this; /** * Grants permission to activate subscription * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_CreateSubscription.html */ toCreateSubscription(): this; /** * Grants permission to delete an existing protection * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DeleteProtection.html */ toDeleteProtection(): this; /** * Grants permission to remove the specified protection group * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DeleteProtectionGroup.html */ toDeleteProtectionGroup(): this; /** * Grants permission to deactivate subscription * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DeleteSubscription.html */ toDeleteSubscription(): this; /** * Grants permission to get attack details. For getting attack details protected by AWS WAF anti-DDoS managed rule group, this action additionally calls wafv2:DescribeTopContributorsByEvent to retrieve application layer attack contributors, which requires to have wafv2:DescribeTopContributorsByEvent permission in IAM policy * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeAttack.html */ toDescribeAttack(): this; /** * Grants permission to get detailed information about the contributors to a specific DDoS attack * * Access Level: Read * * https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html */ toDescribeAttackContributors(): this; /** * Grants permission to describe information about the number and type of attacks AWS Shield has detected in the last year * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeAttackStatistics.html */ toDescribeAttackStatistics(): this; /** * Grants permission to describe the current role and list of Amazon S3 log buckets used by the DDoS Response team to access your AWS account while assisting with attack mitigation * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeDRTAccess.html */ toDescribeDRTAccess(): this; /** * Grants permission to list the email addresses that the DRT can use to contact you during a suspected attack * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeEmergencyContactSettings.html */ toDescribeEmergencyContactSettings(): this; /** * Grants permission to get protection details * * Access Level: Read * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeProtection.html */ toDescribeProtection(): this; /** * Grants permission to describe the specification for the specified protection group * * Access Level: Read * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeProtectionGroup.html */ toDescribeProtectionGroup(): this; /** * Grants permission to get subscription details, such as start time * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeSubscription.html */ toDescribeSubscription(): this; /** * Grants permission to disable application layer automatic response for Shield Advanced protection for a resource * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DisableApplicationLayerAutomaticResponse.html */ toDisableApplicationLayerAutomaticResponse(): this; /** * Grants permission to remove authorization from the DDoS Response Team (DRT) to notify contacts about escalations * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DisableProactiveEngagement.html */ toDisableProactiveEngagement(): this; /** * Grants permission to remove the DDoS Response team's access to the specified Amazon S3 bucket containing your flow logs * * Access Level: Write * * Dependent actions: * - s3:DeleteBucketPolicy * - s3:GetBucketPolicy * - s3:PutBucketPolicy * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DisassociateDRTLogBucket.html */ toDisassociateDRTLogBucket(): this; /** * Grants permission to remove the DDoS Response team's access to your AWS account * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DisassociateDRTRole.html */ toDisassociateDRTRole(): this; /** * Grants permission to remove health-based detection from the Shield Advanced protection for a resource * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DisassociateHealthCheck.html */ toDisassociateHealthCheck(): this; /** * Grants permission to enable application layer automatic response for Shield Advanced protection for a resource * * Access Level: Write * * Dependent actions: * - apprunner:DescribeWebAclForService * - cloudfront:GetDistribution * - cognito-idp:GetWebACLForResource * - ec2:GetVerifiedAccessInstanceWebAcl * - iam:CreateServiceLinkedRole * - iam:GetRole * - wafv2:GetWebACL * - wafv2:GetWebACLForResource * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_EnableApplicationLayerAutomaticResponse.html */ toEnableApplicationLayerAutomaticResponse(): this; /** * Grants permission to authorize the DDoS Response Team (DRT) to use email and phone to notify contacts about escalations * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_EnableProactiveEngagement.html */ toEnableProactiveEngagement(): this; /** * Grants permission to retrieve global threat intelligence data and trends from AWS Shield's threat monitoring systems * * Access Level: Read * * https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html */ toGetGlobalThreatData(): this; /** * Grants permission to get subscription state * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_GetSubscriptionState.html */ toGetSubscriptionState(): this; /** * Grants permission to list all existing attacks * * Access Level: List * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListAttacks.html */ toListAttacks(): this; /** * Grants permission to retrieve a list of mitigation actions that have been applied during DDoS attacks * * Access Level: List * * https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html */ toListMitigations(): this; /** * Grants permission to retrieve the protection groups for the account * * Access Level: List * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListProtectionGroups.html */ toListProtectionGroups(): this; /** * Grants permission to list all existing protections * * Access Level: List * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListProtections.html */ toListProtections(): this; /** * Grants permission to retrieve the resources that are included in the protection group * * Access Level: List * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListResourcesInProtectionGroup.html */ toListResourcesInProtectionGroup(): this; /** * Grants permission to get information about AWS tags for a specified Amazon Resource Name (ARN) in AWS Shield * * Access Level: Read * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListTagsForResource.html */ toListTagsForResource(): this; /** * Grants permission to add or updates tags for a resource in AWS Shield * * Access Level: Tagging * * Possible conditions: * - .ifAwsRequestTag() * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_TagResource.html */ toTagResource(): this; /** * Grants permission to remove tags from a resource in AWS Shield * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UntagResource.html */ toUntagResource(): this; /** * Grants permission to update application layer automatic response for Shield Advanced protection for a resource * * Access Level: Write * * Dependent actions: * - apprunner:DescribeWebAclForService * - cognito-idp:GetWebACLForResource * - ec2:GetVerifiedAccessInstanceWebAcl * - wafv2:GetWebACL * - wafv2:GetWebACLForResource * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UpdateApplicationLayerAutomaticResponse.html */ toUpdateApplicationLayerAutomaticResponse(): this; /** * Grants permission to update the details of the list of email addresses that the DRT can use to contact you during a suspected attack * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UpdateEmergencyContactSettings.html */ toUpdateEmergencyContactSettings(): this; /** * Grants permission to update an existing protection group * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UpdateProtectionGroup.html */ toUpdateProtectionGroup(): this; /** * Grants permission to update the details of an existing subscription * * Access Level: Write * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UpdateSubscription.html */ toUpdateSubscription(): this; protected accessLevelList: AccessLevelList; /** * Adds a resource of type attack to the statement * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_AttackDetail.html * * @param id - Identifier for the id. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAttack(id: string, account?: string, partition?: string): this; /** * Adds a resource of type protection to the statement * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_Protection.html * * @param id - Identifier for the id. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onProtection(id: string, account?: string, partition?: string): this; /** * Adds a resource of type protection-group to the statement * * https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ProtectionGroup.html * * @param id - Identifier for the id. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() */ onProtectionGroup(id: string, account?: string, partition?: string): this; /** * Filters actions based on the presence of tag key-value pairs in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag * * Applies to actions: * - .toCreateProtection() * - .toCreateProtectionGroup() * - .toTagResource() * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters actions based on tag key-value pairs attached to the resource * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag * * Applies to actions: * - .toAssociateHealthCheck() * - .toDeleteProtection() * - .toDeleteProtectionGroup() * - .toDescribeProtection() * - .toDescribeProtectionGroup() * - .toDisassociateHealthCheck() * - .toUpdateProtectionGroup() * * Applies to resource types: * - protection * - protection-group * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters actions based on the presence of tag keys in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys * * Applies to actions: * - .toCreateProtection() * - .toCreateProtectionGroup() * - .toTagResource() * - .toUntagResource() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsTagKeys(value: string | string[], operator?: Operator | string): this; /** * Statement provider for service [shield](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html). * */ constructor(props?: iam.PolicyStatementProps); }