AWS Cloud Control v1.26.0, Mar 12 25

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

aws-native.iot.AccountAuditConfiguration

Explore with Pulumi AI

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

Create AccountAuditConfiguration Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new AccountAuditConfiguration(name: string, args: AccountAuditConfigurationArgs, opts?: CustomResourceOptions);

@overload
def AccountAuditConfiguration(resource_name: str,
                              args: AccountAuditConfigurationArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def AccountAuditConfiguration(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              account_id: Optional[str] = None,
                              audit_check_configurations: Optional[AccountAuditConfigurationAuditCheckConfigurationsArgs] = None,
                              role_arn: Optional[str] = None,
                              audit_notification_target_configurations: Optional[AccountAuditConfigurationAuditNotificationTargetConfigurationsArgs] = None)

func NewAccountAuditConfiguration(ctx *Context, name string, args AccountAuditConfigurationArgs, opts ...ResourceOption) (*AccountAuditConfiguration, error)

public AccountAuditConfiguration(string name, AccountAuditConfigurationArgs args, CustomResourceOptions? opts = null)

public AccountAuditConfiguration(String name, AccountAuditConfigurationArgs args)
public AccountAuditConfiguration(String name, AccountAuditConfigurationArgs args, CustomResourceOptions options)

type: aws-native:iot:AccountAuditConfiguration
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args AccountAuditConfigurationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args AccountAuditConfigurationArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args AccountAuditConfigurationArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args AccountAuditConfigurationArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args AccountAuditConfigurationArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

AccountAuditConfiguration Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The AccountAuditConfiguration resource accepts the following input properties:

AccountId string

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

AuditCheckConfigurations Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

Some data collection might start immediately when certain checks are enabled. When a check is disabled, any data collected so far in relation to the check is deleted. To disable a check, set the value of the Enabled: key to false .

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

RoleArn string

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

AuditNotificationTargetConfigurations Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent.

AccountId string

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

AuditCheckConfigurations AccountAuditConfigurationAuditCheckConfigurationsArgs

Specifies which audit checks are enabled and disabled for this account.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

RoleArn string

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

AuditNotificationTargetConfigurations AccountAuditConfigurationAuditNotificationTargetConfigurationsArgs

Information about the targets to which audit notifications are sent.

accountId String

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

auditCheckConfigurations AccountAuditConfigurationAuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

roleArn String

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

auditNotificationTargetConfigurations AccountAuditConfigurationAuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent.

accountId string

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

auditCheckConfigurations AccountAuditConfigurationAuditCheckConfigurations

Specifies which audit checks are enabled and disabled for this account.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

roleArn string

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

auditNotificationTargetConfigurations AccountAuditConfigurationAuditNotificationTargetConfigurations

Information about the targets to which audit notifications are sent.

account_id str

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

audit_check_configurations AccountAuditConfigurationAuditCheckConfigurationsArgs

Specifies which audit checks are enabled and disabled for this account.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

role_arn str

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

audit_notification_target_configurations AccountAuditConfigurationAuditNotificationTargetConfigurationsArgs

Information about the targets to which audit notifications are sent.

accountId String

Your 12-digit account ID (used as the primary identifier for the CloudFormation resource).

auditCheckConfigurations Property Map

Specifies which audit checks are enabled and disabled for this account.

If an enabled check is removed from the template, it will also be disabled.

You can't disable a check if it's used by any scheduled audit. You must delete the check from the scheduled audit or delete the scheduled audit itself to disable the check.

For more information on avialbe auidt checks see AWS::IoT::AccountAuditConfiguration AuditCheckConfigurations

roleArn String

The ARN of the role that grants permission to AWS IoT to access information about your devices, policies, certificates and other items as required when performing an audit.

auditNotificationTargetConfigurations Property Map

Information about the targets to which audit notifications are sent.

Outputs

All input properties are implicitly available as output properties. Additionally, the AccountAuditConfiguration resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Supporting Types

AccountAuditConfigurationAuditCheckConfiguration, AccountAuditConfigurationAuditCheckConfigurationArgs

Enabled bool: True if the check is enabled.

Enabled bool: True if the check is enabled.

enabled Boolean: True if the check is enabled.

enabled boolean: True if the check is enabled.

enabled bool: True if the check is enabled.

enabled Boolean: True if the check is enabled.

AccountAuditConfigurationAuditCheckConfigurations, AccountAuditConfigurationAuditCheckConfigurationsArgs

AuthenticatedCognitoRoleOverlyPermissiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
CaCertificateExpiringCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
CaCertificateKeyQualityCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
ConflictingClientIdsCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple devices connect using the same client ID.
DeviceCertificateAgeCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
DeviceCertificateExpiringCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
DeviceCertificateKeyQualityCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
DeviceCertificateSharedCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
IntermediateCaRevokedForActiveDeviceCertificatesCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if device certificates are still active despite being revoked by an intermediate CA.
IoTPolicyPotentialMisConfigurationCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
IotPolicyOverlyPermissiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
IotRoleAliasAllowsAccessToUnusedServicesCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
IotRoleAliasOverlyPermissiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
LoggingDisabledCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if AWS IoT logs are disabled.
RevokedCaCertificateStillActiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked CA certificate is still active.
RevokedDeviceCertificateStillActiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked device certificate is still active.
UnauthenticatedCognitoRoleOverlyPermissiveCheck Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditCheckConfiguration: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

AuthenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
CaCertificateExpiringCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
CaCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
ConflictingClientIdsCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple devices connect using the same client ID.
DeviceCertificateAgeCheck AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
DeviceCertificateExpiringCheck AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
DeviceCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
DeviceCertificateSharedCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
IntermediateCaRevokedForActiveDeviceCertificatesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if device certificates are still active despite being revoked by an intermediate CA.
IoTPolicyPotentialMisConfigurationCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
IotPolicyOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
IotRoleAliasAllowsAccessToUnusedServicesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
IotRoleAliasOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
LoggingDisabledCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if AWS IoT logs are disabled.
RevokedCaCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked CA certificate is still active.
RevokedDeviceCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked device certificate is still active.
UnauthenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

authenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
caCertificateExpiringCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
caCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
conflictingClientIdsCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple devices connect using the same client ID.
deviceCertificateAgeCheck AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
deviceCertificateExpiringCheck AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
deviceCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
deviceCertificateSharedCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
intermediateCaRevokedForActiveDeviceCertificatesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if device certificates are still active despite being revoked by an intermediate CA.
ioTPolicyPotentialMisConfigurationCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
iotPolicyOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
iotRoleAliasAllowsAccessToUnusedServicesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
iotRoleAliasOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
loggingDisabledCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if AWS IoT logs are disabled.
revokedCaCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked CA certificate is still active.
revokedDeviceCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked device certificate is still active.
unauthenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

authenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
caCertificateExpiringCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
caCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
conflictingClientIdsCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple devices connect using the same client ID.
deviceCertificateAgeCheck AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
deviceCertificateExpiringCheck AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
deviceCertificateKeyQualityCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
deviceCertificateSharedCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
intermediateCaRevokedForActiveDeviceCertificatesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if device certificates are still active despite being revoked by an intermediate CA.
ioTPolicyPotentialMisConfigurationCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
iotPolicyOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
iotRoleAliasAllowsAccessToUnusedServicesCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
iotRoleAliasOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
loggingDisabledCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if AWS IoT logs are disabled.
revokedCaCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked CA certificate is still active.
revokedDeviceCertificateStillActiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked device certificate is still active.
unauthenticatedCognitoRoleOverlyPermissiveCheck AccountAuditConfigurationAuditCheckConfiguration: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

authenticated_cognito_role_overly_permissive_check AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
ca_certificate_expiring_check AccountAuditConfigurationAuditCheckConfiguration: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
ca_certificate_key_quality_check AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
conflicting_client_ids_check AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple devices connect using the same client ID.
device_certificate_age_check AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
device_certificate_expiring_check AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
device_certificate_key_quality_check AccountAuditConfigurationAuditCheckConfiguration: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
device_certificate_shared_check AccountAuditConfigurationAuditCheckConfiguration: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
intermediate_ca_revoked_for_active_device_certificates_check AccountAuditConfigurationAuditCheckConfiguration: Checks if device certificates are still active despite being revoked by an intermediate CA.
io_t_policy_potential_mis_configuration_check AccountAuditConfigurationAuditCheckConfiguration: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
iot_policy_overly_permissive_check AccountAuditConfigurationAuditCheckConfiguration: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
iot_role_alias_allows_access_to_unused_services_check AccountAuditConfigurationAuditCheckConfiguration: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
iot_role_alias_overly_permissive_check AccountAuditConfigurationAuditCheckConfiguration: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
logging_disabled_check AccountAuditConfigurationAuditCheckConfiguration: Checks if AWS IoT logs are disabled.
revoked_ca_certificate_still_active_check AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked CA certificate is still active.
revoked_device_certificate_still_active_check AccountAuditConfigurationAuditCheckConfiguration: Checks if a revoked device certificate is still active.
unauthenticated_cognito_role_overly_permissive_check AccountAuditConfigurationAuditCheckConfiguration: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

authenticatedCognitoRoleOverlyPermissiveCheck Property Map: Checks the permissiveness of an authenticated Amazon Cognito identity pool role. For this check, AWS IoT Device Defender audits all Amazon Cognito identity pools that have been used to connect to the AWS IoT message broker during the 31 days before the audit is performed.
caCertificateExpiringCheck Property Map: Checks if a CA certificate is expiring. This check applies to CA certificates expiring within 30 days or that have expired.
caCertificateKeyQualityCheck Property Map: Checks the quality of the CA certificate key. The quality checks if the key is in a valid format, not expired, and if the key meets a minimum required size. This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER .
conflictingClientIdsCheck Property Map: Checks if multiple devices connect using the same client ID.
deviceCertificateAgeCheck Property Map: Checks when a device certificate has been active for a number of days greater than or equal to the number you specify.
deviceCertificateExpiringCheck Property Map: Checks if a device certificate is expiring. By default, this check applies to device certificates expiring within 30 days or that have expired. You can modify this threshold by configuring the DeviceCertExpirationAuditCheckConfiguration.
deviceCertificateKeyQualityCheck Property Map: Checks the quality of the device certificate key. The quality checks if the key is in a valid format, not expired, signed by a registered certificate authority, and if the key meets a minimum required size.
deviceCertificateSharedCheck Property Map: Checks if multiple concurrent connections use the same X.509 certificate to authenticate with AWS IoT .
intermediateCaRevokedForActiveDeviceCertificatesCheck Property Map: Checks if device certificates are still active despite being revoked by an intermediate CA.
ioTPolicyPotentialMisConfigurationCheck Property Map: Checks if an AWS IoT policy is potentially misconfigured. Misconfigured policies, including overly permissive policies, can cause security incidents like allowing devices access to unintended resources. This check is a warning for you to make sure that only intended actions are allowed before updating the policy.
iotPolicyOverlyPermissiveCheck Property Map: Checks the permissiveness of a policy attached to an authenticated Amazon Cognito identity pool role.
iotRoleAliasAllowsAccessToUnusedServicesCheck Property Map: Checks if a role alias has access to services that haven't been used for the AWS IoT device in the last year.
iotRoleAliasOverlyPermissiveCheck Property Map: Checks if the temporary credentials provided by AWS IoT role aliases are overly permissive.
loggingDisabledCheck Property Map: Checks if AWS IoT logs are disabled.
revokedCaCertificateStillActiveCheck Property Map: Checks if a revoked CA certificate is still active.
revokedDeviceCertificateStillActiveCheck Property Map: Checks if a revoked device certificate is still active.
unauthenticatedCognitoRoleOverlyPermissiveCheck Property Map: Checks if policy attached to an unauthenticated Amazon Cognito identity pool role is too permissive.

AccountAuditConfigurationAuditNotificationTarget, AccountAuditConfigurationAuditNotificationTargetArgs

Enabled bool: True if notifications to the target are enabled.
RoleArn string: The ARN of the role that grants permission to send notifications to the target.
TargetArn string: The ARN of the target (SNS topic) to which audit notifications are sent.

Enabled bool: True if notifications to the target are enabled.
RoleArn string: The ARN of the role that grants permission to send notifications to the target.
TargetArn string: The ARN of the target (SNS topic) to which audit notifications are sent.

enabled Boolean: True if notifications to the target are enabled.
roleArn String: The ARN of the role that grants permission to send notifications to the target.
targetArn String: The ARN of the target (SNS topic) to which audit notifications are sent.

enabled boolean: True if notifications to the target are enabled.
roleArn string: The ARN of the role that grants permission to send notifications to the target.
targetArn string: The ARN of the target (SNS topic) to which audit notifications are sent.

enabled bool: True if notifications to the target are enabled.
role_arn str: The ARN of the role that grants permission to send notifications to the target.
target_arn str: The ARN of the target (SNS topic) to which audit notifications are sent.

enabled Boolean: True if notifications to the target are enabled.
roleArn String: The ARN of the role that grants permission to send notifications to the target.
targetArn String: The ARN of the target (SNS topic) to which audit notifications are sent.

AccountAuditConfigurationAuditNotificationTargetConfigurations, AccountAuditConfigurationAuditNotificationTargetConfigurationsArgs

Sns Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationAuditNotificationTarget: The Sns notification target.

Sns AccountAuditConfigurationAuditNotificationTarget: The Sns notification target.

sns AccountAuditConfigurationAuditNotificationTarget: The Sns notification target.

sns AccountAuditConfigurationAuditNotificationTarget: The Sns notification target.

sns AccountAuditConfigurationAuditNotificationTarget: The Sns notification target.

sns Property Map: The Sns notification target.

AccountAuditConfigurationCertAgeCheckCustomConfiguration, AccountAuditConfigurationCertAgeCheckCustomConfigurationArgs

CertAgeThresholdInDays string: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

CertAgeThresholdInDays string: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

certAgeThresholdInDays String: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

certAgeThresholdInDays string: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

cert_age_threshold_in_days str: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

certAgeThresholdInDays String: The number of days that defines when a device certificate is considered to have aged. The check will report a finding if a certificate has been active for a number of days greater than or equal to this threshold value.

AccountAuditConfigurationCertExpirationCheckCustomConfiguration, AccountAuditConfigurationCertExpirationCheckCustomConfigurationArgs

CertExpirationThresholdInDays string: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

CertExpirationThresholdInDays string: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

certExpirationThresholdInDays String: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

certExpirationThresholdInDays string: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

cert_expiration_threshold_in_days str: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

certExpirationThresholdInDays String: The number of days before expiration that defines when a device certificate is considered to be approaching expiration. The check will report a finding if a certificate will expire within this number of days.

AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration, AccountAuditConfigurationDeviceCertAgeAuditCheckConfigurationArgs

Configuration Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationCertAgeCheckCustomConfiguration: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
Enabled bool: True if the check is enabled.

Configuration AccountAuditConfigurationCertAgeCheckCustomConfiguration: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
Enabled bool: True if the check is enabled.

configuration AccountAuditConfigurationCertAgeCheckCustomConfiguration: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
enabled Boolean: True if the check is enabled.

configuration AccountAuditConfigurationCertAgeCheckCustomConfiguration: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
enabled boolean: True if the check is enabled.

configuration AccountAuditConfigurationCertAgeCheckCustomConfiguration: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
enabled bool: True if the check is enabled.

configuration Property Map: Configuration settings for the device certificate age check, including the threshold in days for certificate age. This configuration is of type CertAgeCheckCustomConfiguration .
enabled Boolean: True if the check is enabled.

AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration, AccountAuditConfigurationDeviceCertExpirationAuditCheckConfigurationArgs

Configuration Pulumi.AwsNative.IoT.Inputs.AccountAuditConfigurationCertExpirationCheckCustomConfiguration: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
Enabled bool: True if the check is enabled.

Configuration AccountAuditConfigurationCertExpirationCheckCustomConfiguration: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
Enabled bool: True if the check is enabled.

configuration AccountAuditConfigurationCertExpirationCheckCustomConfiguration: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
enabled Boolean: True if the check is enabled.

configuration AccountAuditConfigurationCertExpirationCheckCustomConfiguration: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
enabled boolean: True if the check is enabled.

configuration AccountAuditConfigurationCertExpirationCheckCustomConfiguration: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
enabled bool: True if the check is enabled.

configuration Property Map: Configuration settings for the device certificate expiration check, including the threshold in days before expiration. This configuration is of type CertExpirationCheckCustomConfiguration
enabled Boolean: True if the check is enabled.

Package Details

Repository: AWS Native pulumi/pulumi-aws-native
License: Apache-2.0

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.26.0 published on Wednesday, Mar 12, 2025 by Pulumi

pulumi/pulumi-aws-native

aws-native.iot.AccountAuditConfiguration

On this page

On this page

Create AccountAuditConfiguration Resource

Constructor syntax

Parameters

AccountAuditConfiguration Resource Properties

Inputs

Outputs

Supporting Types

AccountAuditConfigurationAuditCheckConfiguration, AccountAuditConfigurationAuditCheckConfigurationArgs

AccountAuditConfigurationAuditCheckConfigurations, AccountAuditConfigurationAuditCheckConfigurationsArgs

AccountAuditConfigurationAuditNotificationTarget, AccountAuditConfigurationAuditNotificationTargetArgs

AccountAuditConfigurationAuditNotificationTargetConfigurations, AccountAuditConfigurationAuditNotificationTargetConfigurationsArgs

AccountAuditConfigurationCertAgeCheckCustomConfiguration, AccountAuditConfigurationCertAgeCheckCustomConfigurationArgs

AccountAuditConfigurationCertExpirationCheckCustomConfiguration, AccountAuditConfigurationCertExpirationCheckCustomConfigurationArgs

AccountAuditConfigurationDeviceCertAgeAuditCheckConfiguration, AccountAuditConfigurationDeviceCertAgeAuditCheckConfigurationArgs

AccountAuditConfigurationDeviceCertExpirationAuditCheckConfiguration, AccountAuditConfigurationDeviceCertExpirationAuditCheckConfigurationArgs

Package Details

On this page

On this page