feat(HIPAA Security): Elastic Beanstalk Check (#377)
Closes #248 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
dontirun authored Sep 25, 2021
1 parent 403efbd commit 8099ecd
Showing 5 changed files with 177 additions and 1 deletion.
1 change: 1 addition & 0 deletions RULES.md
@@ -163,6 +163,7 @@ There are currently no warnings for this rule pack.
| [HIPAA.Security-EFSEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html) | The EFS does not have encryption at rest enabled. | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS). | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| [HIPAA.Security-ElastiCacheRedisClusterAutomaticBackup](https://docs.aws.amazon.com/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html) | The ElastiCache Redis cluster does not retain automatic backups for at least 15 days. | Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup. | 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B) |
| [HIPAA.Security-ElasticBeanstalkEnhancedHealthReportingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html) | The Elastic Beanstalk environment does not have enhanced health reporting enabled. | AWS Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application. Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. | 164.312(b) |
| [HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled](https://docs.aws.amazon.com/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html) | The Elastic Beanstalk environment does not have managed updates enabled. | Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems. | 164.308(a)(5)(ii)(A) |
| [HIPAA.Security-ELBACMCertificateRequired](https://docs.aws.amazon.com/config/latest/developerguide/elb-acm-certificate-required.html) | The CLB does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager). | Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources. | 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii) |
| [HIPAA.Security-ELBCrossZoneBalancingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html) | The CLB does not balance traffic between at least 2 Availability Zones. | Enable cross-zone load balancing for your Classic Load Balancers (CLBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone. It also improves your application's ability to handle the loss of one or more instances. | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C) |
| [HIPAA.Security-ELBDeletionProtectionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/elb-deletion-protection-enabled.html) | The ALB, NLB, or GLB does not have deletion protection enabled. | This rule ensures that Elastic Load Balancing has deletion protection enabled. Use this feature to prevent your load balancer from being accidentally or maliciously deleted, which can lead to loss of availability for your applications. | 164.308(a)(7)(i), 164.308(a)(7)(ii)(C) |
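Review bot: the second column of the new HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled row only says that managed updates are not enabled, but the rule this PR adds also fails when `aws:elasticbeanstalk:managedactions:platformupdate` / `UpdateLevel` is absent or set to something other than `minor` or `patch`, so a user reading this table cannot tell why an environment with `ManagedActionsEnabled` set to true is being flagged. Suggest extending the text to something like "The Elastic Beanstalk environment does not have managed updates enabled, or its platform update level is not set to minor or patch" so the documentation matches what the rule actually checks.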
21 changes: 20 additions & 1 deletion src/HIPAA-Security/hipaa-security.ts
@@ -39,7 +39,10 @@ import {
import { hipaaSecurityECSTaskDefinitionUserForHostMode } from './rules/ecs';
import { hipaaSecurityEFSEncrypted } from './rules/efs';
import { hipaaSecurityElastiCacheRedisClusterAutomaticBackup } from './rules/elasticache';
import { hipaaSecurityElasticBeanstalkEnhancedHealthReportingEnabled } from './rules/elasticbeanstalk';
import {
hipaaSecurityElasticBeanstalkEnhancedHealthReportingEnabled,
hipaaSecurityElasticBeanstalkManagedUpdatesEnabled,
} from './rules/elasticbeanstalk';
import {
hipaaSecurityALBHttpDropInvalidHeaderEnabled,
hipaaSecurityALBHttpToHttpsRedirection,
@@ -571,6 +574,22 @@ export class HIPAASecurityChecks extends NagPack {
this.createMessage(ruleId, info, explanation)
);
}
if (
!this.ignoreRule(
ignores,
'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled'
) &&
!hipaaSecurityElasticBeanstalkManagedUpdatesEnabled(node)
) {
const ruleId = 'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled';
const info =
'The Elastic Beanstalk environment does not have managed updates enabled - (Control ID: 164.308(a)(5)(ii)(A)).';
const explanation =
'Enabling managed platform updates for an Amazon Elastic Beanstalk environment ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is a best practice in securing systems.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
}

/**
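Review bot: the rule ID string 'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled' is spelled out twice in this block, once in the `ignoreRule` call and again as `const ruleId`; declaring `ruleId` before the `if` and passing it to `ignoreRule` keeps the two from drifting apart if the ID is ever renamed. Also, the `info` text says only that managed updates are not enabled, yet the rule also fails when `UpdateLevel` is missing or not `minor`/`patch`, so a stack that sets `ManagedActionsEnabled` but forgets the update level gets a message that does not name the real problem; consider mentioning the update level in `info` (the RULES.md row has the same gap).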
@@ -0,0 +1,51 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { CfnEnvironment } from '@aws-cdk/aws-elasticbeanstalk';
import { CfnResource, Stack } from '@aws-cdk/core';

/**
* Elastic Beanstalk environments have managed updates enabled - (Control ID: 164.308(a)(5)(ii)(A))
* https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-elasticbeanstalkmanagedactions
* @param node the CfnResource to check
*/
export default function (node: CfnResource): boolean {
if (node instanceof CfnEnvironment) {
const optionSettings = Stack.of(node).resolve(node.optionSettings);
if (optionSettings == undefined) {
return false;
}
let foundEnabled = false;
let foundLevel = false;
for (const optionSetting of optionSettings) {
const resolvedOptionSetting = Stack.of(node).resolve(optionSetting);
const namespace = resolvedOptionSetting.namespace;
const optionName = resolvedOptionSetting.optionName;
const value = resolvedOptionSetting.value;
if (
namespace === 'aws:elasticbeanstalk:managedactions' &&
optionName === 'ManagedActionsEnabled' &&
(value === undefined || value === 'true')
) {
foundEnabled = true;
if (foundLevel) {
break;
}
} else if (
namespace === 'aws:elasticbeanstalk:managedactions:platformupdate' &&
optionName === 'UpdateLevel' &&
(value === 'minor' || value === 'patch')
) {
foundLevel = true;
if (foundEnabled) {
break;
}
}
}
if (!foundEnabled || !foundLevel) {
return false;
}
}
return true;
}
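Review bot: at `(value === undefined || value === 'true')` an option setting for `ManagedActionsEnabled` that carries no `value` at all is counted as enabled, while the `UpdateLevel` branch just below requires an explicit `'minor'` or `'patch'`; the two branches treat a missing value differently, and a setting with no value is not evidence that managed actions are on. Suggest requiring an explicit `'true'` here, or, if an absent value is intentionally accepted, saying why in the doc comment so the compliant test case does not look accidental. Two smaller points: the rule only inspects the environment's own `optionSettings`, so a `CfnEnvironment` that takes these options from a configuration template (`templateName`) will be reported as non-compliant even when managed updates are configured there, which is worth a sentence in the comment; and the paired `if (foundLevel) break;` / `if (foundEnabled) break;` blocks can be collapsed into one `if (foundEnabled && foundLevel) break;` at the end of the loop body.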
1 change: 1 addition & 0 deletions src/HIPAA-Security/rules/elasticbeanstalk/index.ts
@@ -3,3 +3,4 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
export { default as hipaaSecurityElasticBeanstalkEnhancedHealthReportingEnabled } from './hipaaSecurityElasticBeanstalkEnhancedHealthReportingEnabled';
export { default as hipaaSecurityElasticBeanstalkManagedUpdatesEnabled } from './hipaaSecurityElasticBeanstalkManagedUpdatesEnabled';
104 changes: 104 additions & 0 deletions test/HIPAA-Security/HIPAA-Security-ElasticBeanstalk.test.ts
@@ -70,4 +70,108 @@ describe('Amazon ElastiCache', () => {
})
);
});

test('HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled: - Elastic Beanstalk environments have managed updates enabled - (Control ID: 164.308(a)(5)(ii)(A))', () => {
const nonCompliant = new Stack();
Aspects.of(nonCompliant).add(new HIPAASecurityChecks());
new CfnEnvironment(nonCompliant, 'rBeanstalk', {
applicationName: 'foo',
});
const messages = SynthUtils.synthesize(nonCompliant).messages;
expect(messages).toContainEqual(
expect.objectContaining({
entry: expect.objectContaining({
data: expect.stringContaining(
'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled:'
),
}),
})
);

const nonCompliant2 = new Stack();
Aspects.of(nonCompliant2).add(new HIPAASecurityChecks());
new CfnEnvironment(nonCompliant2, 'rBeanstalk', {
applicationName: 'foo',
optionSettings: [
{
namespace: 'aws:elasticbeanstalk:managedactions',
optionName: 'ManagedActionsEnabled',
value: 'false',
},
],
});
const messages2 = SynthUtils.synthesize(nonCompliant2).messages;
expect(messages2).toContainEqual(
expect.objectContaining({
entry: expect.objectContaining({
data: expect.stringContaining(
'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled:'
),
}),
})
);

const nonCompliant3 = new Stack();
Aspects.of(nonCompliant3).add(new HIPAASecurityChecks());
new CfnEnvironment(nonCompliant3, 'rBeanstalk', {
applicationName: 'foo',
optionSettings: [
{
namespace: 'aws:elasticbeanstalk:managedactions',
optionName: 'ManagedActionsEnabled',
},
{
namespace: 'aws:elasticbeanstalk:managedactions',
optionName: 'PreferredStartTime',
value: 'Tue:09:00',
},
{
namespace: 'aws:elasticbeanstalk:managedactions:platformupdate',
optionName: 'UpdateLevel',
},
],
});
const messages3 = SynthUtils.synthesize(nonCompliant3).messages;
expect(messages3).toContainEqual(
expect.objectContaining({
entry: expect.objectContaining({
data: expect.stringContaining(
'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled:'
),
}),
})
);

const compliant = new Stack();
Aspects.of(compliant).add(new HIPAASecurityChecks());
new CfnEnvironment(compliant, 'rBeanstalk', {
applicationName: 'foo',
optionSettings: [
{
namespace: 'aws:elasticbeanstalk:managedactions',
optionName: 'ManagedActionsEnabled',
},
{
namespace: 'aws:elasticbeanstalk:managedactions',
optionName: 'PreferredStartTime',
value: 'Tue:09:00',
},
{
namespace: 'aws:elasticbeanstalk:managedactions:platformupdate',
optionName: 'UpdateLevel',
value: 'minor',
},
],
});
const messages4 = SynthUtils.synthesize(compliant).messages;
expect(messages4).not.toContainEqual(
expect.objectContaining({
entry: expect.objectContaining({
data: expect.stringContaining(
'HIPAA.Security-ElasticBeanstalkManagedUpdatesEnabled:'
),
}),
})
);
});
});
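Review bot: the new test lands inside `describe('Amazon ElastiCache', () => {` even though this file is HIPAA-Security-ElasticBeanstalk.test.ts and every case constructs a `CfnEnvironment`; rename the describe block so it names Elastic Beanstalk. On coverage, the only compliant case relies on `ManagedActionsEnabled` having no `value` at all, so nothing exercises the explicit `value: 'true'` / `value: 'patch'` path that real stacks use, and there is no case with `ManagedActionsEnabled: 'true'` and an `UpdateLevel` value other than minor/patch; adding those two cases would pin down the rule's behaviour for both the undefined-value branch and the update-level check.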
