feat(HIPAA Security): Add 3 EC2 checks (#317)
closes #189 
closes #191 
closes #239 
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
maafk authored Aug 23, 2021
1 parent e83e33e commit 9a6732b
Showing 7 changed files with 355 additions and 17 deletions.
13 changes: 8 additions & 5 deletions RULES.md
Expand Up @@ -136,11 +136,14 @@ There are currently no warnings for this rule pack.

### Errors

| Rule ID | Cause | Explanation | Relevant Control ID(s) |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| [HIPAA.Security-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | 164.308(a)(3)(ii)(A), 164.312(b) |
| [HIPAA.Security-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| [HIPAA.Security-CloudTrailLogFileValidationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html) | The trail does not have log file validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | 164.312(c)(1), 164.312(c)(2) |
| Rule ID | Cause | Explanation | Relevant Control ID(s) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| [HIPAA.Security-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | 164.308(a)(3)(ii)(A), 164.312(b) |
| [HIPAA.Security-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| [HIPAA.Security-CloudTrailLogFileValidationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html) | The trail does not have log file validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | 164.312(c)(1), 164.312(c)(2) |
| [HIPAA.Security-EC2InstanceDetailedMonitoringEnabled](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html) | The EC2 instance does not have detailed monitoring enabled. | Enable this rule to help improve Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring on the Amazon EC2 console, which displays monitoring graphs with a 1-minute period for the instance. | 164.312(b) |
| [HIPAA.Security-EC2InstanceNoPublicIp](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html) | The EC2 instance is associated with a public IP address. | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) |
| [HIPAA.Security-EC2InstancesInVPC](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html) | The EC2 instance is not within a VPC. | Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) |

### Excluded Rules

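Review bot: the new HIPAA.Security-EC2InstancesInVPC row has two typos in its Explanation cell: "anAmazon VPC" is missing a space and "the amazon VPC" should read "the Amazon VPC". Also, the Rule ID documented here for the public IP check, HIPAA.Security-EC2InstanceNoPublicIp, is the string users will pass to suppress the finding, so it must match what checkEC2 passes to ignoreRule and reports as ruleId; the hipaa-security.ts hunk in this same commit uses 'HIPAA.Security-EC2CheckNoPublicIPs' instead. Please align one side with the other.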
73 changes: 61 additions & 12 deletions src/HIPAA-Security/hipaa-security.ts
Expand Up @@ -11,6 +11,12 @@ import {
hipaaSecurityCloudTrailLogFileValidationEnabled,
} from './rules/cloudtrail/index';

import {
hipaaSecurityEC2InstanceDetailedMonitoringEnabled,
hipaaSecurityEC2InstancesInVPC,
hipaaSecurityEC2InstanceNoPublicIp,
} from './rules/ec2/index';

/**
* Check for HIPAA Security compliance.
* Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
Expand All @@ -27,7 +33,7 @@ export class HIPAASecurityChecks extends NagPack {
// this.checkCodeBuild(node, ignores);
// this.checkDMS(node, ignores);
// this.checkDynamoDB(node, ignores);
// this.checkEC2(node, ignores);
this.checkEC2(node, ignores);
// this.checkECS(node, ignores);
// this.checkEFS(node, ignores);
// this.checkElastiCache(node, ignores);
Expand Down Expand Up @@ -61,11 +67,11 @@ export class HIPAASecurityChecks extends NagPack {
// */
// private checkAutoScaling(node: CfnResource, ignores: any): void {}

// /**
// * Check CloudTrail Resources
// * @param node the IConstruct to evaluate
// * @param ignores list of ignores for the resource
// */
/**
* Check CloudTrail Resources
* @param node the IConstruct to evaluate
* @param ignores list of ignores for the resource
*/
private checkCloudTrail(node: CfnResource, ignores: any): void {
if (
!this.ignoreRule(
Expand Down Expand Up @@ -142,12 +148,55 @@ export class HIPAASecurityChecks extends NagPack {
// */
// private checkDynamoDB(node: CfnResource, ignores: any): void {}

// /**
// * Check EC2 Resources
// * @param node the IConstruct to evaluate
// * @param ignores list of ignores for the resource
// */
// private checkEC2(node: CfnResource, ignores: any): void {}
/**
* Check EC2 Resources
* @param node the IConstruct to evaluate
* @param ignores list of ignores for the resource
*/
private checkEC2(node: CfnResource, ignores: any): void {
if (
!this.ignoreRule(
ignores,
'HIPAA.Security-EC2InstanceDetailedMonitoringEnabled'
) &&
!hipaaSecurityEC2InstanceDetailedMonitoringEnabled(node)
) {
const ruleId = 'HIPAA.Security-C2InstanceDetailedMonitoringEnabled';
const info =
'The EC2 instance does not have detailed monitoring enabled - (Control IDs: 164.312(b)).';
const explanation =
'Detailed monitoring provides additional monitoring information (such as 1-minute period graphs) on the AWS console.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
if (
!this.ignoreRule(ignores, 'HIPAA.Security-EC2InstancesInVPC') &&
!hipaaSecurityEC2InstancesInVPC(node)
) {
const ruleId = 'HIPAA.Security-EC2InstancesInVPC';
const info =
'The EC2 instance is not within a VPC - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1)).';
const explanation =
'Because of their logical isolation, domains that reside within an Amazon VPC have an extra layer of security when compared to domains that use public endpoints.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
if (
!this.ignoreRule(ignores, 'HIPAA.Security-EC2CheckNoPublicIPs') &&
!hipaaSecurityEC2InstanceNoPublicIp(node)
) {
const ruleId = 'HIPAA.Security-EC2CheckNoPublicIPs';
const info =
'The EC2 instance is associated with a public IP address - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1)).';
const explanation =
'Amazon EC2 instances can contain sensitive information and access control is required for such resources.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
}

// /**
// * Check ECS Resources
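Review bot: two rule ID strings in checkEC2 are inconsistent. The detailed monitoring block checks ignores against 'HIPAA.Security-EC2InstanceDetailedMonitoringEnabled' but reports ruleId 'HIPAA.Security-C2InstanceDetailedMonitoringEnabled' (missing the E), so the annotation a user sees names a rule that is not in RULES.md. The public IP block uses 'HIPAA.Security-EC2CheckNoPublicIPs' for both ignoreRule and ruleId, while RULES.md documents the rule as HIPAA.Security-EC2InstanceNoPublicIp, so suppressing by the documented ID has no effect. Suggest declaring each ID once, above the `if`, and reusing it for both the ignore lookup and the report so the two cannot drift, e.g. `const ruleId = 'HIPAA.Security-EC2InstanceNoPublicIp';` followed by `!this.ignoreRule(ignores, ruleId)`.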
@@ -0,0 +1,27 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

import { CfnLaunchConfiguration } from '@aws-cdk/aws-autoscaling';
import { CfnInstance } from '@aws-cdk/aws-ec2';
import { IConstruct, Stack } from '@aws-cdk/core';

/**
* EC2 instances have detailed monitoring enabled - (Control IDs: 164.312(b))
* @param node the CfnResource to check
*/
export default function (node: IConstruct): boolean {
if (node instanceof CfnInstance) {
const monitoring = Stack.of(node).resolve(node.monitoring);
if (monitoring == undefined || monitoring == false) {
return false;
}
} else if (node instanceof CfnLaunchConfiguration) {
const monitoring = Stack.of(node).resolve(node.instanceMonitoring);
if (monitoring != undefined && monitoring == false) {
return false;
}
}
return true;
}
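Review bot: the two branches treat an unset property differently (undefined is non-compliant for CfnInstance.monitoring but compliant for CfnLaunchConfiguration.instanceMonitoring) and nothing in the file says why. That mirrors the CloudFormation defaults (an EC2 Instance's Monitoring defaults to false, a LaunchConfiguration's InstanceMonitoring defaults to true), so the logic is right, but a one-line comment in each branch would stop a later edit from "fixing" the asymmetry. Minor: the docblock says "the CfnResource to check" while the parameter type is IConstruct.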
31 changes: 31 additions & 0 deletions src/HIPAA-Security/rules/ec2/hipaaSecurityEC2InstanceNoPublicIp.ts
@@ -0,0 +1,31 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

import { CfnInstance } from '@aws-cdk/aws-ec2';
import { IConstruct, Stack } from '@aws-cdk/core';

/**
* EC2 instances do not have public IPs - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1))
* @param node the CfnResource to check
*/
export default function (node: IConstruct): boolean {
if (node instanceof CfnInstance) {
const networkInterfaces = Stack.of(node).resolve(node.networkInterfaces);
if (networkInterfaces != undefined) {
//Iterate through network interfaces, checking if public IPs are enabled
for (const networkInterface of networkInterfaces) {
const resolvedInterface = Stack.of(node).resolve(networkInterface);
if (resolvedInterface.associatePublicIpAddress != undefined) {
if (resolvedInterface.associatePublicIpAddress == true) {
return false;
}
} else {
return false;
}
}
}
}
return true;
}
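Review bot: the check is inconsistent about unset properties. An instance with no networkInterfaces property at all returns true (compliant), yet an interface that has no associatePublicIpAddress returns false (non-compliant) through the else branch. In both cases CloudFormation falls back to the subnet's MapPublicIpOnLaunch setting, so either both should be flagged as undetermined or both should pass; at minimum the docblock should state that instances without explicit network interfaces are not evaluated by this rule. Once the intended semantics are settled, the nested `if` pair collapses to `if (resolvedInterface.associatePublicIpAddress !== false) { return false; }`.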
22 changes: 22 additions & 0 deletions src/HIPAA-Security/rules/ec2/hipaaSecurityEC2InstancesInVPC.ts
@@ -0,0 +1,22 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

import { CfnInstance } from '@aws-cdk/aws-ec2';
import { IConstruct, Stack } from '@aws-cdk/core';

/**
* EC2 instances are created within VPCs - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1))
* @param node the CfnResource to check
*/
export default function (node: IConstruct): boolean {
if (node instanceof CfnInstance) {
//If we are in a VPC, then we'll have a subnet
const subnetId = Stack.of(node).resolve(node.subnetId);
if (subnetId == undefined) {
return false;
}
}
return true;
}
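Review bot: the check only inspects the top-level subnetId, but a CfnInstance can also be placed in a VPC by setting subnetId on an entry in networkInterfaces (the same property the NoPublicIp rule in this commit iterates); for such an instance node.subnetId resolves to undefined here and the rule reports it as not in a VPC. Suggest also resolving node.networkInterfaces and returning true when any interface carries a subnetId or a networkInterfaceId (an existing ENI is by definition in a VPC), and saying in the docblock what the rule accepts as evidence of VPC placement.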
3 changes: 3 additions & 0 deletions src/HIPAA-Security/rules/ec2/index.ts
Expand Up @@ -2,3 +2,6 @@
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
export { default as hipaaSecurityEC2InstanceDetailedMonitoringEnabled } from './hipaaSecurityEC2InstanceDetailedMonitoringEnabled';
export { default as hipaaSecurityEC2InstancesInVPC } from './hipaaSecurityEC2InstancesInVPC';
export { default as hipaaSecurityEC2InstanceNoPublicIp } from './hipaaSecurityEC2InstanceNoPublicIp';