feat(HIPAA Security): EFS check (#346)

Closes #244 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
cdklabs · Sep 14, 2021 · ce04f57 · ce04f57
1 parent ab0f6d5
commit ce04f57
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 8 deletions.
diff --git a/RULES.md b/RULES.md
@@ -155,6 +155,7 @@ There are currently no warnings for this rule pack.
 | [HIPAA.Security-EC2InstanceNoPublicIp](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html)                               | The EC2 instance is associated with a public IP address.                                                              | Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed. Amazon EC2 instances can contain sensitive information and access control is required for such accounts.                                                                                                                                                                                                                                                                                                                                         | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) |
 | [HIPAA.Security-EC2InstancesInVPC](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instances-in-vpc.html)                                        | The EC2 instance is not within a VPC.                                                                                 | Deploy Amazon Elastic Compute Cloud (Amazon EC2) instances within an Amazon Virtual Private Cloud (Amazon VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within anAmazon VPC have an extra layer of security when compared to domains that use public endpoints. Assign Amazon EC2 instances to an Amazon VPC to properly manage access. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) |
 | [HIPAA.Security-ECSTaskDefinitionUserForHostMode](https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html) | The ECS task definition is configured for host networking and has at least one container with definitions with 'privileged' set to false or empty or 'user' set to root or empty. | If a task definition has elevated privileges it is because you have specifically opted-in to those configurations. This rule checks for unexpected privilege escalation when a task definition has host networking enabled but the customer has not opted-in to elevated privileges.                                                                                                                                                                                                                                                                                         | 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1) |
+| [HIPAA.Security-EFSEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/efs-encrypted-check.html)                                              | The EFS does not have encryption at rest enabled.                                  | Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).                                                                                                                                                                                                                                                                                                                                                                                                                                   | 164.312(a)(2)(iv), 164.312(e)(2)(ii)                                                       |
 
 ### Excluded Rules
 

diff --git a/src/HIPAA-Security/hipaa-security.ts b/src/HIPAA-Security/hipaa-security.ts
@@ -36,6 +36,7 @@ import {
   hipaaSecurityEC2InstanceNoPublicIp,
 } from './rules/ec2';
 import { hipaaSecurityECSTaskDefinitionUserForHostMode } from './rules/ecs';
+import { hipaaSecurityEFSEncrypted } from './rules/efs';
 
 /**
  * Check for HIPAA Security compliance.
@@ -56,7 +57,7 @@ export class HIPAASecurityChecks extends NagPack {
       this.checkDynamoDB(node, ignores);
       this.checkEC2(node, ignores);
       this.checkECS(node, ignores);
-      // this.checkEFS(node, ignores);
+      this.checkEFS(node, ignores);
       // this.checkElastiCache(node, ignores);
       // this.checkElasticBeanstalk(node, ignores);
       // this.checkElasticsearch(node, ignores);
@@ -423,12 +424,26 @@ export class HIPAASecurityChecks extends NagPack {
     }
   }
 
-  //   /**
-  //    * Check EFS Resources
-  //    * @param node the IConstruct to evaluate
-  //    * @param ignores list of ignores for the resource
-  //    */
-  //   private checkEFS(node: CfnResource, ignores: any): void {}
+  /**
+   * Check EFS Resources
+   * @param node the IConstruct to evaluate
+   * @param ignores list of ignores for the resource
+   */
+  private checkEFS(node: CfnResource, ignores: any) {
+    if (
+      !this.ignoreRule(ignores, 'HIPAA.Security-EFSEncrypted') &&
+      !hipaaSecurityEFSEncrypted(node)
+    ) {
+      const ruleId = 'HIPAA.Security-EFSEncrypted';
+      const info =
+        'The EFS does not have encryption at rest enabled - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)).';
+      const explanation =
+        'Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).';
+      Annotations.of(node).addError(
+        this.createMessage(ruleId, info, explanation)
+      );
+    }
+  }
 
   //   /**
   //    * Check ElastiCache Resources

diff --git a/src/HIPAA-Security/rules/efs/hipaaSecurityEFSEncrypted.ts b/src/HIPAA-Security/rules/efs/hipaaSecurityEFSEncrypted.ts
@@ -0,0 +1,20 @@
+/*
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+import { CfnFileSystem } from '@aws-cdk/aws-efs';
+import { IConstruct, Stack } from '@aws-cdk/core';
+
+/**
+ * Elastic File Systems are configured for encryption at rest - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii))
+ * @param node the CfnResource to check
+ */
+export default function (node: IConstruct): boolean {
+  if (node instanceof CfnFileSystem) {
+    const encrypted = Stack.of(node).resolve(node.encrypted);
+    if (encrypted === false) {
+      return false;
+    }
+  }
+  return true;
+}
diff --git a/src/HIPAA-Security/rules/efs/index.ts b/src/HIPAA-Security/rules/efs/index.ts
@@ -2,3 +2,4 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
+export { default as hipaaSecurityEFSEncrypted } from './hipaaSecurityEFSEncrypted';
diff --git a/test/HIPAA-Security/HIPAA-Security-EFS.test.ts b/test/HIPAA-Security/HIPAA-Security-EFS.test.ts
@@ -0,0 +1,41 @@
+/*
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+import { SynthUtils } from '@aws-cdk/assert';
+import { Vpc } from '@aws-cdk/aws-ec2';
+import { FileSystem } from '@aws-cdk/aws-efs';
+import { Aspects, Stack } from '@aws-cdk/core';
+import { HIPAASecurityChecks } from '../../src';
+
+describe('Amazon Elastic File System (Amazon EFS)', () => {
+  test('hipaaSecurityEFSEncrypted: - Elastic File Systems are configured for encryption at rest - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii))', () => {
+    const nonCompliant = new Stack();
+    Aspects.of(nonCompliant).add(new HIPAASecurityChecks());
+    new FileSystem(nonCompliant, 'rEFS', {
+      vpc: new Vpc(nonCompliant, 'rVpc'),
+      encrypted: false,
+    });
+    const messages = SynthUtils.synthesize(nonCompliant).messages;
+    expect(messages).toContainEqual(
+      expect.objectContaining({
+        entry: expect.objectContaining({
+          data: expect.stringContaining('HIPAA.Security-EFSEncrypted:'),
+        }),
+      })
+    );
+    const compliant = new Stack();
+    Aspects.of(compliant).add(new HIPAASecurityChecks());
+    new FileSystem(compliant, 'rEFS', {
+      vpc: new Vpc(compliant, 'rVpc'),
+    });
+    const messages2 = SynthUtils.synthesize(compliant).messages;
+    expect(messages2).not.toContainEqual(
+      expect.objectContaining({
+        entry: expect.objectContaining({
+          data: expect.stringContaining('HIPAA.Security-EFSEncrypted:'),
+        }),
+      })
+    );
+  });
+});
diff --git a/test/NIST-800-53/NIST-800-53-EFS.test.ts b/test/NIST-800-53/NIST-800-53-EFS.test.ts
@@ -6,7 +6,7 @@ import { SynthUtils } from '@aws-cdk/assert';
 import { Vpc } from '@aws-cdk/aws-ec2';
 import { FileSystem } from '@aws-cdk/aws-efs';
 import { Aspects, Stack } from '@aws-cdk/core';
-import { NIST80053Checks } from '../../src/NIST-800-53/nist-800-53';
+import { NIST80053Checks } from '../../src';
 
 describe('Amazon Elastic File System (Amazon EFS)', () => {
   test('nist80053EFSEncrypted: Elastic File Systems are encrypted', () => {