

feat(HIPAA Security, NIST 800 53 rev 4, NIST 800 53 rev 5, PCI DSS 32…
…1): implemented some previously excluded rules (#450)

* feat(PCI DSS 3.2.1): CodeBuild checks

* feat(PCI DSS 3.2.1): ELB check

* feat(HIPAA Security): DynamoDB Checks

* feat(HIPAA Security): EBS Check

* feat(HIPAA Security): EFS Check

* feat(HIPAA Security): IAM Check

* feat(HIPAA Security): RDS Check

* feat(HIPAA Security): Redshift Check

* feat(HIPAA Security): Secrets Manager Check

* feat(HIPAA Security): VPC Check

* feat(HIPAA Security): WAFv2 Check

* feat(NIST 800-53 rev 4): ELB Check

* feat(NIST 800-53 rev 4): KMS Check

* feat(NIST 800-53 rev 4): DynamoDB Check

* feat(NIST 800-53 rev 4): EC2 Check

* feat(NIST 800-53 rev 4): EFS Check

* feat(NIST 800-53 rev 4): IAM Check

* feat(NIST 800-53 rev 4): RDS Check

* feat(NIST 800-53 rev 4): Redshift Check

* feat(NIST 800-53 rev 4): VPC Check

* feat(NIST 800-53 rev 4): WAF Check

* feat(NIST 800-53 rev 4): DynamoDB Check

* feat(NIST 800-53 rev 4): CloudWatch Check

* feat(NIST 800-53 rev 5):ELB Check

* feat(NIST 800-53 rev 5):KMS Check

* feat(NIST 800-53 rev 5): API GW Check

* feat(NIST 800-53 rev 5): DynamoDB Checks

* feat(NIST 800-53 rev 5): EC2, EFS, RDS Checks

* feat(NIST 800-53 rev 5): Redshift Check

* feat(NIST 800-53 rev 5): Secrets Manager Check

* feat(NIST 800-53 rev 5):VPC Check

* feat(NIST 800-53 rev 5): WAF Check

* feat(PCI DSS 3.2.1): ELB Check

* feat(PCI DSS 3.2.1): KMS Check

* feat(PCI DSS 3.2.1): API GW Check

* feat(PCI DSS 3.2.1): IAM Check

* feat(PCI DSS 3.2.1): Redshift Check

* feat(PCI DSS 3.2.1): VPC Check

* feat(PCI DSS 3.2.1): WAF Check

* docs: grammatical fix

* docs: fixing errors with Control IDs
dontirun authored Nov 6, 2021
1 parent 078b1ad commit daa26d7
Showing 142 changed files with 6,831 additions and 120 deletions.
20 changes: 20 additions & 0 deletions .projen/deps.json


2 changes: 2 additions & 0 deletions .projenrc.js
Expand Up @@ -21,9 +21,11 @@ const project = new AwsCdkConstructLibrary({
'@aws-cdk/aws-apigatewayv2',
'@aws-cdk/aws-apigatewayv2-authorizers',
'@aws-cdk/aws-apigatewayv2-integrations',
'@aws-cdk/aws-applicationautoscaling',
'@aws-cdk/aws-appsync',
'@aws-cdk/aws-athena',
'@aws-cdk/aws-autoscaling',
'@aws-cdk/aws-backup',
'@aws-cdk/aws-certificatemanager',
'@aws-cdk/aws-codebuild',
'@aws-cdk/aws-cloud9',
101 changes: 50 additions & 51 deletions RULES.md


4 changes: 4 additions & 0 deletions package.json


12 changes: 6 additions & 6 deletions src/AwsSolutions/aws-solutions.ts
Expand Up @@ -278,7 +278,7 @@ export class AwsSolutionsChecks extends NagPack {
ruleId: 'AwsSolutions-ELB1',
info: 'The CLB is used for incoming HTTP/HTTPS traffic. Use ALBs instead.',
explanation:
'HTTP/HTTPS applications (monolithic or containerized) should use the ALB instead of The CLB for enhanced incoming traffic distribution, better performance and lower costs.',
'HTTP/HTTPS applications (monolithic or containerized) should use the ALB instead of the CLB for enhanced incoming traffic distribution, better performance and lower costs.',
level: NagMessageLevel.ERROR,
rule: awsSolutionsElb1,
node: node,
Expand Down Expand Up @@ -784,7 +784,7 @@ export class AwsSolutionsChecks extends NagPack {
});
this.applyRule({
ruleId: 'AwsSolutions-APIG2',
info: 'The Rest API does not have request validation enabled.',
info: 'The REST API does not have request validation enabled.',
explanation:
'The API should have basic request validation enabled. If the API is integrated with custom source (Lambda, ECS, etc..) in the backend, deeper input validation should be considered for implementation.',
level: NagMessageLevel.ERROR,
Expand All @@ -793,7 +793,7 @@ export class AwsSolutionsChecks extends NagPack {
});
this.applyRule({
ruleId: 'AwsSolutions-APIG3',
info: 'The Rest API stage is not associated with AWS WAFv2 web ACL.',
info: 'The REST API stage is not associated with AWS WAFv2 web ACL.',
explanation:
'AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined.',
level: NagMessageLevel.WARN,
Expand Down Expand Up @@ -1140,16 +1140,16 @@ export class AwsSolutionsChecks extends NagPack {
});
this.applyRule({
ruleId: 'AwsSolutions-KMS5',
info: 'The KMS Symmetric key does not have Key Rotation enabled.',
info: 'The KMS Symmetric key does not have automatic key rotation enabled.',
explanation:
'KMS Key Rotation allow a system to set an yearly rotation schedule for a KMS key so when a AWS KMS key is required to encrypt new data, the KMS service can automatically use the latest version of the HSA backing key to perform the encryption.',
'KMS key rotation allow a system to set an yearly rotation schedule for a KMS key so when a AWS KMS key is required to encrypt new data, the KMS service can automatically use the latest version of the HSA backing key to perform the encryption.',
level: NagMessageLevel.ERROR,
rule: awsSolutionsKms5,
node: node,
});
this.applyRule({
ruleId: 'AwsSolutions-SMG4',
info: 'The Secret does not have automatic rotation scheduled.',
info: 'The secret does not have automatic rotation scheduled.',
explanation:
'AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database.',
level: NagMessageLevel.ERROR,
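Review bot: The AwsSolutions-KMS5 explanation string retained on the new side of the `-1140,16` hunk still carries the grammar the commit set out to fix: `allow a system` should be `allows a system`, `an yearly` should be `a yearly`, `a AWS KMS key` should be `an AWS KMS key`, and `HSA backing key` reads like a typo for `HSM backing key` (worth confirming against the AWS KMS documentation before changing). These are user-facing finding messages rather than comments, so the wording is what ends up in reports; the corrected line would be `'KMS key rotation allows a system to set a yearly rotation schedule for a KMS key so when an AWS KMS key is required to encrypt new data, the KMS service can automatically use the latest version of the HSM backing key to perform the encryption.',`. Which line of the printed pair is the new side is not marked on this rendered page, so the observation applies to whichever one is kept. The enclosing method body continues outside every hunk in this section.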
2 changes: 1 addition & 1 deletion src/AwsSolutions/rules/network_and_delivery/APIG2.ts
Expand Up @@ -32,7 +32,7 @@ export default function (node: CfnResource): boolean {
/**
* Helper function to check whether a given Request Validator is associated with the given Rest API
* @param node the CfnRequestValidator to check
* @param apiLogicalId the Cfn Logical ID of the Rest API
* @param apiLogicalId the Cfn Logical ID of the REST API
* returns whether the CfnRequestValidator is associated with the given Rest API
*/
function isMatchingRequestValidator(
10 changes: 5 additions & 5 deletions src/AwsSolutions/rules/network_and_delivery/APIG3.ts
Expand Up @@ -42,9 +42,9 @@ export default function (node: CfnResource): boolean {
/**
* Helper function to check whether a given Web ACL Association is associated with the given Rest API
* @param node the CfnWebACLAssociation to check
* @param stageLogicalId the Cfn Logical ID of the Rest API Stage
* @param stageName the name of the Rest API Stage
* @param restApiId the ID or Cfn Resource ID of the Rest API associated with the Stage
* @param stageLogicalId the Cfn Logical ID of the REST API Stage
* @param stageName the name of the REST API Stage
* @param restApiId the ID or Cfn Resource ID of the REST API associated with the Stage
* returns whether the CfnWebACLAssociation is associates with the given Rest API
*/
function isMatchingWebACLAssociation(
Expand All @@ -57,9 +57,9 @@ function isMatchingWebACLAssociation(
Stack.of(node).resolve(node.resourceArn)
);
const regexes = Array<string>();
regexes.push(`${restApiId}.+${stageLogicalId}`);
regexes.push(`${restApiId}.+${stageLogicalId}(?![\\w])`);
if (stageName !== undefined) {
regexes.push(`${restApiId}.+${stageName}`);
regexes.push(`${restApiId}.+${stageName}(?![\\w])`);
}
const regex = new RegExp(regexes.join('|'), 'gm');
if (regex.test(resourceLogicalId)) {
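Review bot: The `(?![\\w])` lookahead added to both pushed patterns guards only the right edge of the stage identifier, so `.+${stageLogicalId}(?![\\w])` still matches when the stage's logical ID is the tail of some other resource's ID (e.g. `Stage` inside `OtherStage`), and the same holds for the `stageName` branch. A symmetric guard closes that, `regexes.push(`${restApiId}.+(?<![\\w])${stageLogicalId}(?![\\w])`);` (and likewise for `stageName`), provided the project's compile target supports lookbehind (ES2018+). The three identifiers are also interpolated into the pattern unescaped; if any of them can carry regex metacharacters (an unresolved CDK token string, for instance), the match silently misfires, so escaping each with `s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')` before interpolation would keep the comparison literal. The `'gm'` flags on the `RegExp` at the end of the hunk are unnecessary for a single `test()` call; `g` makes `test` stateful via `lastIndex`, which is harmless here only because the object is rebuilt on every call. Which side of each printed pair is the new one is not marked on this page, and isMatchingWebACLAssociation continues outside the hunk.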
2 changes: 1 addition & 1 deletion src/AwsSolutions/rules/security_and_compliance/KMS5.ts
Expand Up @@ -7,7 +7,7 @@ import { CfnResource, Stack } from '@aws-cdk/core';
import { resolveIfPrimitive } from '../../../nag-pack';

/**
* KMS Symmetric keys have Key Rotation enabled
* KMS Symmetric keys have automatic key rotation enabled
* @param node the CfnResource to check
*/
export default function (node: CfnResource): boolean {
2 changes: 1 addition & 1 deletion src/AwsSolutions/rules/security_and_compliance/SMG4.ts
Expand Up @@ -8,7 +8,7 @@ import { CfnResource, Stack } from '@aws-cdk/core';
import { resolveResourceFromInstrinsic } from '../../../nag-pack';

/**
* Secrets are automatically rotated
* Secrets have automatic rotation scheduled
* @param node the CfnResource to check
*/
export default function (node: CfnResource): boolean {
