feat(HIPAA Security): EMR check (#358)

Closes #259 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

src/HIPAA-Security/hipaa-security.ts

@@ -49,6 +49,7 @@ import {
   hipaaSecurityELBTlsHttpsListenersOnly,
   hipaaSecurityELBv2ACMCertificateRequired,
 } from './rules/elb';
+import { hipaaSecurityEMRKerberosEnabled } from './rules/emr';
 import {
   hipaaSecurityOpenSearchEncryptedAtRest,
   hipaaSecurityOpenSearchInVPCOnly,
@@ -78,7 +79,7 @@ export class HIPAASecurityChecks extends NagPack {
       this.checkElastiCache(node, ignores);
       this.checkElasticBeanstalk(node, ignores);
       this.checkELB(node, ignores);
-      // this.checkEMR(node, ignores);
+      this.checkEMR(node, ignores);
       // this.checkIAM(node, ignores);
       // this.checkLambda(node, ignores);
       this.checkOpenSearch(node, ignores);
@@ -632,12 +633,26 @@ export class HIPAASecurityChecks extends NagPack {
     }
   }
 
-  //   /**
-  //    * Check EMR Resources
-  //    * @param node the IConstruct to evaluate
-  //    * @param ignores list of ignores for the resource
-  //    */
-  //   private checkEMR(node: CfnResource, ignores: any): void {}
+  /**
+   * Check EMR Resources
+   * @param node the IConstruct to evaluate
+   * @param ignores list of ignores for the resource
+   */
+  private checkEMR(node: CfnResource, ignores: any) {
+    if (
+      !this.ignoreRule(ignores, 'HIPAA.Security-EMRKerberosEnabled') &&
+      !hipaaSecurityEMRKerberosEnabled(node)
+    ) {
+      const ruleId = 'HIPAA.Security-EMRKerberosEnabled';
+      const info =
+        'The EMR cluster does not have Kerberos enabled - (Control IDs: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)).';
+      const explanation =
+        'The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.';
+      Annotations.of(node).addError(
+        this.createMessage(ruleId, info, explanation)
+      );
+    }
+  }
 
   //   /**
   //    * Check IAM Resources

src/HIPAA-Security/rules/emr/hipaaSecurityEMRKerberosEnabled.ts

@@ -0,0 +1,20 @@
+/*
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+import { CfnCluster } from '@aws-cdk/aws-emr';
+import { IConstruct, Stack } from '@aws-cdk/core';
+
+/**
+ * EMR clusters have Kerberos enabled - (Control IDs: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1))
+ * @param node the CfnResource to check
+ */
+export default function (node: IConstruct): boolean {
+  if (node instanceof CfnCluster) {
+    const kerberosAttributes = Stack.of(node).resolve(node.kerberosAttributes);
+    if (kerberosAttributes == undefined) {
+      return false;
+    }
+  }
+  return true;
+}

src/HIPAA-Security/rules/emr/index.ts

@@ -2,3 +2,4 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
+export { default as hipaaSecurityEMRKerberosEnabled } from './hipaaSecurityEMRKerberosEnabled';

src/NIST-800-53/rules/emr/nist80053EMRKerberosEnabled.ts

@@ -6,7 +6,7 @@ import { CfnCluster } from '@aws-cdk/aws-emr';
 import { IConstruct, Stack } from '@aws-cdk/core';
 
 /**
- * EMR clusters have Kerberos enabled - (Control IDs: AC-2(j), AC-3, AC-5c, and AC-6)
+ * EMR clusters have Kerberos enabled - (Control IDs: AC-2(j), AC-3, AC-5c, AC-6)
  * @param node the CfnResource to check
  */
 export default function (node: IConstruct): boolean {

test/HIPAA-Security/HIPAA-Security-EMR.test.ts

@@ -0,0 +1,50 @@
+/*
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+import { SynthUtils } from '@aws-cdk/assert';
+import { CfnCluster } from '@aws-cdk/aws-emr';
+import { Aspects, Stack } from '@aws-cdk/core';
+import { HIPAASecurityChecks } from '../../src';
+
+describe('Amazon EMR', () => {
+  test('HIPAA.Security-EMRKerberosEnabled: - EMR clusters have Kerberos enabled - (Control IDs: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)', () => {
+    const nonCompliant = new Stack();
+    Aspects.of(nonCompliant).add(new HIPAASecurityChecks());
+    new CfnCluster(nonCompliant, 'rEmrCluster', {
+      instances: {},
+      jobFlowRole: ' EMR_EC2_DefaultRole',
+      name: 'foo',
+      serviceRole: 'bar',
+    });
+    const messages = SynthUtils.synthesize(nonCompliant).messages;
+    expect(messages).toContainEqual(
+      expect.objectContaining({
+        entry: expect.objectContaining({
+          data: expect.stringContaining('HIPAA.Security-EMRKerberosEnabled:'),
+        }),
+      })
+    );
+
+    const compliant = new Stack();
+    Aspects.of(compliant).add(new HIPAASecurityChecks());
+    new CfnCluster(compliant, 'rEmrCluster', {
+      instances: {},
+      jobFlowRole: ' EMR_EC2_DefaultRole',
+      name: 'foo',
+      serviceRole: 'bar',
+      kerberosAttributes: {
+        kdcAdminPassword: 'baz',
+        realm: 'qux',
+      },
+    });
+    const messages2 = SynthUtils.synthesize(compliant).messages;
+    expect(messages2).not.toContainEqual(
+      expect.objectContaining({
+        entry: expect.objectContaining({
+          data: expect.stringContaining('HIPAA.Security-EMRKerberosEnabled:'),
+        }),
+      })
+    );
+  });
+});