HIPAA Security - Implement cw-loggroup-retention-period-check config rule

[dontirun]

Summary

As a developer

I would like to implement the cw-loggroup-retention-period-check config rule

So that I can check if qualified resources in my CDK app conforms to the following HIPAA Security control(s): 164.312(b)

Details

ruleId: HIPAA.Security-CloudWatchLogGroupRetentionPeriod

info: The CloudWatch Log Group does not have an explicit retention period configured - (Control IDs: 164.312(b))

Given Reason: Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations. The lack of available past event log data makes it difficult to reconstruct and identify potentially malicious events.

Acceptance Criteria

If the rule can be implemented

Given a CDK app with a non-compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack does not deploy and the user receives an ERROR with relevant Control ID information about the non compliant resource

Given a CDK app with a compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack deploys and the user does not receive an ERROR about the compliant resource

Given the cdk-nag RULES file

• When the HIPAA.Security-CloudWatchLogGroupRetentionPeriod rule is added to the rule pack
• Then the HIPAA Security Errors section is updated with the rule information

If the rule cannot be implemented

Given the cdk-nag RULES file

• When the cw-loggroup-retention-period-check check is not added to the rule pack
• Then the HIPAA Security Excluded Rules section is updated with the check information