HIPAA Security - Implement elasticache-redis-cluster-automatic-backup-check config rule

[dontirun]

Summary

As a developer

I would like to implement the elasticache-redis-cluster-automatic-backup-check config rule

So that I can check if qualified resources in my CDK app conforms to the following HIPAA Security control(s): 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B)

Details

ruleId: HIPAA.Security-ElasticacheRedisClusterAutomaticBackup

info: The�ElastiCache�Redis�cluster�does�not�retain�automatic�backups�for�at�least�15�days - (Control IDs: 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B))

Given Reason: When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss. If a failure occurs, you can create a new cluster, which restores your data from the most recent backup.

Acceptance Criteria

If the rule can be implemented

Given a CDK app with a non-compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack does not deploy and the user receives an ERROR with relevant Control ID information about the non compliant resource

Given a CDK app with a compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack deploys and the user does not receive an ERROR about the compliant resource

Given the cdk-nag RULES file

• When the HIPAA.Security-ElasticacheRedisClusterAutomaticBackup rule is added to the rule pack
• Then the HIPAA Security Errors section is updated with the rule information

If the rule cannot be implemented

Given the cdk-nag RULES file

• When the elasticache-redis-cluster-automatic-backup-check check is not added to the rule pack
• Then the HIPAA Security Excluded Rules section is updated with the check information