HIPAA Security - Implement s3-bucket-policy-grantee-check config rule

[dontirun]

Summary

As a developer

I would like to implement the s3-bucket-policy-grantee-check config rule

So that I can check if qualified resources in my CDK app conforms to the following HIPAA Security control(s): 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

Details

ruleId: HIPAA.Security-S3BucketPolicyGrantee

info: The S3 Bucket is not restricted by any of the provided AWS principals, federated users, service principals, IP addresses, or VPCs - (Control IDs: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1))

Given Reason: Manage access to the AWS Cloud by enabling s3_ bucket_policy_grantee_check. This rule checks that the access granted by the Amazon S3 bucket is restricted by any of the AWS principals, federated users, service principals, IP addresses, or Amazon Virtual Private Cloud (Amazon VPC) IDs that you provide.

Acceptance Criteria

If the rule can be implemented

Given a CDK app with a non-compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack does not deploy and the user receives an ERROR with relevant Control ID information about the non compliant resource

Given a CDK app with a compliant resource

• When HIPAA Security Pack is enabled
• Then the CDK stack deploys and the user does not receive an ERROR about the compliant resource

Given the cdk-nag RULES file

• When the HIPAA.Security-S3BucketPolicyGrantee rule is added to the rule pack
• Then the HIPAA Security Errors section is updated with the rule information

If the rule cannot be implemented

Given the cdk-nag RULES file

• When the s3-bucket-policy-grantee-check check is not added to the rule pack
• Then the HIPAA Security Excluded Rules section is updated with the check information