fix: RDSLoggingEnabled (#760)

cdklabs · Apr 4, 2022 · 4362458 · 4362458
1 parent 9481361
commit 4362458
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 18 deletions.
diff --git a/RULES.md b/RULES.md
diff --git a/src/packs/hipaa-security.ts b/src/packs/hipaa-security.ts
@@ -797,7 +797,7 @@ export class HIPAASecurityChecks extends NagPack {
       node: node,
     });
     this.applyRule({
-      info: 'The RDS DB instance does not have all CloudWatch log types exported - (Control IDs: 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C)).',
+      info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C)).',
       explanation:
         'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' +
         "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::<log>' for exported logs. Example: appliesTo: ['LogExport::audit'].",

diff --git a/src/packs/nist-800-53-r4.ts b/src/packs/nist-800-53-r4.ts
@@ -662,7 +662,7 @@ export class NIST80053R4Checks extends NagPack {
       node: node,
     });
     this.applyRule({
-      info: 'The RDS DB instance does not have all CloudWatch log types exported - (Control IDs: AC-2(4), AC-2(g), AU-2(a)(d), AU-3, AU-12(a)(c)).',
+      info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: AC-2(4), AC-2(g), AU-2(a)(d), AU-3, AU-12(a)(c)).',
       explanation:
         'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' +
         "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::<log>' for exported logs. Example: appliesTo: ['LogExport::audit'].",

diff --git a/src/packs/nist-800-53-r5.ts b/src/packs/nist-800-53-r5.ts
@@ -732,7 +732,7 @@ export class NIST80053R5Checks extends NagPack {
       node: node,
     });
     this.applyRule({
-      info: 'The RDS DB Instance does not have all CloudWatch log types exported - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).',
+      info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c)).',
       explanation:
         'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' +
         "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::<log>' for exported logs. Example: appliesTo: ['LogExport::audit'].",

diff --git a/src/packs/pci-dss-321.ts b/src/packs/pci-dss-321.ts
@@ -611,7 +611,7 @@ export class PCIDSS321Checks extends NagPack {
       node: node,
     });
     this.applyRule({
-      info: 'The RDS DB Instance does not have all CloudWatch log types exported - (Control IDs: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6).',
+      info: 'The non-Aurora RDS DB instance or Aurora cluster does not have all CloudWatch log types exported - (Control IDs: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6).',
       explanation:
         'To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled. With Amazon RDS logging, you can capture events such as connections, disconnections, queries, or tables queried.' +
         "This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'LogExport::<log>' for exported logs. Example: appliesTo: ['LogExport::audit'].",

diff --git a/src/rules/rds/RDSLoggingEnabled.ts b/src/rules/rds/RDSLoggingEnabled.ts
@@ -3,7 +3,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: Apache-2.0
 */
 import { parse } from 'path';
-import { CfnDBInstance } from '@aws-cdk/aws-rds';
+import { CfnDBCluster, CfnDBInstance } from '@aws-cdk/aws-rds';
 import { CfnResource, Stack } from '@aws-cdk/core';
 import {
   NagRuleCompliance,
@@ -13,7 +13,7 @@ import {
 } from '../../nag-rules';
 
 /**
- * RDS DB instances are configured to export all possible log types to CloudWatch
+ * Non-Aurora RDS DB instances and Aurora clusters are configured to export all possible log types to CloudWatch
  * @param node the CfnResource to check
  */
 export default Object.defineProperty(
@@ -23,14 +23,38 @@ export default Object.defineProperty(
       const exports =
         Stack.of(node).resolve(node.enableCloudwatchLogsExports) ?? [];
       const needed: string[] = [];
-      if (dbType.includes('mariadb') || dbType.includes('mysql')) {
+      if (!dbType.includes('aurora')) {
+        if (dbType.includes('mariadb') || dbType.includes('mysql')) {
+          needed.push('audit', 'error', 'general', 'slowquery');
+        } else if (dbType.includes('postgres')) {
+          needed.push('postgresql', 'upgrade');
+        } else if (dbType.includes('oracle')) {
+          needed.push('audit', 'alert', 'listener', 'oemagent', 'trace');
+        } else if (dbType.includes('sqlserver')) {
+          needed.push('agent', 'error');
+        }
+        const findings: NagRuleFindings = needed
+          .filter((log) => !exports.includes(log))
+          .map((log) => `LogExport::${log}`);
+        return findings.length ? findings : NagRuleCompliance.COMPLIANT;
+      } else {
+        return NagRuleCompliance.NOT_APPLICABLE;
+      }
+    } else if (node instanceof CfnDBCluster) {
+      const engine = NagRules.resolveIfPrimitive(
+        node,
+        node.engine
+      ).toLowerCase();
+      const needed: string[] = [];
+      const exports =
+        Stack.of(node).resolve(node.enableCloudwatchLogsExports) ?? [];
+      if (
+        engine.toLowerCase() === 'aurora' ||
+        engine.toLowerCase() === 'aurora-mysql'
+      ) {
         needed.push('audit', 'error', 'general', 'slowquery');
-      } else if (dbType.includes('postgres')) {
-        needed.push('postgresql', 'upgrade');
-      } else if (dbType.includes('oracle')) {
-        needed.push('audit', 'alert', 'listener', 'oemagent', 'trace');
-      } else if (dbType.includes('sqlserver')) {
-        needed.push('agent', 'error');
+      } else if (engine.toLowerCase() === 'aurora-postgresql') {
+        needed.push('postgresql');
       }
       const findings: NagRuleFindings = needed
         .filter((log) => !exports.includes(log))

diff --git a/test/rules/RDS.test.ts b/test/rules/RDS.test.ts
@@ -20,6 +20,7 @@ import {
   CfnDBCluster,
   CfnDBSecurityGroup,
   CfnDBSecurityGroupIngress,
+  AuroraEngineVersion,
 } from '@aws-cdk/aws-rds';
 import { Aspects, Stack } from '@aws-cdk/core';
 import {
@@ -354,7 +355,7 @@ describe('Amazon Relational Database Service (RDS) and Amazon Aurora', () => {
     });
   });
 
-  describe('RDSLoggingEnabled: RDS DB instances are configured to export all possible log types to CloudWatch', () => {
+  describe('RDSLoggingEnabled: Non-Aurora RDS DB instances and Aurora clusters are configured to export all possible log types to CloudWatch', () => {
     const ruleId = 'RDSLoggingEnabled';
     test('Noncompliance 1: expect finding for all logs for MariaDB based engines', () => {
       new DatabaseInstance(stack, 'rDbInstance', {
@@ -444,6 +445,57 @@ describe('Amazon Relational Database Service (RDS) and Amazon Aurora', () => {
         );
       });
     });
+    test('Noncompliance 6: expect finding for all logs for all Aurora MySQL 5.6 based clusters', () => {
+      new CfnDBCluster(stack, 'rDbCluster', {
+        engine: 'aurora-mysql',
+        scalingConfiguration: {
+          maxCapacity: 42,
+          minCapacity: 7,
+        },
+      });
+      const needed = ['audit', 'error', 'general', 'slowquery'];
+      needed.forEach((log) => {
+        validateStack(
+          stack,
+          `${ruleId}[LogExport::${log}]`,
+          TestType.NON_COMPLIANCE
+        );
+      });
+    });
+    test('Noncompliance 7: expect finding for all logs for all Aurora MySQL 5.7 based clusters', () => {
+      new CfnDBCluster(stack, 'rDbCluster', {
+        engine: 'aurora-mysql',
+        scalingConfiguration: {
+          maxCapacity: 42,
+          minCapacity: 7,
+        },
+      });
+      const needed = ['audit', 'error', 'general', 'slowquery'];
+      needed.forEach((log) => {
+        validateStack(
+          stack,
+          `${ruleId}[LogExport::${log}]`,
+          TestType.NON_COMPLIANCE
+        );
+      });
+    });
+    test('Noncompliance 7: expect finding for all logs for all Aurora PostgreSQL based clusters', () => {
+      new CfnDBCluster(stack, 'rDbCluster', {
+        engine: 'aurora-postgresql',
+        scalingConfiguration: {
+          maxCapacity: 42,
+          minCapacity: 7,
+        },
+      });
+      const needed = ['postgresql'];
+      needed.forEach((log) => {
+        validateStack(
+          stack,
+          `${ruleId}[LogExport::${log}]`,
+          TestType.NON_COMPLIANCE
+        );
+      });
+    });
     test('Compliance', () => {
       new DatabaseInstance(stack, 'rDbInstance', {
         engine: DatabaseInstanceEngine.mariaDb({
@@ -495,6 +547,33 @@ describe('Amazon Relational Database Service (RDS) and Amazon Aurora', () => {
           'oemagent',
         ],
       });
+      new DatabaseCluster(stack, 'rDbCluster1', {
+        engine: DatabaseClusterEngine.aurora({
+          version: AuroraEngineVersion.VER_1_17_9,
+        }),
+        instanceProps: {
+          vpc: new Vpc(stack, 'rVpc6'),
+        },
+        cloudwatchLogsExports: ['audit', 'error', 'general', 'slowquery'],
+      });
+      new DatabaseCluster(stack, 'rDbCluster2', {
+        engine: DatabaseClusterEngine.auroraMysql({
+          version: AuroraMysqlEngineVersion.VER_2_03_2,
+        }),
+        instanceProps: {
+          vpc: new Vpc(stack, 'rVpc7'),
+        },
+        cloudwatchLogsExports: ['audit', 'error', 'general', 'slowquery'],
+      });
+      new DatabaseCluster(stack, 'rDbCluster3', {
+        engine: DatabaseClusterEngine.auroraPostgres({
+          version: AuroraPostgresEngineVersion.VER_9_6_8,
+        }),
+        instanceProps: {
+          vpc: new Vpc(stack, 'rVpc8'),
+        },
+        cloudwatchLogsExports: ['postgresql'],
+      });
       validateStack(stack, ruleId, TestType.COMPLIANCE);
     });
   });