diff --git a/RULES.md b/RULES.md index 4408266f81..afde25efed 100644 --- a/RULES.md +++ b/RULES.md 
@@ -250,6 +250,7 @@ The [Operational Best Practices for HIPAA Security](https://docs.aws.amazon.com/ | [HIPAA.Security-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) | | [HIPAA.Security-SecretsManagerRotationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html) | The secret does not have automatic rotation scheduled. | Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. | 164.308(a)(4)(ii)(B) | | [HIPAA.Security-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | +| [HIPAA.Security-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. 
| 164.308(a)(1)(ii)(B), 164.312(a)(2)(iv), 164.312(e)(2)(ii), 164.314(b)(2)(i) | | [HIPAA.Security-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | 164.308(a)(3)(ii)(A), 164.312(b) | | [HIPAA.Security-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. | 164.312(e)(1) | | [HIPAA.Security-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) | 
@@ -377,6 +378,7 @@ The [Operational Best Practices for NIST 800-53 rev 4](https://docs.aws.amazon.c | [NIST.800.53.R4-SageMakerEndpointConfigurationKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html) | The SageMaker resource endpoint is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-SageMakerNotebookInstanceKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html) | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | AC-3, AC-4, AC-6, AC-21(b), SC-7, SC-7(3) | +| [NIST.800.53.R4-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. 
| The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | AU-2(a)(d), AU-3, AU-12(a)(c) | | [NIST.800.53.R4-WAFv2LoggingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html) | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | AU-2(a)(d), AU-3, AU-12(a)(c), SC-7, SI-4(a)(b)(c) | 
@@ -516,6 +518,7 @@ The [Operational Best Practices for NIST 800-53 rev 5](https://docs.aws.amazon.c | [NIST.800.53.R5-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | [NIST.800.53.R5-SecretsManagerRotationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html) | The secret does not have automatic rotation scheduled. | Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), SC-23(3) | | [NIST.800.53.R5-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. 
| AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | +| [NIST.800.53.R5-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | CA-9(1), CM-3(6), SC-7(10), SC-13, SC-28(1), SC-28, SI-7(6) | | [NIST.800.53.R5-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SI-4(17), SI-7(8) | | [NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. 
| AC-4(21), CM-7b | | [NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | 
@@ -643,6 +646,7 @@ The [Operational Best Practices for PCI DSS 3.2.1](https://docs.aws.amazon.com/c | [PCI.DSS.321-SageMakerNotebookInstanceKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html) | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | 3.4, 8.2.1 | | [PCI.DSS.321-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | | [PCI.DSS.321-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | 3.4, 8.2.1 | +| [PCI.DSS.321-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | 3.4, 8.2.1 | | [PCI.DSS.321-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. 
| The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | 2.2, 10.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 | | [PCI.DSS.321-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 2.2.2 | | [PCI.DSS.321-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | diff --git a/src/packs/hipaa-security.ts b/src/packs/hipaa-security.ts index ba0d31fb89..7af5bcab4f 100644 --- a/src/packs/hipaa-security.ts +++ b/src/packs/hipaa-security.ts @@ -124,6 +124,7 @@ import { SecretsManagerRotationEnabled, SecretsManagerUsingKMSKey, } from '../rules/secretsmanager'; +import { SNSEncryptedKMS } from '../rules/sns'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, 
@@ -166,6 +167,7 @@ export class HIPAASecurityChecks extends NagPack {
     this.checkS3(node);
     this.checkSageMaker(node);
     this.checkSecretsManager(node);
+    this.checkSNS(node);
     this.checkVPC(node);
     this.checkWAF(node);
   }
@@ -1020,6 +1022,22 @@ export class HIPAASecurityChecks extends NagPack {
     });
   }
 
+  /**
+   * Check Amazon SNS Resources
+   * @param node the CfnResource to check
+   * @param ignores list of ignores for the resource
+   */
+  private checkSNS(node: CfnResource): void {
+    this.applyRule({
+      info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)).',
+      explanation:
+        'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
+      level: NagMessageLevel.ERROR,
+      rule: SNSEncryptedKMS,
+      node: node,
+    });
+  }
+
   /**
    * Check VPC Resources
    * @param node the CfnResource to check
diff --git a/src/packs/nist-800-53-r4.ts b/src/packs/nist-800-53-r4.ts
index 6dd4b89357..9cca0e52d6 100644
--- a/src/packs/nist-800-53-r4.ts
+++ b/src/packs/nist-800-53-r4.ts
@@ -100,6 +100,7 @@ import {
   SageMakerNotebookInstanceKMSKeyConfigured,
   SageMakerNotebookNoDirectInternetAccess,
 } from '../rules/sagemaker';
+import { SNSEncryptedKMS } from '../rules/sns';
 import {
   VPCDefaultSecurityGroupClosed,
   VPCFlowLogsEnabled,
@@ -138,6 +139,7 @@ export class NIST80053R4Checks extends NagPack {
     this.checkRedshift(node);
     this.checkS3(node);
     this.checkSageMaker(node);
+    this.checkSNS(node);
     this.checkVPC(node);
     this.checkWAF(node);
   }
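Review bot: The control IDs in the new `checkSNS` info string, `164.312(a)(2)(iv), 164.312(e)(2)(ii)`, do not match the RULES.md row this same commit adds for HIPAA.Security-SNSEncryptedKMS, which maps the rule to `164.308(a)(1)(ii)(B), 164.312(a)(2)(iv), 164.312(e)(2)(ii), 164.314(b)(2)(i)`; one of the two needs correcting so the message the pack emits and the published mapping agree. The JSDoc also carries `@param ignores list of ignores for the resource`, but the signature is `checkSNS(node: CfnResource)` and takes no such parameter, so that line looks carried over from an older method and should be dropped. The `explanation` here is the one-sentence form while the RULES.md row uses the longer two-sentence text; if RULES.md is meant to mirror pack output, use one string in both places. The enclosing class starts outside the hunk.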
@@ -836,6 +838,22 @@ export class NIST80053R4Checks extends NagPack {
     });
   }
 
+  /**
+   * Check Amazon SNS Resources
+   * @param node the CfnResource to check
+   * @param ignores list of ignores for the resource
+   */
+  private checkSNS(node: CfnResource): void {
+    this.applyRule({
+      info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SC-13, SC-28).',
+      explanation:
+        'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
+      level: NagMessageLevel.ERROR,
+      rule: SNSEncryptedKMS,
+      node: node,
+    });
+  }
+
   /**
    * Check VPC Resources
    * @param node the CfnResource to check
diff --git a/src/packs/nist-800-53-r5.ts b/src/packs/nist-800-53-r5.ts
index 2d1309433f..79af7ce3d3 100644
--- a/src/packs/nist-800-53-r5.ts
+++ b/src/packs/nist-800-53-r5.ts
@@ -117,6 +117,7 @@ import {
   SecretsManagerRotationEnabled,
   SecretsManagerUsingKMSKey,
 } from '../rules/secretsmanager';
+import { SNSEncryptedKMS } from '../rules/sns';
 import {
   VPCDefaultSecurityGroupClosed,
   VPCFlowLogsEnabled,
@@ -157,6 +158,7 @@ export class NIST80053R5Checks extends NagPack {
     this.checkS3(node);
     this.checkSageMaker(node);
     this.checkSecretsManager(node);
+    this.checkSNS(node);
     this.checkVPC(node);
     this.checkWAF(node);
   }
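Review bot: The JSDoc on the new `checkSNS` documents `@param ignores list of ignores for the resource`, yet the method is declared as `checkSNS(node: CfnResource): void` and has no such parameter; remove the stale line so the comment matches the signature. The control IDs `SC-13, SC-28` do agree with the RULES.md row for NIST.800.53.R4-SNSEncryptedKMS, but the `explanation` is the short one-sentence form whereas that row carries the longer two-sentence text, so the two will drift unless one is chosen for both. The enclosing class starts outside the hunk.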
@@ -963,6 +965,22 @@ export class NIST80053R5Checks extends NagPack {
     });
   }
 
+  /**
+   * Check Amazon SNS Resources
+   * @param node the CfnResource to check
+   * @param ignores list of ignores for the resource
+   */
+  private checkSNS(node: CfnResource): void {
+    this.applyRule({
+      info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)).',
+      explanation:
+        'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
+      level: NagMessageLevel.ERROR,
+      rule: SNSEncryptedKMS,
+      node: node,
+    });
+  }
+
   /**
    * Check VPC Resources
    * @param node the CfnResource to check
diff --git a/src/packs/pci-dss-321.ts b/src/packs/pci-dss-321.ts
index 51740d84a5..460441dd62 100644
--- a/src/packs/pci-dss-321.ts
+++ b/src/packs/pci-dss-321.ts
@@ -98,6 +98,7 @@ import {
   SageMakerNotebookNoDirectInternetAccess,
 } from '../rules/sagemaker';
 import { SecretsManagerUsingKMSKey } from '../rules/secretsmanager';
+import { SNSEncryptedKMS } from '../rules/sns';
 import {
   VPCDefaultSecurityGroupClosed,
   VPCFlowLogsEnabled,
@@ -137,6 +138,7 @@ export class PCIDSS321Checks extends NagPack {
     this.checkS3(node);
     this.checkSageMaker(node);
     this.checkSecretsManager(node);
+    this.checkSNS(node);
     this.checkVPC(node);
     this.checkWAF(node);
   }
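Review bot: The control IDs in the new `info` string, `AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)`, are (apart from the trailing SI-19(4)) the NIST.800.53.R5-SecretsManagerUsingKMSKey mapping shown in the RULES.md row just above the SNS row, not the mapping this commit publishes for NIST.800.53.R5-SNSEncryptedKMS, which is `CA-9(1), CM-3(6), SC-7(10), SC-13, SC-28(1), SC-28, SI-7(6)`; this looks like a copy-paste from the Secrets Manager check. Assuming RULES.md is the source of truth, the line should read `info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: CA-9(1), CM-3(6), SC-7(10), SC-13, SC-28(1), SC-28, SI-7(6)).',`. The `explanation` string is also missing a full stop after `(AWS KMS)`, so the emitted finding runs two sentences together, and the JSDoc `@param ignores` describes a parameter `checkSNS` does not take. The enclosing class starts outside the hunk.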
@@ -807,6 +809,22 @@ export class PCIDSS321Checks extends NagPack {
     });
   }
 
+  /**
+   * Check Amazon SNS Resources
+   * @param node the CfnResource to check
+   * @param ignores list of ignores for the resource
+   */
+  private checkSNS(node: CfnResource): void {
+    this.applyRule({
+      info: 'The SNS topic does not have KMS encryption enabled - (Control ID: 8.2.1).',
+      explanation:
+        'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
+      level: NagMessageLevel.ERROR,
+      rule: SNSEncryptedKMS,
+      node: node,
+    });
+  }
+
   /**
    * Check VPC Resources
    * @param node the CfnResource to check
diff --git a/src/rules/sns/SNSEncryptedKMS.ts b/src/rules/sns/SNSEncryptedKMS.ts
new file mode 100644
index 0000000000..2850a2724d
--- /dev/null
+++ b/src/rules/sns/SNSEncryptedKMS.ts
@@ -0,0 +1,28 @@
+/*
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+*/
+import { parse } from 'path';
+import { CfnResource, Stack } from 'aws-cdk-lib';
+import { CfnTopic } from 'aws-cdk-lib/aws-sns';
+import { NagRuleCompliance } from '../../nag-rules';
+
+/**
+ * SNS topics are encrypted via KMS
+ * @param node the CfnResource to check
+ */
+export default Object.defineProperty(
+  (node: CfnResource): NagRuleCompliance => {
+    if (node instanceof CfnTopic) {
+      const topicKey = Stack.of(node).resolve(node.kmsMasterKeyId);
+      if (topicKey == undefined) {
+        return NagRuleCompliance.NON_COMPLIANT;
+      }
+      return NagRuleCompliance.COMPLIANT;
+    } else {
+      return NagRuleCompliance.NOT_APPLICABLE;
+    }
+  },
+  'name',
+  { value: parse(__filename).name }
+);
diff --git a/src/rules/sns/index.ts b/src/rules/sns/index.ts
index 4012537604..4d45acee84 100644
--- a/src/rules/sns/index.ts
+++ b/src/rules/sns/index.ts
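Review bot: The new `info` string cites `(Control ID: 8.2.1)` while the RULES.md row this commit adds for PCI.DSS.321-SNSEncryptedKMS maps the rule to `3.4, 8.2.1`, the same pair used by the sibling KMS rules SageMakerNotebookInstanceKMSKeyConfigured and SecretsManagerUsingKMSKey; `info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: 3.4, 8.2.1).',` would bring the emitted finding in line with the published mapping. As in the other packs, the JSDoc `@param ignores` documents a parameter `checkSNS` does not take, and `explanation` lacks a period after `(AWS KMS)`. The enclosing class starts outside the hunk.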
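Review bot: `SNSEncryptedKMS` reports COMPLIANT for any defined `kmsMasterKeyId`, so a topic pointing at the AWS-managed SNS key passes, as does one whose value resolves to an empty string, because `'' == undefined` is false; that matches the scope of the `sns-encrypted-kms` Config rule the packs link to, but it is weaker than the "KMS Customer managed key" wording on the neighbouring SecretsManagerUsingKMSKey rule, and pack users should not read it as CMK enforcement. State that in the rule's JSDoc, e.g. `* SNS topics are encrypted via KMS (any key reference, including the AWS-managed key, satisfies this rule; a customer managed key is not required)`, and consider tightening the guard to `if (topicKey == undefined || topicKey === '') {` so an explicitly empty value is not reported as encrypted. The loose `== undefined` presumably is deliberate to also cover null after `resolve`; a short comment saying so would help the next reader.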
@@ -2,4 +2,5 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ +export { default as SNSEncryptedKMS } from './SNSEncryptedKMS'; export { default as SNSTopicSSLPublishOnly } from './SNSTopicSSLPublishOnly'; diff --git a/test/Packs.test.ts b/test/Packs.test.ts index 42ddc3cbd7..38ab85bf13 100644 --- a/test/Packs.test.ts +++ b/test/Packs.test.ts @@ -288,6 +288,7 @@ describe('Check NagPack Details', () => { 'HIPAA.Security-SageMakerNotebookNoDirectInternetAccess', 'HIPAA.Security-SecretsManagerRotationEnabled', 'HIPAA.Security-SecretsManagerUsingKMSKey', + 'HIPAA.Security-SNSEncryptedKMS', 'HIPAA.Security-VPCFlowLogsEnabled', 'HIPAA.Security-VPCNoUnrestrictedRouteToIGW', 'HIPAA.Security-VPCSubnetAutoAssignPublicIpDisabled', @@ -391,6 +392,7 @@ describe('Check NagPack Details', () => { 'NIST.800.53.R4-SageMakerEndpointConfigurationKMSKeyConfigured', 'NIST.800.53.R4-SageMakerNotebookInstanceKMSKeyConfigured', 'NIST.800.53.R4-SageMakerNotebookNoDirectInternetAccess', + 'NIST.800.53.R4-SNSEncryptedKMS', 'NIST.800.53.R4-VPCFlowLogsEnabled', 'NIST.800.53.R4-WAFv2LoggingEnabled', ]; @@ -505,6 +507,7 @@ describe('Check NagPack Details', () => { 'NIST.800.53.R5-SageMakerNotebookNoDirectInternetAccess', 'NIST.800.53.R5-SecretsManagerRotationEnabled', 'NIST.800.53.R5-SecretsManagerUsingKMSKey', + 'NIST.800.53.R5-SNSEncryptedKMS', 'NIST.800.53.R5-VPCFlowLogsEnabled', 'NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW', 'NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled', @@ -605,6 +608,7 @@ describe('Check NagPack Details', () => { 'PCI.DSS.321-SageMakerNotebookInstanceKMSKeyConfigured', 'PCI.DSS.321-SageMakerNotebookNoDirectInternetAccess', 'PCI.DSS.321-SecretsManagerUsingKMSKey', + 'PCI.DSS.321-SNSEncryptedKMS', 'PCI.DSS.321-VPCFlowLogsEnabled', 'PCI.DSS.321-VPCNoUnrestrictedRouteToIGW', 'PCI.DSS.321-VPCSubnetAutoAssignPublicIpDisabled', 
diff --git a/test/rules/SNS.test.ts b/test/rules/SNS.test.ts index e73e7afd58..9003e22f84 100644 --- a/test/rules/SNS.test.ts +++ b/test/rules/SNS.test.ts @@ -13,9 +13,9 @@ import { Key } from 'aws-cdk-lib/aws-kms'; import { CfnTopicPolicy, Topic } from 'aws-cdk-lib/aws-sns'; import { Aspects, Stack } from 'aws-cdk-lib/core'; import { validateStack, TestType, TestPack } from './utils'; -import { SNSTopicSSLPublishOnly } from '../../src/rules/sns'; +import { SNSEncryptedKMS, SNSTopicSSLPublishOnly } from '../../src/rules/sns'; -const testPack = new TestPack([SNSTopicSSLPublishOnly]); +const testPack = new TestPack([SNSEncryptedKMS, SNSTopicSSLPublishOnly]); let stack: Stack; beforeEach(() => { @@ -24,15 +24,27 @@ beforeEach(() => { }); describe('Amazon Simple Notification Service (Amazon SNS)', () => { + describe('SNSEncryptedKMS: SNS topics are encrypted via KMS', () => { + const ruleId = 'SNSEncryptedKMS'; + test('Noncompliance 1', () => { + new Topic(stack, 'Topic'); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + test('Compliance', () => { + new Topic(stack, 'Topic', { masterKey: new Key(stack, 'Key') }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); + }); + describe('SNSTopicSSLPublishOnly: SNS topics require SSL requests for publishing', () => { const ruleId = 'SNSTopicSSLPublishOnly'; test('Noncompliance 1', () => { - new Topic(stack, 'rTopic'); + new Topic(stack, 'Topic'); validateStack(stack, ruleId, TestType.NON_COMPLIANCE); }); test('Noncompliance 2', () => { - new Topic(stack, 'rTopic', { topicName: 'foo' }); - new CfnTopicPolicy(stack, 'rTopicPolicy', { + new Topic(stack, 'Topic', { topicName: 'foo' }); + new CfnTopicPolicy(stack, 'TopicPolicy', { topics: ['foo'], policyDocument: new PolicyDocument({ statements: [ 
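Review bot: The new `SNSEncryptedKMS` tests only exercise the L2 `Topic` construct with and without `masterKey`, so the rule's acceptance of any defined `kmsMasterKeyId` — for example an AWS-managed key alias rather than a customer managed key — is not pinned by a test. A third case built on `CfnTopic` (not currently imported in this file) with an explicit `kmsMasterKeyId` string, expected COMPLIANT, would document that the rule does not require a customer managed key and guard against a later tightening changing behaviour unnoticed.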
@@ -49,9 +61,9 @@ describe('Amazon Simple Notification Service (Amazon SNS)', () => { validateStack(stack, ruleId, TestType.NON_COMPLIANCE); }); test('Compliance', () => { - new Topic(stack, 'rTopic', { topicName: 'foo' }); - new Topic(stack, 'rTopic2', { masterKey: new Key(stack, 'rKey') }); - new Topic(stack, 'rTopic3').addToResourcePolicy( + new Topic(stack, 'Topic', { topicName: 'foo' }); + new Topic(stack, 'Topic2', { masterKey: new Key(stack, 'Key') }); + new Topic(stack, 'Topic3').addToResourcePolicy( new PolicyStatement({ actions: ['sns:publish', 'sns:subscribe'], effect: Effect.DENY, @@ -60,7 +72,7 @@ describe('Amazon Simple Notification Service (Amazon SNS)', () => { resources: ['foo'], }) ); - new CfnTopicPolicy(stack, 'rTopicPolicy', { + new CfnTopicPolicy(stack, 'TopicPolicy', { topics: ['foo'], policyDocument: new PolicyDocument({ statements: [