in src/packs/aws-solutions.ts [914:1086]
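/**
 * Applies the analytics-service rules of this pack (Athena, EMR, Kinesis
 * Data Analytics / Firehose / Streams, MSK, OpenSearch Service, QuickSight)
 * to a single resource.
 *
 * Each rule is registered through `applyRule` with a fixed `ruleSuffixOverride`
 * (the published rule suffix, e.g. `ATH1`), a one-line `info` message that
 * describes the non-compliant state, a longer `explanation`, and the message
 * level (`ERROR` or `WARN`).
 *
 * Fixes relative to the previous wording: the KDF1 `info` text stated the
 * compliant condition ("does have ... enabled") instead of the violation, and
 * the KDS1 `info` text contained a grammatical error ("does not has"). Both
 * are user-facing finding messages, so they are corrected here rather than
 * left to the reader to re-interpret.
 *
 * @param node - The CloudFormation resource to evaluate; every rule decides
 *   for itself whether it applies to this resource type.
 */
private checkAnalytics(node: CfnResource): void {
  this.applyRule({
    ruleSuffixOverride: 'ATH1',
    info: 'The Athena workgroup does not encrypt query results.',
    explanation:
      'Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption.',
    level: NagMessageLevel.ERROR,
    rule: AthenaWorkgroupEncryptedQueryResults,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'EMR2',
    info: 'The EMR cluster does not have S3 logging enabled.',
    explanation:
      'Uploading logs to S3 enables the system to keep the logging data for historical purposes or to track and analyze the clusters behavior.',
    level: NagMessageLevel.ERROR,
    rule: EMRS3AccessLogging,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'EMR6',
    info: 'The EMR cluster does not implement authentication via an EC2 Key Pair or Kerberos.',
    explanation:
      'SSH clients can use an EC2 key pair to authenticate to cluster instances. Alternatively, with EMR release version 5.10.0 or later, solutions can configure Kerberos to authenticate users and SSH connections to the master node.',
    level: NagMessageLevel.ERROR,
    rule: EMRAuthEC2KeyPairOrKerberos,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'KDA3',
    info: 'The Kinesis Data Analytics Flink Application does not have checkpointing enabled.',
    explanation:
      'Checkpoints are backups of application state that KDA automatically creates periodically and uses to restore from faults.',
    level: NagMessageLevel.WARN,
    rule: KinesisDataAnalyticsFlinkCheckpointing,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'KDF1',
    // Message describes the violation (missing SSE), not the compliant state.
    info: 'The Kinesis Data Firehose delivery stream does not have server-side encryption enabled.',
    explanation:
      'This allows the system to meet strict regulatory requirements and enhance the security of system data.',
    level: NagMessageLevel.ERROR,
    rule: KinesisDataFirehoseSSE,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'KDS1',
    info: 'The Kinesis Data Stream does not have server-side encryption enabled.',
    explanation:
      "Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it’s retrieved from storage. This allows the system to meet strict regulatory requirements and enhance the security of system data.",
    level: NagMessageLevel.ERROR,
    rule: KinesisDataStreamSSE,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'KDS3',
    info: 'The Kinesis Data Stream specifies server-side encryption and does not use the "aws/kinesis" key.',
    explanation:
      'Customer Managed Keys can incur additional costs that scale with the amount of consumers and producers. Ensure that Customer Managed Keys are required for compliance before using them (https://docs.aws.amazon.com/streams/latest/dev/costs-performance.html).',
    level: NagMessageLevel.WARN,
    rule: KinesisDataStreamDefaultKeyWhenSSE,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'MSK2',
    info: 'The MSK cluster uses plaintext communication between clients and brokers.',
    explanation:
      'TLS only communication secures data-in-transit by encrypting the connection between the clients and brokers.',
    level: NagMessageLevel.ERROR,
    rule: MSKClientToBrokerTLS,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'MSK3',
    info: 'The MSK cluster uses plaintext communication between brokers.',
    explanation:
      'TLS communication secures data-in-transit by encrypting the connection between brokers.',
    level: NagMessageLevel.ERROR,
    rule: MSKBrokerToBrokerTLS,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'MSK6',
    info: 'The MSK cluster does not send broker logs to a supported destination.',
    explanation:
      'Broker logs enable operators to troubleshoot Apache Kafka applications and to analyze their communications with the MSK cluster. The cluster can deliver logs to the following resources: a CloudWatch log group, an S3 bucket, a Kinesis Data Firehose delivery stream.',
    level: NagMessageLevel.ERROR,
    rule: MSKBrokerLogging,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS1',
    info: 'The OpenSearch Service domain is not provisioned inside a VPC.',
    explanation:
      'Provisioning the domain within a VPC enables better flexibility and control over the clusters access and security as this feature keeps all traffic between the VPC and OpenSearch domains within the AWS network instead of going over the public Internet.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchInVPCOnly,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS2',
    info: 'The OpenSearch Service domain does not have node-to-node encryption enabled.',
    explanation:
      'Enabling the node-to-node encryption feature adds an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchNodeToNodeEncryption,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS3',
    info: 'The OpenSearch Service domain does not only grant access via allowlisted IP addresses.',
    explanation:
      'Using allowlisted IP addresses helps protect the domain against unauthorized access.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchAllowlistedIPs,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS4',
    info: 'The OpenSearch Service domain does not use dedicated master nodes.',
    explanation:
      'Using dedicated master nodes helps improve environmental stability by offloading all the management tasks from the data nodes.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchDedicatedMasterNode,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS5',
    info: 'The OpenSearch Service domain does not allow for unsigned requests or anonymous access.',
    explanation:
      'Restricting public access helps prevent unauthorized access and prevents any unsigned requests to be made to the resources.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchNoUnsignedOrAnonymousAccess,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS7',
    info: 'The OpenSearch Service domain does not have Zone Awareness enabled.',
    explanation:
      'Enabling cross-zone replication (Zone Awareness) increases the availability of the OpenSearch Service domain by allocating the nodes and replicate the data across two AZs in the same region in order to prevent data loss and minimize downtime in the event of node or AZ failure.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchZoneAwareness,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS8',
    info: 'The OpenSearch Service domain does not have encryption at rest enabled.',
    explanation:
      'Encrypting data-at-rest protects data confidentiality and prevents unauthorized users from accessing sensitive information.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchEncryptedAtRest,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'OS9',
    info: 'The OpenSearch Service domain does not minimally publish SEARCH_SLOW_LOGS and INDEX_SLOW_LOGS to CloudWatch Logs.',
    explanation:
      'These logs enable operators to gain full insight into the performance of these operations.',
    level: NagMessageLevel.ERROR,
    rule: OpenSearchSlowLogsToCloudWatch,
    node: node,
  });
  this.applyRule({
    ruleSuffixOverride: 'QS1',
    info: 'The Quicksight data sources connection is not configured to use SSL.',
    explanation:
      'SSL secures communications to data sources, especially when using public networks. Using SSL with QuickSight requires the use of certificates signed by a publicly-recognized certificate authority.',
    level: NagMessageLevel.ERROR,
    rule: QuicksightSSLConnections,
    node: node,
  });
}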