# ################################### ## Rule Specification ## ##################################### # # Rule Identifier: # rds_cluster_logging_enabled_check # # Description: # This control checks whether Amazon RDS database clusters have all available log types enabled for export to Amazon CloudWatch Logs. # # Reports on: # AWS::RDS::DBCluster # # Evaluates: # AWS CloudFormation, AWS CloudFormation hook # # Rule Parameters: # None # # Scenarios: # Scenario: 1 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document does not contain any RDS DB cluster resources # Then: SKIP # Scenario: 2 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster Resource # And: 'Engine' is not one of 'aurora', 'aurora-mysql', 'aurora-postgresql', 'mysql' or 'postgres' # Then: SKIP # Scenario: 3 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is one of 'aurora', 'aurora-mysql', 'aurora-postgresql', 'mysql' or 'postgres' # And: 'EnableCloudwatchLogsExports' has not been specified or has been specified as an empty list # Then: FAIL # Scenario: 4 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is one of 'aurora', 'aurora-mysql', 'aurora-postgresql', 'mysql' or 'postgres' # And: 'EnableCloudwatchLogsExports' has been specified and is a non-empty list # And: One or more log types in 'EnableCloudwatchLogsExports' are not supported by the specified 'Engine' # Then: FAIL # Scenario: 5 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is one of 'aurora', 'aurora-mysql', 'aurora-postgresql', 'mysql' or 'postgres' # And: 'EnableCloudwatchLogsExports' has been specified and is a non-empty list # And: 'EnableCloudwatchLogsExports' does not contain all log types supported by the specified 'Engine' # Then: FAIL # Scenario: 6 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is one of 'aurora', 'aurora-mysql' or 'mysql' # And: 'EnableCloudwatchLogsExports' has been specified as a list with all supported log types # for the 'Engine' ('audit', 'error', 'general' and 'slowquery') # Then: PASS # Scenario: 7 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is 'aurora-postgresql' # And: 'EnableCloudwatchLogsExports' has been specified as a list with all supported log types # for the 'Engine' ('postgresql') # Then: PASS # Scenario: 8 # Given: The input document is an AWS CloudFormation or CloudFormation hook document # And: The input document contains an RDS DB cluster resource # And: 'Engine' is 'postgres' # And: 'EnableCloudwatchLogsExports' has been specified as a list with all supported log types # for the 'Engine' ('postgresql', 'upgrade') # Then: PASS # # Constants # let RDS_DB_CLUSTER_TYPE = "AWS::RDS::DBCluster" let INPUT_DOCUMENT = this let SUPPORTED_RDS_CLUSTER_ENGINES = [ "aurora", "aurora-mysql", "aurora-postgresql", "mysql", "postgres" ] let MYSQL_ENGINE_SUBTYPES = [ "aurora", "aurora-mysql", "mysql" ] let AURORA_POSTGRES_ENGINE_SUBTYPES = [ "aurora-postgresql" ] let POSTGRES_ENGINE_SUBTYPES = [ "postgres" ] let MYSQL_SUPPORTED_LOG_TYPES = [ "audit", "error", "general", "slowquery" ] let AURORA_POSTGRES_SUPPORTED_LOG_TYPES = [ "postgresql" ] let POSTGRES_SUPPORTED_LOG_TYPES = [ "postgresql", "upgrade" ] # # Assignments # let rds_db_clusters = Resources.*[ Type == %RDS_DB_CLUSTER_TYPE ] # # Primary Rules # rule rds_cluster_logging_enabled_check when is_cfn_template(%INPUT_DOCUMENT) %rds_db_clusters not empty { check(%rds_db_clusters.Properties) << [CT.RDS.PR.25]: Require an Amazon RDS database cluster to have logging configured [FIX]: Specify 'EnableCloudwatchLogsExports' with a list of all supported log types for the Amazon RDS database cluster engine. >> } rule rds_cluster_logging_enabled_check when is_cfn_hook(%INPUT_DOCUMENT, %RDS_DB_CLUSTER_TYPE) { check(%INPUT_DOCUMENT.%RDS_DB_CLUSTER_TYPE.resourceProperties) << [CT.RDS.PR.25]: Require an Amazon RDS database cluster to have logging configured [FIX]: Specify 'EnableCloudwatchLogsExports' with a list of all supported log types for the Amazon RDS database cluster engine. >> } # # Parameterized Rules # rule check(rds_db_cluster) { %rds_db_cluster [ filter_engine(this) ] { # Scenario 3 EnableCloudwatchLogsExports exists check_is_list_and_not_empty(EnableCloudwatchLogsExports) # Scenario 4 and 6 when Engine IN %MYSQL_ENGINE_SUBTYPES { %MYSQL_SUPPORTED_LOG_TYPES.* IN EnableCloudwatchLogsExports[*] EnableCloudwatchLogsExports.* IN %MYSQL_SUPPORTED_LOG_TYPES[*] } # Scenario 4 and 7 when Engine IN %AURORA_POSTGRES_ENGINE_SUBTYPES { %AURORA_POSTGRES_SUPPORTED_LOG_TYPES.* IN EnableCloudwatchLogsExports[*] EnableCloudwatchLogsExports.* IN %AURORA_POSTGRES_SUPPORTED_LOG_TYPES[*] } # Scenario 4 and 8 when Engine IN %POSTGRES_ENGINE_SUBTYPES { %POSTGRES_SUPPORTED_LOG_TYPES.* in EnableCloudwatchLogsExports[*] EnableCloudwatchLogsExports.* IN %POSTGRES_SUPPORTED_LOG_TYPES[*] } } } rule filter_engine(db_properties) { %db_properties { # Scenario 2 Engine exists Engine in %SUPPORTED_RDS_CLUSTER_ENGINES } } # # Utility Rules # rule check_is_list_and_not_empty(value) { %value { this is_list this not empty } } rule is_cfn_template(doc) { %doc { AWSTemplateFormatVersion exists or Resources exists } } rule is_cfn_hook(doc, RESOURCE_TYPE) { %doc.%RESOURCE_TYPE.resourceProperties exists }