CFN Nag Test Infrastructure Remediations

[malachi-constant]

Is your idea related to a problem? Please describe. Test infrastructure can be remediated to pass AWS standard security checks.

There is a work-in-progress PR to implement this as an automated check: https://github.com/awslabs/aws-data-wrangler/pull/1144 Describe the solution you'd like Running cfn_nag against the test infrastructure stacks. Yields the following report (warnings omitted):

[*] running cfn-nag for stack: base
------------------------------------------------------------
-
------------------------------------------------------------------------------------------------------------------------
| FAIL F19
|
| Resource: ["awsdatawranglerkey9E1BF2DA"]
| Line Numbers: [278]
|
| EnableKeyRotation should not be false or absent on KMS::Key resource
------------------------------------------------------------
Failures count: 1
[*] running cfn-nag for stack: lakeformation
------------------------------------------------------------
Failures count: 0
-----------------------------------------------------------------------------------------------------------
-
-------------
------------------------------------------------------------
| FAIL F26
|
| Resource: ["awsdatawranglerauroraclusterpostgresql765A3734", "awsdatawranglerauroraclustermysqlE948BF25"]
| Line Numbers: [399, 606]
|
| RDS DBCluster should have StorageEncrypted enabled
------------------------------------------------------------
| FAIL F24
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS instance master username must not be a plaintext string or a Ref to a Parameter with a Default value.  Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
------------------------------------------------------------
| FAIL F27
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS DBInstance should have StorageEncrypted enabled
------------------------------------------------------------
| FAIL F80
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS instance should have deletion protection enabled
------------------------------------------------------------
| FAIL F22
|
| Resource: ["awsdatawranglerauroraclusterpostgresqlInstance1676DFD33", "awsdatawranglerauroraclustermysqlInstance109EC8885", "awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [438, 644, 834]
|
| RDS instance should not be publicly accessible
------------------------------------------------------------

Failures count: 8
[*] running cfn-nag for stack: opensearch
------------------------------------------------------------
Failures count: 0
~/work/aws-data-wrangler/aws-data-wrangler/test_infra/scripts

Need to determine which of these reports yields remediation and which warrants suppression.

P.S. Don't attach files. Please, prefer add code snippets directly in the message body.

[jaidisido]

My 2 cents:

• base stack

  • F19 (Remediate): should be remediated. It costs 1$/year to enable key rotation and has no impact on the current infra

• databases stack

  • F26 and F27 (Suppress): the purpose of these RDS instances should be limited to testing with mock data. Enabling storage encryption seems excessive imo
  • F80 (Suppress?): Can we investigate the impact of turning deletion protection on the retention policy in the stack. If turning it on would mean that deleting the stack would retain the cluster or would fail the stack, then I am in favor of suppressing as again no valuable data should be there in the first place
  • F24 (Suppress): Ideally we would want a "NoEcho Parameter without a Default" but that adds friction to the user experience of deploying these stacks
  • F22 (Remediate?): Not sure about this one. I suppose the instance security group is already blocking inbound public traffic from outside the VPC. So this would be redundant but at the same time cannot hurt?