
bug: ApplicationLoadBalancedFargateService not correctly detecting certificate with redirectHTTP

Open. jessebs opened this issue 1 year ago • 1 comment

What is the problem?

When I use ApplicationLoadBalancedFargateService with a certificate managed by AWS Certificate Manager and redirectHTTP: true, I get a HIPAA.Security-ELBv2ACMCertificateRequired error. If I remove redirectHTTP, I do not get the error.

Reproduction Steps

import { Aspects, aws_ecs, aws_ecs_patterns, aws_route53, StackProps } from "aws-cdk-lib"
import * as cdk from "aws-cdk-lib"
import { HIPAASecurityChecks } from "cdk-nag"
import { Construct } from "constructs"
import { Certificate, CertificateValidation } from "aws-cdk-lib/aws-certificatemanager"
import { ApplicationProtocol } from "aws-cdk-lib/aws-elasticloadbalancingv2"

const app = new cdk.App()

export class TestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    // An explicit account/region is required because HostedZone.fromLookup
    // performs a context lookup against a concrete environment.
    super(scope, id, {
      env: {
        account: "111111111111",
        region: "us-east-1"
      }
    })

    const cluster = new aws_ecs.Cluster(this, "MyCluster", {})

    const hostedZone = aws_route53.HostedZone.fromLookup(this, "MyZone", {
      domainName: "example.com"
    })

    // ACM-managed certificate, DNS-validated through the hosted zone above.
    const certificate = new Certificate(this, "MyCertificate", {
      domainName: "my.example.com",
      validation: CertificateValidation.fromDns(hostedZone)
    })

    // HTTPS service with redirectHTTP: true, which makes the pattern create a
    // second, plain-HTTP listener on port 80 that only issues a 301 to 443.
    const service = new aws_ecs_patterns.ApplicationLoadBalancedFargateService(this, "MyService", {
      cluster,
      certificate,
      taskImageOptions: {
        image: aws_ecs.ContainerImage.fromRegistry("ecs-sample-image/amazon-ecs-sample")
      },
      redirectHTTP: true,
      protocol: ApplicationProtocol.HTTPS,
      domainName: "my.example.com",
      domainZone: hostedZone
    })
  }
}

new TestStack(app, "TestStack")

Aspects.of(app).add(new HIPAASecurityChecks({ verbose: true }))

// Synthesize so the aspect runs and the cdk-nag findings are emitted.
app.synth()

What did you expect to happen?

No Error

What actually happened?

[Error at /TestStack/MyService/LB/PublicRedirectListener/Resource] HIPAA.Security-ELBv2ACMCertificateRequired: The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)). Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.

cdk-nag version

2.28.64

Language

Typescript

Other information

No response

jessebs, Mar 14 '24 22:03

I believe this is functioning as intended.

The AWS Config rule (https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html) that this check is derived from states:

Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.

The listener flagged by cdk-nag does not meet the requirement, as it does not have an ACM certificate associated with it:

  "MyServiceLBPublicRedirectListenerD6C5BCC4": {
    "Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {
      "DefaultActions": [
        {
          "RedirectConfig": {
            "Port": "443",
            "Protocol": "HTTPS",
            "StatusCode": "HTTP_301"
          },
          "Type": "redirect"
        }
      ],
      "LoadBalancerArn": {
        "Ref": "MyServiceLBD9DA5706"
      },
      "Port": 80,
      "Protocol": "HTTP"
    },
    "Metadata": {
      "aws:cdk:path": "TestStack/MyService/LB/PublicRedirectListener/Resource"
    }
  },

dontirun, Mar 15 '24 18:03
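The following is an added example, not code from the issue author or from the cdk-nag project. It models the AWS Config rule semantics quoted in the reply above (every ELBv2 listener must carry an ACM certificate) as a stand-alone check over a synthesized CloudFormation template, so you can see why the port-80 redirect listener is the resource that trips the rule while the HTTPS listener next to it passes. It also honours a suppression in the `cdk_nag.rules_to_suppress` metadata shape that cdk-nag's `NagSuppressions` writes, which is the documented way to accept this finding when the HTTP listener does nothing but redirect. The template is constructed for the example: the redirect listener is the one printed in the thread, while the certificate resource, the HTTPS listener and their logical IDs are made up, and the checker is a simplified model rather than cdk-nag's own rule implementation.

```typescript
// Added example (not cdk-nag's code): a model of ELBv2ACMCertificateRequired
// run over a synthesized template, with support for cdk_nag suppressions.

type CfnResource = {
  Type: string;
  Properties?: Record<string, unknown>;
  Metadata?: Record<string, unknown>;
};
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface Finding {
  logicalId: string;
  path?: string;
  ruleId: string;
  suppressed: boolean;
  reason?: string;
}

const RULE_ID = "HIPAA.Security-ELBv2ACMCertificateRequired";

// An ACM certificate is either a literal ACM ARN or a Ref to an
// AWS::CertificateManager::Certificate resource in the same template.
function isAcmCertificate(cert: unknown, template: CfnTemplate): boolean {
  if (typeof cert !== "object" || cert === null) return false;
  const arn = (cert as { CertificateArn?: unknown }).CertificateArn;
  if (typeof arn === "string") {
    return /^arn:[^:]+:acm:[^:]*:\d{12}:certificate\/.+$/.test(arn);
  }
  if (typeof arn === "object" && arn !== null && "Ref" in arn) {
    const target = template.Resources[(arn as { Ref: string }).Ref];
    return target?.Type === "AWS::CertificateManager::Certificate";
  }
  return false;
}

// Metadata shape written by cdk-nag's NagSuppressions:
// { cdk_nag: { rules_to_suppress: [{ id, reason }] } }
function suppressionReason(res: CfnResource): string | undefined {
  const cdkNag = res.Metadata?.["cdk_nag"] as
    | { rules_to_suppress?: Array<{ id: string; reason: string }> }
    | undefined;
  return cdkNag?.rules_to_suppress?.find((s) => s.id === RULE_ID)?.reason;
}

// Flag every ELBv2 listener without an ACM certificate; suppressed findings
// are returned with suppressed: true rather than dropped, like a verbose report.
function checkListeners(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::ElasticLoadBalancingV2::Listener") continue;
    const certs = (res.Properties?.["Certificates"] as unknown[] | undefined) ?? [];
    if (certs.some((c) => isAcmCertificate(c, template))) continue;
    const reason = suppressionReason(res);
    findings.push({
      logicalId,
      path: res.Metadata?.["aws:cdk:path"] as string | undefined,
      ruleId: RULE_ID,
      suppressed: reason !== undefined,
      reason,
    });
  }
  return findings;
}

// Constructed template: redirect listener from the thread, plus a made-up
// certificate resource and HTTPS listener (logical IDs are illustrative).
const sampleTemplate: CfnTemplate = {
  Resources: {
    MyCertificateABCD1234: {
      Type: "AWS::CertificateManager::Certificate",
      Properties: { DomainName: "my.example.com" },
    },
    MyServiceLBPublicRedirectListenerD6C5BCC4: {
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        DefaultActions: [{ RedirectConfig: { Port: "443", Protocol: "HTTPS", StatusCode: "HTTP_301" }, Type: "redirect" }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" },
        Port: 80,
        Protocol: "HTTP",
      },
      Metadata: { "aws:cdk:path": "TestStack/MyService/LB/PublicRedirectListener/Resource" },
    },
    MyServiceLBPublicListener1234ABCD: {
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        Certificates: [{ CertificateArn: { Ref: "MyCertificateABCD1234" } }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" },
        Port: 443,
        Protocol: "HTTPS",
      },
    },
  },
};

// Attach a suppression to one resource the way cdk-nag records it in Metadata.
function withSuppression(template: CfnTemplate, logicalId: string, reason: string): CfnTemplate {
  const copy: CfnTemplate = JSON.parse(JSON.stringify(template));
  const res = copy.Resources[logicalId];
  if (!res) throw new Error(`no resource ${logicalId}`);
  res.Metadata = { ...res.Metadata, cdk_nag: { rules_to_suppress: [{ id: RULE_ID, reason }] } };
  return copy;
}

// Stand-alone run: only the plain-HTTP redirect listener is reported.
for (const f of checkListeners(sampleTemplate)) {
  console.log(`${f.suppressed ? "Suppressed" : "Error"} at ${f.path ?? f.logicalId}: ${f.ruleId}`);
}
```

In the real stack, the equivalent of `withSuppression` is `NagSuppressions.addResourceSuppressionsByPath(stack, "/TestStack/MyService/LB/PublicRedirectListener/Resource", [{ id: "HIPAA.Security-ELBv2ACMCertificateRequired", reason: "..." }])`, using the construct path from the error message; the reason should record that the listener serves no content and only issues a 301 to HTTPS, since that is the argument an auditor will want to see.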