bug: HIPAA.Security-RDSInBackupPlan not recognizing Serverless Postgres Cluster Instances #1627

Open
jessebs opened this issue Mar 13, 2024 · 1 comment
Labels
bug Something isn't working researching

Comments


jessebs commented Mar 13, 2024

What is the problem?

I have an Aurora Serverless cluster that I added to my BackupPlan

When running HIPAASecurityChecks, I get the following error for my writer and readers:

HIPAA.Security-RDSInBackupPlan: The RDS DB instance is not in an AWS Backup plan - (Control IDs: 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B)). To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.

Reproduction Steps

import { Aspects, aws_backup, aws_ec2, aws_rds, Duration, StackProps } from "aws-cdk-lib"
import * as cdk from "aws-cdk-lib"
import { HIPAASecurityChecks } from "cdk-nag"
import { Construct } from "constructs"
import { Schedule } from "aws-cdk-lib/aws-events"
import { DBClusterStorageType } from "aws-cdk-lib/aws-rds"
import { BackupResource } from "aws-cdk-lib/aws-backup"

const app = new cdk.App()

export class TestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props)

    const backupPlan = new aws_backup.BackupPlan(this, "BackupPlan", {
      backupPlanRules: [
        {
          props: {
            ruleName: "DailyBackup",
            scheduleExpression: Schedule.rate(Duration.days(1))
          }
        }
      ]
    })

    const vpc = new aws_ec2.Vpc(this, "VPC")

    const cluster = new aws_rds.DatabaseCluster(this, "DatabaseCluster", {
      engine: aws_rds.DatabaseClusterEngine.auroraPostgres({ version: aws_rds.AuroraPostgresEngineVersion.VER_15_4 }),
      storageType: DBClusterStorageType.AURORA,
      writer: aws_rds.ClusterInstance.serverlessV2("writer", { publiclyAccessible: false }),
      readers: [aws_rds.ClusterInstance.serverlessV2(`reader`, { publiclyAccessible: false, scaleWithWriter: true })],
      vpc
    })

    backupPlan.addSelection("DBBackup", {
      resources: [BackupResource.fromRdsServerlessCluster(cluster)]
    })
  }
}

new TestStack(app, "TestStack")

Aspects.of(app).add(new HIPAASecurityChecks({ verbose: true }))

What did you expect to happen?

No HIPAA.Security-RDSInBackupPlan errors

What actually happened?

I get multiple RDS Backup Plan Errors

[Error at /TestStack/DatabaseCluster/writer/Resource] HIPAA.Security-RDSInBackupPlan: The RDS DB instance is not in an AWS Backup plan - (Control IDs: 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B)). To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.

[Error at /TestStack/DatabaseCluster/reader/Resource] HIPAA.Security-RDSInBackupPlan: The RDS DB instance is not in an AWS Backup plan - (Control IDs: 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B)). To help with data back-up processes, ensure your Amazon Relational Database Service (Amazon RDS) instances are a part of an AWS Backup plan. AWS Backup is a fully managed backup service with a policy-based backup solution. This solution simplifies your backup management and enables you to meet your business and regulatory backup compliance requirements.

cdk-nag version

2.28.62

Language

Typescript

Other information

No response

@jessebs jessebs added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Mar 13, 2024
@jessebs jessebs changed the title bug: HIPAA.Security-RDSInBackupPlan not recognizing Serverless Cluster Instances bug: HIPAA.Security-RDSInBackupPlan not recognizing Serverless Postgres Cluster Instances Mar 14, 2024
dontirun (Collaborator) commented

I am currently unsure whether this is a cdk bug or a cdk-nag bug.

The Backup Plan CloudFormation generated by the example (below) does not include each of the individual DB instances (which the rule checks for), but it includes the Aurora Serverless Cluster.

  1. If the Cluster needs to be in the plan, and not the individual instances, this needs to be fixed in cdk-nag.
  2. If the Instances need to be in the plan and not the Cluster, then this needs to be fixed in the cdk.

This needs further research.

 "BackupPlanDBBackup4C23F628": {
   "Type": "AWS::Backup::BackupSelection",
   "Properties": {
    "BackupPlanId": {
     "Fn::GetAtt": [
      "BackupPlanA8F64793",
      "BackupPlanId"
     ]
    },
    "BackupSelection": {
     "IamRoleArn": {
      "Fn::GetAtt": [
       "BackupPlanDBBackupRoleF8772229",
       "Arn"
      ]
     },
     "Resources": [
      {
       "Fn::Join": [
        "",
        [
         "arn:",
         {
          "Ref": "AWS::Partition"
         },
         ":rds:",
         {
          "Ref": "AWS::Region"
         },
         ":",
         {
          "Ref": "AWS::AccountId"
         },
         ":cluster:",
         {
          "Ref": "DatabaseCluster68FC2945"
         }
        ]
       ]
      }
     ],
     "SelectionName": "DBBackup"
    }
   },
   "Metadata": {
    "aws:cdk:path": "TestStack/BackupPlan/DBBackup/Resource"
   }
  },

@dontirun dontirun added researching and removed needs-triage This issue or PR still needs to be triaged. labels Mar 14, 2024
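To make the gap described in the comment above concrete, the following is an added illustrative check written for this page; it is not cdk-nag's rule implementation and not the project's API. It walks a constructed CloudFormation template modelled on the synthesized selection quoted above (a cluster, a serverless writer and reader, and a selection that names only the cluster ARN) and compares two readings of the rule: the instance-level check the comment describes, where every AWS::RDS::DBInstance must itself be referenced from a BackupSelection, and a cluster-aware variant where an instance also counts as covered when the cluster named by its DBClusterIdentifier is in a selection. The logical ids and the IAM role ARN in the sample are placeholders.

```typescript
// Added illustrative check, not cdk-nag's own rule code.
// Minimal model of the parts of a CloudFormation template the check needs.
type CfnValue = string | number | boolean | null | CfnValue[] | { [key: string]: CfnValue };

interface CfnResource {
  Type: string;
  Properties?: { [key: string]: CfnValue };
}

interface CfnTemplate {
  Resources: { [logicalId: string]: CfnResource };
}

// Walk an intrinsic-function tree (Fn::Join, nested arrays, ...) and collect every
// logical id named by a { "Ref": ... }. Pseudo-parameters such as AWS::Region are
// collected too; they never collide with resource logical ids.
function collectRefs(value: CfnValue, out: Set<string> = new Set<string>()): Set<string> {
  if (Array.isArray(value)) {
    value.forEach((v) => collectRefs(v, out));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const v = value[key];
      if (key === "Ref" && typeof v === "string") out.add(v);
      else collectRefs(v, out);
    }
  }
  return out;
}

// Logical ids referenced from the Resources list of every AWS::Backup::BackupSelection.
function backupSelectionRefs(template: CfnTemplate): Set<string> {
  const refs = new Set<string>();
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::Backup::BackupSelection") continue;
    const selection = res.Properties ? res.Properties["BackupSelection"] : undefined;
    if (selection && typeof selection === "object" && !Array.isArray(selection)) {
      collectRefs(selection["Resources"] ?? null, refs);
    }
  }
  return refs;
}

// Instance-level reading: a DB instance must itself appear in some selection.
function instancesNotInBackupPlan(template: CfnTemplate): string[] {
  const refs = backupSelectionRefs(template);
  return Object.keys(template.Resources).filter(
    (id) => template.Resources[id].Type === "AWS::RDS::DBInstance" && !refs.has(id),
  );
}

// Cluster-aware reading: an instance also passes when the cluster it belongs to
// (via DBClusterIdentifier) appears in a selection.
function instancesNotInBackupPlanClusterAware(template: CfnTemplate): string[] {
  const refs = backupSelectionRefs(template);
  return Object.keys(template.Resources).filter((id) => {
    const res = template.Resources[id];
    if (res.Type !== "AWS::RDS::DBInstance" || refs.has(id)) return false;
    const clusterId = res.Properties ? res.Properties["DBClusterIdentifier"] : undefined;
    const clusterRefs = Array.from(collectRefs(clusterId ?? null));
    return !clusterRefs.some((c) => refs.has(c));
  });
}

// Build the ARN shape the CDK emits for BackupResource.fromRds*(): an Fn::Join over
// partition/region/account pseudo-parameters plus a Ref to the resource.
function rdsArn(kind: "cluster" | "db", logicalId: string): CfnValue {
  return {
    "Fn::Join": ["", [
      "arn:", { Ref: "AWS::Partition" }, ":rds:", { Ref: "AWS::Region" }, ":",
      { Ref: "AWS::AccountId" }, `:${kind}:`, { Ref: logicalId },
    ]],
  };
}

// Constructed sample template: placeholder logical ids, placeholder role ARN.
function sampleTemplate(selectionResources: CfnValue[]): CfnTemplate {
  return {
    Resources: {
      DatabaseCluster: { Type: "AWS::RDS::DBCluster", Properties: { Engine: "aurora-postgresql" } },
      DatabaseClusterWriter: {
        Type: "AWS::RDS::DBInstance",
        Properties: { DBClusterIdentifier: { Ref: "DatabaseCluster" }, DBInstanceClass: "db.serverless" },
      },
      DatabaseClusterReader: {
        Type: "AWS::RDS::DBInstance",
        Properties: { DBClusterIdentifier: { Ref: "DatabaseCluster" }, DBInstanceClass: "db.serverless" },
      },
      BackupPlan: { Type: "AWS::Backup::BackupPlan" },
      BackupPlanDBBackup: {
        Type: "AWS::Backup::BackupSelection",
        Properties: {
          BackupPlanId: { "Fn::GetAtt": ["BackupPlan", "BackupPlanId"] },
          BackupSelection: {
            IamRoleArn: "arn:aws:iam::123456789012:role/PLACEHOLDER",
            Resources: selectionResources,
            SelectionName: "DBBackup",
          },
        },
      },
    },
  };
}

// Reproduce the situation in the issue: only the cluster ARN is selected.
function demo(): { instanceLevel: string[]; clusterAware: string[] } {
  const template = sampleTemplate([rdsArn("cluster", "DatabaseCluster")]);
  return {
    instanceLevel: instancesNotInBackupPlan(template),
    clusterAware: instancesNotInBackupPlanClusterAware(template),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With only the cluster ARN selected, the instance-level reading flags both the writer and the reader, which is exactly the pair of findings in the report, while the cluster-aware reading flags nothing; with an empty selection both readings flag both instances, so the cluster-aware variant still catches a genuinely unprotected database.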