feat(aws): Add new check to ensure Aurora MySQL DB Clusters publish audit logs to CloudWatch logs

[danibarranqueroo]

Context

This new check verifies that Amazon Aurora MySQL DB clusters are configured to publish audit logs to Amazon CloudWatch Logs. Audit logs are vital for tracking database activity such as login attempts, data modifications, and schema changes. Configuring audit logs to publish to CloudWatch enables real-time analysis, durable storage of logs, and the creation of alarms and metrics for enhanced monitoring and compliance.

I have done this new check following the SH implementation, but there is an option of doing it as it’s done for instances, the option done is mirroring the existing AWS Security Hub control, focusing only on Aurora MySQL clusters, which have specific and robust support for audit log exports.
The other option would be doing as the RDS.9 control but for clusters, the problem here is that some clusters needs plugins to publish audit and they are not as complete as the Aurora MySQL ones.

So, in conclusion, I've done this check only for the Aurora MySQL clusters but the option of changing it is available and I’ll be open to listen any suggestion.

Description

Added new rds_cluster_integration_cloudwatch_logs check with its unit tests.

Checklist

• Are there new checks included in this PR? Yes / No
  • If so, do we need to update permissions for the provider? Please review this carefully.
• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.91%. Comparing base (163027a) to head (0f2e5f4).
Report is 46 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4916      +/-   ##
==========================================
- Coverage   89.03%   88.91%   -0.12%     
==========================================
  Files         937      947      +10     
  Lines       28709    29081     +372     
==========================================
+ Hits        25560    25857     +297     
- Misses       3149     3224      +75     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[MrCloudSec]

According to https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html, it is valid for:

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

The following values are valid for each DB engine:

Aurora MySQL - audit | error | general | slowquery

Aurora PostgreSQL - postgresql

RDS for MySQL - error | general | slowquery

RDS for PostgreSQL - postgresql | upgrade

Please, make the check look for these engines too.

[danibarranqueroo]

Done!

[MrCloudSec]

Suggested change

	report.status_extended = f"Aurora MySQL Cluster {db_cluster.id} is shipping {', '.join(db_cluster.cloudwatch_logs)} logs to CloudWatch Logs."
	report.status_extended = f"RDS Cluster {db_cluster.id} is shipping {', '.join(db_cluster.cloudwatch_logs)} logs to CloudWatch Logs."

[danibarranqueroo]

Done.

[MrCloudSec]

Suggested change

	report.status_extended = f"Aurora MySQL Cluster {db_cluster.id} does not have CloudWatch Logs enabled."
	report.status_extended = f"RDS Cluster {db_cluster.id} does not have CloudWatch Logs enabled."

[danibarranqueroo]

Done.

[MrCloudSec]

👏🏼