{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "AC-2(4)",
                "AC-4(26)",
                "AC-6(9)",
                "AU-10",
                "AU-12",
                "AU-2",
                "AU-3",
                "AU-6(3)",
                "AU-6(4)",
                "CA-7",
                "SC-7(10)",
                "SC-7(9)",
                "SI-3(8)",
                "SI-4(20)",
                "SI-7(8)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "10.1",
                "10.2.1",
                "10.2.2",
                "10.2.3",
                "10.2.4",
                "10.2.5",
                "10.2.6",
                "10.2.7",
                "10.3.1",
                "10.3.2",
                "10.3.3",
                "10.3.4",
                "10.3.5",
                "10.3.6"
            ]
        }
    ],
    "ConfigRuleIdentifier": "RDS_LOGGING_ENABLED",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether an RDS DB cluster parameter group requires Transport Layer Security (TLS) connections for supported engine types.",
    "DisplayName": "Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types",
    "DocumentationReferences": [
        {
            "DisplayName": "Security with Amazon Aurora MySQL",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.html"
        },
        {
            "DisplayName": "Security with Amazon Aurora PostgreSQL",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html"
        },
        {
            "DisplayName": "Requiring SSL/TLS for all connections to a MySQL DB instance",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/mysql-ssl-connections.html"
        },
        {
            "DisplayName": "Using SSL with a PostgreSQL DB instance",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::RDS::DBClusterParameterGroup"
    ],
    "EvaluatedServices": [
        "Amazon RDS"
    ],
    "Groups": [
        "digital-sovereignty"
    ],
    "Guidance": "Elective",
    "Id": "CT.RDS.PR.27",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.3",
            "Name": "Encrypt data in transit"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "ReleaseDate": "2023-11-27",
    "RemediationMessage": "For RDS DB cluster parameter groups with 'aurora-mysql' and 'mysql' families, in the Parameters property, set the value of 'require_secure_transport' to true. For RDS DB cluster parameter groups with 'aurora-postgresql' amd 'postgres' families, in  the Parameters property, set the value of 'rds.force_ssl' to true.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "1",
    "Visibility": "PUBLIC"
}