
bug: ApplicationLoadBalancedFargateService not correctly detecting certificate with redirectHTTP #1631

Open
jessebs opened this issue Mar 14, 2024 · 1 comment

jessebs commented Mar 14, 2024

What is the problem?

When I use ApplicationLoadBalancedFargateService with a certificate managed by AWS Certificate Manager and redirectHTTP: true, I get a HIPAA.Security-ELBv2ACMCertificateRequired error. If I remove redirectHTTP, I do not get the error.

Reproduction Steps

```typescript
import { Aspects, aws_ecs, aws_ecs_patterns, aws_route53, StackProps } from "aws-cdk-lib"
import * as cdk from "aws-cdk-lib"
import { HIPAASecurityChecks } from "cdk-nag"
import { Construct } from "constructs"
import { Certificate, CertificateValidation } from "aws-cdk-lib/aws-certificatemanager"
import { ApplicationProtocol } from "aws-cdk-lib/aws-elasticloadbalancingv2"

const app = new cdk.App()

export class TestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    // An explicit env is required for HostedZone.fromLookup (context lookups need account and region)
    super(scope, id, {
      env: {
        account: "111111111111",
        region: "us-east-1"
      }
    })

    const cluster = new aws_ecs.Cluster(this, "MyCluster", {})

    const hostedZone = aws_route53.HostedZone.fromLookup(this, "MyZone", {
      domainName: "example.com"
    })

    // ACM certificate, DNS-validated through the hosted zone above
    const certificate = new Certificate(this, "MyCertificate", {
      domainName: "my.example.com",
      validation: CertificateValidation.fromDns(hostedZone)
    })

    // HTTPS listener on 443 with the ACM certificate; redirectHTTP adds a second
    // listener on 80 whose only action is a 301 redirect to HTTPS
    const service = new aws_ecs_patterns.ApplicationLoadBalancedFargateService(this, "MyService", {
      cluster,
      certificate,
      taskImageOptions: {
        image: aws_ecs.ContainerImage.fromRegistry("ecs-sample-image/amazon-ecs-sample")
      },
      redirectHTTP: true,
      protocol: ApplicationProtocol.HTTPS,
      domainName: "my.example.com",
      domainZone: hostedZone
    })
  }
}

new TestStack(app, "TestStack")

// Apply the HIPAA Security pack to every construct in the app
Aspects.of(app).add(new HIPAASecurityChecks({ verbose: true }))
```

What did you expect to happen?

No Error

What actually happened?

[Error at /TestStack/MyService/LB/PublicRedirectListener/Resource] HIPAA.Security-ELBv2ACMCertificateRequired: The ALB, NLB, or GLB listener does not utilize an SSL certificate provided by ACM (Amazon Certificate Manager) - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)). Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing. Use AWS Certificate Manager to manage, provision and deploy public and private SSL/TLS certificates with AWS services and internal resources.

cdk-nag version

2.28.64

Language

Typescript

Other information

No response

@jessebs jessebs added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Mar 14, 2024
@jessebs jessebs changed the title bug: ApplicationLoadBalancedFargateService not correctly detecting certificate bug: ApplicationLoadBalancedFargateService not correctly detecting certificate with redirectHTTP Mar 14, 2024
dontirun (Collaborator) commented

I believe this is functioning as intended.

The AWS Config rule (https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html) that this check is derived from states:

Checks if Application Load Balancers and Network Load Balancers have listeners that are configured to use certificates from AWS Certificate Manager (ACM). This rule is NON_COMPLIANT if at least 1 load balancer has at least 1 listener that is configured without a certificate from ACM or is configured with a certificate different from an ACM certificate.

The listener flagged by cdk-nag does not meet the requirement as it does not have an ACM certificate associated with it

```json
"MyServiceLBPublicRedirectListenerD6C5BCC4": {
  "Type": "AWS::ElasticLoadBalancingV2::Listener",
  "Properties": {
    "DefaultActions": [
      {
        "RedirectConfig": {
          "Port": "443",
          "Protocol": "HTTPS",
          "StatusCode": "HTTP_301"
        },
        "Type": "redirect"
      }
    ],
    "LoadBalancerArn": {
      "Ref": "MyServiceLBD9DA5706"
    },
    "Port": 80,
    "Protocol": "HTTP"
  },
  "Metadata": {
    "aws:cdk:path": "TestStack/MyService/LB/PublicRedirectListener/Resource"
  }
}
```

@dontirun dontirun added other This issue doesn't fit into the other categories and removed bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Mar 15, 2024
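To make the maintainer's point concrete, here is an added example (not cdk-nag's or the AWS Config rule's own implementation) that applies the rule text quoted above to a synthesized CloudFormation template: every `AWS::ElasticLoadBalancingV2::Listener` is non-compliant unless all of its `Certificates` entries resolve to an ACM certificate, either by an `arn:aws:acm:` ARN or by a `Ref` to an `AWS::CertificateManager::Certificate` in the same template. The sample template is constructed here; it contains the redirect listener from the issue's synth output plus three listeners added for contrast (an HTTPS listener backed by the repro's ACM certificate, an HTTPS listener with an IAM server certificate, and a plain HTTP forward listener). The logical IDs `HttpsListenerAcm`, `HttpsListenerIamCert`, `PlainHttpListener` and `MyTargetGroup` are assumptions for the example. The ACM-matching heuristic is this example's reading of the rule, and cdk-nag's exact matching may differ.

```typescript
// Added example: evaluate the ELBv2ACMCertificateRequired condition over a template.
// Not cdk-nag's code; the matching logic below is an assumption based on the rule text.

type CfnResource = { Type: string; Properties?: Record<string, any>; Metadata?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface ListenerFinding {
  logicalId: string;
  cdkPath?: string;      // aws:cdk:path metadata, the path cdk-nag prints in its error
  protocol: string;
  redirectOnly: boolean; // true when every default action is a redirect (no traffic served here)
  reason: string;
}

// A certificate entry counts as ACM-backed if it is an ACM ARN or a Ref to an ACM resource.
function referencesAcmCertificate(cert: any, template: CfnTemplate): boolean {
  const arn = cert?.CertificateArn;
  if (typeof arn === "string") {
    return /^arn:aws[a-z-]*:acm:/.test(arn);
  }
  if (arn && typeof arn === "object" && typeof arn.Ref === "string") {
    return template.Resources[arn.Ref]?.Type === "AWS::CertificateManager::Certificate";
  }
  return false;
}

// Returns one finding per listener that has no certificate or a non-ACM certificate.
function findNonCompliantListeners(template: CfnTemplate): ListenerFinding[] {
  const findings: ListenerFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::ElasticLoadBalancingV2::Listener") continue;
    const props = res.Properties ?? {};
    const certs: any[] = Array.isArray(props.Certificates) ? props.Certificates : [];
    const acmBacked = certs.length > 0 && certs.every((c) => referencesAcmCertificate(c, template));
    if (acmBacked) continue;
    const actions: any[] = Array.isArray(props.DefaultActions) ? props.DefaultActions : [];
    const redirectOnly = actions.length > 0 && actions.every((a) => a.Type === "redirect");
    findings.push({
      logicalId,
      cdkPath: res.Metadata?.["aws:cdk:path"],
      protocol: String(props.Protocol ?? "unknown"),
      redirectOnly,
      reason: certs.length === 0 ? "no Certificates on listener" : "certificate is not from ACM",
    });
  }
  return findings;
}

// Constructed sample template: the redirect listener from the issue, plus three contrasting listeners.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    MyCertificate: { Type: "AWS::CertificateManager::Certificate", Properties: { DomainName: "my.example.com" } },
    MyServiceLBPublicRedirectListenerD6C5BCC4: {
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        DefaultActions: [{ RedirectConfig: { Port: "443", Protocol: "HTTPS", StatusCode: "HTTP_301" }, Type: "redirect" }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" },
        Port: 80,
        Protocol: "HTTP",
      },
      Metadata: { "aws:cdk:path": "TestStack/MyService/LB/PublicRedirectListener/Resource" },
    },
    HttpsListenerAcm: { // compliant: ACM certificate referenced by Ref (assumed logical ID)
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        Certificates: [{ CertificateArn: { Ref: "MyCertificate" } }],
        DefaultActions: [{ Type: "forward", TargetGroupArn: { Ref: "MyTargetGroup" } }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" }, Port: 443, Protocol: "HTTPS",
      },
    },
    HttpsListenerIamCert: { // non-compliant: TLS, but the certificate is an IAM server certificate, not ACM
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        Certificates: [{ CertificateArn: "arn:aws:iam::111111111111:server-certificate/legacy" }],
        DefaultActions: [{ Type: "forward", TargetGroupArn: { Ref: "MyTargetGroup" } }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" }, Port: 8443, Protocol: "HTTPS",
      },
    },
    PlainHttpListener: { // non-compliant and not a redirect: actually serves traffic in clear text
      Type: "AWS::ElasticLoadBalancingV2::Listener",
      Properties: {
        DefaultActions: [{ Type: "forward", TargetGroupArn: { Ref: "MyTargetGroup" } }],
        LoadBalancerArn: { Ref: "MyServiceLBD9DA5706" }, Port: 8080, Protocol: "HTTP",
      },
    },
  },
};

console.log(JSON.stringify(findNonCompliantListeners(SAMPLE_TEMPLATE), null, 2));
```

Running this reports three listeners: the redirect listener (no certificate), the IAM-certificate listener (certificate not from ACM) and the plain HTTP listener (no certificate); the ACM-backed HTTPS listener is not reported. The `redirectOnly` flag is what separates the redirect listener from a listener that genuinely serves cleartext: the rule itself makes no such distinction, so if a team accepts an HTTP-to-HTTPS redirect listener as an exception, the cdk-nag route is a targeted suppression on that one resource with a documented reason (`NagSuppressions.addResourceSuppressionsByPath` takes the same `/TestStack/MyService/LB/PublicRedirectListener/Resource` path the error prints), not disabling the rule for the whole stack.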