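// CheckEnableAccessLogging flags API Gateway stages (REST/v1 and HTTP-or-WebSocket/v2)
// whose access-log settings do not name a CloudWatch log group.
//
// Only the access-log destination (AccessLogging.CloudwatchLogGroupARN) is inspected;
// execution logging and the access-log format are not covered by this rule. Unlike the
// other rules in this package, the API itself is not filtered with IsUnmanaged here —
// only the stage is — so a managed stage is evaluated regardless of its parent API.
var CheckEnableAccessLogging = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0001",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-access-logging",
		Summary:     "API Gateway stages for V1 and V2 should have access logging enabled",
		Impact:      "Logging provides vital information about access and usage",
		Resolution:  "Enable logging for API Gateway stages",
		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
		Links: []string{
			"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAccessLoggingGoodExamples,
			BadExamples:         terraformEnableAccessLoggingBadExamples,
			Links:               terraformEnableAccessLoggingLinks,
			RemediationMarkdown: terraformEnableAccessLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAccessLoggingGoodExamples,
			BadExamples:         cloudFormationEnableAccessLoggingBadExamples,
			Links:               cloudFormationEnableAccessLoggingLinks,
			RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// REST (v1) API stages.
		for _, api := range s.AWS.APIGateway.V1.APIs {
			for _, stage := range api.Stages {
				// A stage that is not part of the scanned configuration cannot be judged.
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
					results.Add(
						"Access logging is not configured.",
						stage.AccessLogging.CloudwatchLogGroupARN,
					)
					continue
				}
				// Attribute the pass to the stage that was evaluated, matching the
				// failure above (which points at the stage's log-group attribute) and
				// the other per-stage rules in this package.
				results.AddPassed(&stage)
			}
		}
		// v2 API stages: the same check against the v2 model.
		for _, api := range s.AWS.APIGateway.V2.APIs {
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
					results.Add(
						"Access logging is not configured.",
						stage.AccessLogging.CloudwatchLogGroupARN,
					)
					continue
				}
				results.AddPassed(&stage)
			}
		}
		return
	},
)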
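// CheckEnableCacheEncryption flags REST (v1) API Gateway method settings that have
// response caching enabled but do not encrypt the cached data.
//
// Method settings whose CacheEnabled is definitively false are skipped — with no
// cache there is nothing to encrypt. Any other value (true, or not resolvable from
// the configuration) falls through to the CacheDataEncrypted check, so an unknown
// cache state is treated conservatively. v2 (HTTP/WebSocket) APIs are not visited.
var CheckEnableCacheEncryption = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0002",
		Provider:  providers.AWSProvider,
		Service:   "api-gateway",
		ShortCode: "enable-cache-encryption",
		// The control this rule enforces is cache *encryption*; whether caching is
		// enabled at all is deliberately not judged (see the CacheEnabled skip below).
		Summary:     "API Gateway must have cache encryption enabled",
		Impact:      "Data stored in the cache that is unencrypted may be vulnerable to compromise",
		Resolution:  "Enable cache encryption",
		Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableCacheEncryptionGoodExamples,
			BadExamples:         terraformEnableCacheEncryptionBadExamples,
			Links:               terraformEnableCacheEncryptionLinks,
			RemediationMarkdown: terraformEnableCacheEncryptionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			// Unmanaged APIs, stages and method settings are outside the scanned
			// configuration and are skipped rather than reported.
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				for _, settings := range stage.RESTMethodSettings {
					if settings.Metadata.IsUnmanaged() {
						continue
					}
					// No cache, nothing to encrypt. Only a definitively-false value
					// skips; an unresolvable CacheEnabled still gets checked.
					if settings.CacheEnabled.IsFalse() {
						continue
					}
					if settings.CacheDataEncrypted.IsFalse() {
						results.Add(
							"Cache data is not encrypted.",
							settings.CacheDataEncrypted,
						)
						continue
					}
					results.AddPassed(&settings)
				}
			}
		}
		return
	},
)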
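// CheckEnableTracing flags REST (v1) API Gateway stages that do not have X-Ray
// tracing enabled. Only v1 stages are evaluated; v2 APIs are not visited by this
// rule. Unmanaged APIs and stages are skipped rather than reported.
var CheckEnableTracing = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0003",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-tracing",
		Summary:     "API Gateway must have X-Ray tracing enabled",
		Impact:      "Without full tracing enabled it is difficult to trace the flow of logs",
		Resolution:  "Enable tracing",
		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableTracingGoodExamples,
			BadExamples:         terraformEnableTracingBadExamples,
			Links:               terraformEnableTracingLinks,
			RemediationMarkdown: terraformEnableTracingRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				// Only a definitively-false value is a finding; an unresolvable
				// XRayTracingEnabled is recorded as a pass.
				if stage.XRayTracingEnabled.IsFalse() {
					// Finding text ends with a period like every other message in
					// this package (it previously ended with a stray comma).
					results.Add(
						"X-Ray tracing is not enabled.",
						stage.XRayTracingEnabled,
					)
					continue
				}
				results.AddPassed(&stage)
			}
		}
		return
	},
)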
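// CheckNoPublicAccess flags REST (v1) API Gateway methods that are reachable with
// authorization type NONE.
//
// Two exemptions apply. OPTIONS methods are skipped: browsers send CORS pre-flight
// requests without credentials, so they are conventionally left unauthenticated.
// Methods that require an API key are also skipped. NOTE(review): an API key is a
// usage-plan metering/throttling control rather than a caller-authentication
// control, so that second exemption is a deliberate leniency of this rule, not a
// security guarantee. A method whose AuthorizationType is unset or unresolvable does
// not equal AuthorizationNone and is therefore recorded as a pass — presumably
// fail-open; confirm against the adapter's defaults.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0004",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "no-public-access",
		Summary:     "No unauthorized access to API Gateway methods",
		Impact:      "API gateway methods can be accessed without authorization.",
		Resolution:  "Use an authorization method or require API Key",
		Explanation: `API Gateway methods should generally be protected by authorization or api key. OPTIONS verb calls can be used without authorization`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, resource := range api.Resources {
				for _, method := range resource.Methods {
					// The HTTP verb is spelled "OPTIONS"; the literal has to match the
					// verb exactly or the pre-flight exemption described in the rule's
					// explanation never applies and every CORS method is reported.
					if method.HTTPMethod.EqualTo("OPTIONS") {
						continue
					}
					// API-key-gated methods are accepted as-is (see the note above).
					if method.APIKeyRequired.IsTrue() {
						continue
					}
					if method.AuthorizationType.EqualTo(v1.AuthorizationNone) {
						results.Add(
							"Authorization is not enabled for this method.",
							method.AuthorizationType,
						)
						continue
					}
					results.AddPassed(&method)
				}
			}
		}
		return
	},
)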
// CheckUseSecureTlsPolicy flags v1 and v2 API Gateway custom domain names whose
// security policy is anything other than "TLS_1_2".
//
// The comparison is an exact string match: an unset SecurityPolicy compares unequal
// and is presumably reported as outdated (fail-closed) — confirm the string type's
// NotEqualTo semantics for unresolvable values. A newer policy name would likewise be
// reported until the expected literal is updated. Domain names are not filtered with
// IsUnmanaged, unlike the stage-level rules in this package.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0005",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "API Gateway domain name uses outdated SSL/TLS protocols.",
		Impact:      "Outdated SSL policies increase exposure to known vulnerabilities",
		Resolution:  "Use the most modern TLS/SSL policies available",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
		Links: []string{
			"https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		// The only policy accepted as current.
		const requiredPolicy = "TLS_1_2"
		const outdatedMsg = "Domain name is configured with an outdated TLS policy."

		// REST (v1) custom domain names.
		for _, dn := range s.AWS.APIGateway.V1.DomainNames {
			if dn.SecurityPolicy.NotEqualTo(requiredPolicy) {
				results.Add(outdatedMsg, dn.SecurityPolicy)
				continue
			}
			results.AddPassed(&dn)
		}

		// v2 custom domain names, same policy expectation.
		for _, dn := range s.AWS.APIGateway.V2.DomainNames {
			if dn.SecurityPolicy.NotEqualTo(requiredPolicy) {
				results.Add(outdatedMsg, dn.SecurityPolicy)
				continue
			}
			results.AddPassed(&dn)
		}
		return
	},
)