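// CheckEnableAccessLogging flags API Gateway stages, for both the REST (v1)
// and HTTP/WebSocket (v2) APIs, whose access-log settings carry no CloudWatch
// log group ARN. Without a destination log group no request-level access
// record exists, which removes the primary evidence source for investigating
// abuse of or unexpected access to the stage.
//
// Unmanaged stages (resources the scanner only knows by reference) are
// skipped so that missing data is not reported as a misconfiguration.
// Each managed stage yields exactly one result: a failure attached to the
// empty CloudwatchLogGroupARN value, or a pass attributed to the stage.
var CheckEnableAccessLogging = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0001",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-access-logging",
		Summary:     "API Gateway stages for V1 and V2 should have access logging enabled",
		Impact:      "Logging provides vital information about access and usage",
		Resolution:  "Enable logging for API Gateway stages",
		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
		Links: []string{
			"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAccessLoggingGoodExamples,
			BadExamples:         terraformEnableAccessLoggingBadExamples,
			Links:               terraformEnableAccessLoggingLinks,
			RemediationMarkdown: terraformEnableAccessLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAccessLoggingGoodExamples,
			BadExamples:         cloudFormationEnableAccessLoggingBadExamples,
			Links:               cloudFormationEnableAccessLoggingLinks,
			RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// v1 (REST) stages.
		for _, api := range s.AWS.APIGateway.V1.APIs {
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
					results.Add(
						"Access logging is not configured.",
						stage.AccessLogging.CloudwatchLogGroupARN,
					)
				} else {
					// The stage is the resource that was inspected, so the pass is
					// attributed to it rather than to the enclosing API. This matches
					// the other rules in this package, which pass the checked resource.
					results.AddPassed(&stage)
				}
			}
		}
		// v2 (HTTP/WebSocket) stages: same check, separate state tree.
		for _, api := range s.AWS.APIGateway.V2.APIs {
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
					results.Add(
						"Access logging is not configured.",
						stage.AccessLogging.CloudwatchLogGroupARN,
					)
				} else {
					results.AddPassed(&stage)
				}
			}
		}
		return
	},
)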
// CheckEnableCache reports REST (v1) API method settings whose response cache
// is explicitly disabled. The walk is API -> stage -> method settings, and
// any level that is unmanaged is skipped before its children are examined.
// The result for a managed method-settings block is either a failure pinned
// to its CacheEnabled value or a pass attributed to the settings block.
var CheckEnableCache = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0190",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-cache",
		Summary:     "Ensure that response caching is enabled for your Amazon API Gateway REST APIs.",
		Impact:      "Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching.",
		Resolution:  "Enable cache",
		Explanation: "A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.",
		Links:       []string{"https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html"},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableCacheGoodExamples,
			BadExamples:         terraformEnableCacheBadExamples,
			Links:               terraformEnableCacheLinks,
			RemediationMarkdown: terraformEnableCacheRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		const finding = "Cache data is not enabled."
		for _, restAPI := range s.AWS.APIGateway.V1.APIs {
			if restAPI.Metadata.IsUnmanaged() {
				continue
			}
			for _, st := range restAPI.Stages {
				if st.Metadata.IsUnmanaged() {
					continue
				}
				for _, ms := range st.RESTMethodSettings {
					switch {
					case ms.Metadata.IsUnmanaged():
						// Not fully known to the scanner: neither pass nor fail.
					case ms.CacheEnabled.IsFalse():
						results.Add(finding, ms.CacheEnabled)
					default:
						results.AddPassed(&ms)
					}
				}
			}
		}
		return
	},
)
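// CheckEnableCacheEncryption reports REST (v1) API method settings that have
// the response cache turned on but leave the cached data unencrypted. Cached
// responses can contain the same sensitive payloads as the backend returns,
// so an unencrypted cache widens the set of places that data rests in clear.
//
// The walk is API -> stage -> method settings; unmanaged levels are skipped.
// Settings with caching disabled are skipped as well, since cache encryption
// is moot there and enabling the cache is CheckEnableCache's concern.
var CheckEnableCacheEncryption = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0002",
		Provider:  providers.AWSProvider,
		Service:   "api-gateway",
		ShortCode: "enable-cache-encryption",
		// The summary previously read "must have cache enabled", which describes
		// CheckEnableCache, not this rule; it now names the encryption requirement.
		Summary:     "API Gateway must have cache encryption enabled",
		Impact:      "Data stored in the cache that is unencrypted may be vulnerable to compromise",
		Resolution:  "Enable cache encryption",
		Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableCacheEncryptionGoodExamples,
			BadExamples:         terraformEnableCacheEncryptionBadExamples,
			Links:               terraformEnableCacheEncryptionLinks,
			RemediationMarkdown: terraformEnableCacheEncryptionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				for _, settings := range stage.RESTMethodSettings {
					if settings.Metadata.IsUnmanaged() {
						continue
					}
					// No cache means nothing to encrypt; not a finding for this rule.
					if settings.CacheEnabled.IsFalse() {
						continue
					}
					if settings.CacheDataEncrypted.IsFalse() {
						results.Add(
							"Cache data is not encrypted.",
							settings.CacheDataEncrypted,
						)
					} else {
						results.AddPassed(&settings)
					}
				}
			}
		}
		return
	},
)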
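// CheckEnableTracing reports REST (v1) API stages with X-Ray tracing turned
// off. Tracing gives per-request visibility across the gateway and its
// integrations, which is what an investigator needs to reconstruct how a
// request travelled through the system.
//
// Unmanaged APIs and stages are skipped. Each managed stage yields one
// result: a failure pinned to its XRayTracingEnabled value, or a pass
// attributed to the stage.
var CheckEnableTracing = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0003",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-tracing",
		Summary:     "API Gateway must have X-Ray tracing enabled",
		Impact:      "Without full tracing enabled it is difficult to trace the flow of logs",
		Resolution:  "Enable tracing",
		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableTracingGoodExamples,
			BadExamples:         terraformEnableTracingBadExamples,
			Links:               terraformEnableTracingLinks,
			RemediationMarkdown: terraformEnableTracingRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, stage := range api.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				if stage.XRayTracingEnabled.IsFalse() {
					// Finding text ends with a period like every other message in
					// this package; it previously ended with a stray comma.
					results.Add(
						"X-Ray tracing is not enabled.",
						stage.XRayTracingEnabled,
					)
				} else {
					results.AddPassed(&stage)
				}
			}
		}
		return
	},
)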
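// CheckNoPublicAccess reports REST (v1) API methods that can be invoked with
// neither an authorizer nor an API key: the method's authorization type is
// v1.AuthorizationNone and APIKeyRequired is not true. Such a method is
// reachable by anyone who can resolve the API's endpoint.
//
// Two carve-outs are deliberate. A method that requires an API key is not
// flagged even when its authorization type is NONE. An OPTIONS method is not
// flagged at all, because browsers send CORS preflight requests without
// credentials and that method must therefore be callable unauthenticated;
// the preflight response itself carries no application data.
//
// Unmanaged APIs are skipped. Each examined method yields one result: a
// failure pinned to its AuthorizationType value, or a pass attributed to
// the method.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0004",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "no-public-access",
		Summary:     "No unauthorized access to API Gateway methods",
		Impact:      "API gateway methods can be accessed without authorization.",
		Resolution:  "Use an authorization method or require API Key",
		Explanation: `API Gateway methods should generally be protected by authorization or api key. OPTIONS verb calls can be used without authorization`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, resource := range api.Resources {
				for _, method := range resource.Methods {
					// The HTTP verb is spelled "OPTIONS"; the previous comparison against
					// "OPTION" could never match a valid API Gateway method name, so the
					// intended CORS-preflight exemption never took effect and every
					// unauthenticated OPTIONS method was reported.
					if method.HTTPMethod.EqualTo("OPTIONS") {
						continue
					}
					// An API key is accepted as the access control for this rule.
					if method.APIKeyRequired.IsTrue() {
						continue
					}
					if method.AuthorizationType.EqualTo(v1.AuthorizationNone) {
						results.Add(
							"Authorization is not enabled for this method.",
							method.AuthorizationType,
						)
					} else {
						results.AddPassed(&method)
					}
				}
			}
		}
		return
	},
)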
// CheckUseSecureTlsPolicy reports API Gateway custom domain names, in both
// the v1 and v2 state trees, whose security policy is anything other than
// the literal "TLS_1_2". Only that exact value passes; every other value is
// reported against the domain's SecurityPolicy field as an outdated policy.
// No unmanaged check is applied here: every domain name in state is examined.
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0005",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "API Gateway domain name uses outdated SSL/TLS protocols.",
		Impact:      "Outdated SSL policies increase exposure to known vulnerabilities",
		Resolution:  "Use the most modern TLS/SSL policies available",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
		Links: []string{
			"https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		const (
			// The only policy value accepted by this rule.
			securePolicy = "TLS_1_2"
			finding      = "Domain name is configured with an outdated TLS policy."
		)
		// v1 (REST) custom domain names.
		for _, dn := range s.AWS.APIGateway.V1.DomainNames {
			if !dn.SecurityPolicy.NotEqualTo(securePolicy) {
				results.AddPassed(&dn)
				continue
			}
			results.Add(finding, dn.SecurityPolicy)
		}
		// v2 (HTTP/WebSocket) custom domain names.
		for _, dn := range s.AWS.APIGateway.V2.DomainNames {
			if !dn.SecurityPolicy.NotEqualTo(securePolicy) {
				results.AddPassed(&dn)
				continue
			}
			results.Add(finding, dn.SecurityPolicy)
		}
		return
	},
)