Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var CheckApiUseSecureTlsPolicy = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0112", Provider: providers.AWSProvider, Service: "sam", ShortCode: "api-use-secure-tls-policy", Summary: "SAM API domain name uses outdated SSL/TLS protocols.", Impact: "Outdated SSL policies increase exposure to known vulnerabilities", Resolution: "Use the most modern TLS/SSL policies available", Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationApiUseSecureTlsPolicyGoodExamples, BadExamples: cloudFormationApiUseSecureTlsPolicyBadExamples, Links: cloudFormationApiUseSecureTlsPolicyLinks, RemediationMarkdown: cloudFormationApiUseSecureTlsPolicyRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, api := range s.AWS.SAM.APIs { if api.DomainConfiguration.SecurityPolicy.NotEqualTo("TLS_1_2") { results.Add( "Domain name is configured with an outdated TLS policy.", api.DomainConfiguration.SecurityPolicy, ) } else { results.AddPassed(&api) } } return }, )
View Source
var CheckEnableApiAccessLogging = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0113", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-api-access-logging", Summary: "SAM API stages for V1 and V2 should have access logging enabled", Impact: "Logging provides vital information about access and usage", Resolution: "Enable logging for API Gateway stages", Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableApiAccessLoggingGoodExamples, BadExamples: cloudFormationEnableApiAccessLoggingBadExamples, Links: cloudFormationEnableApiAccessLoggingLinks, RemediationMarkdown: cloudFormationEnableApiAccessLoggingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, api := range s.AWS.SAM.APIs { if api.Metadata.IsUnmanaged() { continue } if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { results.Add( "Access logging is not configured.", api.AccessLogging.CloudwatchLogGroupARN, ) } else { results.AddPassed(&api) } } return }, )
View Source
var CheckEnableApiCacheEncryption = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0110", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-api-cache-encryption", Summary: "SAM API must have data cache enabled", Impact: "Data stored in the cache that is unencrypted may be vulnerable to compromise", Resolution: "Enable cache encryption", Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`, Links: []string{ "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableApiCacheEncryptionGoodExamples, BadExamples: cloudFormationEnableApiCacheEncryptionBadExamples, Links: cloudFormationEnableApiCacheEncryptionLinks, RemediationMarkdown: cloudFormationEnableApiCacheEncryptionRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, api := range s.AWS.SAM.APIs { if api.Metadata.IsUnmanaged() { continue } if api.RESTMethodSettings.CacheDataEncrypted.IsFalse() { results.Add( "Cache data is not encrypted.", api.RESTMethodSettings.CacheDataEncrypted, ) } else { results.AddPassed(&api) } } return }, )
View Source
var CheckEnableApiTracing = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0111", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-api-tracing", Summary: "SAM API must have X-Ray tracing enabled", Impact: "Without full tracing enabled it is difficult to trace the flow of logs", Resolution: "Enable tracing", Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableApiTracingGoodExamples, BadExamples: cloudFormationEnableApiTracingBadExamples, Links: cloudFormationEnableApiTracingLinks, RemediationMarkdown: cloudFormationEnableApiTracingRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, api := range s.AWS.SAM.APIs { if api.Metadata.IsUnmanaged() { continue } if api.TracingEnabled.IsFalse() { results.Add( "X-Ray tracing is not enabled,", api.TracingEnabled, ) } else { results.AddPassed(&api) } } return }, )
View Source
var CheckEnableFunctionTracing = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0125", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-function-tracing", Summary: "SAM Function must have X-Ray tracing enabled", Impact: "Without full tracing enabled it is difficult to trace the flow of logs", Resolution: "Enable tracing", Explanation: `X-Ray tracing enables end-to-end debugging and analysis of the function.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableFunctionTracingGoodExamples, BadExamples: cloudFormationEnableFunctionTracingBadExamples, Links: cloudFormationEnableFunctionTracingLinks, RemediationMarkdown: cloudFormationEnableFunctionTracingRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, function := range s.AWS.SAM.Functions { if function.Metadata.IsUnmanaged() { continue } if function.Tracing.NotEqualTo(sam.TracingModeActive) { results.Add( "X-Ray tracing is not enabled,", function.Tracing, ) } else { results.AddPassed(&function) } } return }, )
View Source
var CheckEnableHttpApiAccessLogging = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0116", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-http-api-access-logging", Summary: "SAM HTTP API stages for V1 and V2 should have access logging enabled", Impact: "Logging provides vital information about access and usage", Resolution: "Enable logging for API Gateway stages", Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-httpapi.html#sam-httpapi-accesslogsettings", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableHttpApiAccessLoggingGoodExamples, BadExamples: cloudFormationEnableHttpApiAccessLoggingBadExamples, Links: cloudFormationEnableHttpApiAccessLoggingLinks, RemediationMarkdown: cloudFormationEnableHttpApiAccessLoggingRemediationMarkdown, }, Severity: severity.Medium, }, func(s *state.State) (results scan.Results) { for _, api := range s.AWS.SAM.HttpAPIs { if api.Metadata.IsUnmanaged() { continue } if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { results.Add( "Access logging is not configured.", api.AccessLogging.CloudwatchLogGroupARN, ) } else { results.AddPassed(&api) } } return }, )
View Source
var CheckEnableStateMachineLogging = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0119", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-state-machine-logging", Summary: "SAM State machine must have logging enabled", Impact: "Without logging enabled it is difficult to identify suspicious activity", Resolution: "Enable logging", Explanation: `Logging enables end-to-end debugging and analysis of all state machine activities.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-logging", }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, stateMachine := range s.AWS.SAM.StateMachines { if stateMachine.Metadata.IsUnmanaged() { continue } if stateMachine.LoggingConfiguration.LoggingEnabled.IsFalse() { results.Add( "Logging is not enabled,", stateMachine.LoggingConfiguration.LoggingEnabled, ) } else { results.AddPassed(&stateMachine) } } return }, )
View Source
var CheckEnableStateMachineTracing = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0117", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-state-machine-tracing", Summary: "SAM State machine must have X-Ray tracing enabled", Impact: "Without full tracing enabled it is difficult to trace the flow of logs", Resolution: "Enable tracing", Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all state machine activities.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-tracing", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableStateMachineTracingGoodExamples, BadExamples: cloudFormationEnableStateMachineTracingBadExamples, Links: cloudFormationEnableStateMachineTracingLinks, RemediationMarkdown: cloudFormationEnableStateMachineTracingRemediationMarkdown, }, Severity: severity.Low, }, func(s *state.State) (results scan.Results) { for _, stateMachine := range s.AWS.SAM.StateMachines { if stateMachine.Metadata.IsUnmanaged() { continue } if stateMachine.Tracing.Enabled.IsFalse() { results.Add( "X-Ray tracing is not enabled,", stateMachine.Tracing.Enabled, ) } else { results.AddPassed(&stateMachine) } } return }, )
View Source
var CheckEnableTableEncryption = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0121", Provider: providers.AWSProvider, Service: "sam", ShortCode: "enable-table-encryption", Summary: "SAM Simple table must have server side encryption enabled.", Impact: "Data stored in the table that is unencrypted may be vulnerable to compromise", Resolution: "Enable server side encryption", Explanation: `Encryption should be enabled at all available levels to ensure that data is protected if compromised.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-simpletable.html#sam-simpletable-ssespecification", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationEnableTableEncryptionGoodExamples, BadExamples: cloudFormationEnableTableEncryptionBadExamples, Links: cloudFormationEnableTableEncryptionLinks, RemediationMarkdown: cloudFormationEnableTableEncryptionRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, table := range s.AWS.SAM.SimpleTables { if table.SSESpecification.Enabled.IsFalse() { results.Add( "Domain name is configured with an outdated TLS policy.", table.SSESpecification.Enabled, ) } else { results.AddPassed(&table) } } return }, )
View Source
var CheckNoFunctionPolicyWildcards = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0114", Provider: providers.AWSProvider, Service: "sam", ShortCode: "no-function-policy-wildcards", Summary: "Function policies should avoid use of wildcards and instead apply the principle of least privilege", Impact: "Overly permissive policies may grant access to sensitive resources", Resolution: "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", Explanation: `You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationNoFunctionPolicyWildcardsGoodExamples, BadExamples: cloudFormationNoFunctionPolicyWildcardsBadExamples, Links: cloudFormationNoFunctionPolicyWildcardsLinks, RemediationMarkdown: cloudFormationNoFunctionPolicyWildcardsRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, function := range s.AWS.SAM.Functions { if function.Metadata.IsUnmanaged() { continue } for _, document := range function.Policies { policy := document.Document.Parsed statements, _ := policy.Statements() for _, statement := range statements { results = checkStatement(document.Document, statement, results) } } } return }, )
View Source
var CheckNoStateMachinePolicyWildcards = rules.Register( scan.Rule{ AVDID: "AVD-AWS-0120", Provider: providers.AWSProvider, Service: "sam", ShortCode: "no-state-machine-policy-wildcards", Summary: "State machine policies should avoid use of wildcards and instead apply the principle of least privilege", Impact: "Overly permissive policies may grant access to sensitive resources", Resolution: "Specify the exact permissions required, and to which resources they should apply instead of using wildcards.", Explanation: `You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.`, Links: []string{ "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies", }, CloudFormation: &scan.EngineMetadata{ GoodExamples: cloudFormationNoStateMachinePolicyWildcardsGoodExamples, BadExamples: cloudFormationNoStateMachinePolicyWildcardsBadExamples, Links: cloudFormationNoStateMachinePolicyWildcardsLinks, RemediationMarkdown: cloudFormationNoStateMachinePolicyWildcardsRemediationMarkdown, }, Severity: severity.High, }, func(s *state.State) (results scan.Results) { for _, stateMachine := range s.AWS.SAM.StateMachines { if stateMachine.Metadata.IsUnmanaged() { continue } for _, document := range stateMachine.Policies { policy := document.Document.Parsed statements, _ := policy.Statements() for _, statement := range statements { results = checkStatement(document.Document, statement, results) } } } return }, )
Functions ¶
This section is empty.
Types ¶
This section is empty.
Source Files
¶
- api_use_secure_tls_policy.cf.go
- api_use_secure_tls_policy.go
- enable_api_access_logging.cf.go
- enable_api_access_logging.go
- enable_api_cache_encryption.cf.go
- enable_api_cache_encryption.go
- enable_api_tracing.cf.go
- enable_api_tracing.go
- enable_function_tracing.cf.go
- enable_function_tracing.go
- enable_http_api_access_logging.cf.go
- enable_http_api_access_logging.go
- enable_state_machine_logging.go
- enable_state_machine_tracing.cf.go
- enable_state_machine_tracing.go
- enable_table_encryption.cf.go
- enable_table_encryption.go
- no_function_policy_wildcards.cf.go
- no_function_policy_wildcards.go
- no_state_machine_policy_wildcards.cf.go
- no_state_machine_policy_wildcards.go
Click to show internal directories.
Click to hide internal directories.