github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/enable_access_logging.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/enable_access_logging.go (about)

     1  package apigateway
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEnableAccessLogging = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0001",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "api-gateway",
    16  		ShortCode:   "enable-access-logging",
    17  		Summary:     "API Gateway stages for V1 and V2 should have access logging enabled",
    18  		Impact:      "Logging provides vital information about access and usage",
    19  		Resolution:  "Enable logging for API Gateway stages",
    20  		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
    23  		},
    24  		Terraform: &scan.EngineMetadata{
    25  			GoodExamples:        terraformEnableAccessLoggingGoodExamples,
    26  			BadExamples:         terraformEnableAccessLoggingBadExamples,
    27  			Links:               terraformEnableAccessLoggingLinks,
    28  			RemediationMarkdown: terraformEnableAccessLoggingRemediationMarkdown,
    29  		},
    30  		CloudFormation: &scan.EngineMetadata{
    31  			GoodExamples:        cloudFormationEnableAccessLoggingGoodExamples,
    32  			BadExamples:         cloudFormationEnableAccessLoggingBadExamples,
    33  			Links:               cloudFormationEnableAccessLoggingLinks,
    34  			RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
    35  		},
    36  		Severity: severity.Medium,
    37  	},
    38  	func(s *state.State) (results scan.Results) {
    39  		for _, api := range s.AWS.APIGateway.V1.APIs {
    40  			for _, stage := range api.Stages {
    41  				if stage.Metadata.IsUnmanaged() {
    42  					continue
    43  				}
    44  				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
    45  					results.Add(
    46  						"Access logging is not configured.",
    47  						stage.AccessLogging.CloudwatchLogGroupARN,
    48  					)
    49  				} else {
    50  					results.AddPassed(&api)
    51  				}
    52  			}
    53  		}
    54  		for _, api := range s.AWS.APIGateway.V2.APIs {
    55  			for _, stage := range api.Stages {
    56  				if stage.Metadata.IsUnmanaged() {
    57  					continue
    58  				}
    59  				if stage.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
    60  					results.Add(
    61  						"Access logging is not configured.",
    62  						stage.AccessLogging.CloudwatchLogGroupARN,
    63  					)
    64  				} else {
    65  					results.AddPassed(&api)
    66  				}
    67  			}
    68  		}
    69  		return
    70  	},
    71  )