github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/enable_cache_encryption.go (about)

     1  package apigateway
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
// CheckEnableCacheEncryption registers rule AVD-AWS-0002
// (api-gateway / enable-cache-encryption).
//
// The check walks every managed API Gateway v1 REST API, each of its managed
// stages and each managed REST method settings entry. Entries whose cache is
// explicitly disabled are skipped (nothing is cached, so nothing needs
// encrypting). For the remaining entries, a CacheDataEncrypted value that
// resolves to false is reported as a failure; every other value is recorded as
// a pass. Note that only an explicit false is reported: a value that is neither
// true nor false (unset / unresolvable) counts as a pass here, so the rule's
// strictness depends on how the adapter populates CacheDataEncrypted — worth
// confirming if a stricter default is expected.
//
// The Summary wording ("must have cache enabled") is kept verbatim; the check
// itself is about cache *encryption*, as the ShortCode, Impact and Resolution
// fields describe.
var CheckEnableCacheEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0002",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "enable-cache-encryption",
		Summary:     "API Gateway must have cache enabled",
		Impact:      "Data stored in the cache that is unencrypted may be vulnerable to compromise",
		Resolution:  "Enable cache encryption",
		Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableCacheEncryptionGoodExamples,
			BadExamples:         terraformEnableCacheEncryptionBadExamples,
			Links:               terraformEnableCacheEncryptionLinks,
			RemediationMarkdown: terraformEnableCacheEncryptionRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, restAPI := range s.AWS.APIGateway.V1.APIs {
			if restAPI.Metadata.IsUnmanaged() {
				continue
			}
			for _, stage := range restAPI.Stages {
				if stage.Metadata.IsUnmanaged() {
					continue
				}
				for _, methodSettings := range stage.RESTMethodSettings {
					// Unmanaged entries are out of scope, and a cache that is
					// explicitly disabled has no data to protect.
					if methodSettings.Metadata.IsUnmanaged() || methodSettings.CacheEnabled.IsFalse() {
						continue
					}
					// Anything other than an explicit false is treated as a pass.
					if !methodSettings.CacheDataEncrypted.IsFalse() {
						results.AddPassed(&methodSettings)
						continue
					}
					results.Add(
						"Cache data is not encrypted.",
						methodSettings.CacheDataEncrypted,
					)
				}
			}
		}
		return
	},
)