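package apigateway

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	v1 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/apigateway/v1"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicAccess flags API Gateway (v1 / REST) methods that can be
// invoked without any authorization: the method has no authorizer
// (authorization type NONE) and does not require an API key.
//
// Exemptions:
//   - methods whose metadata is unmanaged (not defined in the scanned IaC);
//   - the OPTIONS verb, which is used for CORS preflight and is expected
//     to be callable anonymously;
//   - methods that require an API key.
//
// Every method that is not exempt is reported either as failed (no
// authorization) or as passed.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0004",
		Provider:    providers.AWSProvider,
		Service:     "api-gateway",
		ShortCode:   "no-public-access",
		Summary:     "No unauthorized access to API Gateway methods",
		Impact:      "API gateway methods can be accessed without authorization.",
		Resolution:  "Use an authorization method or require API Key",
		Explanation: `API Gateway methods should generally be protected by authorization or api key. OPTIONS verb calls can be used without authorization`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// The check walks every v1 API -> resource -> method in the scanned state
	// and appends one result per evaluated method.
	func(s *state.State) (results scan.Results) {
		for _, api := range s.AWS.APIGateway.V1.APIs {
			// Unmanaged APIs come from outside the scanned configuration;
			// there is nothing the user can remediate here.
			if api.Metadata.IsUnmanaged() {
				continue
			}
			for _, resource := range api.Resources {
				for _, method := range resource.Methods {
					// Give each iteration its own variable so that the
					// pointer handed to AddPassed below never aliases a
					// later iteration (pre-Go 1.22 loop-variable semantics).
					method := method

					// The HTTP verb is "OPTIONS"; the original comparison
					// against "OPTION" could never match a real method and
					// so flagged CORS preflight methods the rule intends to
					// exempt. The legacy spelling is kept for compatibility
					// with any existing fixtures that use it.
					if method.HTTPMethod.EqualTo("OPTIONS") || method.HTTPMethod.EqualTo("OPTION") {
						continue
					}
					// An API key is an accepted alternative to an authorizer.
					if method.APIKeyRequired.IsTrue() {
						continue
					}
					if method.AuthorizationType.EqualTo(v1.AuthorizationNone) {
						results.Add(
							"Authorization is not enabled for this method.",
							method.AuthorizationType,
						)
						continue
					}
					results.AddPassed(&method)
				}
			}
		}
		return
	},
)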