github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/apigateway/use_secure_tls_policy.go (about) 1 package apigateway 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckUseSecureTlsPolicy = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0005", 14 Provider: providers.AWSProvider, 15 Service: "api-gateway", 16 ShortCode: "use-secure-tls-policy", 17 Summary: "API Gateway domain name uses outdated SSL/TLS protocols.", 18 Impact: "Outdated SSL policies increase exposure to known vulnerabilities", 19 Resolution: "Use the most modern TLS/SSL policies available", 20 Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`, 21 Links: []string{ 22 "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformUseSecureTlsPolicyGoodExamples, 26 BadExamples: terraformUseSecureTlsPolicyBadExamples, 27 Links: terraformUseSecureTlsPolicyLinks, 28 RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown, 29 }, 30 Severity: severity.High, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, domain := range s.AWS.APIGateway.V1.DomainNames { 34 if domain.SecurityPolicy.NotEqualTo("TLS_1_2") { 35 results.Add( 36 "Domain name is configured with an outdated TLS policy.", 37 domain.SecurityPolicy, 38 ) 39 } else { 40 results.AddPassed(&domain) 41 } 42 } 43 for _, domain := range s.AWS.APIGateway.V2.DomainNames { 44 if domain.SecurityPolicy.NotEqualTo("TLS_1_2") { 45 results.Add( 46 "Domain name is configured with an outdated TLS policy.", 47 domain.SecurityPolicy, 48 ) 49 } else { 50 results.AddPassed(&domain) 51 } 52 } 53 return 54 }, 55 )