github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sam/enable_http_api_access_logging.go (about) 1 package sam 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEnableHttpApiAccessLogging = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0116", 14 Provider: providers.AWSProvider, 15 Service: "sam", 16 ShortCode: "enable-http-api-access-logging", 17 Summary: "SAM HTTP API stages for V1 and V2 should have access logging enabled", 18 Impact: "Logging provides vital information about access and usage", 19 Resolution: "Enable logging for API Gateway stages", 20 Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`, 21 Links: []string{ 22 "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-httpapi.html#sam-httpapi-accesslogsettings", 23 }, 24 CloudFormation: &scan.EngineMetadata{ 25 GoodExamples: cloudFormationEnableHttpApiAccessLoggingGoodExamples, 26 BadExamples: cloudFormationEnableHttpApiAccessLoggingBadExamples, 27 Links: cloudFormationEnableHttpApiAccessLoggingLinks, 28 RemediationMarkdown: cloudFormationEnableHttpApiAccessLoggingRemediationMarkdown, 29 }, 30 Severity: severity.Medium, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, api := range s.AWS.SAM.HttpAPIs { 34 if api.Metadata.IsUnmanaged() { 35 continue 36 } 37 38 if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { 39 results.Add( 40 "Access logging is not configured.", 41 api.AccessLogging.CloudwatchLogGroupARN, 42 ) 43 } else { 44 results.AddPassed(&api) 45 } 46 } 47 48 return 49 }, 50 )