github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sam/enable_state_machine_logging.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/sam/enable_state_machine_logging.go (about)

     1  package sam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEnableStateMachineLogging = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-AWS-0119",
    14  		Provider:    providers.AWSProvider,
    15  		Service:     "sam",
    16  		ShortCode:   "enable-state-machine-logging",
    17  		Summary:     "SAM State machine must have logging enabled",
    18  		Impact:      "Without logging enabled it is difficult to identify suspicious activity",
    19  		Resolution:  "Enable logging",
    20  		Explanation: `Logging enables end-to-end debugging and analysis of all state machine activities.`,
    21  		Links: []string{
    22  			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-logging",
    23  		},
    24  		Severity: severity.Low,
    25  	},
    26  	func(s *state.State) (results scan.Results) {
    27  		for _, stateMachine := range s.AWS.SAM.StateMachines {
    28  			if stateMachine.Metadata.IsUnmanaged() {
    29  				continue
    30  			}
    31  
    32  			if stateMachine.LoggingConfiguration.LoggingEnabled.IsFalse() {
    33  				results.Add(
    34  					"Logging is not enabled,",
    35  					stateMachine.LoggingConfiguration.LoggingEnabled,
    36  				)
    37  			} else {
    38  				results.AddPassed(&stateMachine)
    39  			}
    40  		}
    41  		return
    42  	},
    43  )