This repository has been archived by the owner on Jun 1, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Owen Rumney
committed
Dec 2, 2021
1 parent
fca3203
commit 4cf6011
Showing
11 changed files
with
762 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| --- | ||
| title: SAM API domain name uses outdated SSL/TLS protocols. | ||
| shortcode: api-use-secure-tls-policy | ||
| summary: SAM API domain name uses outdated SSL/TLS protocols. | ||
| permalink: /docs/sam/api-use-secure-tls-policy/ | ||
| --- | ||
|
|
||
| ### Explanation | ||
|
|
||
| You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. | ||
|
|
||
| ### Possible Impact | ||
| Outdated SSL policies increase exposure to known vulnerabilities | ||
|
|
||
| ### Suggested Resolution | ||
| Use the most modern TLS/SSL policies available | ||
|
|
||
|
|
||
| ### Insecure Example | ||
|
|
||
| The following example will fail the AVD-AWS-0112 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Bad Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Bad SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ### Secure Example | ||
|
|
||
| The following example will pass the AVD-AWS-0112 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Good Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Good SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
| Domain: | ||
| SecurityPolicy: TLS_1_2 | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ### Related Links | ||
|
|
||
|
|
||
| - [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy) | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| --- | ||
| title: SAM API stages for V1 and V2 should have access logging enabled | ||
| shortcode: enable-api-access-logging | ||
| summary: SAM API stages for V1 and V2 should have access logging enabled | ||
| permalink: /docs/sam/enable-api-access-logging/ | ||
| --- | ||
|
|
||
| ### Explanation | ||
|
|
||
| API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages. | ||
|
|
||
| ### Possible Impact | ||
| Logging provides vital information about access and usage | ||
|
|
||
| ### Suggested Resolution | ||
| Enable logging for API Gateway stages | ||
|
|
||
|
|
||
| ### Insecure Example | ||
|
|
||
| The following example will fail the AVD-AWS-0113 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Bad Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Bad SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ### Secure Example | ||
|
|
||
| The following example will pass the AVD-AWS-0113 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Good Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Good SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
| Domain: | ||
| SecurityPolicy: TLS_1_2 | ||
| AccessLogSetting: | ||
| DestinationArn: gateway-logging | ||
| Format: json | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ### Related Links | ||
|
|
||
|
|
||
| - [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting) | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| --- | ||
| title: SAM API must have data cache enabled | ||
| shortcode: enable-api-cache-encryption | ||
| summary: SAM API must have data cache enabled | ||
| permalink: /docs/sam/enable-api-cache-encryption/ | ||
| --- | ||
|
|
||
| ### Explanation | ||
|
|
||
| Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception | ||
|
|
||
| ### Possible Impact | ||
| Data stored in the cache that is unencrypted may be vulnerable to compromise | ||
|
|
||
| ### Suggested Resolution | ||
| Enable cache encryption | ||
|
|
||
|
|
||
| ### Insecure Example | ||
|
|
||
| The following example will fail the AVD-AWS-0110 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Bad Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Bad SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ### Secure Example | ||
|
|
||
| The following example will pass the AVD-AWS-0110 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Good Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Good SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
| Domain: | ||
| SecurityPolicy: TLS_1_2 | ||
| MethodSettings: | ||
| CacheDataEncrypted: true | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ### Related Links | ||
|
|
||
|
|
||
| - [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted) | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| --- | ||
| title: SAM API must have X-Ray tracing enabled | ||
| shortcode: enable-api-tracing | ||
| summary: SAM API must have X-Ray tracing enabled | ||
| permalink: /docs/sam/enable-api-tracing/ | ||
| --- | ||
|
|
||
| ### Explanation | ||
|
|
||
| X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests. | ||
|
|
||
| ### Possible Impact | ||
| Without full tracing enabled it is difficult to trace the flow of logs | ||
|
|
||
| ### Suggested Resolution | ||
| Enable tracing | ||
|
|
||
|
|
||
| ### Insecure Example | ||
|
|
||
| The following example will fail the AVD-AWS-0111 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Bad Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Bad SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: false | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ### Secure Example | ||
|
|
||
| The following example will pass the AVD-AWS-0111 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Good Example of SAM API | ||
| Resources: | ||
| ApiGatewayApi: | ||
| Type: AWS::Serverless::Api | ||
| Properties: | ||
| Name: Good SAM API example | ||
| StageName: Prod | ||
| TracingEnabled: true | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ### Related Links | ||
|
|
||
|
|
||
| - [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled) | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| --- | ||
| title: SAM Function must have X-Ray tracing enabled | ||
| shortcode: enable-function-tracing | ||
| summary: SAM Function must have X-Ray tracing enabled | ||
| permalink: /docs/sam/enable-function-tracing/ | ||
| --- | ||
|
|
||
| ### Explanation | ||
|
|
||
| X-Ray tracing enables end-to-end debugging and analysis of the function. | ||
|
|
||
| ### Possible Impact | ||
| Without full tracing enabled it is difficult to trace the flow of logs | ||
|
|
||
| ### Suggested Resolution | ||
| Enable tracing | ||
|
|
||
|
|
||
| ### Insecure Example | ||
|
|
||
| The following example will fail the AVD-AWS-0113 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Bad Example of SAM Function | ||
| Resources: | ||
| BadFunction: | ||
| Type: AWS::Serverless::Function | ||
| Properties: | ||
| PackageType: Image | ||
| ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name | ||
| ImageConfig: | ||
| Command: | ||
| - "app.lambda_handler" | ||
| EntryPoint: | ||
| - "entrypoint1" | ||
| WorkingDirectory: "workDir" | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ### Secure Example | ||
|
|
||
| The following example will pass the AVD-AWS-0113 check. | ||
|
|
||
| ```yaml | ||
| --- | ||
| AWSTemplateFormatVersion: 2010-09-09 | ||
| Description: Good Example of SAM Function | ||
| Resources: | ||
| GoodFunction: | ||
| Type: AWS::Serverless::Function | ||
| Properties: | ||
| PackageType: Image | ||
| ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name | ||
| ImageConfig: | ||
| Command: | ||
| - "app.lambda_handler" | ||
| EntryPoint: | ||
| - "entrypoint1" | ||
| WorkingDirectory: "workDir" | ||
| Tracing: Active | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
|
|
||
| ### Related Links | ||
|
|
||
|
|
||
| - [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing) | ||
|
|
||
|
|
Oops, something went wrong.