From 4cf6011959df7ed6a0b62075f48fd2da45dcac03 Mon Sep 17 00:00:00 2001 From: Owen Rumney Date: Thu, 2 Dec 2021 17:52:18 +0000 Subject: [PATCH] update the docs --- docs/checks/sam/api-use-secure-tls-policy.md | 67 +++++++++++++ docs/checks/sam/enable-api-access-logging.md | 70 ++++++++++++++ .../checks/sam/enable-api-cache-encryption.md | 69 +++++++++++++ docs/checks/sam/enable-api-tracing.md | 65 +++++++++++++ docs/checks/sam/enable-function-tracing.md | 76 +++++++++++++++ .../sam/enable-http-api-access-logging.md | 69 +++++++++++++ .../sam/enable-state-machine-tracing.md | 79 +++++++++++++++ docs/checks/sam/enable-table-encryption.md | 65 +++++++++++++ .../sam/no-function-policy-wildcards.md | 92 ++++++++++++++++++ .../sam/no-state-machine-policy-wildcards.md | 96 +++++++++++++++++++ mkdocs.yml | 16 +++- 11 files changed, 762 insertions(+), 2 deletions(-) create mode 100644 docs/checks/sam/api-use-secure-tls-policy.md create mode 100644 docs/checks/sam/enable-api-access-logging.md create mode 100644 docs/checks/sam/enable-api-cache-encryption.md create mode 100644 docs/checks/sam/enable-api-tracing.md create mode 100644 docs/checks/sam/enable-function-tracing.md create mode 100644 docs/checks/sam/enable-http-api-access-logging.md create mode 100644 docs/checks/sam/enable-state-machine-tracing.md create mode 100644 docs/checks/sam/enable-table-encryption.md create mode 100644 docs/checks/sam/no-function-policy-wildcards.md create mode 100644 docs/checks/sam/no-state-machine-policy-wildcards.md diff --git a/docs/checks/sam/api-use-secure-tls-policy.md b/docs/checks/sam/api-use-secure-tls-policy.md new file mode 100644 index 00000000..4048f167 --- /dev/null +++ b/docs/checks/sam/api-use-secure-tls-policy.md @@ -0,0 +1,67 @@ +--- +title: SAM API domain name uses outdated SSL/TLS protocols. +shortcode: api-use-secure-tls-policy +summary: SAM API domain name uses outdated SSL/TLS protocols. +permalink: /docs/sam/api-use-secure-tls-policy/ +--- + +### Explanation + +You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. + +### Possible Impact +Outdated SSL policies increase exposure to known vulnerabilities + +### Suggested Resolution +Use the most modern TLS/SSL policies available + + +### Insecure Example + +The following example will fail the AVD-AWS-0112 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0112 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy) + + diff --git a/docs/checks/sam/enable-api-access-logging.md b/docs/checks/sam/enable-api-access-logging.md new file mode 100644 index 00000000..63264229 --- /dev/null +++ b/docs/checks/sam/enable-api-access-logging.md @@ -0,0 +1,70 @@ +--- +title: SAM API stages for V1 and V2 should have access logging enabled +shortcode: enable-api-access-logging +summary: SAM API stages for V1 and V2 should have access logging enabled +permalink: /docs/sam/enable-api-access-logging/ +--- + +### Explanation + +API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages. + +### Possible Impact +Logging provides vital information about access and usage + +### Suggested Resolution +Enable logging for API Gateway stages + + +### Insecure Example + +The following example will fail the AVD-AWS-0113 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0113 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 + AccessLogSetting: + DestinationArn: gateway-logging + Format: json + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting) + + diff --git a/docs/checks/sam/enable-api-cache-encryption.md b/docs/checks/sam/enable-api-cache-encryption.md new file mode 100644 index 00000000..4c5a59d5 --- /dev/null +++ b/docs/checks/sam/enable-api-cache-encryption.md @@ -0,0 +1,69 @@ +--- +title: SAM API must have data cache enabled +shortcode: enable-api-cache-encryption +summary: SAM API must have data cache enabled +permalink: /docs/sam/enable-api-cache-encryption/ +--- + +### Explanation + +Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception + +### Possible Impact +Data stored in the cache that is unencrypted may be vulnerable to compromise + +### Suggested Resolution +Enable cache encryption + + +### Insecure Example + +The following example will fail the AVD-AWS-0110 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0110 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 + MethodSettings: + CacheDataEncrypted: true + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted) + + diff --git a/docs/checks/sam/enable-api-tracing.md b/docs/checks/sam/enable-api-tracing.md new file mode 100644 index 00000000..719f271b --- /dev/null +++ b/docs/checks/sam/enable-api-tracing.md @@ -0,0 +1,65 @@ +--- +title: SAM API must have X-Ray tracing enabled +shortcode: enable-api-tracing +summary: SAM API must have X-Ray tracing enabled +permalink: /docs/sam/enable-api-tracing/ +--- + +### Explanation + +X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests. + +### Possible Impact +Without full tracing enabled it is difficult to trace the flow of logs + +### Suggested Resolution +Enable tracing + + +### Insecure Example + +The following example will fail the AVD-AWS-0111 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0111 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: true + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled) + + diff --git a/docs/checks/sam/enable-function-tracing.md b/docs/checks/sam/enable-function-tracing.md new file mode 100644 index 00000000..e2e6e505 --- /dev/null +++ b/docs/checks/sam/enable-function-tracing.md @@ -0,0 +1,76 @@ +--- +title: SAM Function must have X-Ray tracing enabled +shortcode: enable-function-tracing +summary: SAM Function must have X-Ray tracing enabled +permalink: /docs/sam/enable-function-tracing/ +--- + +### Explanation + +X-Ray tracing enables end-to-end debugging and analysis of the function. + +### Possible Impact +Without full tracing enabled it is difficult to trace the flow of logs + +### Suggested Resolution +Enable tracing + + +### Insecure Example + +The following example will fail the AVD-AWS-0113 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM Function +Resources: + BadFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0113 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM Function +Resources: + GoodFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tracing: Active + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing) + + diff --git a/docs/checks/sam/enable-http-api-access-logging.md b/docs/checks/sam/enable-http-api-access-logging.md new file mode 100644 index 00000000..dc02e43c --- /dev/null +++ b/docs/checks/sam/enable-http-api-access-logging.md @@ -0,0 +1,69 @@ +--- +title: SAM HTTP API stages for V1 and V2 should have access logging enabled +shortcode: enable-http-api-access-logging +summary: SAM HTTP API stages for V1 and V2 should have access logging enabled +permalink: /docs/sam/enable-http-api-access-logging/ +--- + +### Explanation + +API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages. + +### Possible Impact +Logging provides vital information about access and usage + +### Suggested Resolution +Enable logging for API Gateway stages + + +### Insecure Example + +The following example will fail the AVD-AWS-0116 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + HttpApi: + Type: AWS::Serverless::HttpApi + Properties: + Properties: + Name: Good SAM API example + StageName: Prod + Tracing: Passthrough + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0116 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::HttpApi + Properties: + Name: Good SAM API example + StageName: Prod + Tracing: Activey + AccessLogSetting: + DestinationArn: gateway-logging + Format: json + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-httpapi.html#sam-httpapi-accesslogsettings](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-httpapi.html#sam-httpapi-accesslogsettings) + + diff --git a/docs/checks/sam/enable-state-machine-tracing.md b/docs/checks/sam/enable-state-machine-tracing.md new file mode 100644 index 00000000..41b09541 --- /dev/null +++ b/docs/checks/sam/enable-state-machine-tracing.md @@ -0,0 +1,79 @@ +--- +title: SAM State machine must have X-Ray tracing enabled +shortcode: enable-state-machine-tracing +summary: SAM State machine must have X-Ray tracing enabled +permalink: /docs/sam/enable-state-machine-tracing/ +--- + +### Explanation + +X-Ray tracing enables end-to-end debugging and analysis of all state machine activities. + +### Possible Impact +Without full tracing enabled it is difficult to trace the flow of logs + +### Suggested Resolution +Enable tracing + + +### Insecure Example + +The following example will fail the AVD-AWS-0117 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + BadStateMachine: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0117 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + GoodStateMachine: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-tracing](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-tracing) + + diff --git a/docs/checks/sam/enable-table-encryption.md b/docs/checks/sam/enable-table-encryption.md new file mode 100644 index 00000000..4b974fae --- /dev/null +++ b/docs/checks/sam/enable-table-encryption.md @@ -0,0 +1,65 @@ +--- +title: SAM Simple table must have server side encryption enabled. +shortcode: enable-table-encryption +summary: SAM Simple table must have server side encryption enabled. +permalink: /docs/sam/enable-table-encryption/ +--- + +### Explanation + +Encryption should be enabled at all available levels to ensure that data is protected if compromised. + +### Possible Impact +Data stored in the table that is unencrypted may be vulnerable to compromise + +### Suggested Resolution +Enable server side encryption + + +### Insecure Example + +The following example will fail the AVD-AWS-0121 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM Table +Resources: + BadFunction: + Type: AWS::Serverless::SimpleTable + Properties: + TableName: Bad Table + SSESpecification: + SSEEnabled: false + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0121 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM Table +Resources: + GoodFunction: + Type: AWS::Serverless::SimpleTable + Properties: + TableName: GoodTable + SSESpecification: + SSEEnabled: true + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-simpletable.html#sam-simpletable-ssespecification](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-simpletable.html#sam-simpletable-ssespecification) + + diff --git a/docs/checks/sam/no-function-policy-wildcards.md b/docs/checks/sam/no-function-policy-wildcards.md new file mode 100644 index 00000000..dee85d98 --- /dev/null +++ b/docs/checks/sam/no-function-policy-wildcards.md @@ -0,0 +1,92 @@ +--- +title: Function policies should avoid use of wildcards and instead apply the principle of least privilege +shortcode: no-function-policy-wildcards +summary: Function policies should avoid use of wildcards and instead apply the principle of least privilege +permalink: /docs/sam/no-function-policy-wildcards/ +--- + +### Explanation + +You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + +### Possible Impact +Overly permissive policies may grant access to sensitive resources + +### Suggested Resolution +Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + +### Insecure Example + +The following example will fail the AVD-AWS-0114 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM Function +Resources: + BadFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Policies: + - AWSLambdaExecute + - Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:* + Resource: 'arn:aws:s3:::my-bucket/*' + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0114 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM Function +Resources: + GoodFunction: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Policies: + - AWSLambdaExecute + - Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: 'arn:aws:s3:::my-bucket/*' + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies) + + diff --git a/docs/checks/sam/no-state-machine-policy-wildcards.md b/docs/checks/sam/no-state-machine-policy-wildcards.md new file mode 100644 index 00000000..ed604fe7 --- /dev/null +++ b/docs/checks/sam/no-state-machine-policy-wildcards.md @@ -0,0 +1,96 @@ +--- +title: State machine policies should avoid use of wildcards and instead apply the principle of least privilege +shortcode: no-state-machine-policy-wildcards +summary: State machine policies should avoid use of wildcards and instead apply the principle of least privilege +permalink: /docs/sam/no-state-machine-policy-wildcards/ +--- + +### Explanation + +You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + +### Possible Impact +Overly permissive policies may grant access to sensitive resources + +### Suggested Resolution +Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + + +### Insecure Example + +The following example will fail the AVD-AWS-0120 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM Function +Resources: + BadFunction: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + Policies: + - AWSLambdaExecute + - Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:* + Resource: 'arn:aws:s3:::my-bucket/*' + +``` + + + +### Secure Example + +The following example will pass the AVD-AWS-0120 check. + +```yaml +--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM Function +Resources: + GoodFunction: + Type: AWS::Serverless::StateMachine + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + Type: Task + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + End: true + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + Policies: + - AWSLambdaExecute + - Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: 'arn:aws:s3:::my-bucket/*' + +``` + + + + +### Related Links + + +- [https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies) + + diff --git a/mkdocs.yml b/mkdocs.yml index 7f631f51..f41f49a4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -2,7 +2,8 @@ site_name: cfsec site_url: https://aquasecurity.github.io/cfsec/ -site_description: A static analysis security scanner for your yaml and json CloudFormation code +site_description: A static analysis security scanner for your yaml and json CloudFormation + code docs_dir: docs/ @@ -30,7 +31,7 @@ nav: - Parameters: getting-started/usage.md - Credits: getting-started/credit.md - GitHub Actions: - - GitHub Action: getting-started/configuration/github-actions/github-action.md + - GitHub Action: getting-started/configuration/github-actions/github-action.md - Checks: - api-gateway: - enable-access-logging: checks/api-gateway/enable-access-logging.md @@ -128,6 +129,17 @@ nav: - no-public-access-with-acl: checks/s3/no-public-access-with-acl.md - no-public-buckets: checks/s3/no-public-buckets.md - specify-public-access-block: checks/s3/specify-public-access-block.md + - sam: + - api-use-secure-tls-policy: checks/sam/api-use-secure-tls-policy.md + - enable-api-access-logging: checks/sam/enable-api-access-logging.md + - enable-api-cache-encryption: checks/sam/enable-api-cache-encryption.md + - enable-api-tracing: checks/sam/enable-api-tracing.md + - enable-function-tracing: checks/sam/enable-function-tracing.md + - enable-http-api-access-logging: checks/sam/enable-http-api-access-logging.md + - enable-state-machine-tracing: checks/sam/enable-state-machine-tracing.md + - enable-table-encryption: checks/sam/enable-table-encryption.md + - no-function-policy-wildcards: checks/sam/no-function-policy-wildcards.md + - no-state-machine-policy-wildcards: checks/sam/no-state-machine-policy-wildcards.md - sns: - enable-topic-encryption: checks/sns/enable-topic-encryption.md - sqs: