From c6f5ba72f110c9c169890db4737cfabea6719c66 Mon Sep 17 00:00:00 2001 
From: Owen Rumney Date: Thu, 2 Dec 2021 13:57:57 +0000 Subject: [PATCH] Add the SAM API checks (#28) --- go.mod | 2 +- go.sum | 4 + internal/app/cfsec/adapter/aws/adapt.go | 4 +- internal/app/cfsec/adapter/aws/sam/api.go | 92 +++++++++++++++++++ internal/app/cfsec/adapter/aws/sam/sam.go | 22 +++++ internal/app/cfsec/loader/rule_loader.go | 1 + .../aws/sam/enable_access_logging_rule.go | 47 ++++++++++ .../sam/enable_access_logging_rule_test.go | 18 ++++ .../aws/sam/enable_cache_encryption_rule.go | 58 ++++++++++++ .../sam/enable_cache_encryption_rule_test.go | 18 ++++ .../rules/aws/sam/enable_tracing_rule.go | 51 ++++++++++ .../rules/aws/sam/enable_tracing_rule_test.go | 18 ++++ .../rules/aws/sam/use_secure_tls_rule.go | 44 +++++++++ .../rules/aws/sam/use_secure_tls_rule_test.go | 18 ++++ .../aquasecurity/defsec/provider/aws/aws.go | 2 + .../defsec/provider/aws/sam/api.go | 68 ++++++++++++++ .../defsec/provider/aws/sam/sam.go | 5 + .../rules/aws/sam/enable_access_logging.go | 44 +++++++++ .../rules/aws/sam/enable_cache_encryption.go | 41 +++++++++ .../defsec/rules/aws/sam/enable_tracing.go | 41 +++++++++ .../rules/aws/sam/use_secure_tls_policy.go | 39 ++++++++ vendor/modules.txt | 4 +- 22 files changed, 638 insertions(+), 3 deletions(-) create mode 100644 internal/app/cfsec/adapter/aws/sam/api.go create mode 100644 internal/app/cfsec/adapter/aws/sam/sam.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_access_logging_rule.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_access_logging_rule_test.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule_test.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_tracing_rule.go create mode 100644 internal/app/cfsec/rules/aws/sam/enable_tracing_rule_test.go create mode 100644 internal/app/cfsec/rules/aws/sam/use_secure_tls_rule.go create mode 100644 
internal/app/cfsec/rules/aws/sam/use_secure_tls_rule_test.go create mode 100644 vendor/github.com/aquasecurity/defsec/provider/aws/sam/api.go create mode 100644 vendor/github.com/aquasecurity/defsec/provider/aws/sam/sam.go create mode 100644 vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_access_logging.go create mode 100644 vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_cache_encryption.go create mode 100644 vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_tracing.go create mode 100644 vendor/github.com/aquasecurity/defsec/rules/aws/sam/use_secure_tls_policy.go diff --git a/go.mod b/go.mod index 90eeecb4..d05a43c1 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.16 require ( github.com/apparentlymart/go-cidr v1.1.0 - github.com/aquasecurity/defsec v0.0.37 + github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf github.com/liamg/jfather v0.0.2 github.com/liamg/tml v0.4.0 github.com/spf13/cobra v1.2.1 diff --git a/go.sum b/go.sum index a18a09e0..e52028d9 100644 --- a/go.sum +++ b/go.sum 
@@ -58,6 +58,10 @@ github.com/aquasecurity/defsec v0.0.36 h1:Dq0yRDd7ETN0zi2q+7yeGDSzSU32m2Vw5aMczx github.com/aquasecurity/defsec v0.0.36/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM= github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA= github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM= +github.com/aquasecurity/defsec v0.0.38-0.20211202103545-b5b8849450c9 h1:fgGbzM/N67EfzgPZNQGVHNzeewHnBMJPqYt09fYhFuo= +github.com/aquasecurity/defsec v0.0.38-0.20211202103545-b5b8849450c9/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM= +github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf h1:HD/CwABWPR1iD18Zaf/wPENN6rMKUmyD4RVnlfNMMHQ= +github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= diff --git a/internal/app/cfsec/adapter/aws/adapt.go b/internal/app/cfsec/adapter/aws/adapt.go index 74eceea4..cfd48424 100644 --- a/internal/app/cfsec/adapter/aws/adapt.go +++ b/internal/app/cfsec/adapter/aws/adapt.go @@ -29,6 +29,7 @@ import ( "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/rds" "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/redshift" "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/s3" + "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sam" "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sns" "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/sqs" "github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/ssm" 
@@ -69,10 +70,11 @@ func Adapt(cfFile parser.FileContext) aws.AWS {
 RDS: rds.Adapt(cfFile),
 Redshift: redshift.Adapt(cfFile),
 S3: s3.Adapt(cfFile),
+ SAM: sam.Adapt(cfFile),
 SNS: sns.Adapt(cfFile),
 SQS: sqs.Adapt(cfFile),
 SSM: ssm.Adapt(cfFile),
 VPC: vpc.Adapt(cfFile),
 WorkSpaces: workspaces.Adapt(cfFile),
 }
-}
\ No newline at end of file
+}
diff --git a/internal/app/cfsec/adapter/aws/sam/api.go b/internal/app/cfsec/adapter/aws/sam/api.go
new file mode 100644
index 00000000..12a99c4f
--- /dev/null
+++ b/internal/app/cfsec/adapter/aws/sam/api.go
@@ -0,0 +1,92 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/parser" + "github.com/aquasecurity/defsec/provider/aws/sam" + "github.com/aquasecurity/defsec/types" +) + +func getApis(cfFile parser.FileContext) (apis []sam.API) { + + apiResources := cfFile.GetResourceByType("AWS::Serverless::Api") + for _, r := range apiResources { + api := sam.API{ + Metadata: r.Metadata(), + Name: r.GetStringProperty("Name", ""), + TracingEnabled: r.GetBoolProperty("TracingEnabled"), + DomainConfiguration: getDomainConfiguration(r), + AccessLogging: getAccessLogging(r), + RESTMethodSettings: getRestMethodSettings(r), + } + + apis = append(apis, api) + } + + return apis +} + +func getRestMethodSettings(r *parser.Resource) (methodSettings sam.RESTMethodSettings) { + + settings := r.GetProperty("MethodSettings") + if settings.IsNil() { + return sam.RESTMethodSettings{ + Metadata: r.Metadata(), + CacheDataEncrypted: types.BoolDefault(false, r.Metadata()), + LoggingEnabled: types.BoolDefault(false, r.Metadata()), + DataTraceEnabled: types.BoolDefault(false, r.Metadata()), + MetricsEnabled: types.BoolDefault(false, r.Metadata()), + } + } + + loggingEnabled := types.BoolDefault(false, settings.Metadata()) + if settings.GetProperty("LoggingLevel").IsNotNil() { + loggingLevel := settings.GetProperty("LoggingLevel") + if settings.GetProperty("LoggingLevel").EqualTo("OFF", parser.IgnoreCase) { + loggingEnabled = types.BoolExplicit(false, loggingLevel.Metadata()) + } else { + loggingEnabled = types.BoolExplicit(true, loggingLevel.Metadata()) + } + + } + + return sam.RESTMethodSettings{ + Metadata: settings.Metadata(), + CacheDataEncrypted: settings.GetBoolProperty("CacheDataEncrypted"), + LoggingEnabled: loggingEnabled, + DataTraceEnabled: settings.GetBoolProperty("DataTraceEnabled"), + MetricsEnabled: settings.GetBoolProperty("MetricsEnabled"), + } + +} + +func getAccessLogging(r *parser.Resource) (accessLogging sam.AccessLogging) { + + access := 
r.GetProperty("AccessLogSetting") + if access.IsNil() { + return sam.AccessLogging{ + Metadata: r.Metadata(), + CloudwatchLogGroupARN: types.StringDefault("", r.Metadata()), + } + } + + return sam.AccessLogging{ + Metadata: access.Metadata(), + CloudwatchLogGroupARN: access.GetStringProperty("DestinationArn", ""), + } +} + +func getDomainConfiguration(r *parser.Resource) (domainConfig sam.DomainConfiguration) { + + domain := r.GetProperty("Domain") + if domain.IsNil() { + domainConfig.SecurityPolicy = types.StringDefault("TLS_1_0", r.Metadata()) + return domainConfig + } + + return sam.DomainConfiguration{ + Metadata: domain.Metadata(), + Name: domain.GetStringProperty("DomainName", ""), + SecurityPolicy: domain.GetStringProperty("SecurityPolicy", "TLS_1_0"), + } + +} diff --git a/internal/app/cfsec/adapter/aws/sam/sam.go b/internal/app/cfsec/adapter/aws/sam/sam.go new file mode 100644 index 00000000..8f2fdd3b --- /dev/null +++ b/internal/app/cfsec/adapter/aws/sam/sam.go @@ -0,0 +1,22 @@ +package sam + +import ( + "reflect" + + "github.com/aquasecurity/cfsec/internal/app/cfsec/debug" + "github.com/aquasecurity/cfsec/internal/app/cfsec/parser" + "github.com/aquasecurity/defsec/provider/aws/sam" +) + +// Adapt ... +func Adapt(cfFile parser.FileContext) (sam sam.SAM) { + defer func() { + if r := recover(); r != nil { + metadata := cfFile.Metadata() + debug.Log("There were errors adapting %s from %s", reflect.TypeOf(sam), metadata.Range().GetFilename()) + } + }() + + sam.APIs = getApis(cfFile) + return sam +} diff --git a/internal/app/cfsec/loader/rule_loader.go b/internal/app/cfsec/loader/rule_loader.go index df17a475..500d2cdf 100644 --- a/internal/app/cfsec/loader/rule_loader.go +++ b/internal/app/cfsec/loader/rule_loader.go 
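Review bot: In `getDomainConfiguration` the nil-`Domain` branch returns a `DomainConfiguration` whose `Metadata` (and `Name`) is never set, unlike the nil branches of `getAccessLogging` and `getRestMethodSettings`, which attach `r.Metadata()`; a finding raised against such an API carries no source range for the domain block. The same branch defaults `SecurityPolicy` to `TLS_1_0`, so the TLS rule flags every API that has no custom domain at all, while the AWS page the rule links to describes `SecurityPolicy` as a custom-domain setting — the default should probably be something the rule treats as not applicable, to be confirmed against the defsec side. Separately, `MethodSettings` is read as a single mapping (`settings.GetProperty("LoggingLevel")`, `settings.GetBoolProperty(...)`), whereas the SAM specification for `AWS::Serverless::Api` defines it as a list of MethodSetting objects, as on `AWS::ApiGateway::Stage`; if that is right, real templates return nil here and fall into the all-false defaults. The nil-domain branch with metadata attached would be:
```go
func getDomainConfiguration(r *parser.Resource) (domainConfig sam.DomainConfiguration) {
	domain := r.GetProperty("Domain")
	if domain.IsNil() {
		// No custom domain: record the resource range so findings still point at the template.
		return sam.DomainConfiguration{
			Metadata:       r.Metadata(),
			Name:           types.StringDefault("", r.Metadata()),
			SecurityPolicy: types.StringDefault("TLS_1_0", r.Metadata()),
		}
	}
	// … unchanged: Domain present …
}
```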
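Review bot: The deferred `recover()` in `Adapt` fails open: if `getApis` panics, `sam.APIs` stays nil, every SAM rule then reports nothing for the template, and the only trace is a `debug.Log` line that is presumably invisible unless debug output is enabled. For a security scanner this turns a parser bug into a clean result; the panic should be surfaced where the user sees it by default, or reported as a scan error so the run is marked incomplete — I cannot see from this hunk what `debug.Log` does when debugging is off, so confirm. A point of style: the named result `sam` shadows the imported package `sam` inside the body, which `func Adapt(cfFile parser.FileContext) (result sam.SAM)` would avoid. The `// Adapt ...` doc comment says nothing; `// Adapt builds the SAM provider state (currently only AWS::Serverless::Api resources) from a parsed CloudFormation file.` would do.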
@@ -28,6 +28,7 @@ import ( _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/rds" _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/redshift" _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/s3" + _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/sam" _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/sns" _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/sqs" _ "github.com/aquasecurity/cfsec/internal/app/cfsec/rules/aws/ssm" diff --git a/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule.go b/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule.go new file mode 100644 index 00000000..a981fcd2 --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule.go @@ -0,0 +1,47 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/rules" + "github.com/aquasecurity/cfsec/internal/app/cfsec/scanner" + "github.com/aquasecurity/defsec/rules/aws/sam" +) + +func init() { + scanner.RegisterCheckRule(rules.Rule{ + + BadExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false +`, + }, + + GoodExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 + AccessLogSetting: + DestinationArn: gateway-logging + Format: json +`, + }, + + Base: sam.CheckEnableAccessLogging, + }) +} diff --git a/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule_test.go b/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule_test.go new file mode 100644 index 00000000..2efbffd7 --- /dev/null 
+++ b/internal/app/cfsec/rules/aws/sam/enable_access_logging_rule_test.go @@ -0,0 +1,18 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/test" + "github.com/aquasecurity/defsec/rules/aws/sam" + + "testing" +) + +func Test_CheckEnableAccessLogging_FailureExamples(t *testing.T) { + expectedCode := sam.CheckEnableAccessLogging.Rule().LongID() + test.RunFailureExamplesTest(t, expectedCode) +} + +func Test_CheckEnableAccessLogging_PassedExamples(t *testing.T) { + expectedCode := sam.CheckEnableAccessLogging.Rule().LongID() + test.RunPassingExamplesTest(t, expectedCode) +} diff --git a/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule.go b/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule.go new file mode 100644 index 00000000..3082e3fc --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule.go 
@@ -0,0 +1,58 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/rules" + "github.com/aquasecurity/cfsec/internal/app/cfsec/scanner" + "github.com/aquasecurity/defsec/rules/aws/sam" +) + +func init() { + scanner.RegisterCheckRule(rules.Rule{ + + BadExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false +`, `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false + MethodSettings: + CacheDataEncrypted: false +`, + }, + + GoodExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 + MethodSettings: + CacheDataEncrypted: true +`, + }, + + Base: sam.CheckEnableCacheEncryption, + }) +} diff --git a/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule_test.go b/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule_test.go new file mode 100644 index 00000000..3cde3f2b --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/enable_cache_encryption_rule_test.go 
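Review bot: The first BadExample has no `MethodSettings` at all and is expected to fail, so every SAM API that never enables caching will be reported as "Cache data is not encrypted" — cache encryption is only meaningful once `CachingEnabled: true` is set, and neither the examples nor the adapted `RESTMethodSettings` carry that flag. Consider adding `CachingEnabled: true` to both the bad and the good example so the rule documents the case it is actually about, and feeding `CachingEnabled` through the adapter so the check can skip APIs without a cache (that needs a field on the defsec struct, outside this hunk). The examples also write `MethodSettings` as a mapping; the SAM specification for `AWS::Serverless::Api` defines it as a list of MethodSetting objects (`MethodSettings:` / `- CachingEnabled: true` / `  CacheDataEncrypted: true`), so as written they may not be valid SAM and the adapter, which reads `MethodSettings` as an object, may never match real templates — worth confirming against the spec.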
@@ -0,0 +1,18 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/test" + sam "github.com/aquasecurity/defsec/rules/aws/sam" + + "testing" +) + +func Test_CheckEnableCacheEncryption_FailureExamples(t *testing.T) { + expectedCode := sam.CheckEnableCacheEncryption.Rule().LongID() + test.RunFailureExamplesTest(t, expectedCode) +} + +func Test_CheckEnableCacheEncryption_PassedExamples(t *testing.T) { + expectedCode := sam.CheckEnableCacheEncryption.Rule().LongID() + test.RunPassingExamplesTest(t, expectedCode) +} diff --git a/internal/app/cfsec/rules/aws/sam/enable_tracing_rule.go b/internal/app/cfsec/rules/aws/sam/enable_tracing_rule.go new file mode 100644 index 00000000..913b1ca5 --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/enable_tracing_rule.go @@ -0,0 +1,51 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/rules" + "github.com/aquasecurity/cfsec/internal/app/cfsec/scanner" + "github.com/aquasecurity/defsec/rules/aws/sam" +) + +func init() { + scanner.RegisterCheckRule(rules.Rule{ + + BadExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false +`, `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod +`, + }, + + GoodExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: true +`, + }, + + Base: sam.CheckEnableTracing, + }) +} 
diff --git a/internal/app/cfsec/rules/aws/sam/enable_tracing_rule_test.go b/internal/app/cfsec/rules/aws/sam/enable_tracing_rule_test.go new file mode 100644 index 00000000..74dbf732 --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/enable_tracing_rule_test.go @@ -0,0 +1,18 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/test" + sam "github.com/aquasecurity/defsec/rules/aws/sam" + + "testing" +) + +func Test_CheckEnableTracing_FailureExamples(t *testing.T) { + expectedCode := sam.CheckEnableTracing.Rule().LongID() + test.RunFailureExamplesTest(t, expectedCode) +} + +func Test_CheckEnableTracing_PassedExamples(t *testing.T) { + expectedCode := sam.CheckEnableTracing.Rule().LongID() + test.RunPassingExamplesTest(t, expectedCode) +} diff --git a/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule.go b/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule.go new file mode 100644 index 00000000..8dbd9185 --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule.go @@ -0,0 +1,44 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/rules" + "github.com/aquasecurity/cfsec/internal/app/cfsec/scanner" + "github.com/aquasecurity/defsec/rules/aws/sam" +) + +func init() { + scanner.RegisterCheckRule(rules.Rule{ + + BadExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Bad SAM API example + StageName: Prod + TracingEnabled: false +`, + }, + + GoodExample: []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of SAM API +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Domain: + SecurityPolicy: TLS_1_2 +`, + }, + + Base: sam.CheckUseSecureTlsPolicy, + }) +} 
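Review bot: The only BadExample omits `Domain` entirely and is expected to fail, which documents the rule as flagging every SAM API without a custom domain for an "outdated TLS policy", even though the AWS page linked from the rule (apigateway-custom-domain-tls-version) describes `SecurityPolicy` as a custom-domain setting; with the default `execute-api` endpoint there is no `SecurityPolicy` to set, so that finding is not actionable. Add a bad example that states the weak policy explicitly, `Domain:` / `DomainName: api.example.com` / `SecurityPolicy: TLS_1_0`, and treat the no-`Domain` case as out of scope in the adapter or rule (both outside this hunk). The good example also hard-codes `TracingEnabled: false`, which is unrelated to TLS and would trip the tracing rule if the passing-example test runs every check — hedged, since `RunPassingExamplesTest` is not visible here.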
diff --git a/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule_test.go b/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule_test.go new file mode 100644 index 00000000..4bd10ed4 --- /dev/null +++ b/internal/app/cfsec/rules/aws/sam/use_secure_tls_rule_test.go @@ -0,0 +1,18 @@ +package sam + +import ( + "github.com/aquasecurity/cfsec/internal/app/cfsec/test" + sam "github.com/aquasecurity/defsec/rules/aws/sam" + + "testing" +) + +func Test_CheckUseSecureTlsPolicy_FailureExamples(t *testing.T) { + expectedCode := sam.CheckUseSecureTlsPolicy.Rule().LongID() + test.RunFailureExamplesTest(t, expectedCode) +} + +func Test_CheckUseSecureTlsPolicy_PassedExamples(t *testing.T) { + expectedCode := sam.CheckUseSecureTlsPolicy.Rule().LongID() + test.RunPassingExamplesTest(t, expectedCode) +} diff --git a/vendor/github.com/aquasecurity/defsec/provider/aws/aws.go b/vendor/github.com/aquasecurity/defsec/provider/aws/aws.go index c2ce07d9..b505e67d 100644 --- a/vendor/github.com/aquasecurity/defsec/provider/aws/aws.go +++ b/vendor/github.com/aquasecurity/defsec/provider/aws/aws.go @@ -30,6 +30,7 @@ import ( "github.com/aquasecurity/defsec/provider/aws/rds" "github.com/aquasecurity/defsec/provider/aws/redshift" "github.com/aquasecurity/defsec/provider/aws/s3" + "github.com/aquasecurity/defsec/provider/aws/sam" "github.com/aquasecurity/defsec/provider/aws/sns" "github.com/aquasecurity/defsec/provider/aws/sqs" "github.com/aquasecurity/defsec/provider/aws/ssm" @@ -66,6 +67,7 @@ type AWS struct { Neptune neptune.Neptune RDS rds.RDS Redshift redshift.Redshift + SAM sam.SAM S3 s3.S3 SNS sns.SNS SQS sqs.SQS diff --git a/vendor/github.com/aquasecurity/defsec/provider/aws/sam/api.go b/vendor/github.com/aquasecurity/defsec/provider/aws/sam/api.go new file mode 100644 index 00000000..d51d5f82 --- /dev/null +++ b/vendor/github.com/aquasecurity/defsec/provider/aws/sam/api.go 
@@ -0,0 +1,68 @@ +package sam + +import "github.com/aquasecurity/defsec/types" + +type API struct { + types.Metadata + Name types.StringValue + TracingEnabled types.BoolValue + DomainConfiguration DomainConfiguration + AccessLogging AccessLogging + RESTMethodSettings RESTMethodSettings +} + +type ApiAuth struct { + types.Metadata + ApiKeyRequired types.BoolValue +} + +type AccessLogging struct { + types.Metadata + CloudwatchLogGroupARN types.StringValue +} + +type DomainConfiguration struct { + types.Metadata + Name types.StringValue + SecurityPolicy types.StringValue +} + +type RESTMethodSettings struct { + types.Metadata + CacheDataEncrypted types.BoolValue + LoggingEnabled types.BoolValue + DataTraceEnabled types.BoolValue + MetricsEnabled types.BoolValue +} + +func (a *API) GetMetadata() *types.Metadata { + return &a.Metadata +} + +func (a *API) GetRawValue() interface{} { + return nil +} + +func (a *AccessLogging) GetMetadata() *types.Metadata { + return &a.Metadata +} + +func (a *AccessLogging) GetRawValue() interface{} { + return nil +} + +func (a *DomainConfiguration) GetMetadata() *types.Metadata { + return &a.Metadata +} + +func (a *DomainConfiguration) GetRawValue() interface{} { + return nil +} + +func (a *RESTMethodSettings) GetMetadata() *types.Metadata { + return &a.Metadata +} + +func (a *RESTMethodSettings) GetRawValue() interface{} { + return nil +} diff --git a/vendor/github.com/aquasecurity/defsec/provider/aws/sam/sam.go b/vendor/github.com/aquasecurity/defsec/provider/aws/sam/sam.go new file mode 100644 index 00000000..ca5516df --- /dev/null +++ b/vendor/github.com/aquasecurity/defsec/provider/aws/sam/sam.go @@ -0,0 +1,5 @@ +package sam + +type SAM struct { + APIs []API +} diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_access_logging.go b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_access_logging.go new file mode 100644 index 00000000..71b12dfa --- /dev/null 
+++ b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_access_logging.go @@ -0,0 +1,44 @@ +package sam + +import ( + "github.com/aquasecurity/defsec/provider" + "github.com/aquasecurity/defsec/rules" + "github.com/aquasecurity/defsec/severity" + "github.com/aquasecurity/defsec/state" +) + +var CheckEnableAccessLogging = rules.Register( + rules.Rule{ + AVDID: "AVD-AWS-0113", + Provider: provider.AWSProvider, + Service: "sam", + ShortCode: "enable-access-logging", + Summary: "SAM API stages for V1 and V2 should have access logging enabled", + Impact: "Logging provides vital information about access and usage", + Resolution: "Enable logging for API Gateway stages", + Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`, + Links: []string{ + "https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html", + }, + Severity: severity.Medium, + }, + func(s *state.State) (results rules.Results) { + for _, api := range s.AWS.SAM.APIs { + if !api.IsManaged() { + continue + } + + if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() { + results.Add( + "Access logging is not configured.", + &api, + api.AccessLogging.CloudwatchLogGroupARN, + ) + } else { + results.AddPassed(&api) + } + } + + return + }, +) diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_cache_encryption.go b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_cache_encryption.go new file mode 100644 index 00000000..0551013f --- /dev/null +++ b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_cache_encryption.go 
@@ -0,0 +1,41 @@ +package sam + +import ( + "github.com/aquasecurity/defsec/provider" + "github.com/aquasecurity/defsec/rules" + "github.com/aquasecurity/defsec/severity" + "github.com/aquasecurity/defsec/state" +) + +var CheckEnableCacheEncryption = rules.Register( + rules.Rule{ + AVDID: "AVD-AWS-0110", + Provider: provider.AWSProvider, + Service: "sam", + ShortCode: "enable-cache-encryption", + Summary: "SAM API must have data cache enabled", + Impact: "Data stored in the cache that is unencrypted may be vulnerable to compromise", + Resolution: "Enable cache encryption", + Explanation: `Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception`, + Links: []string{}, + Severity: severity.Medium, + }, + func(s *state.State) (results rules.Results) { + for _, api := range s.AWS.SAM.APIs { + if !api.IsManaged() { + continue + } + + if api.RESTMethodSettings.CacheDataEncrypted.IsFalse() { + results.Add( + "Cache data is not encrypted.", + &api, + api.RESTMethodSettings.CacheDataEncrypted, + ) + } else { + results.AddPassed(&api) + } + } + return + }, +) diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_tracing.go b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_tracing.go new file mode 100644 index 00000000..a32bb3c0 --- /dev/null +++ b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/enable_tracing.go 
@@ -0,0 +1,41 @@ +package sam + +import ( + "github.com/aquasecurity/defsec/provider" + "github.com/aquasecurity/defsec/rules" + "github.com/aquasecurity/defsec/severity" + "github.com/aquasecurity/defsec/state" +) + +var CheckEnableTracing = rules.Register( + rules.Rule{ + AVDID: "AVD-AWS-0111", + Provider: provider.AWSProvider, + Service: "sam", + ShortCode: "enable-tracing", + Summary: "SAM API must have X-Ray tracing enabled", + Impact: "Without full tracing enabled it is difficult to trace the flow of logs", + Resolution: "Enable tracing", + Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`, + Links: []string{}, + Severity: severity.Low, + }, + func(s *state.State) (results rules.Results) { + for _, api := range s.AWS.SAM.APIs { + if !api.IsManaged(){ + continue + } + + if api.TracingEnabled.IsFalse() { + results.Add( + "X-Ray tracing is not enabled,", + &api, + api.TracingEnabled, + ) + } else { + results.AddPassed(&api) + } + } + return + }, +) diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/sam/use_secure_tls_policy.go b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/use_secure_tls_policy.go new file mode 100644 index 00000000..a60fb09d --- /dev/null +++ b/vendor/github.com/aquasecurity/defsec/rules/aws/sam/use_secure_tls_policy.go 
@@ -0,0 +1,39 @@ +package sam + +import ( + "github.com/aquasecurity/defsec/provider" + "github.com/aquasecurity/defsec/rules" + "github.com/aquasecurity/defsec/severity" + "github.com/aquasecurity/defsec/state" +) + +var CheckUseSecureTlsPolicy = rules.Register( + rules.Rule{ + AVDID: "AVD-AWS-0112", + Provider: provider.AWSProvider, + Service: "sam", + ShortCode: "use-secure-tls-policy", + Summary: "SAM API domain name uses outdated SSL/TLS protocols.", + Impact: "Outdated SSL policies increase exposure to known vulnerabilities", + Resolution: "Use the most modern TLS/SSL policies available", + Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`, + Links: []string{ + "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html", + }, + Severity: severity.High, + }, + func(s *state.State) (results rules.Results) { + for _, api := range s.AWS.SAM.APIs { + if api.DomainConfiguration.SecurityPolicy.NotEqualTo("TLS_1_2") { + results.Add( + "Domain name is configured with an outdated TLS policy.", + &api, + api.DomainConfiguration.SecurityPolicy, + ) + } else { + results.AddPassed(&api) + } + } + return + }, +) diff --git a/vendor/modules.txt b/vendor/modules.txt index 8b1954ad..29ae4ba0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -20,7 +20,7 @@ github.com/acomagu/bufpipe # github.com/apparentlymart/go-cidr v1.1.0 ## explicit github.com/apparentlymart/go-cidr/cidr -# github.com/aquasecurity/defsec v0.0.37 +# github.com/aquasecurity/defsec v0.0.38-0.20211202114943-52f01d551cdf ## explicit github.com/aquasecurity/defsec/cidr github.com/aquasecurity/defsec/formatters 
@@ -55,6 +55,7 @@ github.com/aquasecurity/defsec/provider/aws/neptune github.com/aquasecurity/defsec/provider/aws/rds github.com/aquasecurity/defsec/provider/aws/redshift github.com/aquasecurity/defsec/provider/aws/s3 +github.com/aquasecurity/defsec/provider/aws/sam github.com/aquasecurity/defsec/provider/aws/sns github.com/aquasecurity/defsec/provider/aws/sqs github.com/aquasecurity/defsec/provider/aws/ssm @@ -122,6 +123,7 @@ github.com/aquasecurity/defsec/rules/aws/neptune github.com/aquasecurity/defsec/rules/aws/rds github.com/aquasecurity/defsec/rules/aws/redshift github.com/aquasecurity/defsec/rules/aws/s3 +github.com/aquasecurity/defsec/rules/aws/sam github.com/aquasecurity/defsec/rules/aws/sns github.com/aquasecurity/defsec/rules/aws/sqs github.com/aquasecurity/defsec/rules/aws/ssm