diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/metadata.json
similarity index 86%
rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/metadata.json
index 57dad70cc26..a03ede50be7 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "80d45af4-4920-4236-a56e-b7ef419d1941",
- "queryName": "API Gateway Stage Access Logging Settings Not Defined",
+ "queryName": "API Gateway Access Logging Disabled",
 "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "API Gateway Stage should have Access Logging Settings defined",
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego
new file mode 100644
index 00000000000..5eb70e348cb
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego
@@ -0,0 +1,170 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.cloudformation as cf_lib
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGatewayV2::Stage"
+
+ properties := resource.Properties
+ searchKeyValid := validNonEmptyKey(properties, "DefaultRouteSettings")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]),
+ }
+}
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGatewayV2::Stage"
+
+ properties := resource.Properties
+ defaultRouteSettings := properties.DefaultRouteSettings
+ searchKeyValid := validNonEmptyKey(defaultRouteSettings, "LoggingLevel")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings%s", [name, searchKeyValid]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]),
+ }
+}
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGatewayV2::Stage"
+
+ properties := resource.Properties
+ loggingLevel := properties.DefaultRouteSettings.LoggingLevel
+ loggingLevel == "OFF"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]),
+ }
+}
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGateway::Stage"
+
+ properties := resource.Properties
+ searchKeyValid := validNonEmptyKey(properties, "MethodSettings")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings should be defined and not null", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings are undefined or null", [name]),
+ }
+}
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGateway::Stage"
+
+ properties := resource.Properties
+ methodSettings := properties.MethodSettings
+ searchKeyValid := validNonEmptyKey(methodSettings, "LoggingLevel")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties.MethodSettings%s", [name, searchKeyValid]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be defined and not null", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel are undefined or null", [name]),
+ }
+}
+
+CxPolicy[result] {
+ document := input.document
+ resource = document[i].Resources[name]
+ resource.Type == "AWS::ApiGateway::Stage"
+
+ properties := resource.Properties
+ loggingLevel := properties.MethodSettings.LoggingLevel
+ loggingLevel == "OFF"
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should not be set to OFF", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
+ }
+}
+
+CxPolicy[result] {
+ doc := input.document[i]
+ resource := doc.Resources[stage]
+ resource.Type == "AWS::ApiGatewayV2::Stage"
+ properties := resource.Properties
+
+ not properties.AccessLogSettings
+
+ result := {
+ "documentId": doc.id,
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'AccessLogSettings' should be defined",
+ "keyActualValue": "'AccessLogSettings' is not defined",
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, stage),
+ "searchKey": sprintf("Resources.%s.Properties", [stage]),
+ }
+}
+
+CxPolicy[result] {
+ doc := input.document[i]
+ resource := doc.Resources[stage]
+ resource.Type == "AWS::ApiGateway::Stage"
+ properties := resource.Properties
+
+ not properties.AccessLogSetting
+
+ result := {
+ "documentId": doc.id,
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'AccessLogSetting' should be defined",
+ "keyActualValue": "'AccessLogSetting' is not defined",
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, stage),
+ "searchKey": sprintf("Resources.%s.Properties", [stage]),
+ }
+}
+
+validNonEmptyKey(field, key) = output {
+ not common_lib.valid_key(field, key)
+ output = ""
+} else = output {
+ keyObj := field[key]
+ is_object(keyObj)
+ count(keyObj) == 0
+ output := concat(".", ["", key])
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative1.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative1.yaml
rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative2.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative2.json
similarity index 100%
rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative2.json
rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative2.json
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json
new file mode 100644
index 00000000000..9d769ca6ee0
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json
@@ -0,0 +1,29 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "MyStage": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "Description": "Prod Stage",
+ "AccessLogSetting": {
+ "DestinationArn": "dest",
+ "Format": "format"
+ },
+ "DeploymentId": {
+ "Ref": "MyDeployment"
+ },
+ "MethodSettings": {
+ "DetailedMetricsEnabled": true,
+ "LoggingLevel": "INFO",
+ "DataTraceEnabled": false,
+ "ThrottlingBurstLimit": 10,
+ "ThrottlingRateLimit": 10
+ },
+ "RestApiId": {
+ "Ref": "CFNWebSocket"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
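Review bot: The fourth-to-sixth rules read `properties.MethodSettings` of an `AWS::ApiGateway::Stage` as an object (`validNonEmptyKey(methodSettings, "LoggingLevel")`, `properties.MethodSettings.LoggingLevel`), but on that resource CloudFormation defines MethodSettings as a list of MethodSetting objects, so on a real template the fifth rule reports LoggingLevel as undefined whatever the entries contain and the sixth never sees a `LoggingLevel: OFF` entry; the fixtures added in this commit (positive10, positive12, positive14, positive16, negative3, negative4) only pass because they use an object shape a template would not deploy with. The two rules should walk the list with an index and check each entry, as sketched below, and the fixtures should be rewritten in list form; the searchKey spelling for an indexed entry should follow whatever the repository's other list-walking CloudFormation queries use. Separately, a null `DefaultRouteSettings:` (positive13.yaml) is reported twice, once by the first rule at `Properties` and once by the second at `DefaultRouteSettings`, because `validNonEmptyKey(null, "LoggingLevel")` also yields `""`; adding `common_lib.valid_key(properties, "DefaultRouteSettings")` to the second rule (and the matching guard for `MethodSettings` in the fifth) would keep one finding per missing key. The `descriptionText` left unchanged in metadata.json still describes only the access-log-settings check and should also mention the LoggingLevel conditions this file now enforces.
```rego
# … unchanged: rules for AWS::ApiGatewayV2::Stage, MethodSettings-missing rule, AccessLogSetting(s) rules …

CxPolicy[result] {
	document := input.document
	resource = document[i].Resources[name]
	resource.Type == "AWS::ApiGateway::Stage"

	# MethodSettings is a list of MethodSetting objects; check every entry
	methodSetting := resource.Properties.MethodSettings[idx]
	searchKeyValid := validNonEmptyKey(methodSetting, "LoggingLevel")

	result := {
		"documentId": input.document[i].id,
		"resourceType": resource.Type,
		"resourceName": cf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d]%s", [name, idx, searchKeyValid]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should be defined and not null", [name, idx]),
		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is undefined or null", [name, idx]),
	}
}

CxPolicy[result] {
	document := input.document
	resource = document[i].Resources[name]
	resource.Type == "AWS::ApiGateway::Stage"

	methodSetting := resource.Properties.MethodSettings[idx]
	methodSetting.LoggingLevel == "OFF"

	result := {
		"documentId": input.document[i].id,
		"resourceType": resource.Type,
		"resourceName": cf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel", [name, idx]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should not be set to OFF", [name, idx]),
		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is OFF", [name, idx]),
	}
}

# … unchanged: validNonEmptyKey …
```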
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml new file mode 100644 index 00000000000..1785d620fae --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml @@ -0,0 +1,14 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: + LoggingLevel: "ON" + AccessLogSetting: + DestinationArn: "dest" + Format: "format" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive1.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml similarity index 89% rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive1.yaml rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml index d030372417c..4942cc4d81a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive1.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml @@ -4,6 +4,9 @@ Resources: Properties: StageName: Prod Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment DocumentationVersion: "" diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json new file mode 100644 index 00000000000..8dd532335a1 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json 
@@ -0,0 +1,24 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": { + "Ref": "MyDeployment" + }, + "RestApiId": { + "Ref": "CFNWebSocket" + }, + "MethodSettings": { + } + } + } + } +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml new file mode 100644 index 00000000000..4adf05d2a6c --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml @@ -0,0 +1,13 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json new file mode 100644 index 00000000000..3bbd4b22c77 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json 
@@ -0,0 +1,29 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": { + "Ref": "MyDeployment" + }, + "RestApiId": { + "Ref": "CFNWebSocket" + }, + "MethodSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "OFF", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + } + } + } +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml new file mode 100644 index 00000000000..860851c6626 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml @@ -0,0 +1,14 @@ +Resources: + Prod: + Type: AWS::ApiGatewayV2::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSettings: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + ApiId: "teste" + DefaultRouteSettings: \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml new file mode 100644 index 00000000000..91e68e12d8f --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml 
@@ -0,0 +1,14 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: + LoggingLevel: "OFF" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml new file mode 100644 index 00000000000..c5de550b2a9 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml @@ -0,0 +1,15 @@ +Resources: + Prod: + Type: AWS::ApiGatewayV2::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSettings: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + ApiId: "teste" + DefaultRouteSettings: + LoggingLevel: "OFF" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml new file mode 100644 index 00000000000..11ebeedb967 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml @@ -0,0 +1,11 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: + LoggingLevel: "ON" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml new file mode 100644 index 00000000000..e75aeb6159b --- /dev/null 
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml @@ -0,0 +1,12 @@ +Resources: + Prod: + Type: AWS::ApiGatewayV2::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + ApiId: "teste" + DefaultRouteSettings: + LoggingLevel: "ON" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive2.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json similarity index 74% rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive2.json rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json index ae196515b68..1798ea0f8e8 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive2.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json @@ -6,6 +6,10 @@ "Type": "AWS::ApiGatewayV2::Stage", "Properties": { "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": "MyDeployment", "ApiId": "CFNWebSocket", "StageName": "Prod" diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive3.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json similarity index 84% rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive3.json rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json index d175cb339de..dcc63234775 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive3.json 
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json @@ -6,6 +6,10 @@ "Properties": { "StageName": "Prod", "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": { "Ref": "MyDeployment" }, diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive4.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json similarity index 83% rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive4.json rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json index 8b83dfe0073..0b8f2b89c0c 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive4.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json @@ -6,6 +6,10 @@ "Properties": { "StageName": "Prod", "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": { "Ref": "MyDeployment" }, diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative4.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json similarity index 99% rename from assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative4.json rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json index e87044b5b6e..0b3f72e21f8 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative4.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json @@ -22,4 +22,4 @@ } } } -} +} \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json new file mode 100644 index 00000000000..2133df7f76a --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json @@ -0,0 +1,25 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "DeploymentId": { + "Ref": "MyDeployment" + }, + "MethodSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + "RestApiId": { + "Ref": "CFNWebSocket" + } + } + } + } +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json new file mode 100644 index 00000000000..1d2171c4ac8 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json @@ -0,0 +1,19 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": "MyDeployment", + "RestApiId": "CFNWebSocket", + "StageName": "Prod" + } + } + } +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml new file mode 100644 index 00000000000..ff2587b2c87 --- /dev/null 
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml @@ -0,0 +1,12 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml new file mode 100644 index 00000000000..cde2ef542eb --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml @@ -0,0 +1,13 @@ +Resources: + Prod: + Type: AWS::ApiGatewayV2::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSettings: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + ApiId: "teste" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json new file mode 100644 index 00000000000..3d2c5cc87e8 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -0,0 +1,122 @@ +[ + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive1.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive2.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive3.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 19, + "fileName": "positive4.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive5.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive6.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive7.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive8.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive9.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 19, + "fileName": "positive10.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 19, + "fileName": "positive10.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive11.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 13, + "fileName": "positive11.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive12.json" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive13.yaml" + }, 
+ { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 14, + "fileName": "positive13.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 14, + "fileName": "positive14.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive15.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive16.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive17.yaml" + } +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/query.rego b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/query.rego deleted file mode 100644 index 82370615d74..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/query.rego +++ /dev/null 
@@ -1,128 +0,0 @@ -package Cx - -import data.generic.common as common_lib -import data.generic.cloudformation as cf_lib - -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::ApiGatewayV2::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - not common_lib.valid_key(resource.Properties, "DefaultRouteSettings") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings or Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings and Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]), - } -} - -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::ApiGatewayV2::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - defaultRouteSettings := resource.Properties.DefaultRouteSettings - not common_lib.valid_key(defaultRouteSettings, "LoggingLevel") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings or Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings and Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]), - } -} - 
-CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::ApiGatewayV2::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - loggingLevel := resource.Properties.DefaultRouteSettings.LoggingLevel - loggingLevel == "OFF" - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings should be defined and not null or Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings is undefined or null and Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]), - } -} - -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::ApiGateway::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - not common_lib.valid_key(resource.Properties, "DefaultRouteSettings") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings or Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings and Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]), - } -} - -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == 
"AWS::ApiGateway::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - defaultRouteSettings := resource.Properties.DefaultRouteSettings - not common_lib.valid_key(defaultRouteSettings, "LoggingLevel") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings or Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings and Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]), - } -} - -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::ApiGateway::Stage" - - properties := resource.Properties - not common_lib.valid_key(resource.Properties, "AccessLogSettings") - loggingLevel := resource.Properties.DefaultRouteSettings.LoggingLevel - loggingLevel == "OFF" - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.AccessLogSettings should be defined and not null or Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.AccessLogSettings is undefined or null and Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]), - } -} \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative3.json b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative3.json deleted file mode 100644 index e4c2eeb17b2..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative3.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Router53", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", - "Properties": { - "Description": "Prod Stage", - "DeploymentId": "MyDeployment", - "ApiId": "CFNWebSocket", - "DefaultRouteSettings": { - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10, - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false - }, - "StageName": "Prod" - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive_expected_result.json deleted file mode 100644 index 6f8e54b5662..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive_expected_result.json +++ /dev/null @@ -1,26 +0,0 @@ -[ - { - "queryName": "API Gateway Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" - }, - { - "queryName": "API Gateway Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" - }, - { - "queryName": "API Gateway Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 15, - "fileName": "positive4.json" - }, - { - "queryName": "API Gateway Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" - } -]