---
layout: default
published: true
title: AWS SAM configuration scanning
nav_order: 20
---

# AWS SAM framework configuration scanning

Checkov supports evaluating policies against your SAM template files. When Checkov scans a directory that contains a SAM template, it validates the file against AWS best practices such as having logging and auditing enabled, ensuring S3 buckets are encrypted, requiring HTTPS, and more.

The full list of SAM policy checks can be found here. SAM scanning reuses the checks from Checkov's CloudFormation scanning implementation, because a SAM resource definition (for example `AWS::Serverless::Api`) extends the corresponding CloudFormation definition; this is also why the scan is run with `--framework cloudformation`.

## Example misconfigured SAM template

The `Enabled` API below has tracing, caching and access logging configured; the `Default` API has none of them and will fail the corresponding checks.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  Enabled:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'

  Default:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
```
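To make explicit which property each of the three API Gateway checks reported for this template inspects, here is an added example written for this page; it is not Checkov's own implementation. It re-creates the logic of CKV_AWS_73, CKV_AWS_76 and CKV_AWS_120 over the parsed template above. Assumptions: the property paths it reads (`TracingEnabled`, `AccessLogSetting/DestinationArn`, `CacheClusterEnabled`) are what the real checks evaluate, and both `AWS::Serverless::Api` and the CloudFormation `AWS::ApiGateway::Stage` carry these properties, which is why the CloudFormation checks apply to SAM. The template is inlined as the dict `yaml.safe_load()` would return for the file, so the example runs offline without PyYAML.

```python
"""Added example for this page, not Checkov's own code.

Re-creates the logic of CKV_AWS_73, CKV_AWS_76 and CKV_AWS_120 for the
SAM template above so the property each check inspects is explicit.
Assumption: these are the property paths the real checks read.
"""

# Parsed form of the SAM template above, as yaml.safe_load() would return
# it. Constructed inline so the example runs offline without PyYAML.
SAM_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "Enabled": {
            "Type": "AWS::Serverless::Api",
            "Properties": {
                "StageName": "prod",
                "TracingEnabled": True,
                "CacheClusterEnabled": True,
                "AccessLogSetting": {
                    "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group"
                },
            },
        },
        "Default": {
            "Type": "AWS::Serverless::Api",
            "Properties": {"StageName": "prod"},
        },
    },
}

SAM_TRANSFORM = "AWS::Serverless-2016-10-31"
# Assumption: the SAM type extends the CloudFormation stage type, so the
# same checks apply to both (this is why SAM reuses the CloudFormation checks).
SUPPORTED_TYPES = {"AWS::Serverless::Api", "AWS::ApiGateway::Stage"}


def template_kind(template):
    """Return 'sam' when the Transform header marks a SAM template, else 'cloudformation'."""
    transform = template.get("Transform")
    if transform == SAM_TRANSFORM or (isinstance(transform, list) and SAM_TRANSFORM in transform):
        return "sam"
    return "cloudformation"


def is_true(value):
    # CloudFormation accepts a YAML boolean or the string "true"/"True".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_tracing(props):
    return is_true(props.get("TracingEnabled"))


def check_access_logging(props):
    # Access logging needs a destination; an empty AccessLogSetting is not enough.
    setting = props.get("AccessLogSetting")
    return isinstance(setting, dict) and bool(setting.get("DestinationArn"))


def check_caching(props):
    return is_true(props.get("CacheClusterEnabled"))


CHECKS = [
    ("CKV_AWS_120", "Ensure API Gateway caching is enabled", check_caching),
    ("CKV_AWS_73", "Ensure API Gateway has X-Ray Tracing enabled", check_tracing),
    ("CKV_AWS_76", "Ensure API Gateway has Access Logging enabled", check_access_logging),
]


def scan_template(template):
    """Evaluate every supported resource against CHECKS; one record per (check, resource)."""
    results = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype not in SUPPORTED_TYPES:
            continue
        props = resource.get("Properties") or {}  # a resource may omit Properties entirely
        for check_id, title, fn in CHECKS:
            results.append({
                "check": check_id,
                "title": title,
                "resource": f"{rtype}.{name}",  # same naming Checkov prints, e.g. AWS::Serverless::Api.Default
                "result": "PASSED" if fn(props) else "FAILED",
            })
    return results


def summarize(results):
    passed = sum(1 for r in results if r["result"] == "PASSED")
    return {"passed": passed, "failed": len(results) - passed}


if __name__ == "__main__":
    findings = scan_template(SAM_TEMPLATE)
    for r in findings:
        print(f'{r["check"]}: "{r["title"]}" {r["result"]} for resource: {r["resource"]}')
    print(summarize(findings))
```

Running the module prints one line per (check, resource) pair and a summary of 3 passed and 3 failed, matching the verdicts Checkov reports for this template. The `template_kind` helper only distinguishes a SAM template from plain CloudFormation by its `Transform` header; the checks themselves do not depend on it.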

## Running in CLI

```bash
checkov -d . --framework cloudformation
```

## Example output

```text
      _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By Prisma Cloud | version: x.x.x 


cloudformation scan results:

Passed checks: 3, Failed checks: 3, Skipped checks: 0

Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12

Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-15

Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-17

Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod


Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-15

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod


Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-17

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod
```