Start adding SAM support for cfsec (#30)
* Start adding SAM support for cfsec - adding support for API * Add more SAM checks * update links
Owen Rumney
authored
Dec 2, 2021
1 parent
4fa7660
commit 6ea3ebe
Showing
19 changed files
with
738 additions
and
0 deletions.
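--- /dev/null
+++ b/UNKNOWN-PATH-1
@@ -0,0 +1,68 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type API struct {
+	types.Metadata
+	Name types.StringValue
+	TracingEnabled types.BoolValue
+	DomainConfiguration DomainConfiguration
+	AccessLogging AccessLogging
+	RESTMethodSettings RESTMethodSettings
+}
+
+type ApiAuth struct {
+	types.Metadata
+	ApiKeyRequired types.BoolValue
+}
+
+type AccessLogging struct {
+	types.Metadata
+	CloudwatchLogGroupARN types.StringValue
+}
+
+type DomainConfiguration struct {
+	types.Metadata
+	Name types.StringValue
+	SecurityPolicy types.StringValue
+}
+
+type RESTMethodSettings struct {
+	types.Metadata
+	CacheDataEncrypted types.BoolValue
+	LoggingEnabled types.BoolValue
+	DataTraceEnabled types.BoolValue
+	MetricsEnabled types.BoolValue
+}
+
+func (a *API) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *API) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *AccessLogging) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *AccessLogging) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *DomainConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *DomainConfiguration) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *RESTMethodSettings) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *RESTMethodSettings) GetRawValue() interface{} {
+	return nil
+}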
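Review bot: `ApiAuth` is declared but, unlike every other type in this file, gets no `GetMetadata`/`GetRawValue` methods and is not a field of `API`, so nothing in the new state model can reach it and no check can report on `ApiKeyRequired`. Either wire it into `API` (e.g. `Auth ApiAuth`) with the same accessor pair, or drop it until the adapter populates it. While it is still unexported from any caller, renaming to `APIAuth`/`APIKeyRequired` would keep the initialism consistent with `API` and `RESTMethodSettings` in the same file; exported names are much harder to fix later.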
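--- /dev/null
+++ b/UNKNOWN-PATH-2
@@ -0,0 +1,31 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type Application struct {
+	types.Metadata
+	LocationPath types.StringValue
+	Location Location
+}
+
+type Location struct {
+	types.Metadata
+	ApplicationID types.StringValue
+	SemanticVersion types.StringValue
+}
+
+func (a *Application) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *Application) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *Location) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *Location) GetRawValue() interface{} {
+	return nil
+}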
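--- /dev/null
+++ b/UNKNOWN-PATH-3
@@ -0,0 +1,43 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider/aws/iam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+type Function struct {
+	types.Metadata
+	FunctionName types.StringValue
+	Tracing types.StringValue
+	ManagedPolicies []types.StringValue
+	Policies []iam.PolicyDocument
+}
+
+const (
+	TracingModePassThrough = "PassThrough"
+	TracingModeActive = "Active"
+)
+
+
+type Permission struct {
+	types.Metadata
+	Principal types.StringValue
+	SourceARN types.StringValue
+}
+
+func (c *Function) GetMetadata() *types.Metadata {
+	return &c.Metadata
+}
+
+func (c *Function) GetRawValue() interface{} {
+	return nil
+}
+
+
+func (c *Permission) GetMetadata() *types.Metadata {
+	return &c.Metadata
+}
+
+func (c *Permission) GetRawValue() interface{} {
+	return nil
+}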
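Review bot: `Permission` (Principal/SourceARN) is not referenced by `Function` or by the `SAM` aggregate added in this commit, so as far as the visible state goes a check has no path to it; if it is meant to model a function's resource policy, `Function` needs something like `Permissions []Permission`. The double blank lines after the `const` block and after `Function.GetRawValue` would be collapsed by gofmt, which suggests the file was not formatted before commit. The receiver is `c` here but `a` in every sibling file; Go convention is a consistent short receiver per type, and `f`/`p` would read more naturally than `c`. The untyped string constants `TracingModePassThrough`/`TracingModeActive` are fine, but a one-line comment tying them to `Function.Tracing` (`// Valid values for Function.Tracing.`) would tell a reader where they are meant to be compared.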
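--- /dev/null
+++ b/UNKNOWN-PATH-4
@@ -0,0 +1,34 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type HttpAPI struct {
+	types.Metadata
+	Name types.StringValue
+	AccessLogging AccessLogging
+	DefaultRouteSettings RouteSettings
+	DomainConfiguration DomainConfiguration
+}
+
+type RouteSettings struct {
+	types.Metadata
+	LoggingEnabled types.BoolValue
+	DataTraceEnabled types.BoolValue
+	DetailedMetricsEnabled types.BoolValue
+}
+
+func (a *HttpAPI) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *HttpAPI) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *RouteSettings) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *RouteSettings) GetRawValue() interface{} {
+	return nil
+}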
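Review bot: `HttpAPI` mixes initialism styles in one identifier (`Http` lowercased, `API` uppercased); the Go convention, and the style already used by `API` and `RESTMethodSettings` in this package, would be `HTTPAPI`, with the aggregate field `HTTPAPIs`. Since this is the commit that introduces the exported name, renaming now is free, whereas later it breaks every adapter and check that refers to it.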
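--- /dev/null
+++ b/UNKNOWN-PATH-5
@@ -0,0 +1,10 @@
+package sam
+
+type SAM struct {
+	APIs []API
+	Applications []Application
+	Functions []Function
+	HttpAPIs []HttpAPI
+	SimpleTables []SimpleTable
+	StateMachines []StateMachine
+}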
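--- /dev/null
+++ b/UNKNOWN-PATH-6
@@ -0,0 +1,49 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider/aws/iam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+type StateMachine struct {
+	types.Metadata
+	Name types.StringValue
+	LoggingConfiguration LoggingConfiguration
+	ManagedPolicies []types.StringValue
+	Policies []iam.PolicyDocument
+	Tracing TracingConfiguration
+}
+
+type LoggingConfiguration struct {
+	types.Metadata
+	LoggingEnabled types.BoolValue
+}
+
+type TracingConfiguration struct {
+	types.Metadata
+	Enabled types.BoolValue
+}
+
+func (a *StateMachine) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *StateMachine) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *LoggingConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *LoggingConfiguration) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *TracingConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *TracingConfiguration) GetRawValue() interface{} {
+	return nil
+}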
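--- /dev/null
+++ b/UNKNOWN-PATH-7
@@ -0,0 +1,32 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type SimpleTable struct {
+	types.Metadata
+	TableName types.StringValue
+	SSESpecification SSESpecification
+}
+
+type SSESpecification struct {
+	types.Metadata
+
+	Enabled types.BoolValue
+	KMSMasterKeyID types.StringValue
+}
+
+func (a *SimpleTable) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *SimpleTable) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *SSESpecification) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *SSESpecification) GetRawValue() interface{} {
+	return nil
+}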
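Review bot: The stray blank line between `types.Metadata` and `Enabled` inside `SSESpecification` is the only struct in this commit laid out that way; every sibling type keeps the embedded metadata and its fields in one group, so dropping the blank line keeps the package uniform. A short doc comment on the type would also help the eventual check author, e.g. `// SSESpecification models a SimpleTable's server-side encryption settings; KMSMasterKeyID is only meaningful when Enabled is true.` (the second clause is my reading of the field names, not something the hunk establishes, so confirm against the adapter).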
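--- /dev/null
+++ b/UNKNOWN-PATH-8
@@ -0,0 +1,44 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableApiAccessLogging = rules.Register(
+	rules.Rule{
+		AVDID: "AVD-AWS-0113",
+		Provider: provider.AWSProvider,
+		Service: "sam",
+		ShortCode: "enable-api-access-logging",
+		Summary: "SAM API stages for V1 and V2 should have access logging enabled",
+		Impact: "Logging provides vital information about access and usage",
+		Resolution: "Enable logging for API Gateway stages",
+		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
+		Links: []string{
+			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting",
+		},
+		Severity: severity.Medium,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, api := range s.AWS.SAM.APIs {
+			if !api.IsManaged() {
+				continue
+			}
+
+			if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
+				results.Add(
+					"Access logging is not configured.",
+					&api,
+					api.AccessLogging.CloudwatchLogGroupARN,
+				)
+			} else {
+				results.AddPassed(&api)
+			}
+		}
+
+		return
+	},
+)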
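Review bot: The rule's Summary and Explanation promise coverage of both v1 and v2 stages, but the check function only walks `s.AWS.SAM.APIs`; `HttpAPI` in this same commit carries an identical `AccessLogging` field and is never visited, so an HTTP API with no log group silently passes. Either add a second loop over `s.AWS.SAM.HttpAPIs` (below, assuming `IsManaged` is promoted from the embedded `types.Metadata` as it is for `API`) or narrow the Summary to v1 until the v2 check exists. Separately, `results.Add(..., &api, ...)` and `results.AddPassed(&api)` take the address of the range variable, which on the Go versions of this era is a single variable reused across iterations; if `Results` retains that pointer rather than copying what it needs, every finding ends up pointing at the last API. Worth confirming against the `Results` implementation; the same pattern appears in the tracing check.
```go
	func(s *state.State) (results rules.Results) {
		// … unchanged: loop over s.AWS.SAM.APIs …
		for _, api := range s.AWS.SAM.HttpAPIs {
			if !api.IsManaged() {
				continue
			}
			if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
				results.Add(
					"Access logging is not configured.",
					&api,
					api.AccessLogging.CloudwatchLogGroupARN,
				)
			} else {
				results.AddPassed(&api)
			}
		}
		return
	},
```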
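--- /dev/null
+++ b/UNKNOWN-PATH-9
@@ -0,0 +1,43 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableApiTracing = rules.Register(
+	rules.Rule{
+		AVDID: "AVD-AWS-0111",
+		Provider: provider.AWSProvider,
+		Service: "sam",
+		ShortCode: "enable-api-tracing",
+		Summary: "SAM API must have X-Ray tracing enabled",
+		Impact: "Without full tracing enabled it is difficult to trace the flow of logs",
+		Resolution: "Enable tracing",
+		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
+		Links: []string{
+			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled",
+		},
+		Severity: severity.Low,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, api := range s.AWS.SAM.APIs {
+			if !api.IsManaged() {
+				continue
+			}
+
+			if api.TracingEnabled.IsFalse() {
+				results.Add(
+					"X-Ray tracing is not enabled,",
+					&api,
+					api.TracingEnabled,
+				)
+			} else {
+				results.AddPassed(&api)
+			}
+		}
+		return
+	},
+)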
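Review bot: The finding message `"X-Ray tracing is not enabled,"` ends with a comma where the access-logging check uses a full stop; this string is what users see in scan output, so it should read `"X-Ray tracing is not enabled."`. The check fires only on `IsFalse()`, so whatever the adapter produces for a template that omits `TracingEnabled` entirely decides whether the default-off case is reported; a comment stating that intent (`// An absent TracingEnabled is expected to arrive as an explicit false from the adapter.`) would make the choice reviewable, and a test with the property omitted would pin it. The Impact text "trace the flow of logs" is a little off for X-Ray, which traces requests rather than logs; `"Without tracing enabled it is difficult to follow requests through the API"` matches the Explanation better.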