Start adding SAM support for cfsec (#30)

* Start adding SAM support for cfsec

- adding support for API

* Add more SAM checks

* update links

provider/aws/aws.go

@@ -30,6 +30,7 @@ import (
 	"github.com/aquasecurity/defsec/provider/aws/rds"
 	"github.com/aquasecurity/defsec/provider/aws/redshift"
 	"github.com/aquasecurity/defsec/provider/aws/s3"
+	"github.com/aquasecurity/defsec/provider/aws/sam"
 	"github.com/aquasecurity/defsec/provider/aws/sns"
 	"github.com/aquasecurity/defsec/provider/aws/sqs"
 	"github.com/aquasecurity/defsec/provider/aws/ssm"
@@ -66,6 +67,7 @@ type AWS struct {
 	Neptune       neptune.Neptune
 	RDS           rds.RDS
 	Redshift      redshift.Redshift
+	SAM           sam.SAM
 	S3            s3.S3
 	SNS           sns.SNS
 	SQS           sqs.SQS

provider/aws/sam/api.go

@@ -0,0 +1,68 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type API struct {
+	types.Metadata
+	Name                types.StringValue
+	TracingEnabled      types.BoolValue
+	DomainConfiguration DomainConfiguration
+	AccessLogging       AccessLogging
+	RESTMethodSettings  RESTMethodSettings
+}
+
+type ApiAuth struct {
+	types.Metadata
+	ApiKeyRequired types.BoolValue
+}
+
+type AccessLogging struct {
+	types.Metadata
+	CloudwatchLogGroupARN types.StringValue
+}
+
+type DomainConfiguration struct {
+	types.Metadata
+	Name           types.StringValue
+	SecurityPolicy types.StringValue
+}
+
+type RESTMethodSettings struct {
+	types.Metadata
+	CacheDataEncrypted types.BoolValue
+	LoggingEnabled     types.BoolValue
+	DataTraceEnabled   types.BoolValue
+	MetricsEnabled     types.BoolValue
+}
+
+func (a *API) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *API) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *AccessLogging) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *AccessLogging) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *DomainConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *DomainConfiguration) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *RESTMethodSettings) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *RESTMethodSettings) GetRawValue() interface{} {
+	return nil
+}

provider/aws/sam/application.go

@@ -0,0 +1,31 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type Application struct {
+	types.Metadata
+	LocationPath types.StringValue
+	Location     Location
+}
+
+type Location struct {
+	types.Metadata
+	ApplicationID   types.StringValue
+	SemanticVersion types.StringValue
+}
+
+func (a *Application) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *Application) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *Location) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *Location) GetRawValue() interface{} {
+	return nil
+}

provider/aws/sam/function.go

@@ -0,0 +1,43 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider/aws/iam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+type Function struct {
+	types.Metadata
+	FunctionName    types.StringValue
+	Tracing         types.StringValue
+	ManagedPolicies []types.StringValue
+	Policies        []iam.PolicyDocument
+}
+
+const (
+	TracingModePassThrough = "PassThrough"
+	TracingModeActive      = "Active"
+)
+
+
+type Permission struct {
+	types.Metadata
+	Principal types.StringValue
+	SourceARN types.StringValue
+}
+
+func (c *Function) GetMetadata() *types.Metadata {
+	return &c.Metadata
+}
+
+func (c *Function) GetRawValue() interface{} {
+	return nil
+}
+
+
+func (c *Permission) GetMetadata() *types.Metadata {
+	return &c.Metadata
+}
+
+func (c *Permission) GetRawValue() interface{} {
+	return nil
+}

provider/aws/sam/http_api.go

@@ -0,0 +1,34 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type HttpAPI struct {
+	types.Metadata
+	Name                 types.StringValue
+	AccessLogging        AccessLogging
+	DefaultRouteSettings RouteSettings
+	DomainConfiguration  DomainConfiguration
+}
+
+type RouteSettings struct {
+	types.Metadata
+	LoggingEnabled         types.BoolValue
+	DataTraceEnabled       types.BoolValue
+	DetailedMetricsEnabled types.BoolValue
+}
+
+func (a *HttpAPI) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *HttpAPI) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *RouteSettings) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *RouteSettings) GetRawValue() interface{} {
+	return nil
+}

provider/aws/sam/sam.go

@@ -0,0 +1,10 @@
+package sam
+
+type SAM struct {
+	APIs          []API
+	Applications  []Application
+	Functions     []Function
+	HttpAPIs      []HttpAPI
+	SimpleTables  []SimpleTable
+	StateMachines []StateMachine
+}

provider/aws/sam/state_machine.go

@@ -0,0 +1,49 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider/aws/iam"
+	"github.com/aquasecurity/defsec/types"
+)
+
+type StateMachine struct {
+	types.Metadata
+	Name                 types.StringValue
+	LoggingConfiguration LoggingConfiguration
+	ManagedPolicies      []types.StringValue
+	Policies             []iam.PolicyDocument
+	Tracing              TracingConfiguration
+}
+
+type LoggingConfiguration struct {
+	types.Metadata
+	LoggingEnabled types.BoolValue
+}
+
+type TracingConfiguration struct {
+	types.Metadata
+	Enabled types.BoolValue
+}
+
+func (a *StateMachine) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *StateMachine) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *LoggingConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *LoggingConfiguration) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *TracingConfiguration) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *TracingConfiguration) GetRawValue() interface{} {
+	return nil
+}

provider/aws/sam/table.go

@@ -0,0 +1,32 @@
+package sam
+
+import "github.com/aquasecurity/defsec/types"
+
+type SimpleTable struct {
+	types.Metadata
+	TableName        types.StringValue
+	SSESpecification SSESpecification
+}
+
+type SSESpecification struct {
+	types.Metadata
+
+	Enabled        types.BoolValue
+	KMSMasterKeyID types.StringValue
+}
+
+func (a *SimpleTable) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *SimpleTable) GetRawValue() interface{} {
+	return nil
+}
+
+func (a *SSESpecification) GetMetadata() *types.Metadata {
+	return &a.Metadata
+}
+
+func (a *SSESpecification) GetRawValue() interface{} {
+	return nil
+}

rules/aws/iam/no_policy_wildcards.go

@@ -66,6 +66,9 @@ func checkStatement(document iam.PolicyDocument, statement iam.PolicyDocumentSta
 	}
 	for _, resource := range statement.Resource {
 		if strings.Contains(resource, "*") && !iam.IsWildcardAllowed(statement.Action...) {
+			if strings.HasSuffix(resource, "/*") && strings.HasPrefix(resource, "arn:aws:s3") {
+				continue
+			}
 			results.Add(
 				"IAM policy document uses wildcarded resource for sensitive action(s).",
 				document,

rules/aws/sam/enable_api_access_logging.go

@@ -0,0 +1,44 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableApiAccessLogging = rules.Register(
+	rules.Rule{
+		AVDID:       "AVD-AWS-0113",
+		Provider:    provider.AWSProvider,
+		Service:     "sam",
+		ShortCode:   "enable-api-access-logging",
+		Summary:     "SAM API stages for V1 and V2 should have access logging enabled",
+		Impact:      "Logging provides vital information about access and usage",
+		Resolution:  "Enable logging for API Gateway stages",
+		Explanation: `API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.`,
+		Links: []string{
+			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting",
+		},
+		Severity: severity.Medium,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, api := range s.AWS.SAM.APIs {
+			if !api.IsManaged() {
+				continue
+			}
+
+			if api.AccessLogging.CloudwatchLogGroupARN.IsEmpty() {
+				results.Add(
+					"Access logging is not configured.",
+					&api,
+					api.AccessLogging.CloudwatchLogGroupARN,
+				)
+			} else {
+				results.AddPassed(&api)
+			}
+		}
+
+		return
+	},
+)

rules/aws/sam/enable_api_tracing.go

@@ -0,0 +1,43 @@
+package sam
+
+import (
+	"github.com/aquasecurity/defsec/provider"
+	"github.com/aquasecurity/defsec/rules"
+	"github.com/aquasecurity/defsec/severity"
+	"github.com/aquasecurity/defsec/state"
+)
+
+var CheckEnableApiTracing = rules.Register(
+	rules.Rule{
+		AVDID:       "AVD-AWS-0111",
+		Provider:    provider.AWSProvider,
+		Service:     "sam",
+		ShortCode:   "enable-api-tracing",
+		Summary:     "SAM API must have X-Ray tracing enabled",
+		Impact:      "Without full tracing enabled it is difficult to trace the flow of logs",
+		Resolution:  "Enable tracing",
+		Explanation: `X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.`,
+		Links:       []string{
+			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled",
+		},
+		Severity:    severity.Low,
+	},
+	func(s *state.State) (results rules.Results) {
+		for _, api := range s.AWS.SAM.APIs {
+			if !api.IsManaged() {
+				continue
+			}
+
+			if api.TracingEnabled.IsFalse() {
+				results.Add(
+					"X-Ray tracing is not enabled,",
+					&api,
+					api.TracingEnabled,
+				)
+			} else {
+				results.AddPassed(&api)
+			}
+		}
+		return
+	},
+)