Merge pull request Checkmarx#6863 from Checkmarx/kics-1145

feat(query): cloud formation api gateway access logging disabled

assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/metadata.json → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/metadata.json

@@ -1,6 +1,6 @@
 {
   "id": "80d45af4-4920-4236-a56e-b7ef419d1941",
-  "queryName": "API Gateway Stage Access Logging Settings Not Defined",
+  "queryName": "API Gateway Access Logging Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
   "descriptionText": "API Gateway Stage should have Access Logging Settings defined",

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego

@@ -0,0 +1,170 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.cloudformation as cf_lib
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	searchKeyValid := validNonEmptyKey(properties, "DefaultRouteSettings")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	defaultRouteSettings := properties.DefaultRouteSettings
+	searchKeyValid := validNonEmptyKey(defaultRouteSettings, "LoggingLevel")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings%s", [name, searchKeyValid]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	loggingLevel := properties.DefaultRouteSettings.LoggingLevel
+	loggingLevel == "OFF"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	searchKeyValid := validNonEmptyKey(properties, "MethodSettings")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	methodSettings := properties.MethodSettings
+	searchKeyValid := validNonEmptyKey(methodSettings, "LoggingLevel")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings%s", [name, searchKeyValid]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	loggingLevel := properties.MethodSettings.LoggingLevel
+	loggingLevel == "OFF"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should not be set to OFF", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
+	}
+}
+
+CxPolicy[result] {
+	doc := input.document[i]
+	resource := doc.Resources[stage]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+	properties := resource.Properties
+
+	not properties.AccessLogSettings
+
+	result := {
+		"documentId": doc.id,
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'AccessLogSettings' should be defined",
+		"keyActualValue": "'AccessLogSettings' is not defined",
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, stage),
+		"searchKey": sprintf("Resources.%s.Properties", [stage]),
+	}
+}
+
+CxPolicy[result] {
+	doc := input.document[i]
+	resource := doc.Resources[stage]
+	resource.Type == "AWS::ApiGateway::Stage"
+	properties := resource.Properties
+
+	not properties.AccessLogSetting
+
+	result := {
+		"documentId": doc.id,
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'AccessLogSetting' should be defined",
+		"keyActualValue": "'AccessLogSetting' is not defined",
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, stage),
+		"searchKey": sprintf("Resources.%s.Properties", [stage]),
+	}
+}
+
+validNonEmptyKey(field, key) = output {
+	not common_lib.valid_key(field, key)
+	output = ""
+} else = output {
+	keyObj := field[key]
+	is_object(keyObj)
+	count(keyObj) == 0
+	output := concat(".", ["", key])
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json

@@ -0,0 +1,29 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "MyStage": {
+            "Type": "AWS::ApiGateway::Stage",
+            "Properties": {
+                "StageName": "Prod",
+                "Description": "Prod Stage",
+                "AccessLogSetting": {
+                    "DestinationArn": "dest",
+                    "Format": "format"
+                },
+                "DeploymentId": {
+                    "Ref": "MyDeployment"
+                },
+                "MethodSettings": {
+                  "DetailedMetricsEnabled": true,
+                  "LoggingLevel": "INFO",
+                  "DataTraceEnabled": false,
+                  "ThrottlingBurstLimit": 10,
+                  "ThrottlingRateLimit": 10
+                },
+                "RestApiId": {
+                    "Ref": "CFNWebSocket"
+                }
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml

@@ -0,0 +1,14 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      MethodSettings:
+        LoggingLevel: "ON"
+      AccessLogSetting:
+        DestinationArn: "dest"
+        Format: "format"

assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive1.yaml → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml

@@ -4,6 +4,9 @@ Resources:
     Properties:
       StageName: Prod
       Description: Prod Stage
+      AccessLogSetting: 
+        DestinationArn: "dest"
+        Format: "format"
       RestApiId: !Ref MyRestApi
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json

@@ -0,0 +1,24 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyStage": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "AccessLogSetting": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
+        "DeploymentId": {
+          "Ref": "MyDeployment"
+        },
+        "RestApiId": {
+          "Ref": "CFNWebSocket"
+        },
+        "MethodSettings": {
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml

@@ -0,0 +1,13 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      AccessLogSetting: 
+        DestinationArn: "dest"
+        Format: "format"
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      MethodSettings:

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json

@@ -0,0 +1,29 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "MyStage": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "AccessLogSetting": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
+        "DeploymentId": {
+          "Ref": "MyDeployment"
+        },
+        "RestApiId": {
+          "Ref": "CFNWebSocket"
+        },
+        "MethodSettings": {
+          "DetailedMetricsEnabled": true,
+          "LoggingLevel": "OFF",
+          "DataTraceEnabled": false,
+          "ThrottlingBurstLimit": 10,
+          "ThrottlingRateLimit": 10
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml

@@ -0,0 +1,14 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      AccessLogSettings: 
+        DestinationArn: "dest"
+        Format: "format"
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      ApiId: "teste"
+      DefaultRouteSettings:

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml

@@ -0,0 +1,14 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      AccessLogSetting: 
+        DestinationArn: "dest"
+        Format: "format"
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      MethodSettings:
+        LoggingLevel: "OFF"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml

@@ -0,0 +1,15 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      AccessLogSettings: 
+        DestinationArn: "dest"
+        Format: "format"
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      ApiId: "teste"
+      DefaultRouteSettings:
+        LoggingLevel: "OFF"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml

@@ -0,0 +1,11 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      MethodSettings:
+        LoggingLevel: "ON"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml

@@ -0,0 +1,12 @@
+Resources:
+  Prod:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: ""
+      ApiId: "teste"
+      DefaultRouteSettings:
+        LoggingLevel: "ON"

assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive2.json → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json

@@ -6,6 +6,10 @@
       "Type": "AWS::ApiGatewayV2::Stage",
       "Properties": {
         "Description": "Prod Stage",
+        "AccessLogSettings": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
         "DeploymentId": "MyDeployment",
         "ApiId": "CFNWebSocket",
         "StageName": "Prod"