Serverless API Without Content Encoding
- Query id: a2f2800e-614b-4bc8-89e6-fec8afd24800
- Query name: Serverless API Without Content Encoding
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- URL: Github
Description¶
AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
ApiGatewayApi:
Type: AWS::Serverless::Api
Properties:
StageName: prod
TracingEnabled: true
CacheClusterEnabled: true
AccessLogSetting:
DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
Format: >-
{"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
ApiGatewayApi2:
Type: AWS::Serverless::Api
Properties:
StageName: prod
TracingEnabled: true
CacheClusterEnabled: true
AccessLogSetting:
DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
Format: >-
{"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
MinimumCompressionSize: -1
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
ApiGatewayApi3:
Type: AWS::Serverless::Api
Properties:
StageName: prod
TracingEnabled: true
CacheClusterEnabled: true
AccessLogSetting:
DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
Format: >-
{"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
MinimumCompressionSize: 11485759
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
ApiGatewayApi4:
Type: AWS::Serverless::Api
Properties:
StageName: prod
TracingEnabled: true
CacheClusterEnabled: true
AccessLogSetting:
DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
Format: >-
{"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
MinimumCompressionSize: 114