API Gateway Deployment Without Access Log Setting

  • Query id: 06ec63e3-9f72-4fe2-a218-2eb9200b8db5
  • Query name: API Gateway Deployment Without Access Log Setting
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • CWE: Ongoing
  • URL: Github

Description

API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  GreetingApiProdStage:
    DependsOn:
    - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
    - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
      StageDescription:
        CacheClusterEnabled: false
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  GreetingApiProdStage1:
    DependsOn:
    - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment1:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
    - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  GreetingApiProdStage2:
    DependsOn:
    - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment2:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
    - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "ApiDeployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "DependsOn": [
        "GreetingRequest"
      ],
      "Properties": {
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "DummyStage",
        "StageDescription": {
          "CacheClusterEnabled": false
        }
      }
    },
    "GreetingApiProdStage": {
      "DependsOn": [
        "ApiGatewayAccount"
      ],
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "prod",
        "Variables": {
          "LambdaAlias": "PROD"
        },
        "DeploymentId": {
          "Ref": "ApiDeployment"
        },
        "MethodSettings": [
          {
            "HttpMethod": "*",
            "LoggingLevel": "INFO",
            "ResourcePath": "/*",
            "DataTraceEnabled": true
          }
        ],
        "RestApiId": {
          "Ref": "GreetingApi"
        }
      }
    }
  }
}
Positive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "GreetingApiProdStage1": {
      "DependsOn": [
        "ApiGatewayAccount"
      ],
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "DeploymentId": {
          "Ref": "ApiDeployment"
        },
        "MethodSettings": [
          {
            "LoggingLevel": "INFO",
            "ResourcePath": "/*",
            "DataTraceEnabled": true,
            "HttpMethod": "*"
          }
        ],
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "prod",
        "Variables": {
          "LambdaAlias": "PROD"
        }
      }
    },
    "ApiDeployment1": {
      "Type": "AWS::ApiGateway::Deployment",
      "DependsOn": [
        "GreetingRequest"
      ],
      "Properties": {
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "DummyStage"
      }
    }
  }
}
Positive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "GreetingApiProdStage2": {
      "DependsOn": [
        "ApiGatewayAccount"
      ],
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "MethodSettings": [
          {
            "DataTraceEnabled": true,
            "HttpMethod": "*",
            "LoggingLevel": "INFO",
            "ResourcePath": "/*"
          }
        ],
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "prod",
        "Variables": {
          "LambdaAlias": "PROD"
        },
        "DeploymentId": {
          "Ref": "ApiDeployment"
        }
      }
    },
    "ApiDeployment2": {
      "Type": "AWS::ApiGateway::Deployment",
      "DependsOn": [
        "GreetingRequest"
      ],
      "Properties": {
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "DummyStage"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  GreetingApiProdStage:
    DependsOn:
    - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
    - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
      StageDescription:
        AccessLogSetting:
          DestinationArn: "dest"
          Format: "format"
Negative test num. 2 - json file
{
  "Resources": {
    "GreetingApiProdStage": {
      "DependsOn": [
        "ApiGatewayAccount"
      ],
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "Variables": {
          "LambdaAlias": "PROD"
        },
        "DeploymentId": {
          "Ref": "ApiDeployment"
        },
        "MethodSettings": [
          {
            "HttpMethod": "*",
            "LoggingLevel": "INFO",
            "ResourcePath": "/*",
            "DataTraceEnabled": true
          }
        ],
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "prod"
      }
    },
    "ApiDeployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "DependsOn": [
        "GreetingRequest"
      ],
      "Properties": {
        "RestApiId": {
          "Ref": "GreetingApi"
        },
        "StageName": "DummyStage",
        "StageDescription": {
          "AccessLogSetting": {
            "DestinationArn": "dest",
            "Format": "format"
          }
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway"
}