API Gateway Deployment Without Access Log Setting
- Query id: 06ec63e3-9f72-4fe2-a218-2eb9200b8db5
- Query name: API Gateway Deployment Without Access Log Setting
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description
An API Gateway Deployment should have an access log setting defined when it is connected to an API Gateway Stage.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample 1: the Deployment does carry a StageDescription, but it only
# sets CacheClusterEnabled — there is no AccessLogSetting, so no access log is
# configured for the stage this deployment creates.
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  # Stage bound to the Deployment below through DeploymentId.
  GreetingApiProdStage:
    # ApiGatewayAccount, GreetingApi and GreetingRequest are referenced but not
    # defined in this sample; it is a scanner fixture, not a deployable template.
    DependsOn:
      - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      # MethodSettings configure execution logging, not the access log the
      # query looks for; enabling them does not satisfy this check.
      MethodSettings:
        # DataTraceEnabled logs full request/response data to CloudWatch;
        # review for sensitive payloads before using this setting in production.
        - DataTraceEnabled: true
          HttpMethod: "*"
          LoggingLevel: INFO
          ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
      # Finding: StageDescription lacks AccessLogSetting (DestinationArn and
      # Format). Compare the negative sample further down for the compliant form.
      StageDescription:
        CacheClusterEnabled: false
Positive test num. 2 - yaml file
# Positive sample 2: the Deployment has no StageDescription at all, so there is
# no place where an AccessLogSetting could have been defined.
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  # Stage bound to the Deployment below through DeploymentId.
  GreetingApiProdStage1:
    # ApiGatewayAccount, GreetingApi and GreetingRequest are referenced but not
    # defined in this sample; it is a scanner fixture, not a deployable template.
    DependsOn:
      - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      # Execution logging only; this does not count as an access log setting.
      MethodSettings:
        # DataTraceEnabled logs full request/response data to CloudWatch;
        # review for sensitive payloads before using this setting in production.
        - DataTraceEnabled: true
          HttpMethod: "*"
          LoggingLevel: INFO
          ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment1:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - GreetingRequest
    # Finding: no StageDescription, hence no StageDescription.AccessLogSetting.
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
Positive test num. 3 - yaml file
# Positive sample 3: structurally the same case as sample 2 (Deployment without
# StageDescription), kept as a separate fixture with distinct logical IDs.
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  # Stage bound to the Deployment below through DeploymentId.
  GreetingApiProdStage2:
    # ApiGatewayAccount, GreetingApi and GreetingRequest are referenced but not
    # defined in this sample; it is a scanner fixture, not a deployable template.
    DependsOn:
      - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      # Execution logging only; this does not count as an access log setting.
      MethodSettings:
        # DataTraceEnabled logs full request/response data to CloudWatch;
        # review for sensitive payloads before using this setting in production.
        - DataTraceEnabled: true
          HttpMethod: "*"
          LoggingLevel: INFO
          ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment2:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - GreetingRequest
    # Finding: no StageDescription, hence no StageDescription.AccessLogSetting.
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ApiGateway",
"Resources": {
"ApiDeployment": {
"Type": "AWS::ApiGateway::Deployment",
"DependsOn": [
"GreetingRequest"
],
"Properties": {
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "DummyStage",
"StageDescription": {
"CacheClusterEnabled": false
}
}
},
"GreetingApiProdStage": {
"DependsOn": [
"ApiGatewayAccount"
],
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"StageName": "prod",
"Variables": {
"LambdaAlias": "PROD"
},
"DeploymentId": {
"Ref": "ApiDeployment"
},
"MethodSettings": [
{
"HttpMethod": "*",
"LoggingLevel": "INFO",
"ResourcePath": "/*",
"DataTraceEnabled": true
}
],
"RestApiId": {
"Ref": "GreetingApi"
}
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ApiGateway",
"Resources": {
"GreetingApiProdStage1": {
"DependsOn": [
"ApiGatewayAccount"
],
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "ApiDeployment"
},
"MethodSettings": [
{
"LoggingLevel": "INFO",
"ResourcePath": "/*",
"DataTraceEnabled": true,
"HttpMethod": "*"
}
],
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "prod",
"Variables": {
"LambdaAlias": "PROD"
}
}
},
"ApiDeployment1": {
"Type": "AWS::ApiGateway::Deployment",
"DependsOn": [
"GreetingRequest"
],
"Properties": {
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "DummyStage"
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ApiGateway",
"Resources": {
"GreetingApiProdStage2": {
"DependsOn": [
"ApiGatewayAccount"
],
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"MethodSettings": [
{
"DataTraceEnabled": true,
"HttpMethod": "*",
"LoggingLevel": "INFO",
"ResourcePath": "/*"
}
],
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "prod",
"Variables": {
"LambdaAlias": "PROD"
},
"DeploymentId": {
"Ref": "ApiDeployment"
}
}
},
"ApiDeployment2": {
"Type": "AWS::ApiGateway::Deployment",
"DependsOn": [
"GreetingRequest"
],
"Properties": {
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "DummyStage"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: the Deployment defines StageDescription.AccessLogSetting with
# both DestinationArn and Format, which is what the query expects to find.
AWSTemplateFormatVersion: "2010-09-09"
Description: "ApiGateway"
Resources:
  # Stage bound to the Deployment below through DeploymentId.
  GreetingApiProdStage:
    # ApiGatewayAccount, GreetingApi and GreetingRequest are referenced but not
    # defined in this sample; it is a scanner fixture, not a deployable template.
    DependsOn:
      - ApiGatewayAccount
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId:
        Ref: ApiDeployment
      # Execution logging; independent of the access log configured below.
      MethodSettings:
        # DataTraceEnabled logs full request/response data to CloudWatch;
        # review for sensitive payloads before using this setting in production.
        - DataTraceEnabled: true
          HttpMethod: "*"
          LoggingLevel: INFO
          ResourcePath: "/*"
      RestApiId:
        Ref: GreetingApi
      StageName: prod
      Variables:
        LambdaAlias: PROD
  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - GreetingRequest
    Properties:
      RestApiId:
        Ref: GreetingApi
      StageName: DummyStage
      StageDescription:
        # "dest" and "format" are fixture placeholders. In a real template
        # DestinationArn is the ARN of the log destination and Format is the
        # access log format string; the query appears to check only that the
        # setting is present, not that these values are valid — confirm against
        # the query source.
        AccessLogSetting:
          DestinationArn: "dest"
          Format: "format"
Negative test num. 2 - json file
{
"Resources": {
"GreetingApiProdStage": {
"DependsOn": [
"ApiGatewayAccount"
],
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"Variables": {
"LambdaAlias": "PROD"
},
"DeploymentId": {
"Ref": "ApiDeployment"
},
"MethodSettings": [
{
"HttpMethod": "*",
"LoggingLevel": "INFO",
"ResourcePath": "/*",
"DataTraceEnabled": true
}
],
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "prod"
}
},
"ApiDeployment": {
"Type": "AWS::ApiGateway::Deployment",
"DependsOn": [
"GreetingRequest"
],
"Properties": {
"RestApiId": {
"Ref": "GreetingApi"
},
"StageName": "DummyStage",
"StageDescription": {
"AccessLogSetting": {
"DestinationArn": "dest",
"Format": "format"
}
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ApiGateway"
}