Serverless API Access Logging Setting Undefined

  • Query id: 0a994e04-c6dc-471d-817e-d37451d18a3b
  • Query name: Serverless API Access Logging Setting Undefined
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi2:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value
        AccessLogSettings:
          DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
          Format: >-
            {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
            "caller":"$context.identity.caller",
            "user":"$context.identity.user","requestTime":"$context.requestTime",
            "eventType":"$context.eventType","routeKey":"$context.routeKey",
            "status":"$context.status","connectionId":"$context.connectionId"}