API Gateway Cache Encrypted Disabled

  • Query id: 37cca703-b74c-48ba-ac81-595b53398e9b
  • Query name: API Gateway Cache Encrypted Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • CWE: 316
  • URL: Github

Description

'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  Deployment:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyApi
      Description: My deployment
      StageName: DummyStage
      StageDescription:
        CachingEnabled: true
Positive test num. 2 - json file
{
  "Resources": {
    "Deployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "MyApi"
        },
        "Description": "My deployment",
        "StageName": "DummyStage",
        "StageDescription": {
          "CachingEnabled": true
        }
      }
    }
  }
}
Positive test num. 3 - yaml file
Resources:
  Deployment:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyApi
      Description: My deployment
      StageName: DummyStage
      StageDescription:
        CacheDataEncrypted: false
        CachingEnabled: true

Positive test num. 4 - json file 
{
  "Resources": {
    "Deployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "MyApi"
        },
        "Description": "My deployment",
        "StageName": "DummyStage",
        "StageDescription": {
          "CacheDataEncrypted": false,
          "CachingEnabled": true
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  Deployment:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyApi
      Description: My deployment
      StageName: DummyStage
      StageDescription:
        CacheDataEncrypted: true
        CachingEnabled: true
Negative test num. 2 - json file
{
  "Resources": {
    "Deployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "MyApi"
        },
        "Description": "My deployment",
        "StageName": "DummyStage",
        "StageDescription": {
          "CacheDataEncrypted": true,
          "CachingEnabled": true
        }
      }
    }
  }
}