API Gateway Access Logging Disabled
- Query id: 1b6799eb-4a7a-4b04-9001-8cceb9999326
- Query name: API Gateway Access Logging Disabled
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description¶
API Gateway Stage should have Access Logging Settings defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
settings {
logging_level = "ERROR"
}
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
default_route_settings {
logging_level = "ERROR"
}
}
Positive test num. 2 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
settings {
logging_level = ""
}
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
default_route_settings {
logging_level = ""
}
}
Positive test num. 3 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
settings {
metrics_enabled = true
}
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
default_route_settings {
data_trace_enabled = "true"
}
}
Positive test num. 4 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
Positive test num. 5 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
settings {
logging_level = "OFF"
}
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
default_route_settings {
logging_level = "OFF"
}
}
Positive test num. 6 - tf file
resource "aws_api_gateway_stage" "postive1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.postive1.stage_name
method_path = "*/*"
settings {
}
}
resource "aws_apigatewayv2_stage" "postive2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
default_route_settings {
}
}
Positive test num. 7 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_api_gateway_stage" "negative1" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
}
resource "aws_api_gateway_method_settings" "all" {
stage_name = aws_api_gateway_stage.negative1.stage_name
method_path = "*/*"
settings {
metrics_enabled = true
logging_level = "ERROR"
}
}
resource "aws_apigatewayv2_stage" "negative2" {
stage_name = "dev"
rest_api_id = "id"
access_log_settings {
destination_arn = "dest"
}
default_route_settings {
logging_level = "ERROR"
}
}