API Gateway Deployment Without Access Log Setting
- Query id: 625abc0e-f980-4ac9-a775-f7519ee34296
- Query name: API Gateway Deployment Without Access Log Setting
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778
- URL: Github
Description
An API Gateway Deployment should have access log settings defined when it is connected to an API Gateway Stage.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "aws_api_gateway_deployment" "examplee" {
  rest_api_id = "some rest api id"
  stage_name = "some name"
  tags {
    project = "ProjectName"
  }
}
resource "aws_api_gateway_stage" "example00" {
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name = "example"
}
Positive test num. 2 - tf file
resource "aws_api_gateway_deployment" "example3" {
  rest_api_id = "some rest api id"
  stage_name = "some name"
  tags {
    project = "ProjectName"
  }
}
resource "aws_api_gateway_stage" "example000" {
  deployment_id = aws_api_gateway_deployment.example3.id
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name = "example"
}
Positive test num. 3 - tf file
resource "aws_api_gateway_deployment" "example4" {
  rest_api_id = "some rest api id"
  stage_name = "some name"
  tags {
    project = "ProjectName"
  }
}
resource "aws_api_gateway_stage" "example0000" {
  deployment_id = aws_api_gateway_deployment.example4.id
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name = "example"
  access_log_settings {
    destination_arn = "dest"
    format = "format"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "aws_api_gateway_deployment" "example5" {
  rest_api_id = "some rest api id"
  stage_name = "some name"
  stage_description = "some description"
  tags {
    project = "ProjectName"
  }
}
resource "aws_api_gateway_stage" "example0" {
  deployment_id = aws_api_gateway_deployment.example5.id
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name = "example"
  access_log_settings {
    destination_arn = "dest"
    format = "format"
  }
}