Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(cloudformation): api_gateway_access_logging_disabled not working for HTTP API Gateways #6944

Open jonathannaguin opened 6 months ago

jonathannaguin commented 6 months ago

A recent change in Kics https://github.com/Checkmarx/kics/commit/8ac0687178361a1655245f6c9cafcdcb4360ed5c introduced a check for DefaultRouteSettings on AWS::ApiGatewayV2::Stage. This check expects a value on Properties.DefaultRouteSettings.LoggingLevel which is a field that can be ONLY set for non-HTTP API Gateways. If we try to set it, then CloudFormation fails with an error:

Execution logs are not supported on protocolType HTTP

I believe the presence of Properties.DefaultRouteSettings.LoggingLevel is actually optional; we can enable logging by simply specifying AccessLogSettings.

Expected Behavior

HTTP API gateways with logging enabled should pass the Kics validation.

Actual Behavior

Kics requires a setting to be added on the CloudFormation template that is only compatible with WebSocket API Gateways.

Steps to Reproduce the Problem

The test on https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml will only work for Web Sockets API Gateways.

Specifications
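To make the reported mismatch concrete, the following is an added example (not KICS's own query, which is written in Rego, and not code from the issue author): a protocol-aware version of the stage-logging check written in plain Python over the dict structure a YAML loader produces for a CloudFormation template. It resolves each AWS::ApiGatewayV2::Stage to its AWS::ApiGatewayV2::Api through the ApiId Ref, treats AccessLogSettings with a DestinationArn as "access logging enabled" for every protocol, and only looks at DefaultRouteSettings.LoggingLevel for WEBSOCKET stages, reporting it as an informational finding rather than a requirement. The four templates, the log-group ARN and the account id are constructed samples; the severity labels and the function names are assumptions made for this example.

```python
"""Protocol-aware access-logging check for AWS::ApiGatewayV2::Stage.

Constructed example: the check logic and the sample templates are written for
illustration and are not KICS's query or the issue author's code.
"""

from typing import Any, Dict, List, Tuple

# Constructed templates, expressed as the dicts yaml.safe_load() would return,
# so the example runs offline without PyYAML. The ARN uses a placeholder account id.
_LOG_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:apigw-access-logs"

HTTP_API_WITH_ACCESS_LOGS = {"Resources": {
    "HttpApi": {"Type": "AWS::ApiGatewayV2::Api",
                "Properties": {"Name": "demo-http", "ProtocolType": "HTTP"}},
    "HttpStage": {"Type": "AWS::ApiGatewayV2::Stage", "Properties": {
        "ApiId": {"Ref": "HttpApi"}, "StageName": "$default",
        # Valid for HTTP APIs: access logs only, no execution LoggingLevel.
        "AccessLogSettings": {"DestinationArn": _LOG_ARN,
                              "Format": '{"requestId":"$context.requestId"}'}}},
}}

HTTP_API_NO_LOGS = {"Resources": {
    "HttpApi": {"Type": "AWS::ApiGatewayV2::Api",
                "Properties": {"Name": "demo-http", "ProtocolType": "HTTP"}},
    "HttpStage": {"Type": "AWS::ApiGatewayV2::Stage",
                  "Properties": {"ApiId": {"Ref": "HttpApi"}, "StageName": "$default"}},
}}

WEBSOCKET_EXEC_LOGS_ONLY = {"Resources": {
    "WsApi": {"Type": "AWS::ApiGatewayV2::Api",
              "Properties": {"Name": "demo-ws", "ProtocolType": "WEBSOCKET",
                             "RouteSelectionExpression": "$request.body.action"}},
    "WsStage": {"Type": "AWS::ApiGatewayV2::Stage", "Properties": {
        "ApiId": {"Ref": "WsApi"}, "StageName": "prod",
        # Execution logging on, but no access-log destination.
        "DefaultRouteSettings": {"LoggingLevel": "INFO"}}},
}}

WEBSOCKET_BOTH = {"Resources": {
    "WsApi": {"Type": "AWS::ApiGatewayV2::Api",
              "Properties": {"Name": "demo-ws", "ProtocolType": "WEBSOCKET",
                             "RouteSelectionExpression": "$request.body.action"}},
    "WsStage": {"Type": "AWS::ApiGatewayV2::Stage", "Properties": {
        "ApiId": {"Ref": "WsApi"}, "StageName": "prod",
        "AccessLogSettings": {"DestinationArn": _LOG_ARN, "Format": "$context.requestId"},
        "DefaultRouteSettings": {"LoggingLevel": "ERROR"}}},
}}

Finding = Tuple[str, str, str]  # (resource logical id, severity, message)


def _resolve_ref(value: Any, resources: Dict[str, Any]) -> Any:
    """Follow a {"Ref": "LogicalId"} to the referenced resource, else None."""
    if isinstance(value, dict) and "Ref" in value:
        return resources.get(value["Ref"])
    return None


def protocol_of_stage(stage_props: Dict[str, Any], resources: Dict[str, Any]) -> str:
    """Return HTTP / WEBSOCKET for the stage's API, or UNKNOWN if unresolvable."""
    api = _resolve_ref(stage_props.get("ApiId"), resources)
    if isinstance(api, dict) and api.get("Type") == "AWS::ApiGatewayV2::Api":
        return str(api.get("Properties", {}).get("ProtocolType", "")).upper() or "UNKNOWN"
    return "UNKNOWN"


def check_stage_logging(template: Dict[str, Any]) -> List[Finding]:
    """Flag API Gateway V2 stages whose logging configuration is insufficient."""
    findings: List[Finding] = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGatewayV2::Stage":
            continue
        props = res.get("Properties", {})
        protocol = protocol_of_stage(props, resources)

        # Access logging is the control that applies to every protocol type.
        access = props.get("AccessLogSettings") or {}
        if not access.get("DestinationArn"):
            findings.append((name, "HIGH",
                             "AccessLogSettings.DestinationArn is missing: access logging is disabled"))

        # Execution logs (DefaultRouteSettings.LoggingLevel) exist only for
        # WebSocket APIs; HTTP APIs reject the property, so never require it there.
        if protocol == "WEBSOCKET":
            level = str((props.get("DefaultRouteSettings") or {}).get("LoggingLevel", "OFF")).upper()
            if level == "OFF":
                findings.append((name, "INFO",
                                 "DefaultRouteSettings.LoggingLevel is OFF: execution logging disabled"))
    return findings


if __name__ == "__main__":
    for label, tpl in [("http+access", HTTP_API_WITH_ACCESS_LOGS), ("http-none", HTTP_API_NO_LOGS),
                       ("ws-exec-only", WEBSOCKET_EXEC_LOGS_ONLY), ("ws-both", WEBSOCKET_BOTH)]:
        print(label, check_stage_logging(tpl))
```

Run as a script it prints the findings for each sample: the HTTP stage with AccessLogSettings passes cleanly, the HTTP stage with nothing and the WebSocket stage with only an execution LoggingLevel both get a HIGH finding for missing access logs, and the WebSocket stage with both settings passes. The design point is that the protocol is read from the referenced Api resource rather than assumed, which is what keeps an HTTP-only property from being demanded on HTTP stages.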

jonathannaguin commented 3 months ago

Are there any plans to get this resolved? This is blocking us from using a more recent version of Kics.

Sudarshan-TN commented 3 months ago

Any fix for this issue?

gabriel-cx commented 3 months ago

Hi @jonathannaguin @Sudarshan-TN ,

Thanks for your inputs! We asked our internal AppSec team to provide you feedback on this. We will keep you updated asap.

(APPSEC-2729)