bug(cloudformation): api_gateway_access_logging_disabled not working for HTTP API Gateways #6944

Open
jonathannaguin opened this issue Mar 8, 2024 · 3 comments
Labels
appsec aws PR related with AWS Cloud bug Something isn't working cloudformation CloudFormation query community Community contribution query New query feature

Comments

@jonathannaguin

A recent change in Kics 8ac0687 introduced a check for DefaultRouteSettings on AWS::ApiGatewayV2::Stage. This check expects a value on Properties.DefaultRouteSettings.LoggingLevel, which is a field that can ONLY be set for non-HTTP API Gateways.
If we try to set it, then CloudFormation fails with an error:

Execution logs are not supported on protocolType HTTP

I believe the presence of Properties.DefaultRouteSettings.LoggingLevel is actually optional; we can enable logging by simply specifying AccessLogSettings.

Expected Behavior

HTTP API gateways with logging enabled should pass the Kics validation.

Actual Behavior

Kics requires a setting to be added on the CloudFormation template that is only compatible with WebSocket API Gateways.

Steps to Reproduce the Problem

The test on https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml will only work for WebSocket API Gateways.

Specifications

  • Version: KICS v1.7.13
  • Platform: any
  • Subsystem: any
@jonathannaguin jonathannaguin added bug Something isn't working community Community contribution labels Mar 8, 2024
@github-actions github-actions bot added query New query feature cloudformation CloudFormation query aws PR related with AWS Cloud labels Mar 8, 2024
@gabriel-cx gabriel-cx changed the title bug(cloud formation): api_gateway_access_logging_disabled not working for HTTP API Gateways bug(cloudformation): api_gateway_access_logging_disabled not working for HTTP API Gateways Mar 8, 2024
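
A protocol-aware form of the check described in the report above, as an added example that is neither KICS's query nor part of the original issue. The function name, the constructed sample template and the rule that `LoggingLevel` is required only when the referenced API is `WEBSOCKET` are assumptions drawn from the report.

```python
# Added illustration, not KICS code; the templates in SAMPLE are constructed.
def stage_logging_findings(template):
    """Return {stage_name: [problems]} for each AWS::ApiGatewayV2::Stage."""
    resources = template.get("Resources", {})
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGatewayV2::Stage":
            continue
        props = res.get("Properties", {})
        problems = []
        # Access logging is valid for HTTP and WebSocket stages alike.
        if not props.get("AccessLogSettings", {}).get("DestinationArn"):
            problems.append("AccessLogSettings.DestinationArn missing")
        # Resolve the stage's API to read its protocol (only {"Ref": ...} handled).
        api_id = props.get("ApiId")
        ref = api_id.get("Ref") if isinstance(api_id, dict) else None
        protocol = resources.get(ref, {}).get("Properties", {}).get("ProtocolType")
        # Execution logging (LoggingLevel) is required only for WebSocket APIs;
        # an unresolved protocol is skipped here (assumption of this sketch).
        level = props.get("DefaultRouteSettings", {}).get("LoggingLevel")
        if protocol == "WEBSOCKET" and level in (None, "OFF"):
            problems.append("DefaultRouteSettings.LoggingLevel missing or OFF")
        findings[name] = problems
    return findings

LOGS = {"DestinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:example",
        "Format": "$context.requestId $context.status"}

def _api(protocol):
    return {"Type": "AWS::ApiGatewayV2::Api",
            "Properties": {"Name": "example", "ProtocolType": protocol}}

def _stage(api, **extra):
    return {"Type": "AWS::ApiGatewayV2::Stage",
            "Properties": {"ApiId": {"Ref": api}, "StageName": "prod", **extra}}

SAMPLE = {"Resources": {
    "HttpApi": _api("HTTP"),
    "WsApi": _api("WEBSOCKET"),
    "HttpStage": _stage("HttpApi", AccessLogSettings=LOGS),
    "HttpStageNoLogs": _stage("HttpApi"),
    "WsStage": _stage("WsApi", AccessLogSettings=LOGS),
    "WsStageFull": _stage("WsApi", AccessLogSettings=LOGS,
                          DefaultRouteSettings={"LoggingLevel": "ERROR"}),
}}

if __name__ == "__main__":
    for stage, problems in stage_logging_findings(SAMPLE).items():
        print(stage, "->", problems or "pass")
```
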
@jonathannaguin
Author

Are there any plans to get this resolved? This is blocking us from using a more recent version of Kics.

@Sudarshan-TN

Any fix for this issue?

@gabriel-cx
Contributor

Hi @jonathannaguin @Sudarshan-TN,

Thanks for your inputs!
We asked our internal AppSec team to provide you feedback on this.
We will keep you updated ASAP.

(APPSEC-2729)
