bug(cloudformation): api_gateway_access_logging_disabled not working for HTTP API Gateways

Open jonathannaguin opened this issue 11 months ago • 3 comments

A recent change in Kics https://github.com/Checkmarx/kics/commit/8ac0687178361a1655245f6c9cafcdcb4360ed5c introduced a check for DefaultRouteSettings on AWS::ApiGatewayV2::Stage. This check expects a value on Properties.DefaultRouteSettings.LoggingLevel, which is a field that can ONLY be set for non-HTTP API Gateways. If we try to set it, then CloudFormation fails with an error:

Execution logs are not supported on protocolType HTTP

I believe the presence of Properties.DefaultRouteSettings.LoggingLevel is actually optional; we can enable logging by simply specifying AccessLogSettings.

Expected Behavior

HTTP API gateways with logging enabled should pass the Kics validation.

Actual Behavior

Kics requires a setting to be added on the CloudFormation template that is only compatible with WebSocket API Gateways.

Steps to Reproduce the Problem

The test on https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml will only work for Web Sockets API Gateways.

Specifications

  • Version: KICS v1.7.13
  • Platform: any
  • Subsystem: any

jonathannaguin avatar Mar 08 '24 17:03 jonathannaguin
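
The behaviour requested in the issue above, as an added sketch in Python (not KICS's Rego query and not code from this thread): a protocol-aware check that requires `AccessLogSettings` on every `AWS::ApiGatewayV2::Stage` and requires `DefaultRouteSettings.LoggingLevel` only when the referenced API is not `HTTP`. The function names, finding messages and sample templates are constructed for illustration, and treating `OFF` as unset is an assumption.

```python
# Added illustration; templates are plain dicts as a parsed CloudFormation file would yield.

def resolve_protocol(template, stage_props):
    """Follow ApiId: {Ref: <logical id>} to the API's ProtocolType, else None."""
    api_id = stage_props.get("ApiId")
    if isinstance(api_id, dict) and "Ref" in api_id:
        api = template.get("Resources", {}).get(api_id["Ref"], {})
        if api.get("Type") == "AWS::ApiGatewayV2::Api":
            return api.get("Properties", {}).get("ProtocolType")
    return None  # imported or hard-coded ApiId: protocol unknown


def stage_findings(template):
    """Return (logical id, message) for each stage whose logging is incomplete."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ApiGatewayV2::Stage":
            continue
        props = res.get("Properties", {})
        if not props.get("AccessLogSettings", {}).get("DestinationArn"):
            findings.append((name, "AccessLogSettings is not configured"))
            continue
        # CloudFormation rejects LoggingLevel on HTTP APIs, so it is only
        # demanded for other protocols; an unknown protocol stays strict.
        if resolve_protocol(template, props) == "HTTP":
            continue
        level = props.get("DefaultRouteSettings", {}).get("LoggingLevel")
        if level in (None, "OFF"):  # assumption: OFF counts as not enabled
            findings.append((name, "DefaultRouteSettings.LoggingLevel is not set"))
    return findings


# Constructed sample input.
ACCESS = {"DestinationArn": {"Fn::GetAtt": ["LogGroup", "Arn"]},
          "Format": "$context.requestId $context.status"}


def sample(protocol, **stage_extra):
    """Build a minimal template with one API and one stage (constructed)."""
    stage = {"ApiId": {"Ref": "Api"}, "StageName": "prod", **stage_extra}
    return {"Resources": {
        "Api": {"Type": "AWS::ApiGatewayV2::Api",
                "Properties": {"Name": "demo", "ProtocolType": protocol}},
        "Stage": {"Type": "AWS::ApiGatewayV2::Stage", "Properties": stage}}}


if __name__ == "__main__":
    print(stage_findings(sample("HTTP", AccessLogSettings=ACCESS)))
    print(stage_findings(sample("WEBSOCKET", AccessLogSettings=ACCESS)))
```
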

Are there any plans on getting this resolved? This is blocking us from using a more recent version of Kics.

jonathannaguin avatar May 24 '24 10:05 jonathannaguin

Any fix for this issue?

Sudarshan-TN avatar May 24 '24 10:05 Sudarshan-TN

Hi @jonathannaguin @Sudarshan-TN ,

Thanks for your inputs! We asked our internal AppSec team to provide you feedback on this. We will keep you updated asap.

(APPSEC-2729)

gabriel-cx avatar May 28 '24 15:05 gabriel-cx