
Merge branch 'master' into M/Aws/Api-gateway-v2-access-logging
alphadev4 authored Jun 20, 2024
2 parents b135816 + 3284f67 commit 9274552
Showing 57 changed files with 4,403 additions and 6 deletions.
28 changes: 27 additions & 1 deletion exports.js
Expand Up @@ -27,6 +27,7 @@ module.exports = {
'apigatewayAuthorization' : require(__dirname + '/plugins/aws/apigateway/apigatewayAuthorization.js'),
'apigatewayV2Authorization' : require(__dirname + '/plugins/aws/apigateway/apigatewayV2Authorization.js'),
'apigatewayV2AccessLogging' : require(__dirname + '/plugins/aws/apigateway/apigatewayV2AccessLogging.js'),
'apigatewayRequestValidation' : require(__dirname + '/plugins/aws/apigateway/apigatewayRequestValidation.js'),

'restrictExternalTraffic' : require(__dirname + '/plugins/aws/appmesh/restrictExternalTraffic.js'),
'appmeshTLSRequired' : require(__dirname + '/plugins/aws/appmesh/appmeshTLSRequired.js'),
Expand Down Expand Up @@ -598,6 +599,7 @@ module.exports = {
's3ProtectionEnabled' : require(__dirname + '/plugins/aws/guardduty/s3ProtectionEnabled.js'),
'rdsProtectionEnabled' : require(__dirname + '/plugins/aws/guardduty/rdsProtectionEnabled.js'),
'exportedFindingsEncrypted' : require(__dirname + '/plugins/aws/guardduty/exportedFindingsEncrypted.js'),
'lambdaProtectionEnabled' : require(__dirname + '/plugins/aws/guardduty/lambdaProtectionEnabled.js'),

'workspacesVolumeEncryption' : require(__dirname + '/plugins/aws/workspaces/workspacesVolumeEncryption.js'),
'workSpacesHealthyInstances' : require(__dirname + '/plugins/aws/workspaces/workSpacesHealthyInstances.js'),
Expand All @@ -610,13 +612,16 @@ module.exports = {

'codebuildValidSourceProviders' : require(__dirname + '/plugins/aws/codebuild/codebuildValidSourceProviders.js'),
'projectArtifactsEncrypted' : require(__dirname + '/plugins/aws/codebuild/projectArtifactsEncrypted.js'),
'buildProjectEnvPriviligedMode' : require(__dirname + '/plugins/aws/codebuild/buildProjectEnvPriviligedMode.js'),
'codebuildProjectLoggingEnabled': require(__dirname + '/plugins/aws/codebuild/codebuildProjectLoggingEnabled.js'),

'codestarValidRepoProviders' : require(__dirname + '/plugins/aws/codestar/codestarValidRepoProviders.js'),
'codestarHasTags' : require(__dirname + '/plugins/aws/codestar/codestarHasTags.js'),

'pipelineArtifactsEncrypted' : require(__dirname + '/plugins/aws/codepipeline/pipelineArtifactsEncrypted.js'),

'dataStoreEncrypted' : require(__dirname + '/plugins/aws/healthlake/dataStoreEncrypted.js'),
'dataStoreHasTags' : require(__dirname + '/plugins/aws/healthlake/dataStoreHasTags.js'),

'codeartifactDomainEncrypted' : require(__dirname + '/plugins/aws/codeartifact/codeartifactDomainEncrypted.js'),

Expand All @@ -637,6 +642,8 @@ module.exports = {
'docDbHasTags' : require(__dirname + '/plugins/aws/documentDB/docDbHasTags.js'),
'docdbDeletionProtectionEnabled': require(__dirname + '/plugins/aws/documentDB/docdbDeletionProtectionEnabled.js'),
'docdbClusterBackupRetention' : require(__dirname + '/plugins/aws/documentDB/docdbClusterBackupRetention.js'),
'docdbCertificateRotated' : require(__dirname + '/plugins/aws/documentDB/docdbCertificateRotated.js'),
'docdbClusterProfilerEnabled' : require(__dirname + '/plugins/aws/documentDB/docdbClusterProfilerEnabled.js'),

'instanceMediaStreamsEncrypted' : require(__dirname + '/plugins/aws/connect/instanceMediaStreamsEncrypted.js'),
'instanceTranscriptsEncrypted' : require(__dirname + '/plugins/aws/connect/instanceTranscriptsEncrypted.js'),
Expand Down Expand Up @@ -690,7 +697,8 @@ module.exports = {
'opensearchCollectionCmkEncrypted': require(__dirname + '/plugins/aws/openSearchServerless/opensearchCollectionCmkEncrypted.js'),
'opensearchCollectionPublicAccess': require(__dirname + '/plugins/aws/openSearchServerless/opensearchCollectionPublicAccess.js'),

'securityHubEnabled' : require(__dirname + '/plugins/aws/securityhub/securityHubEnabled.js')
'securityHubEnabled' : require(__dirname + '/plugins/aws/securityhub/securityHubEnabled.js'),
'securityHubActiveFindings' : require(__dirname + '/plugins/aws/securityhub/securityHubActiveFindings.js'),
},
azure : {
'fileServiceEncryption' : require(__dirname + '/plugins/azure/storageaccounts/fileServiceEncryption.js'),
Expand Down Expand Up @@ -854,9 +862,14 @@ module.exports = {
'resourceAllowedLocations' : require(__dirname + '/plugins/azure/policyservice/resourceAllowedLocations.js'),
'resourceLocationMatch' : require(__dirname + '/plugins/azure/policyservice/resourceLocationMatch.js'),

'mysqlFlexibleServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerHasTags.js'),
'enforceMySQLSSLConnection' : require(__dirname + '/plugins/azure/mysqlserver/enforceMySQLSSLConnection.js'),
'mysqlFlexibleServersMinTls' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServersMinTls.js'),
'mysqlFlexibleServerVersion' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerVersion.js'),
'mysqlServerHasTags' : require(__dirname + '/plugins/azure/mysqlserver/mysqlServerHasTags.js'),
'mysqlFlexibleServerPublicAccess': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerPublicAccess.js'),
'mysqlFlexibleServerDignosticLogs': require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerDignosticLogs.js'),
'mysqlFlexibleServerIdentity' : require(__dirname + '/plugins/azure/mysqlserver/mysqlFlexibleServerIdentity.js'),

'logRetentionDays' : require(__dirname + '/plugins/azure/postgresqlserver/logRetentionDays.js'),
'connectionThrottlingEnabled' : require(__dirname + '/plugins/azure/postgresqlserver/connectionThrottlingEnabled.js'),
Expand Down Expand Up @@ -1111,6 +1124,7 @@ module.exports = {

'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
'eventHubNamespaceHasTags' : require(__dirname + '/plugins/azure/eventhub/eventHubNamespaceHasTags.js'),
'eventHubNamespaceAutoInflate' : require(__dirname + '/plugins/azure/eventhub/eventHubNamespaceAutoInflate.js'),
'eventHubLocalAuthDisabled' : require(__dirname + '/plugins/azure/eventhub/eventHubLocalAuthDisabled.js'),
'eventHubPublicAccess' : require(__dirname + '/plugins/azure/eventhub/eventHubPublicAccess.js'),
'eventHubNamespaceCmkEncrypted' : require(__dirname + '/plugins/azure/eventhub/eventHubNamespaceCmkEncrypted.js'),
Expand Down Expand Up @@ -1183,6 +1197,9 @@ module.exports = {

'batchAccountCmkEncrypted' : require(__dirname + '/plugins/azure/batchAccounts/batchAccountCmkEncrypted.js'),
'batchAccountDiagnosticLogs' : require(__dirname + '/plugins/azure/batchAccounts/batchAccountDiagnosticLogs.js'),
'batchAccountsAADEnabled' : require(__dirname + '/plugins/azure/batchAccounts/batchAccountsAADEnabled.js'),
'batchAccountsHasTags' : require(__dirname + '/plugins/azure/batchAccounts/batchAccountsHasTags.js'),
'batchAccountsPublicAccess' : require(__dirname + '/plugins/azure/batchAccounts/batchAccountsPublicAccess.js'),

'accountCMKEncrypted' : require(__dirname + '/plugins/azure/openai/accountCMKEncrypted.js'),
'accountManagedIdentity' : require(__dirname + '/plugins/azure/openai/accountManagedIdentity.js'),
Expand All @@ -1196,6 +1213,13 @@ module.exports = {
'workspaceManagedServicesCmk' : require(__dirname + '/plugins/azure/databricks/workspaceManagedServicesCmk.js'),
'workspaceManagedDiskCmk' : require(__dirname + '/plugins/azure/databricks/workspaceManagedDiskCmk.js'),
'workspaceHasTags' : require(__dirname + '/plugins/azure/databricks/workspaceHasTags.js'),

'workspaceManagedIdentity' : require(__dirname + '/plugins/azure/synapse/workspaceManagedIdentity.js'),
'synapseWorkspaceAdAuthEnabled' : require(__dirname + '/plugins/azure/synapse/synapseWorkspaceAdAuthEnabled.js'),
'synapseWorkspacPrivateEndpoint': require(__dirname + '/plugins/azure/synapse/synapseWorkspacPrivateEndpoint.js'),

'apiInstanceManagedIdentity' : require(__dirname + '/plugins/azure/apiManagement/apiInstanceManagedIdentity.js'),
'apiInstanceHasTags' : require(__dirname + '/plugins/azure/apiManagement/apiInstanceHasTags.js'),

},
github: {
Expand Down Expand Up @@ -1554,8 +1578,10 @@ module.exports = {
'instanceNodeCount' : require(__dirname + '/plugins/google/spanner/instanceNodeCount.js'),

'httpTriggerRequireHttps' : require(__dirname + '/plugins/google/cloudfunctions/httpTriggerRequireHttps.js'),
'functionDefaultServiceAccount' : require(__dirname + '/plugins/google/cloudfunctions/functionDefaultServiceAccount.js'),
'ingressAllTrafficDisabled' : require(__dirname + '/plugins/google/cloudfunctions/ingressAllTrafficDisabled.js'),
'cloudFunctionLabelsAdded' : require(__dirname + '/plugins/google/cloudfunctions/cloudFunctionLabelsAdded.js'),
'cloudFunctionOldRuntime' : require(__dirname + '/plugins/google/cloudfunctions/cloudFunctionOldRuntime.js'),
'functionAllUsersPolicy' : require(__dirname + '/plugins/google/cloudfunctions/functionAllUsersPolicy.js'),

'serverlessVPCAccess' : require(__dirname + '/plugins/google/cloudfunctions/serverlessVPCAccess.js'),
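Review bot: The new synapse entry `'workspaceManagedIdentity'` in the last azure hunk is generic enough to collide with another service's key in this one flat object literal, where a duplicate key raises no error and the later `require` silently replaces the earlier plugin — the databricks and machineLearning entries beside it already key on `workspace…`. Prefixing it like its sibling `synapseWorkspaceAdAuthEnabled`, i.e. `'synapseWorkspaceManagedIdentity' : require(__dirname + '/plugins/azure/synapse/workspaceManagedIdentity.js'),`, removes the risk. The keys and file names `synapseWorkspacPrivateEndpoint` and `mysqlFlexibleServerDignosticLogs` carry typos (`Workspac`, `Dignostic`) that become the public plugin ids, and renaming them is far cheaper before they ship than after. This rendering does not preserve which lines are added and which are context, so the mysql line may predate this merge.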
9 changes: 9 additions & 0 deletions helpers/aws/api.js
Expand Up @@ -1559,6 +1559,9 @@ var calls = {
describeHub: {
property:'',
paginate: 'NextToken'
},
getFindings: {
paginate: 'NextToken'
}
},
SageMaker: {
Expand Down Expand Up @@ -1848,6 +1851,12 @@ var postcalls = [
reliesOnCall: 'getRestApis',
filterKey: 'restApiId',
filterValue: 'id'
},
getRequestValidators: {
reliesOnService: 'apigateway',
reliesOnCall: 'getRestApis',
filterKey: 'restApiId',
filterValue: 'id'
}
},
ApiGatewayV2: {
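Review bot: The new `getFindings` entry in the SecurityHub block declares only `paginate: 'NextToken'`, so a collection run walks every finding in the account — archived and resolved ones included — before the `securityHubActiveFindings` plugin gets to filter, which on accounts with a large finding history means many paginated calls and a real throttling risk. If the collector supports request params for a call, narrowing server-side through the GetFindings `Filters` parameter (for example on `RecordState` and `WorkflowStatus`) would bound the result set; I cannot see from this hunk whether such a key exists. The sibling `describeHub` sets `property: ''` while the new entry omits it — confirm the omission is intentional and not a missing field. The same entry is added verbatim in helpers/aws/api_multipart.js, where both points apply equally.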
9 changes: 9 additions & 0 deletions helpers/aws/api_multipart.js
Expand Up @@ -1044,6 +1044,9 @@ var calls = [
describeHub: {
property: '',
paginate: 'NextToken'
},
getFindings: {
paginate: 'NextToken'
}
},
Transfer: {
Expand Down Expand Up @@ -1199,6 +1202,12 @@ var postcalls = [
reliesOnCall: 'getRestApis',
filterKey: 'restApiId',
filterValue: 'id'
},
getRequestValidators: {
reliesOnService: 'apigateway',
reliesOnCall: 'getRestApis',
filterKey: 'restApiId',
filterValue: 'id'
}
},
AppConfig: {
17 changes: 16 additions & 1 deletion helpers/azure/api.js
Expand Up @@ -530,6 +530,11 @@ var calls = {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Databricks/workspaces?api-version=2023-02-01'
}
},
apiManagementService: {
list: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/service?api-version=2022-08-01'
}
},
// For CIEM
aad: {
listRoleAssignments: {
Expand Down Expand Up @@ -564,6 +569,11 @@ var calls = {

}
},
synapse: {
listWorkspaces: {
url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Synapse/workspaces?api-version=2021-06-01'
}
}

};

Expand Down Expand Up @@ -1261,7 +1271,12 @@ var tertiarycalls = {
reliesOnPath: 'batchAccounts.list',
properties: ['id'],
url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
}
},
listByMysqlFlexibleServer: {
reliesOnPath: 'servers.listMysqlFlexibleServer',
properties: ['id'],
url: 'https://management.azure.com/{id}/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview'
},
},
backupShortTermRetentionPolicies: {
listByDatabase: {
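Review bot: The new `synapse` block is appended after `aad`, which sits under the `// For CIEM` comment; if that comment heads a group, a reader now takes `listWorkspaces` for a CIEM call, so placing it beside the new `apiManagementService` entry before the comment keeps the grouping honest. In `tertiarycalls`, `listByMysqlFlexibleServer` repeats the diagnosticSettings URL already used by the batchAccounts entry directly above it; hoisting the `/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview` suffix into one constant keeps that api-version in a single place for the next bump. `reliesOnPath: 'servers.listMysqlFlexibleServer'` refers to a call outside this hunk — confirm the name matches the `servers` entry exactly, since a mismatch would fail silently as an empty dependency rather than as an error.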
4 changes: 3 additions & 1 deletion helpers/azure/locations.js
Expand Up @@ -134,5 +134,7 @@ module.exports = {
databricks: locations,
containerApps: locations,
batchAccounts: locations,
machineLearning: locations
machineLearning: locations,
apiManagementService: locations,
synapse: locations
};
4 changes: 3 additions & 1 deletion helpers/azure/locations_gov.js
Expand Up @@ -84,5 +84,7 @@ module.exports = {
publicIpAddresses: locations,
computeGalleries: locations,
databricks: locations,
containerApps: locations
containerApps: locations,
apiManagementService: locations,
synapse: locations
};
3 changes: 3 additions & 0 deletions helpers/azure/resources.js
Expand Up @@ -306,5 +306,8 @@ module.exports = {
},
machineLearning: {
listWorkspaces: 'id'
},
apiManagementService: {
list: 'id'
}
};
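Review bot: `synapse` gets no entry here although this commit registers `synapse.listWorkspaces` in helpers/azure/api.js and both locations files, while the other new service, `apiManagementService.list`, is mapped to `'id'`. If the plugins rely on this map to resolve resource ids, the Synapse workspace results will lack one; adding `synapse: { listWorkspaces: 'id' }` next to the `machineLearning: { listWorkspaces: 'id' }` entry directly above would match the pattern. I cannot tell from this hunk whether the map is required for every service or only some, so treat this as a consistency check.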
72 changes: 72 additions & 0 deletions plugins/aws/apigateway/apigatewayRequestValidation.js
@@ -0,0 +1,72 @@
var async = require('async');
var helpers = require('../../../helpers/aws');

module.exports = {
title: 'API Gateway Request Validation',
category: 'API Gateway',
domain: 'Availability',
severity: 'Medium',
description: 'Ensures that Amazon API Gateway method has request validation enabled.',
more_info: 'Enabling request validation for API Gateway allows to perform basic validation of an API request before proceeding with the integration request and publishes the validation results in CloudWatch Logs. When request validation fails, API Gateway immediately fails the request reducing unnecessary calls to the backend.',
recommended_action: 'Modify API Gateway configuration and ensure that appropriate request validators are set for each API.',
link: 'https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-method-request-validation.html',
apis: ['APIGateway:getRestApis', 'APIGateway:getRequestValidators'],
realtime_triggers: ['apigateway:CreateRestApi','apigateway:DeleteRestApi','apigateway:ImportRestApi','apigateway:CreateRequestValidator','apigateway:UpdateRequestValidator','apigateway:DeleteRequestValidator'],

run: function(cache, settings, callback) {
var results = [];
var source = {};
var regions = helpers.regions(settings);
var awsOrGov = helpers.defaultPartition(settings);

async.each(regions.apigateway, function(region, rcb){
var getRestApis = helpers.addSource(cache, source,
['apigateway', 'getRestApis', region]);

if (!getRestApis) return rcb();

if (getRestApis.err || !getRestApis.data) {
helpers.addResult(results, 3,
`Unable to query for API Gateway Rest APIs: ${helpers.addError(getRestApis)}`, region);
return rcb();
}

if (!getRestApis.data.length) {
helpers.addResult(results, 0, 'No API Gateway Rest APIs found', region);
return rcb();
}

getRestApis.data.forEach(api => {
if (!api.id) return;

var apiArn = `arn:${awsOrGov}:apigateway:${region}::/restapis/${api.id}`;

var getRequestValidators = helpers.addSource(cache, source,
['apigateway', 'getRequestValidators', region, api.id]);

if (!getRequestValidators || getRequestValidators.err || !getRequestValidators.data || !getRequestValidators.data.items) {
helpers.addResult(results, 3,
`Unable to query for API Gateway Request Validators: ${helpers.addError(getRequestValidators)}`,
region, apiArn);
return;
}

if (!getRequestValidators.data.items.length) {
helpers.addResult(results, 2,
'No request validators found for API Gateway Rest API',
region, apiArn);
} else {
helpers.addResult(results, 0,
'Request validators found for API Gateway Rest API',
region, apiArn);
}
});

rcb();
}, function() {
callback(null, results, source);
});
}
};
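Review bot: The check at `if (!getRequestValidators.data.items.length)` passes an API as soon as any validator object exists, but a validator with both `validateRequestBody` and `validateRequestParameters` set to false validates nothing, and one that no method references through its `requestValidatorId` is equally inert — so the PASS message overstates what was verified, and the title and description speak of methods while only the API-level validator list is inspected. Counting only validators that enable something is a two-line change: `var active = getRequestValidators.data.items.filter(v => v.validateRequestBody || v.validateRequestParameters);` followed by `if (!active.length) {` in place of the length test, with the FAIL message adjusted to say "No active request validators". Method attachment would need the method resources, which this plugin does not fetch, so at minimum `description` should state that the check is at the validator-definition level. A short header comment on `run` noting that `getRequestValidators` is keyed per `api.id` (the postcall filter in helpers/aws/api.js) would also help the next reader.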

