API Gateway deployment is configured for caching and cache is not enc…

…rypted. (#519) * #503 API Gateway stage is c onfigured for caching and cache is not encrypted. Only wan't to enforce encryption if cachig is enabled. * Update spec/custom_rules/ApiGatewayCacheEncryptedRule_spec.rb correct test message Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com> * Update spec/custom_rules/ApiGatewayCacheEncryptedRule_spec.rb correct test message Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com> * Update spec/custom_rules/ApiGatewayCacheEncryptedRule_spec.rb correct test message Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com> Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com>
stelligent · Feb 16, 2021 · ff23638 · ff23638
1 parent 170bb19
commit ff23638
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 0 deletions.
diff --git a/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb b/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ApiGatewayCacheEncryptedRule < BaseRule
+  def rule_text
+    'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
+    ' in StageDescription properties'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W87'
+  end
+
+  def audit_impl(cfn_model)
+    violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+      violating_deployment?(deployment)
+    end
+
+    violating_deployments.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_deployment?(deployment)
+    !deployment.stageDescription.nil? && truthy?(deployment.stageDescription['CachingEnabled']) \
+    && !truthy?(deployment.stageDescription['CacheDataEncrypted'])
+  end
+end
diff --git a/spec/custom_rules/ApiGatewayCacheEncryptedRule_spec.rb b/spec/custom_rules/ApiGatewayCacheEncryptedRule_spec.rb
@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule'
+
+describe ApiGatewayCacheEncryptedRule do
+  context 'Api Gateway has cache encryption enabled' do
+    it 'returns no violating resources' do
+      cfn_model = CfnParser.new.parse read_test_template('json/apigateway_cacheencrypted/apigateway_with_cache_encryption_enabled.json')
+
+      actual_logical_resource_ids = ApiGatewayCacheEncryptedRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'Api Gateway has no cache configured' do
+    it 'returns no violating resources' do
+      cfn_model = CfnParser.new.parse read_test_template('json/apigateway_cacheencrypted/apigateway_with_no_cache_enabled_missing_stagedescription.json')
+
+      actual_logical_resource_ids = ApiGatewayCacheEncryptedRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'Api Gateway with no cache encryption enabled' do
+    it 'returns violating resource ids' do
+      cfn_model = CfnParser.new.parse read_test_template('json/apigateway_cacheencrypted/apigateway_with_no_cache_encryption.json')
+
+      actual_logical_resource_ids = ApiGatewayCacheEncryptedRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[ApiGatewayWithCacheEncryptionDisabled ApiGatewayWithDefaultCacheEncryption]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+end
diff --git a/...st_templates/json/apigateway_cacheencrypted/apigateway_with_cache_encryption_enabled.json b/...st_templates/json/apigateway_cacheencrypted/apigateway_with_cache_encryption_enabled.json
@@ -0,0 +1,13 @@
+{
+	"Resources": {
+		"ApiGatewayWithCacheEncryption": {
+			"Type": "AWS::ApiGateway::Deployment",
+			"Properties": {
+				"StageDescription": {
+						"CachingEnabled": "true",
+						"CacheDataEncrypted": "true"
+				}
+			}
+		}
+	}
+}
diff --git a/.../apigateway_cacheencrypted/apigateway_with_no_cache_enabled_missing_stagedescription.json b/.../apigateway_cacheencrypted/apigateway_with_no_cache_enabled_missing_stagedescription.json
@@ -0,0 +1,10 @@
+{
+	"Resources": {
+		"ApiGatewayNoCacheEnabled": {
+			"Type": "AWS::ApiGateway::Deployment",
+			"Properties": {
+
+			}
+		}
+	}
+}
diff --git a/spec/test_templates/json/apigateway_cacheencrypted/apigateway_with_no_cache_encryption.json b/spec/test_templates/json/apigateway_cacheencrypted/apigateway_with_no_cache_encryption.json
@@ -0,0 +1,21 @@
+{
+	"Resources": {
+		"ApiGatewayWithCacheEncryptionDisabled": {
+			"Type": "AWS::ApiGateway::Deployment",
+			"Properties": {
+				"StageDescription": {
+						"CachingEnabled": "true",
+						"CacheDataEncrypted": "false"
+				}
+			}
+		},
+		"ApiGatewayWithDefaultCacheEncryption": {
+			"Type": "AWS::ApiGateway::Deployment",
+			"Properties": {
+				"StageDescription": {
+						"CachingEnabled": "true"
+				}
+			}
+		}
+	}
+}