bug(cloudformation): api_gateway_access_logging_disabled not working for HTTP API Gateways #6944
Labels
aws
PR related with AWS Cloud
bug
Something isn't working
cloudformation
CloudFormation query
community
Community contribution
query
New query feature
Comments
jonathannaguin
added
bug
github-actions
bot
added
query
gabriel-cx
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A recent change in Kics 8ac0687 introduced a check for
DefaultRouteSettingsonAWS::ApiGatewayV2::Stage. This check expects a value onProperties.DefaultRouteSettings.LoggingLevelwhich is a field that can be ONLY set for non-HTTP API Gateways.If we try to set it, then CloudFormation fails with an error:
I believe the presence of
Properties.DefaultRouteSettings.LoggingLevelis actually optional, we can enable logging by simply specifyingAccessLogSettings.Expected Behavior
HTTP API gateways with logging enabled should pass the Kics validation.
Actual Behavior
Kics requires a setting to be added on the CloudFormation template that is only compatible with WebSocket API Gateways.
Steps to Reproduce the Problem
The test on https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml will only work for Web Sockets API Gateways.
Specifications
The text was updated successfully, but these errors were encountered: