package sam
import (
"github.com/aquasecurity/defsec/providers"
"github.com/aquasecurity/defsec/rules"
"github.com/aquasecurity/defsec/severity"
"github.com/aquasecurity/defsec/state"
)
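// CheckEnableStateMachineLogging reports SAM state machines whose logging
// configuration explicitly disables logging. The logging configuration is the
// audit trail for state machine executions, so a disabled configuration leaves
// suspicious activity hard to identify after the fact.
//
// Managed state machines with LoggingEnabled == false fail; every other managed
// state machine passes. Unmanaged state machines are skipped.
var CheckEnableStateMachineLogging = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0119",
		Provider:    providers.AWSProvider,
		Service:     "sam",
		ShortCode:   "enable-state-machine-logging",
		Summary:     "SAM State machine must have logging enabled",
		Impact:      "Without logging enabled it is difficult to identify suspicious activity",
		Resolution:  "Enable logging",
		Explanation: `Logging enables end-to-end debugging and analysis of all state machine activities.`,
		Links: []string{
			"https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-logging",
		},
		Severity: severity.Low,
	},
	// The check function walks every SAM state machine in the scanned state and
	// records one failed or passed result per managed state machine.
	func(s *state.State) (results rules.Results) {
		for _, stateMachine := range s.AWS.SAM.StateMachines {
			// Take a per-iteration copy: its address is handed to AddPassed below,
			// and before Go 1.22 the range variable is shared across iterations.
			stateMachine := stateMachine
			// presumably "unmanaged" means the resource is referenced but not
			// defined in the scanned input — confirm against the state package.
			if stateMachine.IsUnmanaged() {
				continue
			}
			// Only an explicit false is reported. A value that is unknown or
			// unresolvable falls through to the passed branch —
			// NOTE(review): confirm that is the intended default for this check.
			if stateMachine.LoggingConfiguration.LoggingEnabled.IsFalse() {
				// Finding message ends in a period; the earlier text had a stray
				// trailing comma.
				results.Add(
					"Logging is not enabled.",
					stateMachine.LoggingConfiguration.LoggingEnabled,
				)
			} else {
				results.AddPassed(&stateMachine)
			}
		}
		return
	},
)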