prowler-cloud 5.12.3__py3-none-any.whl → 5.13.0__py3-none-any.whl

prowler/providers/aws/services/apigateway/apigateway_restapi_authorizers_enabled/apigateway_restapi_authorizers_enabled.metadata.json

@@ -1,35 +1,42 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_authorizers_enabled",
-  "CheckTitle": "Check if API Gateway has configured authorizers at api or method level.",
-  "CheckAliases": [
-    "apigateway_authorizers_enabled"
-  ],
+  "CheckTitle": "API Gateway REST API has an authorizer at API level or all methods are authorized",
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway has configured authorizers at api or method level.",
-  "Risk": "If no authorizer is enabled anyone can use the service.",
+  "Description": "**API Gateway REST APIs** are evaluated for **access control**: an **API-level authorizer** is present, or all resource methods use an authorization mechanism. Methods marked `NONE` indicate unauthenticated access.",
+  "Risk": "**Unauthenticated API methods** enable:\n- Arbitrary reads exposing data (**confidentiality**)\n- Unauthorized actions against backends (**integrity**)\n- Abuse and high traffic causing cost spikes or outages (**availability**)\n\nAttackers can enumerate endpoints and invoke integrations without tokens.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/aws/public-policies/public_6-api-gateway-authorizer-set#cloudformation",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/public-policies/public_6-api-gateway-authorizer-set#terraform"
+      "NativeIaC": "```yaml\n# CloudFormation: set method authorization so it's not public\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::Method\n    Properties:\n      RestApiId: <example_resource_id>\n      ResourceId: <example_resource_id>\n      HttpMethod: GET\n      AuthorizationType: AWS_IAM  # Critical: authorizes the method (not NONE)\n```",
+      "Other": "1. In the AWS Console, go to API Gateway > APIs (REST) and select your API\n2. Open Resources, select a resource, then select a method (e.g., GET)\n3. Click Method Request\n4. Set Authorization to AWS_IAM (or an existing Cognito/Lambda authorizer)\n5. Repeat for every method so none show Authorization = NONE\n6. Deploy the API to apply changes",
+      "Terraform": "```hcl\n# Terraform: set method authorization so it's not public\nresource \"aws_api_gateway_method\" \"<example_resource_name>\" {\n  rest_api_id  = \"<example_resource_id>\"\n  resource_id  = \"<example_resource_id>\"\n  http_method  = \"GET\"\n  authorization = \"AWS_IAM\" # Critical: authorizes the method (not NONE)\n}\n```"
     },
     "Recommendation": {
-      "Text": "Implement Amazon Cognito or a Lambda function to control access to your API.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
+      "Text": "Require **authentication** on every method: use **Cognito user pools**, **Lambda authorizers**, or **IAM**; avoid `NONE`.\n- Enforce **least privilege** with scoped policies\n- Use **private endpoints** or resource policies for internal APIs\n- Add **rate limiting** and **WAF** for defense in depth",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_authorizers_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_authorizers_enabled"
+  ]
 }

prowler/providers/aws/services/apigateway/apigateway_restapi_cache_encrypted/apigateway_restapi_cache_encrypted.metadata.json

@@ -1,28 +1,38 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_cache_encrypted",
-  "CheckTitle": "Check if API Gateway REST API cache data is encrypted at rest.",
+  "CheckTitle": "API Gateway REST API stage cache data is encrypted at rest",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "apigateway",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:apigateway:region:account-id:/restapis/restapi-id/stages/stage-name",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsApiGatewayStage",
-  "Description": "This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.",
-  "Risk": "Without encryption, cached data in API Gateway REST APIs may be vulnerable to unauthorized access, potentially exposing sensitive information to users not authenticated to AWS.",
-  "RelatedUrl": "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html#enable-api-gateway-caching",
+  "Description": "API Gateway REST API stages with caching have **cache data encrypted at rest**. The evaluation targets stages where caching is enabled and verifies that stored responses are protected via the `Encrypt cache data` setting.",
+  "Risk": "Unencrypted cache contents can expose response payloads, tokens, or PII if cache storage, backups, or admin tooling are accessed outside normal controls, harming **confidentiality** and enabling replay or session hijacking.\n\nDisclosure also reveals API patterns, aiding **lateral movement** and targeted abuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.clouddefense.ai/compliance-rules/nist-800-53-5/au/apigateway-stage-cache-encryption-at-rest-enabled",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html#enable-api-gateway-caching",
+    "https://support.icompaas.com/support/solutions/articles/62000233641-ensure-api-gateway-rest-api-cache-data-is-encrypted-at-rest",
+    "https://docs.fortifyfox.com/docs/aws-foundational-security-best-practices/apigateway/api-gw-cache-encrypted/index.html",
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5",
+    "https://www.clouddefense.ai/compliance-rules/aws-fs-practices/apigateway/foundational-security-apigateway-5",
+    "https://www.cloudanix.com/docs/aws/audit/apigatewaymonitoring/rules/apigateway_enable_encryption_api_cache"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "aws apigateway update-stage --rest-api-id <restapi-id> --stage-name <stage-name> --patch-operations op=replace,path=/<resourcePath>/<httpMethod>/caching/enabled,value=true op=replace,path=/<resourcePath>/<httpMethod>/caching/dataEncrypted,value=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-5",
-      "Terraform": ""
+      "CLI": "aws apigateway update-stage --rest-api-id <restapi-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/caching/dataEncrypted,value=true",
+      "NativeIaC": "```yaml\n# CloudFormation: enable encryption for all cached methods in a stage\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::Stage\n    Properties:\n      StageName: <example_resource_name>\n      RestApiId: <example_resource_id>\n      DeploymentId: <example_resource_id>\n      MethodSettings:\n        - ResourcePath: /*\n          HttpMethod: \"*\"\n          CacheDataEncrypted: true  # Critical: encrypt cached responses at rest for all methods\n```",
+      "Other": "1. Open the AWS Console and go to API Gateway\n2. Select your REST API, then click Stages and choose the affected stage\n3. In Method overrides (or Cache settings), enable Encrypt cache data\n4. Save changes",
+      "Terraform": "```hcl\n# Enable encryption for all cached methods in the stage\nresource \"aws_api_gateway_stage\" \"<example_resource_name>\" {\n  rest_api_id   = \"<example_resource_id>\"\n  stage_name    = \"<example_resource_name>\"\n  deployment_id = \"<example_resource_id>\"\n\n  method_settings {\n    resource_path        = \"/*\"\n    http_method          = \"*\"\n    cache_data_encrypted = true  # Critical: encrypt cached responses at rest\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure that API Gateway REST API cache data is encrypted at rest by enabling the 'Encrypt cache data' setting in the API Gateway stage configuration.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html#enable-api-gateway-caching"
+      "Text": "- Enable **encryption at rest** for any cached stage (`Encrypt cache data`).\n- Apply **least privilege** to stage administration and cache invalidation.\n- Avoid caching sensitive endpoints; use short TTLs and scheduled cache flushes for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_cache_encrypted"
     }
   },
   "Categories": [

prowler/providers/aws/services/apigateway/apigateway_restapi_client_certificate_enabled/apigateway_restapi_client_certificate_enabled.metadata.json

@@ -1,35 +1,43 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_client_certificate_enabled",
-  "CheckTitle": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
-  "CheckAliases": [
-    "apigateway_client_certificate_enabled"
-  ],
+  "CheckTitle": "API Gateway REST API stage has client certificate enabled",
   "CheckType": [
-    "Data Protection"
+    "Software and Configuration Checks/AWS Security Best Practices/Encryption in Transit",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+    "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
-  "Risk": "Possible man in the middle attacks and other similar risks.",
+  "ResourceType": "AwsApiGatewayStage",
+  "Description": "**API Gateway stage** has a **client certificate** configured so HTTP/S integrations can perform **mutual TLS** and authenticate API Gateway to the backend",
+  "Risk": "Without client authentication to the backend, requests cannot be proven to originate from API Gateway. Direct calls to the backend may bypass gateway policies, enabling unauthorized access and data tampering. This degrades **integrity** and **confidentiality** and reduces auditability.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws apigateway update-stage --rest-api-id <REST_API_ID> --stage-name <STAGE_NAME> --patch-operations op=replace,path=/clientCertificateId,value=<CLIENT_CERT_ID>",
+      "NativeIaC": "```yaml\n# CloudFormation: attach a client certificate to a REST API stage\nResources:\n  ClientCert:\n    Type: AWS::ApiGateway::ClientCertificate\n\n  ApiStage:\n    Type: AWS::ApiGateway::Stage\n    Properties:\n      StageName: <example_resource_name>\n      RestApiId: <example_resource_id>\n      DeploymentId: <example_resource_id>\n      ClientCertificateId: !Ref ClientCert  # Critical: enables client certificate on the stage\n```",
+      "Other": "1. In the AWS Console, go to API Gateway > REST APIs and select your API\n2. In the left menu, click Client Certificates and create one (Generate)\n3. In the left menu, click Stages and select the target stage\n4. In Settings, find Client certificate and select the created certificate\n5. Click Save Changes",
+      "Terraform": "```hcl\n# Terraform: attach a client certificate to a REST API stage\nresource \"aws_api_gateway_client_certificate\" \"example\" {}\n\nresource \"aws_api_gateway_stage\" \"<example_resource_name>\" {\n  stage_name          = \"<example_resource_name>\"\n  rest_api_id         = \"<example_resource_id>\"\n  deployment_id       = \"<example_resource_id>\"\n  client_certificate_id = aws_api_gateway_client_certificate.example.id  # Critical: enables client certificate on the stage\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. It is used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.",
-      "Url": "https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/"
+      "Text": "Enable **mutual TLS** from API Gateway to the backend with a **client certificate**, and configure the backend to trust only that identity. Apply **zero trust** and **least privilege**: block public access to the backend, restrict networks, rotate certificates, and monitor authentication failures.",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_client_certificate_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "encryption"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_client_certificate_enabled"
+  ]
 }

prowler/providers/aws/services/apigateway/apigateway_restapi_logging_enabled/apigateway_restapi_logging_enabled.metadata.json

@@ -1,38 +1,49 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_logging_enabled",
-  "CheckTitle": "Check if API Gateway Stage has logging enabled.",
-  "CheckAliases": [
-    "apigateway_logging_enabled"
-  ],
+  "CheckTitle": "API Gateway REST API stage has logging enabled",
   "CheckType": [
-    "Logging and Monitoring"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Defense Evasion"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway Stage has logging enabled.",
-  "Risk": "If not enabled, monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.",
+  "ResourceType": "AwsApiGatewayStage",
+  "Description": "**API Gateway REST API stages** with **stage logging** enabled to emit execution or access logs to CloudWatch",
+  "Risk": "Without stage logging, API activity lacks visibility, hindering detection of abuse and incident response.\nAttackers can probe endpoints, exfiltrate data, or tamper integrations without traces, impacting confidentiality, integrity, and availability and blocking forensic investigation.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/cloudwatch-logs.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
+    "https://repost.aws/knowledge-center/api-gateway-cloudwatch-logs",
+    "https://repost.aws/knowledge-center/api-gateway-missing-cloudwatch-logs",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/view-cloudwatch-log-events-in-cloudwatch-console.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/ensure-api-gateway-stage-have-logging-level-defined-as-appropiate#terraform"
+      "CLI": "aws apigateway update-stage --rest-api-id <REST_API_ID> --stage-name <STAGE_NAME> --patch-operations op=replace,path='/*/*/logging/loglevel',value=ERROR",
+      "NativeIaC": "```yaml\n# CloudFormation: enable execution logging on a REST API stage\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::Stage\n    Properties:\n      StageName: <example_resource_name>\n      RestApiId: <example_resource_id>\n      DeploymentId: <example_resource_id>\n      MethodSettings:\n        - ResourcePath: \"/*\"\n          HttpMethod: \"*\"\n          LoggingLevel: ERROR  # CRITICAL: turns on execution logging for all methods\n```",
+      "Other": "1. In the API Gateway console, open Settings and set CloudWatch log role ARN if prompted\n2. Go to APIs > select your REST API > Stages > select the stage\n3. Click Logs and tracing > CloudWatch Logs > choose Errors only (or Errors and info)\n4. Save changes",
+      "Terraform": "```hcl\n# Enable execution logging for all methods in a REST API stage\nresource \"aws_api_gateway_method_settings\" \"<example_resource_name>\" {\n  rest_api_id = \"<example_resource_id>\"\n  stage_name  = \"<example_resource_name>\"\n  method_path = \"*/*\"\n  settings {\n    logging_level = \"ERROR\"  # CRITICAL: enables stage execution logging\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
+      "Text": "Enable **CloudWatch Logs** for all API Gateway stages, using `ERROR` or `INFO` as appropriate. Include request IDs (e.g., `$context.requestId`). Enforce **least privilege** on logs, set **retention** and **alerts** for anomalies. Avoid sensitive data in logs and use **defense in depth** with tracing.",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_logging_enabled"
     }
   },
   "Categories": [
-    "forensics-ready",
-    "logging"
+    "logging",
+    "forensics-ready"
   ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_logging_enabled"
+  ]
 }

prowler/providers/aws/services/apigateway/apigateway_restapi_public/apigateway_restapi_public.metadata.json

@@ -1,31 +1,36 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_public",
-  "CheckTitle": "Check if API Gateway endpoint is public or private.",
-  "CheckAliases": [
-    "apigateway_public"
-  ],
+  "CheckTitle": "API Gateway REST API endpoint is private",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+    "TTPs/Initial Access"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway endpoint is public or private.",
-  "Risk": "If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.",
+  "Description": "**Amazon API Gateway REST APIs** are evaluated for endpoint exposure: **internet-accessible** endpoints versus **private VPC-only** access via interface VPC endpoints (`AWS PrivateLink`).",
+  "Risk": "Internet exposure increases attack surface:\n- **Confidentiality**: misconfigured or anonymous methods can leak data\n- **Integrity**: unauthorized calls can change backend state\n- **Availability/cost**: bots or DDoS can exhaust capacity and spike spend",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws apigateway update-rest-api --rest-api-id <REST_API_ID> --patch-operations op=replace,path=/endpointConfiguration/types/0,value=PRIVATE",
+      "NativeIaC": "```yaml\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::RestApi\n    Properties:\n      Name: <example_resource_name>\n      EndpointConfiguration:\n        Types:\n          - PRIVATE  # Critical: sets the REST API endpoint to Private, removing public access\n```",
+      "Other": "1. Open the AWS console and go to API Gateway\n2. Under REST APIs, select your API\n3. In the left menu, click Settings\n4. Set Endpoint Type to Private\n5. Click Save changes",
+      "Terraform": "```hcl\nresource \"aws_api_gateway_rest_api\" \"<example_resource_name>\" {\n  name = \"<example_resource_name>\"\n\n  endpoint_configuration {\n    types = [\"PRIVATE\"]  # Critical: makes the REST API private\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Verify that any public Api Gateway is protected and audited. Detective controls for common risks should be implemented.",
-      "Url": "https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6"
+      "Text": "Prefer **private** REST APIs reachable via interface VPC endpoints (`PRIVATE`).\n\n*If public access is required*, apply **least privilege** and **defense in depth**:\n- Restrict with resource policies (`aws:SourceVpc`/`aws:SourceVpce`)\n- Enforce strong auth (IAM, Cognito, or authorizers)\n- Add AWS WAF, throttling, usage plans, and comprehensive logging",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_public"
     }
   },
   "Categories": [
@@ -33,5 +38,8 @@
   ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_public"
+  ]
 }

prowler/providers/aws/services/apigateway/apigateway_restapi_public_with_authorizer/apigateway_restapi_public_with_authorizer.metadata.json

@@ -1,37 +1,50 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_public_with_authorizer",
-  "CheckTitle": "Check if API Gateway public endpoint has an authorizer configured.",
-  "CheckAliases": [
-    "apigateway_public_with_authorizer"
-  ],
+  "CheckTitle": "API Gateway REST API with a public endpoint has an authorizer configured",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+    "TTPs/Initial Access/Unauthorized Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway public endpoint has an authorizer configured.",
-  "Risk": "If accessible from internet without restrictions opens up attack / abuse surface for any malicious user.",
-  "RelatedUrl": "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html",
+  "Description": "**API Gateway REST APIs** exposed to the Internet are evaluated for an attached **authorizer** that enforces caller identity (Lambda authorizer or Cognito user pool) on method invocations.\n\nFocus is on whether public endpoints require authenticated requests rather than accepting anonymous calls.",
+  "Risk": "Without an **authorizer** on a public API, anonymous callers can:\n- Read or alter data (confidentiality/integrity)\n- Trigger backend actions, impacting systems\n- Abuse traffic, degrading availability and inflating costs\n\nEndpoint enumeration also enables broader discovery and lateral movement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.icompaas.com/support/solutions/articles/62000233640-check-if-api-gateway-public-endpoint-has-an-authorizer-configured",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html",
+    "https://api7.ai/blog/secure-rest-api-in-aws-api-gateway",
+    "https://supertokens.com/blog/lambda-authorizers",
+    "https://clerk.com/blog/how-to-secure-api-gateway-using-jwt-and-lambda-authorizers-with-clerk",
+    "https://aws.plainenglish.io/6-rest-api-security-best-practices-you-can-achieve-with-amazon-api-gateway-2-authentication-62b5171989bd",
+    "https://stackoverflow.com/questions/68512642/how-to-configure-aws-api-gateway-without-authorizer",
+    "https://auth0.com/docs/customize/integrations/aws/aws-api-gateway-custom-authorizers"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws apigateway create-authorizer --rest-api-id <rest_api_id> --name <example_resource_name> --type TOKEN --authorizer-uri arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<account-id>:function:<example_resource_name>/invocations --identity-source 'method.request.header.Authorization'",
+      "NativeIaC": "```yaml\n# CloudFormation: Create a minimal Lambda TOKEN authorizer for a public REST API\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::Authorizer\n    Properties:\n      Name: <example_resource_name>\n      RestApiId: <example_resource_id>\n      Type: TOKEN  # Critical: adds an authorizer to the REST API\n      IdentitySource: method.request.header.Authorization  # Critical: header to read token from\n      AuthorizerUri: arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<account-id>:function/<example_resource_name>/invocations  # Critical: Lambda authorizer function URI\n```",
+      "Other": "1. In the AWS Console, open API Gateway and select your REST API\n2. In the left pane, click Authorizers > Create authorizer\n3. Choose Lambda (TOKEN) or Cognito User Pool\n4. For Lambda: select the function and set Identity source to method.request.header.Authorization; for Cognito: select the user pool\n5. Click Create authorizer to add it to the API",
+      "Terraform": "```hcl\n# Terraform: Minimal Lambda TOKEN authorizer for API Gateway REST API\nresource \"aws_api_gateway_authorizer\" \"<example_resource_name>\" {\n  name            = \"<example_resource_name>\"\n  rest_api_id     = \"<example_resource_id>\"\n  type            = \"TOKEN\"  # Critical: enables a Lambda authorizer on the REST API\n  identity_source = \"method.request.header.Authorization\"  # Critical: header to read token\n  authorizer_uri  = \"arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<account-id>:function/<example_resource_name>/invocations\"  # Critical: Lambda authorizer function URI\n}\n```"
     },
     "Recommendation": {
-      "Text": "Verify that any public API Gateway is protected and audited. Detective controls for common risks should be implemented.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html"
+      "Text": "Enforce **authentication** on all Internet-facing APIs by attaching an **authorizer** (Cognito user pool or Lambda) that validates tokens and scopes.\n\nApply defense in depth:\n- Restrictive resource policies and IP controls\n- WAF, throttling, quotas, rate limits\n- Least-privilege backend access and comprehensive logging",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_public_with_authorizer"
     }
   },
   "Categories": [
-    "internet-exposed"
+    "internet-exposed",
+    "identity-access"
   ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_public_with_authorizer"
+  ]
 }

prowler/providers/aws/services/apigateway/apigateway_restapi_tracing_enabled/apigateway_restapi_tracing_enabled.metadata.json

@@ -1,31 +1,39 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_tracing_enabled",
-  "CheckTitle": "Check if AWS X-Ray tracing is enabled for API Gateway REST API stages.",
+  "CheckTitle": "API Gateway REST API stage has X-Ray tracing enabled",
   "CheckType": [
-    "Software and Configuration Checks/AWS Security Best Practices"
+    "Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "apigateway",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:aws:apigateway:region:account-id:/restapis/restapi-id/stages/stage-name",
+  "ResourceIdTemplate": "",
   "Severity": "low",
   "ResourceType": "AwsApiGatewayStage",
-  "Description": "This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.",
-  "Risk": "Without X-Ray active tracing, it may be difficult to quickly identify and respond to performance issues that could lead to decreased availability or degradation of the API's performance.",
-  "RelatedUrl": "https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html",
+  "Description": "**API Gateway REST API stages** have **AWS X-Ray active tracing** enabled to sample incoming requests and produce distributed traces across connected services.",
+  "Risk": "Without X-Ray tracing, you lose end-to-end visibility, hindering detection of timeouts, errors, and anomalous latency.\n\nThis delays incident response and root-cause analysis, increasing MTTR and risking partial outages (availability) and undetected integration failures (integrity).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3",
+    "https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/tracing.html"
+  ],
   "Remediation": {
     "Code": {
       "CLI": "aws apigateway update-stage --rest-api-id <restapi-id> --stage-name <stage-name> --patch-operations op=replace,path=/tracingEnabled,value=true",
-      "NativeIaC": "",
-      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/apigateway-controls.html#apigateway-3",
-      "Terraform": ""
+      "NativeIaC": "```yaml\n# CloudFormation: Enable X-Ray tracing on an API Gateway REST API stage\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGateway::Stage\n    Properties:\n      RestApiId: <example_resource_id>\n      DeploymentId: <example_resource_id>\n      StageName: <example_resource_name>\n      TracingEnabled: true  # Critical: enables AWS X-Ray tracing for this stage\n```",
+      "Other": "1. Open the AWS Console and go to API Gateway\n2. Select your REST API and choose Stages\n3. Select the target stage\n4. Open the Logs/Tracing tab, check Enable X-Ray Tracing\n5. Click Save",
+      "Terraform": "```hcl\n# Enable X-Ray tracing on an API Gateway REST API stage\nresource \"aws_api_gateway_stage\" \"example\" {\n  rest_api_id = \"<example_resource_id>\"\n  deployment_id = \"<example_resource_id>\"\n  stage_name  = \"<example_resource_name>\"\n  xray_tracing_enabled = true  # Critical: enables AWS X-Ray tracing for this stage\n}\n```"
     },
     "Recommendation": {
-      "Text": "Enable AWS X-Ray tracing for API Gateway REST API stages to monitor and analyze performance in real time.",
-      "Url": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/tracing.html"
+      "Text": "Enable **X-Ray active tracing** on all API Gateway stages and propagate trace context through downstream services.\n\nUse prudent sampling, correlate traces with logs/metrics, and alert on errors/latency. Apply **least privilege** to X-Ray access and use **defense in depth** for observability.",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_tracing_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "logging"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""

prowler/providers/aws/services/apigateway/apigateway_restapi_waf_acl_attached/apigateway_restapi_waf_acl_attached.metadata.json

@@ -1,35 +1,41 @@
 {
   "Provider": "aws",
   "CheckID": "apigateway_restapi_waf_acl_attached",
-  "CheckTitle": "Check if API Gateway Stage has a WAF ACL attached.",
-  "CheckAliases": [
-    "apigateway_waf_acl_attached"
-  ],
+  "CheckTitle": "API Gateway stage has a WAF Web ACL attached",
   "CheckType": [
-    "Infrastructure Security"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
   ],
   "ServiceName": "apigateway",
-  "SubServiceName": "rest_api",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsApiGatewayRestApi",
-  "Description": "Check if API Gateway Stage has a WAF ACL attached.",
-  "Risk": "Potential attacks and / or abuse of service, more even for even for internet reachable services.",
+  "ResourceType": "AwsApiGatewayStage",
+  "Description": "**Amazon API Gateway (REST API)** stages are assessed for an associated **AWS WAF web ACL**. The finding reflects whether a `web ACL` is linked at the stage level.",
+  "Risk": "Absent a **WAF web ACL**, APIs are exposed to application-layer threats that impact CIA:\n- Confidentiality: data exfiltration via injection\n- Integrity: parameter tampering and path traversal\n- Availability: L7 floods, bot abuse, resource exhaustion\n*Public endpoints face heightened risk.*",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws wafv2 associate-web-acl --web-acl-arn <WEB_ACL_ARN> --resource-arn arn:aws:apigateway:<REGION>::/restapis/<REST_API_ID>/stages/<STAGE_NAME>",
+      "NativeIaC": "```yaml\n# CloudFormation: Attach a WAFv2 Web ACL to an API Gateway REST API stage\nResources:\n  <example_resource_name>:\n    Type: AWS::WAFv2::WebACLAssociation\n    Properties:\n      ResourceArn: arn:aws:apigateway:<example_region>::/restapis/<example_resource_id>/stages/<example_stage_name>  # CRITICAL: target API Gateway stage\n      WebACLArn: <example_resource_arn>  # CRITICAL: Web ACL to attach\n```",
+      "Other": "1. Open the AWS Console and go to WAF & Shield\n2. Select Web ACLs (Scope: Regional), choose your Web ACL\n3. Click Add AWS resource\n4. Select API Gateway, choose the REST API and the specific Stage\n5. Click Add/Associate to attach the Web ACL",
+      "Terraform": "```hcl\n# Attach a WAFv2 Web ACL to an API Gateway REST API stage\nresource \"aws_wafv2_web_acl_association\" \"<example_resource_name>\" {\n  resource_arn = \"arn:aws:apigateway:<example_region>::/restapis/<example_resource_id>/stages/<example_stage_name>\" # CRITICAL: target API Gateway stage\n  web_acl_arn  = \"<example_resource_arn>\" # CRITICAL: Web ACL to attach\n}\n```"
     },
     "Recommendation": {
-      "Text": "Use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security or consume excessive resources.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
+      "Text": "Attach an **AWS WAF web ACL** to each exposed stage and apply **defense in depth**:\n- Use managed rule groups and tailored allow/deny lists\n- Apply rate limiting to throttle abuse\n- Enforce least-privilege network exposure\n- Continuously tune rules using logs and metrics\n*Validate changes to reduce false positives.*",
+      "Url": "https://hub.prowler.com/check/apigateway_restapi_waf_acl_attached"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "threat-detection"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
-  "Notes": ""
+  "Notes": "",
+  "CheckAliases": [
+    "apigateway_waf_acl_attached"
+  ]
 }

prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json

@@ -1,31 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "apigatewayv2_api_access_logging_enabled",
-  "CheckTitle": "Ensure API Gateway V2 has Access Logging enabled.",
+  "CheckTitle": "API Gateway V2 API stage has access logging enabled",
   "CheckAliases": [
     "apigatewayv2_access_logging_enabled"
   ],
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "apigatewayv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsApiGatewayV2Api",
-  "Description": "Ensure API Gateway V2 has Access Logging enabled.",
-  "Risk": "If no authorizer is enabled anyone can use the service.",
+  "ResourceType": "AwsApiGatewayV2Stage",
+  "Description": "**API Gateway v2** stages have **access logging** configured to capture request details and deliver them to a logging destination (e.g., CloudWatch Logs or Firehose). The evaluation looks for logging being enabled at each API stage.",
+  "Risk": "Without access logs, API calls lack traceability, making it hard to spot credential misuse, route abuse, or anomalous traffic.\n\nThis reduces confidentiality and integrity through undetected data access or manipulation, and impacts availability by slowing incident response.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
+    "https://support.icompaas.com/support/solutions/articles/62000229562-ensure-api-gateway-v2-has-access-logging-enabled",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/api-gateway-stage-access-logging.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#aws-console",
-      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#cloudformation"
+      "CLI": "aws apigatewayv2 update-stage --api-id <API_ID> --stage-name <STAGE_NAME> --access-log-settings DestinationArn=<LOG_GROUP_ARN>,Format='{\"requestId\":\"$context.requestId\"}'",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable access logging on API Gateway V2 stage\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGatewayV2::Stage\n    Properties:\n      ApiId: <example_resource_id>\n      StageName: <example_resource_name>\n      AccessLogSettings: # Critical: enables access logging for the stage\n        DestinationArn: <example_log_group_arn> # CloudWatch Logs log group ARN\n        Format: '{\"requestId\":\"$context.requestId\"}' # Minimal required format\n```",
+      "Other": "1. In the AWS Console, go to API Gateway > your HTTP/WebSocket API\n2. Open Stages and select the target stage\n3. In Access logging, enable Access logging\n4. Set Log destination ARN to your CloudWatch log group (or Firehose stream)\n5. Set Log format to: {\"requestId\":\"$context.requestId\"}\n6. Click Save",
+      "Terraform": "```hcl\n# Terraform: Enable access logging on API Gateway V2 stage\nresource \"aws_apigatewayv2_stage\" \"<example_resource_name>\" {\n  api_id = \"<example_resource_id>\"\n  name   = \"<example_resource_name>\"\n\n  access_log_settings { # Critical: enables access logging for the stage\n    destination_arn = \"<example_log_group_arn>\"\n    format          = \"{\\\"requestId\\\":\\\"$context.requestId\\\"}\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
+      "Text": "Enable **stage-level access logging** to a centralized destination and use structured formats. Apply appropriate retention and restrict log access per **least privilege**. Integrate logs with monitoring and alerts to detect anomalies, and complement with **defense in depth** controls.",
+      "Url": "https://hub.prowler.com/check/apigatewayv2_api_access_logging_enabled"
     }
   },
   "Categories": [