refactor(checks): migrate AWS apigateway, cloudfront, cloudwatch to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/aws/apigateway/AVD-AWS-0001/docs.md

@@ -1,8 +1,9 @@
 
 API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
 
+
 ### Impact
-Logging provides vital information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/apigateway/AVD-AWS-0002/docs.md

@@ -1,8 +1,9 @@
 
 Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception
 
+
 ### Impact
-Data stored in the cache that is unencrypted may be vulnerable to compromise
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/apigateway/AVD-AWS-0003/docs.md

@@ -1,8 +1,9 @@
 
 X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.
 
+
 ### Impact
-Without full tracing enabled it is difficult to trace the flow of logs
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/apigateway/AVD-AWS-0004/docs.md

@@ -1,8 +1,9 @@
 
 API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization
 
+
 ### Impact
-API gateway methods can be accessed without authorization.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/apigateway/AVD-AWS-0005/docs.md

@@ -1,8 +1,9 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
+
 ### Impact
-Outdated SSL policies increase exposure to known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/apigateway/AVD-AWS-0190/docs.md

@@ -1,8 +1,9 @@
 
 A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
 
+
 ### Impact
-Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudfront/AVD-AWS-0010/docs.md

@@ -1,8 +1,9 @@
 
 You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives
 
+
 ### Impact
-Logging provides vital information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudfront/AVD-AWS-0011/docs.md

@@ -1,8 +1,9 @@
 
 You should configure a Web Application Firewall in front of your CloudFront distribution. This will mitigate many types of attacks on your web application.
 
+
 ### Impact
-Complex web application attacks can more easily be performed without a WAF
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudfront/AVD-AWS-0012/docs.md

@@ -1,10 +1,10 @@
 
 Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
-
 You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
 
+
 ### Impact
-CloudFront is available through an unencrypted connection
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md

@@ -1,12 +1,12 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
-
-Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
-If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
+Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
+If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
 The only option when using the cloudfront.net domain name is to ignore this rule.
 
+
 ### Impact
-Outdated SSL policies increase exposure to known vulnerabilities
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0017/docs.md

@@ -1,8 +1,9 @@
 
 CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.
 
+
 ### Impact
-Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0147/docs.md

@@ -1,10 +1,10 @@
 
 You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
-
 CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
 
+
 ### Impact
-Unauthorized API Calls may be attempted without being notified. CloudTrail logs these actions but without the alarm you aren't actively notified.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0148/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-                                                                              
-  CIS recommends that you create a metric filter and alarm console logins that  aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+CIS recommends that you create a metric filter and alarm console logins that  aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.
+
 
 ### Impact
-Not alerting on logins with no MFA allows the risk to go un-notified.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0149/docs.md

@@ -1,10 +1,10 @@
 
- You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.
 
+
 ### Impact
-The root user has significant permissions and should not be used for day to day tasks.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0150/docs.md

@@ -1,10 +1,10 @@
 
-  You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
 
+
 ### Impact
-IAM Policy changes could lead to excessive permissions and may have been performed maliciously.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0151/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.
 
+
 ### Impact
-CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0152/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.
 
+
 ### Impact
-Failed attempts to log into the Management console may indicate an attempt to maliciously access an account. Failure to alert reduces visibility of this activity.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0153/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-                                                                              
-  CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible. 
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.
+
 
 ### Impact
-CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0154/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.
 
+
 ### Impact
-Misconfigured policies on S3 buckets could lead to data leakage, without alerting visibility of this is reduced.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0155/docs.md

@@ -1,10 +1,10 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 CIS recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.
 
+
 ### Impact
-Changes to the configuration of AWS Config may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0156/docs.md

@@ -1,11 +1,11 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.                                                    
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.
 CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed.
 
+
 ### Impact
-Security groups control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0157/docs.md

@@ -1,11 +1,11 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.                                               
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.
 CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed.
 
+
 ### Impact
-Network ACLs control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0158/docs.md

@@ -1,11 +1,11 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
-Network gateways are required to send and receive traffic to a destination outside a VPC.                                                              
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Network gateways are required to send and receive traffic to a destination outside a VPC.
 CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.
 
+
 ### Impact
-Network gateways control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0159/docs.md

@@ -1,11 +1,11 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.     
-Routing tables route network traffic between subnets and to network gateways.                                                                   
-
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Routing tables route network traffic between subnets and to network gateways.
 CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.
 
+
 ### Impact
-Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0160/docs.md

@@ -1,11 +1,11 @@
 
-You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.   
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
 You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
-                                                                              
-CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.  
+CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
+
 
 ### Impact
-Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/cloudwatch/AVD-AWS-0174/docs.md

@@ -1,5 +1,4 @@
 
-
 Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or
 intentional modifications that may lead to unauthorized access or other security breaches.
 This monitoring technique helps you to ensure that any unexpected changes performed
@@ -8,7 +7,7 @@ rolled back.
 
 
 ### Impact
-Lack of observability into critical organisation changes
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/aws/apigateway/enable_access_logging.go

@@ -33,7 +33,8 @@ var CheckEnableAccessLogging = rules.Register(
 			Links:               cloudFormationEnableAccessLoggingLinks,
 			RemediationMarkdown: cloudFormationEnableAccessLoggingRemediationMarkdown,
 		},
-		Severity: severity.Medium,
+		Severity:   severity.Medium,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, api := range s.AWS.APIGateway.V1.APIs {