AWS SAM framework configuration scanning

Checkov supports the evaluation of policies on your SAM templates files. When using checkov to scan a directory that contains a SAM template it will validate if the file is compliant with AWS best practices such as having logging and auditing enabled, making sure S3 buckets are encrypted, HTTPS is being used, and more.

Full list of SAM policies checks can be found here. The SAM scanning is utilizing checks that are part of the Cloudformation scanning implementation of checkov since SAM resource definition extends the Cloudformation definition.

Example misconfigured SAM framework

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  Enabled:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'

  Default:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod

Running in CLI

checkov -d . --framework cloudformation

Example output


      _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By Prisma Cloud | version: x.x.x 


cloudformation scan results:

Passed checks: 3, Failed checks: 3, Skipped checks: 0

Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12

Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-15

Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
	PASSED for resource: AWS::Serverless::Api.Enabled
	File: /sam.yaml:5-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-17

Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod


Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-15

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod


Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
	FAILED for resource: AWS::Serverless::Api.Default
	File: /sam.yaml:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-17

		14 |   Default:
		15 |     Type: AWS::Serverless::Api
		16 |     Properties:
		17 |       StageName: prod