feat(aws): enhance metadata for apigatewayv2 service (#8719)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -12,8 +12,10 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Add explicit "name" field for each compliance framework and include "FRAMEWORK" and "NAME" in CSV output [(#7920)](https://github.com/prowler-cloud/prowler/pull/7920)
 
 ### Changed
+
 - Update AWS Neptune service metadata to new format [(#8494)](https://github.com/prowler-cloud/prowler/pull/8494)
 - Update AWS Config service metadata to new format [(#8641)](https://github.com/prowler-cloud/prowler/pull/8641)
+- Update AWS Api Gateway V2 service metadata to new format [(#8719)](https://github.com/prowler-cloud/prowler/pull/8719)
 - Update AWS AppSync service metadata to new format [(#8721)](https://github.com/prowler-cloud/prowler/pull/8721)
 - HTML output now properly renders markdown syntax in Risk and Recommendation fields [(#8727)](https://github.com/prowler-cloud/prowler/pull/8727)
 - Update `moto` dependency from 5.0.28 to 5.1.11 [(#7100)](https://github.com/prowler-cloud/prowler/pull/7100)

prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_access_logging_enabled/apigatewayv2_api_access_logging_enabled.metadata.json

@@ -1,31 +1,37 @@
 {
   "Provider": "aws",
   "CheckID": "apigatewayv2_api_access_logging_enabled",
-  "CheckTitle": "Ensure API Gateway V2 has Access Logging enabled.",
+  "CheckTitle": "API Gateway V2 API stage has access logging enabled",
   "CheckAliases": [
     "apigatewayv2_access_logging_enabled"
   ],
   "CheckType": [
-    "IAM"
+    "Software and Configuration Checks/AWS Security Best Practices"
   ],
   "ServiceName": "apigatewayv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "AwsApiGatewayV2Api",
-  "Description": "Ensure API Gateway V2 has Access Logging enabled.",
-  "Risk": "If no authorizer is enabled anyone can use the service.",
+  "ResourceType": "AwsApiGatewayV2Stage",
+  "Description": "**API Gateway v2** stages have **access logging** configured to capture request details and deliver them to a logging destination (e.g., CloudWatch Logs or Firehose). The evaluation looks for logging being enabled at each API stage.",
+  "Risk": "Without access logs, API calls lack traceability, making it hard to spot credential misuse, route abuse, or anomalous traffic.\n\nThis reduces confidentiality and integrity through undetected data access or manipulation, and impacts availability by slowing incident response.",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html",
+    "https://support.icompaas.com/support/solutions/articles/62000229562-ensure-api-gateway-v2-has-access-logging-enabled",
+    "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/APIGateway/api-gateway-stage-access-logging.html"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#aws-console",
-      "Terraform": "https://docs.prowler.com/checks/aws/logging-policies/bc_aws_logging_30#cloudformation"
+      "CLI": "aws apigatewayv2 update-stage --api-id <API_ID> --stage-name <STAGE_NAME> --access-log-settings DestinationArn=<LOG_GROUP_ARN>,Format='{\"requestId\":\"$context.requestId\"}'",
+      "NativeIaC": "```yaml\n# CloudFormation: Enable access logging on API Gateway V2 stage\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGatewayV2::Stage\n    Properties:\n      ApiId: <example_resource_id>\n      StageName: <example_resource_name>\n      AccessLogSettings: # Critical: enables access logging for the stage\n        DestinationArn: <example_log_group_arn> # CloudWatch Logs log group ARN\n        Format: '{\"requestId\":\"$context.requestId\"}' # Minimal required format\n```",
+      "Other": "1. In the AWS Console, go to API Gateway > your HTTP/WebSocket API\n2. Open Stages and select the target stage\n3. In Access logging, enable Access logging\n4. Set Log destination ARN to your CloudWatch log group (or Firehose stream)\n5. Set Log format to: {\"requestId\":\"$context.requestId\"}\n6. Click Save",
+      "Terraform": "```hcl\n# Terraform: Enable access logging on API Gateway V2 stage\nresource \"aws_apigatewayv2_stage\" \"<example_resource_name>\" {\n  api_id = \"<example_resource_id>\"\n  name   = \"<example_resource_name>\"\n\n  access_log_settings { # Critical: enables access logging for the stage\n    destination_arn = \"<example_log_group_arn>\"\n    format          = \"{\\\"requestId\\\":\\\"$context.requestId\\\"}\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html"
+      "Text": "Enable **stage-level access logging** to a centralized destination and use structured formats. Apply appropriate retention and restrict log access per **least privilege**. Integrate logs with monitoring and alerts to detect anomalies, and complement with **defense in depth** controls.",
+      "Url": "https://hub.prowler.com/check/apigatewayv2_api_access_logging_enabled"
     }
   },
   "Categories": [

prowler/providers/aws/services/apigatewayv2/apigatewayv2_api_authorizers_enabled/apigatewayv2_api_authorizers_enabled.metadata.json

@@ -1,34 +1,43 @@
 {
   "Provider": "aws",
   "CheckID": "apigatewayv2_api_authorizers_enabled",
-  "CheckTitle": "Checks if API Gateway V2 has configured authorizers.",
+  "CheckTitle": "API Gateway V2 API has an authorizer configured",
   "CheckAliases": [
     "apigatewayv2_authorizers_enabled"
   ],
   "CheckType": [
-    "Logging and Monitoring"
+    "Software and Configuration Checks/AWS Security Best Practices",
+    "TTPs/Initial Access",
+    "Effects/Data Exposure"
   ],
   "ServiceName": "apigatewayv2",
   "SubServiceName": "",
-  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "ResourceIdTemplate": "",
   "Severity": "medium",
   "ResourceType": "AwsApiGatewayV2Api",
-  "Description": "Checks if API Gateway V2 has configured authorizers.",
-  "Risk": "If no authorizer is enabled anyone can use the service.",
+  "Description": "**API Gateway v2 APIs** use **authorizers** (JWT/Cognito or Lambda) to authenticate requests. This evaluates whether an API has an authorizer configured to control access to its routes.",
+  "Risk": "Without an authorizer, anyone can invoke routes.\n- Confidentiality: exposure of data and metadata\n- Integrity: unauthorized state changes or actions\n- Availability/Cost: automated abuse of backends, traffic spikes, and unexpected spend",
   "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
+    "https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-lambda-authorizer.html",
+    "https://support.icompaas.com/support/solutions/articles/62000127114-ensure-api-gateway-has-configured-authorizers"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "aws apigatewayv2 create-authorizer --api-id <API_ID> --authorizer-type REQUEST --name <example_resource_name> --authorizer-uri arn:aws:apigateway:<REGION>:lambda:path/2015-03-31/functions/<LAMBDA_FUNCTION_ARN>/invocations --identity-source '$request.header.Authorization'",
+      "NativeIaC": "```yaml\n# CloudFormation: create a minimal Lambda authorizer for API Gateway v2\nResources:\n  <example_resource_name>:\n    Type: AWS::ApiGatewayV2::Authorizer\n    Properties:\n      ApiId: <example_resource_id>\n      AuthorizerType: REQUEST  # Critical: enables a Lambda REQUEST authorizer on the API\n      AuthorizerUri: arn:aws:apigateway:<REGION>:lambda:path/2015-03-31/functions/<LAMBDA_FUNCTION_ARN>/invocations  # Critical: Lambda authorizer function to invoke\n      IdentitySource:  # Critical: where to read the auth token from\n        - \"$request.header.Authorization\"\n      Name: <example_resource_name>\n```",
+      "Other": "1. In the AWS Console, go to API Gateway > APIs and select your HTTP/WebSocket API\n2. In the left nav, click Authorizers > Create authorizer\n3. Choose Lambda as the authorizer type and select your Lambda function\n4. Set Identity source to: $request.header.Authorization\n5. Click Create to add the authorizer",
+      "Terraform": "```hcl\n# Minimal AWS API Gateway v2 Lambda authorizer\nresource \"aws_apigatewayv2_authorizer\" \"<example_resource_name>\" {\n  api_id           = \"<example_resource_id>\"\n  name             = \"<example_resource_name>\"\n  authorizer_type  = \"REQUEST\"  # Critical: creates a Lambda REQUEST authorizer\n  authorizer_uri   = \"arn:aws:apigateway:<REGION>:lambda:path/2015-03-31/functions/<LAMBDA_FUNCTION_ARN>/invocations\"  # Critical: Lambda to invoke\n  identity_sources = [\"$request.header.Authorization\"]  # Critical: identity source for authorization\n}\n```"
     },
     "Recommendation": {
-      "Text": "Implement Amazon Cognito or a Lambda function to control access to your API",
-      "Url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html"
+      "Text": "Enable an **authorizer** (JWT/Cognito or Lambda) so only authenticated principals can invoke routes.\n- Enforce **least privilege** with scopes/claims or policy decisions\n- Apply **defense in depth** with resource policies, throttling, and WAF\n- Avoid public routes unless explicitly required",
+      "Url": "https://hub.prowler.com/check/apigatewayv2_api_authorizers_enabled"
     }
   },
-  "Categories": [],
+  "Categories": [
+    "identity-access"
+  ],
   "DependsOn": [],
   "RelatedTo": [],
   "Notes": ""