Merge branch 'master' of https://github.com/Checkmarx/kics

nikitakoselev · Aug 23, 2022 · 8984384 · 8984384
2 parents 98b34b9 + 3417f48
commit 8984384
Show file tree

Hide file tree

Showing 109 changed files with 415 additions and 218 deletions.
diff --git a/.github/scripts/report/e2e-html.go b/.github/scripts/report/e2e-html.go
@@ -51,6 +51,7 @@ func includeCSS(name string) template.HTML {
 	if err != nil {
 		return ""
 	}
+	/* #nosec */
 	return template.HTML("<style>" + cssMinified + "</style>") //nolint
 }
 
@@ -61,6 +62,7 @@ func includeJS(name string) template.HTML {
 	if err != nil {
 		return ""
 	}
+	/* #nosec */
 	return template.HTML("<script>" + jsMinified + "</script>") //nolint
 }
 

diff --git a/.github/scripts/report/main.go b/.github/scripts/report/main.go
@@ -64,7 +64,7 @@ func main() {
 	flag.Parse()
 
 	// Read TestLog (NDJSON)
-	jsonTestsOutput, err := os.Open(filepath.Join(filepath.ToSlash(testPath), testName))
+	jsonTestsOutput, err := os.Open(filepath.Clean(filepath.Join(filepath.ToSlash(testPath), testName)))
 	if err != nil {
 		fmt.Printf("Error when trying to open: %v\n", filepath.Join(filepath.ToSlash(testPath), testName))
 		os.Exit(1)
@@ -112,7 +112,7 @@ func main() {
 
 	// Parse Output from Failed Tests
 	if hasFailures {
-		jsonTestsOutputClean, err := os.Open(filepath.Join(filepath.ToSlash(testPath), testName))
+		jsonTestsOutputClean, err := os.Open(filepath.Clean(filepath.Join(filepath.ToSlash(testPath), testName)))
 		if err != nil {
 			fmt.Printf("Error when trying to open: %v\n", filepath.Join(filepath.ToSlash(testPath), testName))
 			os.Exit(1)
@@ -121,7 +121,11 @@ func main() {
 		decoder2 := json.NewDecoder(jsonTestsOutputClean)
 		for decoder2.More() {
 			var log TestLog
-			decoder2.Decode(&log)
+			errDecoder := decoder2.Decode(&log)
+			if errDecoder != nil {
+				fmt.Printf("Error when decoding: %w\n", log)
+				os.Exit(1)
+			}
 
 			if log.Action != "output" {
 				continue

diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
@@ -339,11 +339,11 @@ get_tag_name_if_exists(resource) = name {
 	name := resource.tags.Name
 } else = name {
 	tag := resource.Properties.Tags[_]
-    tag.Key == "Name"
+	tag.Key == "Name"
 	name := tag.Value
 } else = name {
 	tag := resource.Properties.FileSystemTags[_]
-    tag.Key == "Name"
+	tag.Key == "Name"
 	name := tag.Value
 } else = name {
 	tag := resource.Properties.Tags[key]
@@ -493,14 +493,14 @@ has_wildcard(statement, typeAction) {
 get_nested_values_info(object, array_vals) = return_value {
 	arr := [x |
 		some i, _ in array_vals
-		path := array.slice(array_vals, 0, i+1)
+		path := array.slice(array_vals, 0, i + 1)
 		walk(object, [path, _]) # evaluates to false if path is not in object
 		x := path[i]
 	]
 
 	return_value := {
 		"valid": count(array_vals) == count(arr),
-		"searchKey": concat(".", arr)
+		"searchKey": concat(".", arr),
 	}
 }
 
@@ -541,6 +541,25 @@ is_aws_ebs_optimized_by_default(instanceType) {
 	inArray(data.common_lib.aws_ebs_optimized_by_default, instanceType)
 }
 
+#aurora is equivelent to mysql 5.6 https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html#UsingWithRDS.IAMDBAuth.Availability
+#all aurora-postgresql versions that do not support IAM auth are deprecated Source:console.aws (launch rds instance) 
+valid_for_iam_engine_and_version_check(resource, engineVar, engineVersionVar, instanceClassVar) {
+	resource[engineVar] == "mariadb"
+	startswith(resource[engineVersionVar], "10.6")
+} else {
+	engines_that_supports_iam := ["aurora-postgresql", "postgres", "mysql", "mariadb"]
+	resource[engineVar] == engines_that_supports_iam[_]
+	not valid_key(resource, engineVersionVar)
+} else {
+	engines_that_supports_iam := ["aurora-postgresql", "postgres", "mysql"]
+	resource[engineVar] == engines_that_supports_iam[_]
+} else {
+	aurora_mysql_engines := ["aurora", "aurora-mysql"]
+	resource[engineVar]== aurora_mysql_engines[_]
+	invalid_classes := ["db.t2.small", "db.t3.small"]
+	not inArray(invalid_classes, resource[instanceClassVar])
+}
+
 get_group_from_policy_attachment(attachment) = group {
 	group := split(attachment.groups[_], ".")[1]
 } else = group {

diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/query.rego b/assets/queries/ansible/aws/ec2_instance_has_public_ip/query.rego
@@ -1,13 +1,15 @@
 package Cx
 
 import data.generic.ansible as ansLib
+import data.generic.common as common_lib
 
 CxPolicy[result] {
 	task := ansLib.tasks[id][t]
 	modules := {"amazon.aws.ec2", "ec2"}
 	ec2 := task[modules[m]]
 	checkState(ec2)
 
+	not common_lib.valid_key(ec2, "network_interfaces")
 	ansLib.isAnsibleTrue(ec2.assign_public_ip)
 
 	# There is no default value for assign_public_ip

diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/negative.yaml b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/negative.yaml
@@ -10,3 +10,17 @@
     image_id: ami-04b762b4289fba92b
     key_name: my_ssh_key
     instance_type: t2.micro
+- name: Create an ec2 launch template
+  community.aws.ec2_launch_template:
+    name: "my_template"
+    image_id: "ami-04b762b4289fba92b"
+    key_name: my_ssh_key
+    instance_type: t2.micro
+    network_interfaces:
+      - interface_type: interface
+        ipv6_addresses: []
+        mac_address: '0 e: 0 e: 36: 60: 67: cf'
+        network_interface_id: eni - 061 dee20eba3b445a
+        owner_id: '721066863947'
+        source_dest_check: true
+        status: " in -use"
diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "IAM Database Auth Not Enabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "IAM Database Auth Enabled must be configured to true",
+  "descriptionText": "IAM Database Auth Enabled should be configured to true when using compatible engine and version",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html",
   "platform": "Ansible",
   "descriptionID": "952e08fc",

diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego b/assets/queries/ansible/aws/iam_database_auth_not_enabled/query.rego
@@ -10,8 +10,10 @@ CxPolicy[result] {
 	rds_instance := task[modules[m]]
 	ansLib.checkState(rds_instance)
 
+	common_lib.valid_for_iam_engine_and_version_check(rds_instance,"engine", "engine_version", "instance_type")
 	ansLib.isAnsibleFalse(rds_instance.enable_iam_database_authentication)
 
+
 	result := {
 		"documentId": id,
 		"resourceType": modules[m],
@@ -28,6 +30,7 @@ CxPolicy[result] {
 	rds_instance := task[modules[m]]
 	ansLib.checkState(rds_instance)
 
+	common_lib.valid_for_iam_engine_and_version_check(rds_instance,"engine", "engine_version", "instance_type")
 	not common_lib.valid_key(rds_instance, "enable_iam_database_authentication")
 
 	result := {

diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/negative.yaml b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/negative.yaml
@@ -34,3 +34,23 @@
     state: absent
     final_snapshot_identifier: '{{ snapshot_id }}'
     enable_iam_database_authentication: true
+
+- name: create minimal aurora instance in default VPC and default subnet group
+  community.aws.rds_instance:
+    engine: aurora
+    db_instance_identifier: ansible-test-aurora-db-instance
+    instance_type: db.t2.small
+    password: "{{ password }}"
+    username: "{{ username }}"
+    cluster_id: ansible-test-cluster
+    enable_iam_database_authentication: "No"
+
+- name: create minimal aurora instance in default VPC and default subnet group
+  community.aws.rds_instance:
+    engine: mariadb
+    engine_version: 10.2.43
+    db_instance_identifier: ansible-test-aurora-db-instance
+    instance_type: db.t2.small
+    password: "{{ password }}"
+    username: "{{ username }}"
+    cluster_id: ansible-test-cluster
diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive.yaml b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive.yaml
@@ -1,6 +1,6 @@
 - name: create minimal aurora instance in default VPC and default subnet group
   community.aws.rds_instance:
-    engine: aurora
+    engine: mysql
     db_instance_identifier: ansible-test-aurora-db-instance
     instance_type: db.t2.small
     password: "{{ password }}"

diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s has a ConfigRule defining rotation period on AccessKeys.", [name]),
+		"keyExpectedValue": sprintf("Resources.%s should have a ConfigRule defining rotation period on AccessKeys.", [name]),
 		"keyActualValue": sprintf("Resources.%s doesn't have a ConfigRule defining rotation period on AccessKeys.", [name]),
 	}
 }
@@ -33,7 +33,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(configRule, name),
 		"searchKey": sprintf("Resources.%s.Properties", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.InputParameters is defined and contains 'maxAccessKeyAge' key.", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.InputParameters should be defined and contain 'maxAccessKeyAge' key.", [name]),
 		"keyActualValue": sprintf("Resources.%s.InputParameters is undefined.", [name]),
 	}
 }
@@ -54,7 +54,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(configRule, name),
 		"searchKey": sprintf("Resources.%s.Properties.InputParameters.maxAccessKeyAge", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.InputParameters.maxAccessKeyAge is less or equal to 90 (days)", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", [name]),
 		"keyActualValue": sprintf("Resources.%s.InputParameters.maxAccessKeyAge is more than 90 (days).", [name]),
 	}
 }

diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'Resources.%s' does not have an 'internal' scheme and has a 'WebACLAssociation' associated", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", [name]),
 		"keyActualValue": sprintf("'Resources.%s' does not have an 'internal' scheme and a 'WebACLAssociation' associated", [name]),
 	}
 }

diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego b/assets/queries/cloudFormation/aws/alb_listening_on_http/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.Listeners.Protocol=HTTP", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'Resources.%s.Listeners.Protocol' not equal to 'HTTP'", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s.Listeners.Protocol' should not be equal to 'HTTP'", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Listeners.Protocol' equals to 'HTTP'", [name]),
 		"searchLine": common_lib.build_search_line(["Resources", name, "Properties","Listeners",l,"Protocol"], []),
 	}
@@ -34,7 +34,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.Protocol", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'Resources.%s.Protocol' not equal to 'HTTP'", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s.Protocol' should not be equal to 'HTTP'", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Protocol' equals to 'HTTP'", [name]),
 		"searchLine": common_lib.build_search_line(["Resources", name, "Properties","Protocol"], []),
 	}

diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.EncryptionOptions", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.EncryptionOptions is defined", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.EncryptionOptions should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.EncryptionOptions is not defined", [name]),
 	}
 }
diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("Parameters.%s.Default", [paramName]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Parameters.%s.Default is defined", [paramName]),
+		"keyExpectedValue": sprintf("Parameters.%s.Default should be defined", [paramName]),
 		"keyActualValue": sprintf("Parameters.%s.Default shouldn't be defined", [paramName]),
 	}
 }

diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/query.rego
@@ -23,7 +23,7 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("Parameters.%s.Default", [paramName]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Parameters.%s.Default is defined", [paramName]),
+		"keyExpectedValue": sprintf("Parameters.%s.Default should be defined", [paramName]),
 		"keyActualValue": sprintf("Parameters.%s.Default shouldn't be defined", [paramName]),
 	}
 }

diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/query.rego b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/query.rego
@@ -22,7 +22,7 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("Parameters.%s.Default", [paramName]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Parameters.%s.Default is defined", [paramName]),
+		"keyExpectedValue": sprintf("Parameters.%s.Default should be defined", [paramName]),
 		"keyActualValue": sprintf("Parameters.%s.Default shouldn't be defined", [paramName]),
 	}
 }

diff --git a/...s/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego b/...s/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/query.rego
@@ -24,7 +24,7 @@ CxPolicy[result] {
 		"resourceName": "n/a",
 		"searchKey": sprintf("Parameters.%s.Default", [paramName]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Parameters.%s.Default is defined", [paramName]),
+		"keyExpectedValue": sprintf("Parameters.%s.Default should be defined", [paramName]),
 		"keyActualValue": sprintf("Parameters.%s.Default shouldn't be defined", [paramName]),
 	}
 }

diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is defined and not null", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled should be defined and not null", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is undefined or null", [name]),
 		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
 	}
@@ -27,7 +27,7 @@ CxPolicy[result] {
 	resource = document[i].Resources[name]
 	resource.Type == "AWS::ApiGateway::Stage"
 	properties := resource.Properties
-	
+
 	properties.CacheClusterEnabled == false
 
 	result := {
@@ -36,7 +36,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.CacheClusterEnabled", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is set to true", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled should be set to true", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is set to false", [name]),
 		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "CacheClusterEnabled"], []),
 	}

diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/query.rego
@@ -18,7 +18,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(deployment, name),
 		"searchKey": sprintf("Resources.%s.Properties.StageDescription", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' is defined and not null", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' is undefined or null", [name]),
 	}
 }
@@ -38,7 +38,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(deployment, name),
 		"searchKey": sprintf("Resources.%s.Properties.StageDescription.CacheDataEncrypted", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' is set to true", [name]),
+		"keyExpectedValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' should be set to true", [name]),
 		"keyActualValue": sprintf("'Resources.%s.Properties.StageDescription.CacheDataEncrypted' is set to false", [name]),
 	}
 }
diff --git a/...s/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego b/...s/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/query.rego
@@ -17,7 +17,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s has Stage defined", [name]),
+		"keyExpectedValue": sprintf("Resources.%s should have Stage defined", [name]),
 		"keyActualValue": sprintf("Resources.%s doesn't have Stage defined", [name]),
 	}
 }
@@ -36,7 +36,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s has AWS::ApiGateway::Stage associated, DeploymentId.Ref is the same as the ApiGateway::Stage resource", [name]),
+		"keyExpectedValue": sprintf("Resources.%s should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", [name]),
 		"keyActualValue": sprintf("Resources.%s should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", [name]),
 	}
 }
@@ -57,7 +57,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.StageDescription", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.StageDescription is defined", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.StageDescription should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.StageDescription is not defined", [name]),
 	}
 }
@@ -78,7 +78,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.StageDescription.AccessLogSetting", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.StageDescriptionAccessLogSetting is defined", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.StageDescriptionAccessLogSetting should be defined", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.StageDescription.AccessLogSetting is not defined", [name]),
 	}
 }

diff --git a/...Formation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego b/...Formation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/query.rego
@@ -16,7 +16,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s has UsagePlan defined", [name]),
+		"keyExpectedValue": sprintf("Resources.%s should have UsagePlan defined", [name]),
 		"keyActualValue": sprintf("Resources.%s doesn't have UsagePlan defined", [name]),
 	}
 }
@@ -35,7 +35,7 @@ CxPolicy[result] {
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s has AWS::ApiGateway::UsagePlan associated, RestApiId and StageName are the same as the %s resource", [name, name]),
+		"keyExpectedValue": sprintf("Resources.%s should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the %s resource", [name, name]),
 		"keyActualValue": sprintf("Resources.%s should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the %s resource", [name, name]),
 	}
 }