Skip to content

API gateway methods are publicly accessible

Description

AWS API gateway methods are by default publicly accessible. All of the methods configured as part of the API should be protected by an Authorizer or an API key. Unprotected API's can lead to data leaks and security breaches.

We recommend you configure a custom authorizer OR an API key for every method in the API Gateway.

Fix - Buildtime

CloudFormation

  • **Resource: ** AWS::ApiGateway::Method
  • Argument: Properties.HttpMethod / Properties.AuthorizationType / Properties.ApiKeyRequired
Resources:
  ProtectedExample1:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
+     HttpMethod: OPTIONS
      AuthorizationType: NONE
            ...

    ProtectedExample2:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
      HttpMethod: GET
      AuthorizationType: NONE
+     ApiKeyRequired: true
            ...

   ProtectedExample3:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
      HttpMethod: GET
+     AuthorizationType: AWS_IAM # or other valid authorization types
            ...

Terraform

  • **Resource: ** aws_api_gateway_method
  • Argument: http_method, authorisation, api_key_required

go aws_api_gateway_method.pass.tf resource "aws_api_gateway_method" "pass" { rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "OPTIONS" + authorization = "NONE" + api_key_required = true tags = { test = "Fail" } }