Ensure that an API Key is required on a Method Request
API keys are string tokens that you provide to client application developers to grant access to your APIs. You can use API keys together with usage plans or Lambda authorizers to control access to your APIs. API Gateway can generate API keys on your behalf, or you can import them from a CSV file.
Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.CRY.37
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
ApiGateway should have resources contain-all [ (methods contain-all [ apiKeyRequired=true ]) or (methods isEmpty()) ] or authorizers isEmpty() = false
REMEDIATION
From Portal
Follow the below steps to configure an API method to require an API key
- Sign in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.
- Choose a REST API.
- In the API Gateway main navigation pane, choose Resources.
- Under Resources, create a new method or choose an existing one.
- Choose Method Request.
- Under the Settings section, choose true for API Key Required.
- Select the checkmark icon to save the settings.
- Deploy or redeploy the API for the requirement to take effect.
Note: If the API Key Required option is set to false and you don't execute the previous steps, any API key that's associated with an API stage isn't used for the method.
From TF
resource "aws_api_gateway_method" "test" {
rest_api_id = aws_api_gateway_rest_api.testapi.id
resource_id = aws_api_gateway_resource.testapi.id
http_method = "GET" # HTTP methods of DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.
authorization = "NONE"
+ api_key_required = true
}
References
- https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-console.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-create-api.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ���front door��� for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago