Ensure API gateway policy limits public access

Checks if the API Gateway has a policy statement that allows public access. It is recommended to limit public access to your API Gateway to protect your resources.

Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.IAM.114
Covered by Spectral: No
Category: Networking & Content Delivery


ApiGateway should not have policy.Statement isEmpty() or policy.Statement contain [Effect='Allow' and (Principal = '*' or Principal.AWS = '*') and not Condition]


From Portal 1. Sign in to the AWS Management Console and open the API Gateway console. 2. In the navigation pane, choose the API Gateway you want to modify. 3. Choose the 'Resource Policy' tab. 4. If a policy does not exist, create one. If a policy exists, modify it to remove any statements that allow public access. 5. Save your changes, and deploy.
From TF

	data "aws_iam_policy_document" "test" { statement { effect = "Allow"
		principals { type        = "AWS" identifiers = ["*"] }
			actions   = ["execute-api:Invoke"] resources = [aws_api_gateway_rest_api.test.execution_arn]
condition { test     = "IpAddress" variable = "aws:SourceIp" values   = [""] } } } resource "aws_api_gateway_rest_api_policy" "test" { rest_api_id = aws_api_gateway_rest_api.test.id policy      = data.aws_iam_policy_document.test.json }

From Command Line 1.

References 1. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html 2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ���front door��� for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset