Ensure that no authorization type in API Gateway is set to NONE

When a method's authorization type is set to NONE, anyone with network access to the API Gateway endpoint can invoke it, and if the API is public, anyone on the internet can call it.

Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.NET.67
Covered by Spectral: Yes
Category: Networking & Content Delivery


ApiGateway where not authorizers should not have resources contain-any [ methods contain-any [ authorizationType='NONE' ] ]


From TF
Set an authorizer on your API Gateway method

resource "aws_api_gateway_method" "test" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "..."     # e.g. "GET", "PUT": any method other than "OPTIONS"
  authorization = "..."     # must not be "NONE": "CUSTOM", "COGNITO_USER_POOLS" or "AWS_IAM"
  authorizer_id = aws_api_gateway_authorizer.this.id   # required for "CUSTOM" and "COGNITO_USER_POOLS"
}

# OR, for the CORS preflight method only: "OPTIONS" may keep authorization = "NONE"
resource "aws_api_gateway_method" "test_options" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "OPTIONS"
  authorization = "NONE"
}
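An offline audit of the same condition, added here as an example and not part of the CloudGuard rule or its remediation: it walks the `items` list that API Gateway's GetResources call returns when methods are embedded (`embed=methods`), flags every method whose `authorizationType` is `NONE`, and applies the OPTIONS exception from the Terraform note above. The sample resources are constructed, not from a real account.

```python
"""Find API Gateway REST API methods whose authorizationType is NONE.

Input shape follows the GetResources response ('items'), with each method
embedded under 'resourceMethods' as returned when embed=methods is requested.
"""

# Constructed sample of two resources; ids, paths and authorizerId are made up.
SAMPLE_RESOURCES = [
    {
        "id": "a1b2c3",
        "path": "/orders",
        "resourceMethods": {
            "GET": {"httpMethod": "GET", "authorizationType": "COGNITO_USER_POOLS",
                    "authorizerId": "xyz123"},
            "POST": {"httpMethod": "POST", "authorizationType": "NONE"},
            "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"},
        },
    },
    {
        "id": "d4e5f6",
        "path": "/health",
        "resourceMethods": {
            # apiKeyRequired is not authorization (keys drive usage plans, not identity)
            "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": True},
        },
    },
]


def find_unauthenticated_methods(resources, allow_options=True):
    """Return sorted (path, httpMethod) pairs whose authorizationType is NONE.

    OPTIONS is skipped by default because CORS preflight requests carry no
    credentials, matching the exception in the Terraform remediation.
    A missing authorizationType is treated as NONE so the audit fails closed.
    """
    findings = []
    for resource in resources:
        for http_method, method in resource.get("resourceMethods", {}).items():
            if allow_options and http_method.upper() == "OPTIONS":
                continue
            if method.get("authorizationType", "NONE").upper() == "NONE":
                findings.append((resource["path"], http_method))
    return sorted(findings)


if __name__ == "__main__":
    for path, method in find_unauthenticated_methods(SAMPLE_RESOURCES):
        print(f"FAIL {method} {path}: authorizationType is NONE")
```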


  1. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset