Ensure that all requestValidatorId in API Gateway are not null
before you send the API request to your server to be process it is recommended to validate the inputs to avoid several types of attacks
Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.NET.68
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
ApiGateway should not have resources contain-any [ methods contain-any [ requestValidatorId isEmpty() ] ]
REMEDIATION
From Portal:
Use following steps to enable a request validator on a method.
- Sign in to the API Gateway console.
- Choose the relevant API.
- Select the method which has no validation.
- Click 'Method Request'.
- Choose the pencil icon of Request Validator under Settings.
- Choose validation option from the Request Validator drop-down list. Then choose the check mark icon to save your choice.
References:
- https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-validation-set-up.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-method-request-validation.html
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ���front door��� for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- CloudGuard AWS All Rules Ruleset
Updated about 1 year ago