Ensure API gateway methods are not publicly accessible

AWS API Gateway methods are publicly accessible by default. Every method configured as part of the API should be protected by an authorizer or an API key; unprotected APIs can lead to data leaks and security breaches. Configure a custom authorizer or an API key for every method in the API Gateway.

Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.CFT.IAM.43
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

AWS_ApiGateway_Method should have ApiKeyRequired=true and HttpMethod and AuthorizationType!='NONE'

REMEDIATION

From CFT

  1. Set AWS::ApiGateway::Method::ApiKeyRequired to true.
  2. Set AWS::ApiGateway::Method::HttpMethod to the HTTP verb that clients use to call this method.
  3. Set AWS::ApiGateway::Method::AuthorizationType to a value other than NONE, i.e. one of AWS_IAM, CUSTOM, or COGNITO_USER_POOLS.
     See the example below:

Resources:
  ExampleMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
      ApiKeyRequired: true
      HttpMethod: GET            # the HTTP verb clients use to call this method
      AuthorizationType: AWS_IAM
      ...
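The following is an added example, not part of this rule page or of the CloudGuard/Spectral code base: a small Python checker that applies the GSL logic above (ApiKeyRequired=true, HttpMethod present, AuthorizationType != NONE) to every AWS::ApiGateway::Method in a CloudFormation template. It reads the JSON form of a template with the standard library only, so it runs offline; the embedded template, its logical IDs (SecureMethod, OpenMethod, NoKeyMethod, ExampleApi) and the resource references are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample template (JSON form of the CloudFormation YAML above).
# One method is compliant, two are not. Resource names are invented.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "SecureMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": {"Ref": "ExampleApi"},
        "ResourceId": {"Ref": "ExampleResource"},
        "HttpMethod": "GET",
        "ApiKeyRequired": true,
        "AuthorizationType": "AWS_IAM"
      }
    },
    "OpenMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": {"Ref": "ExampleApi"},
        "ResourceId": {"Ref": "ExampleResource"},
        "HttpMethod": "POST",
        "AuthorizationType": "NONE"
      }
    },
    "NoKeyMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": {"Ref": "ExampleApi"},
        "ResourceId": {"Ref": "ExampleResource"},
        "HttpMethod": "DELETE",
        "ApiKeyRequired": false,
        "AuthorizationType": "CUSTOM",
        "AuthorizerId": {"Ref": "ExampleAuthorizer"}
      }
    },
    "ExampleApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {"Name": "example"}
    }
  }
}
"""


def method_findings(props: Dict) -> List[str]:
    """Evaluate one AWS::ApiGateway::Method's Properties against the rule:
    ApiKeyRequired=true AND HttpMethod set AND AuthorizationType != 'NONE'.
    Returns a list of human-readable findings; empty means compliant."""
    findings: List[str] = []
    # ApiKeyRequired is false when omitted, so a missing key is a finding too.
    if props.get("ApiKeyRequired") is not True:
        findings.append("ApiKeyRequired is not true")
    if not props.get("HttpMethod"):
        findings.append("HttpMethod is missing")
    auth = props.get("AuthorizationType")
    if not auth or str(auth).upper() == "NONE":
        findings.append("AuthorizationType is NONE or missing")
    return findings


def check_template(template_text: str) -> Dict[str, List[str]]:
    """Parse a JSON CloudFormation template and return
    {logical_id: [findings]} for every non-compliant API Gateway method."""
    template = json.loads(template_text)
    results: Dict[str, List[str]] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        findings = method_findings(resource.get("Properties", {}))
        if findings:
            results[logical_id] = findings
    return results


if __name__ == "__main__":
    for logical_id, issues in check_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {'; '.join(issues)}")
```

Run against the sample, SecureMethod passes, OpenMethod is reported for both the missing API key requirement and the NONE authorization type, and NoKeyMethod is reported only for ApiKeyRequired, matching the rule's requirement that both controls be present. Templates written in YAML can be converted to JSON before being fed to check_template.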

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html
  2. https://docs.aws.amazon.com/apigateway/api-reference/resource/method/

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • AWS CloudFormation ruleset