Ensure API gateway methods are not publicly accessible
Error: API gateway methods are publicly accessible
Bridgecrew Policy ID: BC_AWS_PUBLIC_6
Checkov Check ID: CKV_AWS_59
Severity: LOW
API gateway methods are publicly accessible
Description
AWS API gateway methods are by default publicly accessible. All of the methods configured as part of the API should be protected by an Authorizer or an API key. Unprotected API's can lead to data leaks and security breaches.
We recommend you configure a custom authorizer OR an API key for every method in the API Gateway.
Fix - Buildtime
CloudFormation
- Resource: AWS::ApiGateway::Method
- Argument: Properties.HttpMethod / Properties.AuthorizationType / Properties.ApiKeyRequired
Resources:
ProtectedExample1:
Type: 'AWS::ApiGateway::Method'
Properties:
...
+ HttpMethod: OPTIONS
AuthorizationType: NONE
...
ProtectedExample2:
Type: 'AWS::ApiGateway::Method'
Properties:
...
HttpMethod: GET
AuthorizationType: NONE
+ ApiKeyRequired: true
...
ProtectedExample3:
Type: 'AWS::ApiGateway::Method'
Properties:
...
HttpMethod: GET
+ AuthorizationType: AWS_IAM # or other valid authorization types
...
Terraform
- Resource: aws_api_gateway_method
- Argument: http_method, authorisation, api_key_required
resource "aws_api_gateway_method" "pass" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
resource_id = aws_api_gateway_resource.MyDemoResource.id
+ http_method = "OPTIONS"
+ authorization = "NONE"
+ api_key_required = true
tags = { test = "Fail" }
}
Updated almost 2 years ago