AWS API gateway methods are publicly accessible

Description

AWS API Gateway methods are publicly accessible by default. Every method configured as part of the API should be protected by an authorizer or by an API key. Unprotected APIs can lead to data leaks and security breaches. We recommend you configure a custom authorizer or an API key for every method in the API Gateway. The one acceptable exception is the OPTIONS method, which serves CORS preflight requests and is expected to answer without authorization.

Code Example

```yaml
Resources:
  ProtectedExample1:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
+     HttpMethod: OPTIONS        # CORS preflight: unauthenticated OPTIONS is acceptable
      AuthorizationType: NONE
      ...

  ProtectedExample2:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
      HttpMethod: GET
      AuthorizationType: NONE
+     ApiKeyRequired: true       # protected by an API key instead of an authorizer
      ...

  ProtectedExample3:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ...
      HttpMethod: GET
+     AuthorizationType: AWS_IAM # or other valid authorization types
      ...
```

Remediation

CloudFormation

  • Resource: AWS::ApiGateway::Method
  • Arguments: Properties.HttpMethod / Properties.AuthorizationType / Properties.ApiKeyRequired
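The following added example is not part of the original page or of Checkov itself; it is a small stand-alone checker that applies the same pass/fail logic the three examples above illustrate to a parsed CloudFormation template. The template is constructed here in JSON form so the script runs offline; the logical IDs and resource mix are assumptions.

```python
import json

# Constructed CloudFormation template (JSON form) mirroring the page's three
# passing examples plus one failing method; assumed data, not from the page.
TEMPLATE = json.loads("""
{
  "Resources": {
    "PreflightMethod": {"Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "OPTIONS", "AuthorizationType": "NONE"}},
    "KeyProtectedMethod": {"Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "GET", "AuthorizationType": "NONE",
                     "ApiKeyRequired": true}},
    "IamProtectedMethod": {"Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "GET", "AuthorizationType": "AWS_IAM"}},
    "OpenMethod": {"Type": "AWS::ApiGateway::Method",
      "Properties": {"HttpMethod": "POST", "AuthorizationType": "NONE"}},
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def method_is_protected(props):
    """True when a single AWS::ApiGateway::Method passes the check.

    A method counts as protected when any of these hold (the three cases
    shown on the page): HttpMethod is OPTIONS (CORS preflight), an
    AuthorizationType other than NONE is set, or ApiKeyRequired is true.
    A missing AuthorizationType is treated as NONE (fail-closed).
    """
    http_method = str(props.get("HttpMethod", "")).upper()
    auth_type = str(props.get("AuthorizationType", "NONE")).upper()
    # Accept both YAML booleans and the string "true" for ApiKeyRequired.
    api_key_required = str(props.get("ApiKeyRequired", "false")).lower() == "true"
    return http_method == "OPTIONS" or auth_type != "NONE" or api_key_required


def find_unprotected_methods(template):
    """Return logical IDs of API Gateway methods that fail the check."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        if not method_is_protected(resource.get("Properties", {})):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for logical_id in find_unprotected_methods(TEMPLATE):
        print(f"IAC-0112 / CKV_AWS_59 FAILED: {logical_id} is publicly accessible")
```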

Rule Details

| Field | Value |
|---|---|
| ID | IAC-0112 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_59 |