Alibaba Cloud API Gateway API Protocol does not use HTTPS
Description
This policy ensures that Alibaba Cloud API Gateway APIs are configured to only accept HTTPS traffic. HTTPS ensures that communications between the clients and the API Gateway are securely encrypted, protecting against potential eavesdropping and man-in-the-middle attacks.
Failing to enforce HTTPS can result in sensitive data being transmitted over unencrypted connections, leaving it vulnerable to interception and tampering.
Code Example
```hcl
resource "alicloud_api_gateway_api" "example" {
  ...
  request_config {
    ...
+   protocol = "HTTPS"
  }
}
```
Remediation
Terraform
- Resource: alicloud_api_gateway_api
- Attribute: request_config.protocol
To mitigate this issue, ensure that the `protocol` attribute in the `request_config` block of the `alicloud_api_gateway_api` resource is set to `HTTPS`.
Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0021 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_ALI_21 |
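
One way to check the `request_config.protocol` attribute described above before `terraform apply`, as an added example that is not part of the original policy page or of Checkov's own code. It assumes the plan has been exported with `terraform show -json`; the function names, resource addresses and sample plan are constructed for illustration, and any value other than the exact string `HTTPS` is treated as a finding.

```python
RESOURCE_TYPE = "alicloud_api_gateway_api"

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def non_https_apis(plan):
    """Return (address, protocol) for each API whose request_config is not HTTPS-only."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        # Nested blocks appear in plan JSON as a list of objects.
        blocks = (res.get("values") or {}).get("request_config") or []
        if not blocks:
            findings.append((res["address"], None))
        for block in blocks:
            protocol = block.get("protocol")
            # A missing value (not known until apply) is reported as None
            # so that it is reviewed instead of silently passing.
            if protocol != "HTTPS":
                findings.append((res["address"], protocol))
    return findings

# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "alicloud_api_gateway_group.main",
         "type": "alicloud_api_gateway_group", "values": {"name": "demo"}},
        {"address": "alicloud_api_gateway_api.secure", "type": RESOURCE_TYPE,
         "values": {"request_config": [{"protocol": "HTTPS", "path": "/a"}]}},
        {"address": "alicloud_api_gateway_api.plain", "type": RESOURCE_TYPE,
         "values": {"request_config": [{"protocol": "HTTP", "path": "/b"}]}},
    ],
    "child_modules": [{"address": "module.edge", "resources": [
        {"address": "module.edge.alicloud_api_gateway_api.mixed",
         "type": RESOURCE_TYPE,
         "values": {"request_config": [{"protocol": "HTTP,HTTPS", "path": "/c"}]}},
    ]}],
}}}

if __name__ == "__main__":
    for address, protocol in non_https_apis(SAMPLE_PLAN):
        print(f"IAC-0021 {address}: protocol={protocol!r}, expected 'HTTPS'")
```

To run it against a real plan, load the output of `terraform show -json` with `json.load` and pass the result to `non_https_apis`.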