Authorization type for API GatewayV2 routes is not specified
Description
This policy checks AWS API GatewayV2 configurations to ensure that every route specifies an authorization type. A route without an authorization type might allow unauthorized users to access sensitive data or execute harmful operations, which can lead to data leakage or other security issues.
Code Example
```hcl
resource "aws_apigatewayv2_route" "example" {
  api_id             = aws_apigatewayv2_api.example.id
  route_key          = "$default"
  target             = "integrations/${aws_apigatewayv2_integration.example.id}"
  authorization_type = "AWS_IAM"
}
```
Remediation
Terraform
- Resource: aws_apigatewayv2_route
- Arguments: authorization_type
To fix this issue, explicitly set the authorization type for the API GatewayV2 route to one of "AWS_IAM", "CUSTOM", or "JWT".
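As an added example (not Checkov's implementation and not code from this page), the following Python check applies the same rule to the JSON form of a Terraform plan, as produced by `terraform show -json`, including routes declared inside child modules. The sample plan, its resource addresses and the function names are constructed for illustration.

```python
import json

# Values the page's remediation accepts; the provider default "NONE" is not one.
ALLOWED = {"AWS_IAM", "CUSTOM", "JWT"}

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unauthorized_routes(plan):
    """Return (address, route_key, authorization_type) for each failing route."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_apigatewayv2_route":
            continue
        values = res.get("values") or {}
        auth = values.get("authorization_type")  # absent or None counts as unset
        if auth not in ALLOWED:
            findings.append((res.get("address"), values.get("route_key"), auth))
    return findings

# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_apigatewayv2_route.example", "type": "aws_apigatewayv2_route",
     "values": {"route_key": "$default", "authorization_type": "AWS_IAM"}},
    {"address": "aws_apigatewayv2_route.open", "type": "aws_apigatewayv2_route",
     "values": {"route_key": "GET /items", "authorization_type": "NONE"}},
    {"address": "aws_apigatewayv2_api.example", "type": "aws_apigatewayv2_api",
     "values": {"protocol_type": "HTTP"}}
  ],
  "child_modules": [
    {"address": "module.ws", "resources": [
      {"address": "module.ws.aws_apigatewayv2_route.connect",
       "type": "aws_apigatewayv2_route", "values": {"route_key": "$connect"}}
    ]}
  ]
}}}
""")

if __name__ == "__main__":
    for address, route_key, auth in unauthorized_routes(SAMPLE_PLAN):
        print(f"FAIL {address} route_key={route_key!r} authorization_type={auth!r}")
```
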
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0356 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_309 |