AWS API Gateway method lacking authorization or API keys
Description
This policy detects whether an API Gateway method is missing authorization or an API key. It is crucial to implement these security measures to ensure that only authenticated and authorized users can access the API. Without such controls, APIs could be exposed to unauthorized access and potential misuse, leading to data breaches, unauthorized data modifications, and other security vulnerabilities. Proper authorization mechanisms and API keys help safeguard sensitive information and maintain the integrity of the API.
Code Example
go
resource "aws_api_gateway_method" "example" {
...
# Ensure that authorization is set
authorization = "AWS_IAM"
# Optionally, you can also indicate that an API key is required
api_key_required = true
}Remediation
Terraform
- Resource: aws_api_gateway_method, aws_api_gateway_rest_api
- Arguments: authorization, api_key_required
In this example, the Terraform configuration defines an API Gateway method and configures it for secure access using AWS IAM authentication and an API key.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0503 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, |
| Checkov ID | CKV2_AWS_70 |