
no-public-access

Explanation

API Gateway methods should be protected by an authorization method or an API key. OPTIONS verb calls can be used without authorization.

Possible Impact

API Gateway methods can be accessed without authorization

Suggested Resolution

Use an authorization method or require an API key

Insecure Example

The following example will fail the aws-api-gateway-no-public-access check.

resource "aws_api_gateway_method" "bad_example" {
  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
  resource_id   = aws_api_gateway_resource.MyDemoResource.id
  http_method   = "GET"
  authorization = "NONE"
}

Secure Example

The following example will pass the aws-api-gateway-no-public-access check.

resource "aws_api_gateway_method" "good_example" {
  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
  resource_id   = aws_api_gateway_resource.MyDemoResource.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}
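
The rule as described above can also be applied to the JSON form of a Terraform plan, which covers methods declared inside modules. The following is an added example, not tfsec's own implementation; the sample plan and the resource names other than bad_example and good_example are constructed, and it assumes the plan layout produced by `terraform show -json`.

```python
# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_api_gateway_method.bad_example",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "GET", "authorization": "NONE"}},
        {"address": "aws_api_gateway_method.good_example",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "GET", "authorization": "AWS_IAM"}},
        {"address": "aws_api_gateway_method.key_only",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "POST", "authorization": "NONE",
                    "api_key_required": True}},
    ],
    "child_modules": [{"address": "module.api", "resources": [
        {"address": "module.api.aws_api_gateway_method.preflight",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "OPTIONS", "authorization": "NONE"}},
        {"address": "module.api.aws_api_gateway_method.open_delete",
         "type": "aws_api_gateway_method",
         "values": {"http_method": "DELETE", "authorization": "NONE",
                    "api_key_required": False}},
    ]}],
}}}


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unprotected_methods(plan):
    """Return addresses of methods with no authorization and no API key."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_api_gateway_method":
            continue
        values = res.get("values") or {}
        # `or ""` keeps a null plan value from turning into the string "None".
        if (values.get("http_method") or "").upper() == "OPTIONS":
            continue  # OPTIONS calls are exempt, per the explanation above
        if values.get("api_key_required") is True:
            continue  # an API key is accepted in place of authorization
        if (values.get("authorization") or "").upper() == "NONE":
            findings.append(res["address"])
    return findings
```

Calling `unprotected_methods(SAMPLE_PLAN)` reports `bad_example` and the module's `open_delete` method, and skips the IAM-protected, key-protected and OPTIONS methods.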