no-public-access
Explanation
API Gateway methods should be protected by authorization or api key. OPTION verb calls can be used without authorization
Possible Impact
API gateway methods can be unauthorized accessed
Suggested Resolution
Use and authorization method or require API Key
Insecure Example
The following example will fail the aws-api-gateway-no-public-access check.
resource "aws_api_gateway_method" "bad_example" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
resource_id = aws_api_gateway_resource.MyDemoResource.id
http_method = "GET"
authorization = "NONE"
}
Secure Example
The following example will pass the aws-api-gateway-no-public-access check.
resource "aws_api_gateway_method" "good_example" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
resource_id = aws_api_gateway_resource.MyDemoResource.id
http_method = "GET"
authorization = "AWS_IAM"
}