No unauthorized access to API Gateway methods
Default Severity: low
Explanation
API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization
Possible Impact
API gateway methods can be accessed without authorization.
Suggested Resolution
Use and authorization method or require API Key
Insecure Example
The following example will fail the aws-api-gateway-no-public-access check.
resource "aws_api_gateway_rest_api" "MyDemoAPI" {
}
resource "aws_api_gateway_resource" "MyDemoResource" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
}
resource "aws_api_gateway_method" "bad_example" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
resource_id = aws_api_gateway_resource.MyDemoResource.id
http_method = "GET"
authorization = "NONE"
}
Secure Example
The following example will pass the aws-api-gateway-no-public-access check.
resource "aws_api_gateway_rest_api" "MyDemoAPI" {
}
resource "aws_api_gateway_resource" "MyDemoResource" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
}
resource "aws_api_gateway_method" "good_example" {
rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
resource_id = aws_api_gateway_resource.MyDemoResource.id
http_method = "GET"
authorization = "AWS_IAM"
}