API Gateway allows anonymous access Affecting API Gateway (REST APIs) service in AWS

Severity Framework Snyk CCSS

Rule category General / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM

Snyk ID SNYK-CC-00250
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

API Gateway will accept HTTP methods without authorization so anyone could potentially access resources behind the gateway.

How to fix?

Set authorization attribute to value other than NONE.

Example Configuration

resource "aws_api_gateway_method" "any" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "ANY"
  authorization = "AWS_IAM"

CloudFormation

AWS::ApiGateway::Method
AWS::ApiGateway::RestApi

Terraform

Resource: aws_api_gateway_method
Resource: aws_api_gateway_rest_api

References

Set up a method request in API Gateway