API Gateway authorizer caching TTL is not configured Affecting API Gateway (REST APIs) service in AWS

Severity Framework Snyk CCSS

Rule category Availability / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

Snyk ID SNYK-CC-00771
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Disabling the TTL for API Gateway Authorizer caching can lead to increased latency and higher load on the authorizer's Lambda function, potentially impacting performance and cost. Without TTL, each request requires a fresh authorization decision, which can also increase the risk of rate-limiting and reduce the overall availability of the service.

How to fix?

Set the authorizer_result_ttl_in_seconds attribute in a aws_apigatewayv2_authorizer or a aws_api_gateway_authorizer resource to a value greater than 0.

Example Configuration

resource "aws_apigatewayv2_authorizer" "allowed1" {
  api_id                            = aws_apigatewayv2_api.api.id
  authorizer_type                   = "REQUEST"
  authorizer_uri                    = aws_lambda_function.lambda.invoke_arn
  authorizer_result_ttl_in_seconds  = 500
  identity_sources                  = [","]
  authorizer_payload_format_version = "1.0"
  name                              = "authorizer"
}

resource "aws_api_gateway_authorizer" "allowed1" {
  rest_api_id                       = aws_api_gateway_authorizer.api.id
  type                              = "REQUEST"
  authorizer_uri                    = aws_lambda_function.lambda.invoke_arn
  authorizer_result_ttl_in_seconds  = 500
  name                              = "authorizer"
}

Terraform

References

Use API Gateway Lambda authorizer