API Gateway allows anonymous access Affecting API Gateway (REST APIs) service in AWS


Severity

0.0
high
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    General / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    CIS-Controls CSA-CCM
  • Snyk ID SNYK-CC-00250
  • credit Snyk Research Team

Description

API Gateway will accept HTTP methods without authorization so anyone could potentially access resources behind the gateway.

How to fix?

Set authorization attribute to value other than NONE.

Example Configuration

resource "aws_api_gateway_method" "any" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "ANY"
  authorization = "AWS_IAM"