CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging or Network.
API keys are static, hard-coded secrets which are difficult to rotate or prevent from being leaked and re-used to gain unauthorized access. Instead, use an identity provider with strong authentication, such as AWS IAM, AWS Cognito, AWS OpenID Connect, etc.
Set the authentication_type attribute to AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT or AWS_LAMBDA, but not API_KEY.
Example configuration:

# Primary authentication through AWS IAM: callers sign requests with SigV4
# using IAM credentials, so there is no static API key to leak.
resource "aws_appsync_graphql_api" "valid_iam_auth" {
  authentication_type = "AWS_IAM"
  name                = "valid_iam_auth"
}

# Cognito user pool that acts as the identity provider for the API below.
resource "aws_cognito_user_pool" "valid_cognito_user_auth" {
  name                = "valid_cognito_user_auth"
  username_attributes = ["email"]
}

# Region lookup referenced by user_pool_config; added so the reference resolves.
data "aws_region" "current" {}

# Primary authentication through Cognito user pools: callers present a JWT
# issued by the pool. default_action = "DENY" rejects requests whose token does
# not match the configured pool and app client.
resource "aws_appsync_graphql_api" "valid_cognito_user_auth" {
  authentication_type = "AMAZON_COGNITO_USER_POOLS"
  name                = "valid_cognito_user_auth"

  user_pool_config {
    aws_region     = data.aws_region.current.name
    default_action = "DENY"
    user_pool_id   = aws_cognito_user_pool.valid_cognito_user_auth.id
  }
}

# Primary authentication through a custom Lambda authorizer; replace the
# <REGION> and <ACCOUNT_ID> placeholders with your own values.
resource "aws_appsync_graphql_api" "valid_lambda_auth" {
  authentication_type = "AWS_LAMBDA"
  name                = "valid_lambda_auth"

  lambda_authorizer_config {
    authorizer_uri = "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:custom_lambda_authorizer"
  }
}
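The following is an added example of how the rule above can be checked before deployment; it is not the scanner's own code and not part of the original page. It uses a small brace-counting HCL reader (an assumption: it handles ordinary resource files, not every HCL construct) to find every aws_appsync_graphql_api resource whose authentication_type is outside the allowed set. It also inspects additional_authentication_provider blocks, on the assumption that an API key added as a secondary provider carries the same risk as a primary one; the rule text itself only names the top-level attribute. The Terraform sample is constructed for the example.

```python
import re
from dataclasses import dataclass

# Authentication types the rule accepts for aws_appsync_graphql_api.
ALLOWED_AUTH_TYPES = {"AWS_IAM", "AMAZON_COGNITO_USER_POOLS", "OPENID_CONNECT", "AWS_LAMBDA"}

RESOURCE_RE = re.compile(r'resource\s+"aws_appsync_graphql_api"\s+"([^"]+)"\s*\{')
NESTED_BLOCK_RE = re.compile(r'(\w+)\s*\{')
AUTH_TYPE_RE = re.compile(r'authentication_type\s*=\s*"([^"]*)"')

# Constructed sample: two misconfigured APIs and one that follows the rule.
SAMPLE_TF = '''
resource "aws_appsync_graphql_api" "weak_api_key" {
  authentication_type = "API_KEY"
  name                = "weak_api_key"
}

resource "aws_appsync_graphql_api" "iam_with_key_fallback" {
  authentication_type = "AWS_IAM"
  name                = "iam_with_key_fallback"

  additional_authentication_provider {
    authentication_type = "API_KEY"
  }
}

resource "aws_cognito_user_pool" "pool" {
  name                = "pool"
  username_attributes = ["email"]
}

resource "aws_appsync_graphql_api" "cognito_auth" {
  authentication_type = "AMAZON_COGNITO_USER_POOLS"
  name                = "cognito_auth"

  user_pool_config {
    aws_region     = "us-east-1"
    default_action = "DENY"
    user_pool_id   = aws_cognito_user_pool.pool.id
  }
}
'''


@dataclass
class Finding:
    resource: str  # Terraform resource name
    setting: str   # attribute carrying the weak value
    value: str     # the offending authentication_type


def _block_body(text, open_brace):
    """Return the text between the brace at index open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def _split_body(body):
    """Split a block body into its top-level text and a list of (name, body) nested blocks."""
    top_level, nested, pos = [], [], 0
    while pos < len(body):
        m = NESTED_BLOCK_RE.search(body, pos)
        if not m:
            top_level.append(body[pos:])
            break
        top_level.append(body[pos:m.start()])
        inner = _block_body(body, m.end() - 1)
        nested.append((m.group(1), inner))
        pos = m.end() + len(inner) + 1  # resume after the nested block's closing brace
    return "".join(top_level), nested


def check_appsync_auth(hcl):
    """Return a Finding for each aws_appsync_graphql_api that relies on API_KEY or has no auth type."""
    findings = []
    for m in RESOURCE_RE.finditer(hcl):
        name = m.group(1)
        top_level, nested = _split_body(_block_body(hcl, m.end() - 1))
        # Primary authentication_type lives at the top level of the resource body;
        # nested blocks were split out so their attributes are not mistaken for it.
        primary = AUTH_TYPE_RE.search(top_level)
        value = primary.group(1) if primary else "<missing>"
        if value not in ALLOWED_AUTH_TYPES:
            findings.append(Finding(name, "authentication_type", value))
        # Assumption beyond the rule text: a secondary API_KEY provider is flagged as well.
        for block_name, block_body in nested:
            if block_name != "additional_authentication_provider":
                continue
            extra = AUTH_TYPE_RE.search(block_body)
            if extra and extra.group(1) not in ALLOWED_AUTH_TYPES:
                findings.append(Finding(name, "additional_authentication_provider.authentication_type", extra.group(1)))
    return findings


if __name__ == "__main__":
    for f in check_appsync_auth(SAMPLE_TF):
        print(f"{f.resource}: {f.setting} = {f.value} (use AWS_IAM, Cognito, OIDC or a Lambda authorizer)")
```

Run it against a directory of .tf files by reading each file into the string passed to check_appsync_auth; a missing authentication_type is reported as "<missing>" so that a resource which would fail terraform validate anyway still surfaces in the report.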