API Gateway authorizer caching TTL is not configured

Affecting API Gateway (REST APIs) service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Availability / Best Practices

  • Snyk ID: SNYK-CC-00771
  • Credit: Snyk Research Team

Description

Disabling the TTL for API Gateway Authorizer caching can lead to increased latency and higher load on the authorizer's Lambda function, potentially impacting performance and cost. Without TTL, each request requires a fresh authorization decision, which can also increase the risk of rate-limiting and reduce the overall availability of the service.

How to fix?

Set the authorizer_result_ttl_in_seconds attribute in an aws_apigatewayv2_authorizer or an aws_api_gateway_authorizer resource to a value greater than 0.

Example Configuration

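resource "aws_apigatewayv2_authorizer" "allowed1" {
  api_id                            = aws_apigatewayv2_api.api.id
  authorizer_type                   = "REQUEST"
  authorizer_uri                    = aws_lambda_function.lambda.invoke_arn
  # A value greater than 0 enables caching of authorizer results
  authorizer_result_ttl_in_seconds  = 500
  # Identity sources form the cache key when caching is enabled
  identity_sources                  = ["$request.header.Authorization"]
  authorizer_payload_format_version = "1.0"
  name                              = "authorizer"
}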

Or

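resource "aws_api_gateway_authorizer" "allowed1" {
  # Reference the REST API resource, not the authorizer itself
  rest_api_id                       = aws_api_gateway_rest_api.api.id
  type                              = "REQUEST"
  authorizer_uri                    = aws_lambda_function.lambda.invoke_arn
  # A value greater than 0 enables caching of authorizer results
  authorizer_result_ttl_in_seconds  = 500
  name                              = "authorizer"
}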
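
One way to check a Terraform plan for this misconfiguration before applying it, as an added example (not Snyk's rule logic or code from the original page). It reads the JSON produced by terraform show -json and reports both authorizer resource types named above. The resource addresses in the sample plan are constructed, and treating an attribute that is absent from the plan as a finding is an assumption of this example.

```python
import json

AUTHORIZER_TYPES = {"aws_api_gateway_authorizer", "aws_apigatewayv2_authorizer"}
TTL_ATTR = "authorizer_result_ttl_in_seconds"

# Constructed sample in the shape of `terraform show -json` output (trimmed).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_api_gateway_authorizer.allowed1", "type": "aws_api_gateway_authorizer", "values": {"authorizer_result_ttl_in_seconds": 500}},
    {"address": "aws_apigatewayv2_authorizer.disabled", "type": "aws_apigatewayv2_authorizer", "values": {"authorizer_result_ttl_in_seconds": 0}},
    {"address": "aws_lambda_function.lambda", "type": "aws_lambda_function", "values": {}}],
  "child_modules": [{"address": "module.edge", "resources": [
    {"address": "module.edge.aws_api_gateway_authorizer.unset", "type": "aws_api_gateway_authorizer", "values": {"name": "authorizer"}}]}]}}}
""")

def _walk(module):
    """Yield every resource in a module, then in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_uncached_authorizers(plan):
    """Return (address, reason) pairs for authorizers without result caching."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk(root):
        if res.get("type") not in AUTHORIZER_TYPES:
            continue
        ttl = (res.get("values") or {}).get(TTL_ATTR)
        if ttl is None:
            # Assumption of this example: an absent value is reported too.
            findings.append((res["address"], "TTL not set in plan"))
        elif ttl <= 0:
            findings.append((res["address"], f"TTL is {ttl}, caching disabled"))
    return findings

if __name__ == "__main__":
    for address, reason in find_uncached_authorizers(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```
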