API Gateway allows anonymous access

Affecting API Gateway (REST APIs) service in AWS


Severity

high

Frameworks: CIS-Controls, CIS-AWS-Foundations, CSA-CCM
  • Snyk ID: SNYK-CC-TF-99
  • Credit: Snyk Research Team

Description

Anyone could potentially access the resources behind the gateway.

How to fix?

Set the authorization attribute to a value other than NONE, use api_key_required, or properly use an OpenAPI extension such as x-amazon-apigateway-authtype.
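The Terraform below is an added example, not taken from the Snyk rule itself. It shows a method with the weak setting next to two of the fixes named above. The resource names, the "orders" path and the choice of AWS_IAM as the authorization type are assumptions made for illustration.

```hcl
# Constructed example; all resource names and the path are placeholders.
resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"
}

resource "aws_api_gateway_resource" "orders" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  parent_id   = aws_api_gateway_rest_api.example.root_resource_id
  path_part   = "orders"
}

# Weak: authorization is NONE and api_key_required is left at its
# default (false), so the method accepts anonymous callers.
resource "aws_api_gateway_method" "orders_get" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "GET"
  authorization = "NONE"
}

# Fix, option 1: a value other than NONE. AWS_IAM requires SigV4-signed
# requests from a principal whose IAM policy allows execute-api:Invoke.
resource "aws_api_gateway_method" "orders_post" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "POST"
  authorization = "AWS_IAM"
}

# Fix, option 2: keep authorization NONE but require an API key.
# The key only takes effect once it is attached to a usage plan
# that covers the deployed stage.
resource "aws_api_gateway_method" "orders_put" {
  rest_api_id      = aws_api_gateway_rest_api.example.id
  resource_id      = aws_api_gateway_resource.orders.id
  http_method      = "PUT"
  authorization    = "NONE"
  api_key_required = true
}
```

AWS documentation advises against relying on API keys as the only access control, so option 1 (or a Cognito or Lambda authorizer) is the stronger choice for methods that expose sensitive data.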