API Gateway Method Does Not Contains An API Key

  • Query id: 3641d5b4-d339-4bc2-bfb9-208fe8d3477f
  • Query name: API Gateway Method Does Not Contains An API Key
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

An API Key should be required on a method request.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ApiKeyRequired: false
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode : "200"
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod1:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode : "200"
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "ApiKeyRequired": false,
        "RestApiId": "MyApi",
        "ResourceId": [
          "MyApi",
          "RootResourceId"
        ],
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  }
}

Positive test num. 4 - json file
{
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod1": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ResourceId": [
          "MyApi",
          "RootResourceId"
        ],
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "RestApiId": "MyApi"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ApiKeyRequired: true
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: ""
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode : "200"
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "Integration": {
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "ApiKeyRequired": true,
        "RestApiId": "MyApi",
        "ResourceId": [
          "MyApi",
          "RootResourceId"
        ],
        "HttpMethod": "",
        "AuthorizationType": "NONE"
      }
    }
  }
}