API Gateway Method Does Not Contains An API Key
- Query id: 3641d5b4-d339-4bc2-bfb9-208fe8d3477f
- Query name: API Gateway Method Does Not Contains An API Key
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
An API key should be required on every AWS::ApiGateway::Method by setting ApiKeyRequired: true. The property defaults to false, so a method that omits it is as open as one that sets it to false explicitly, and the query flags both shapes. Two caveats when fixing a finding: a key only takes effect once an AWS::ApiGateway::ApiKey is attached, through an AWS::ApiGateway::UsagePlanKey, to an AWS::ApiGateway::UsagePlan that covers the deployed stage (until then API Gateway rejects every call to the method with 403), and an API key is a metering and throttling control rather than an authentication mechanism, so it should not be the only gate on a method. The samples below keep AuthorizationType: NONE because this query does not evaluate it; a real method should also carry AWS_IAM, COGNITO_USER_POOLS or CUSTOM authorization.
Documentation
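The check this page describes, as an added example that is not KICS's own query code or AWS code: a small Python scanner over an already-parsed CloudFormation template that reports the Medium finding above (ApiKeyRequired missing or false) and two Info findings that matter once it is fixed (a key-required method left at AuthorizationType NONE, and a template with no UsagePlanKey to make the key usable). The sample templates, the finding shape and the helper names (check_template, check_json, _method) are this example's own assumptions; it reads JSON with the standard library and assumes YAML templates have been converted first (for example with cfn-flip), since !Ref and !GetAtt tags need a tag-aware loader.

```python
"""Flag AWS::ApiGateway::Method resources that do not require an API key.

Added example, not KICS or AWS code: a stand-alone re-implementation of the
check this page describes, plus two follow-up checks a reviewer would want.
Templates below are constructed samples already parsed into dicts (JSON
templates load with json.loads; YAML templates with !Ref/!GetAtt tags need a
tag-aware loader such as cfn-flip's to_json before reaching check_template).
"""
from __future__ import annotations

import json

METHOD_TYPE = "AWS::ApiGateway::Method"
USAGE_PLAN_KEY_TYPE = "AWS::ApiGateway::UsagePlanKey"


def _is_true(value) -> bool:
    """ApiKeyRequired must be a literal true. The CloudFormation default is
    false, so an absent value, an explicit false, or an unresolved intrinsic
    such as {"Ref": "SomeParam"} are all treated as not required (conservative)."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def check_template(template: dict) -> list[dict]:
    """Return one finding dict per issue: the Medium finding that mirrors the
    KICS query, and Info findings for two traps that follow from fixing it."""
    resources = template.get("Resources") or {}
    findings = []
    has_plan_key = any(r.get("Type") == USAGE_PLAN_KEY_TYPE for r in resources.values())
    for logical_id, res in resources.items():
        if res.get("Type") != METHOD_TYPE:
            continue
        props = res.get("Properties") or {}
        if not _is_true(props.get("ApiKeyRequired")):
            findings.append({"resource": logical_id, "severity": "Medium",
                             "issue": "ApiKeyRequired is missing or false",
                             "fix": "set Properties.ApiKeyRequired to true"})
            continue
        # A key is metering/throttling, not authentication: a key-required
        # method with AuthorizationType NONE still admits any key holder.
        if props.get("AuthorizationType", "NONE") == "NONE":
            findings.append({"resource": logical_id, "severity": "Info",
                             "issue": "ApiKeyRequired is true but AuthorizationType is NONE",
                             "fix": "add AWS_IAM, COGNITO_USER_POOLS or CUSTOM authorization"})
        # Keys only work once attached to a usage plan for the deployed stage;
        # until then API Gateway answers every call to the method with 403.
        if not has_plan_key:
            findings.append({"resource": logical_id, "severity": "Info",
                             "issue": "no AWS::ApiGateway::UsagePlanKey in this template",
                             "fix": "attach an ApiKey to a UsagePlan covering the stage "
                                    "(or confirm the plan exists in another stack)"})
    return findings


def check_json(text: str) -> list[dict]:
    """Entry point for a JSON template read from disk: parse, then check."""
    return check_template(json.loads(text))


def _method(**overrides) -> dict:
    """Constructed sample: a minimal GET on the root resource, like the page's fixtures."""
    props = {"RestApiId": {"Ref": "MyApi"},
             "ResourceId": {"Fn::GetAtt": ["MyApi", "RootResourceId"]},
             "HttpMethod": "GET", "AuthorizationType": "NONE",
             "Integration": {"Type": "MOCK"},
             "MethodResponses": [{"StatusCode": "200"}]}
    props.update(overrides)
    return {"Type": METHOD_TYPE, "Properties": props}


_API = {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "demo"}}

# Constructed samples (not from the page): the two positive shapes, the
# flag-only fix, and a complete hardened template with key + usage plan wiring.
OPEN_TEMPLATE = {"Resources": {"MyApi": _API,
                               "ExplicitFalse": _method(ApiKeyRequired=False),
                               "Omitted": _method()}}

FLAG_ONLY_TEMPLATE = {"Resources": {"MyApi": _API,
                                    "KeyOnly": _method(ApiKeyRequired=True)}}

HARDENED_TEMPLATE = {"Resources": {
    "MyApi": _API,
    "GetRoot": _method(ApiKeyRequired=True, AuthorizationType="AWS_IAM"),
    "Deployment": {"Type": "AWS::ApiGateway::Deployment", "DependsOn": "GetRoot",
                   "Properties": {"RestApiId": {"Ref": "MyApi"}, "StageName": "prod"}},
    "Key": {"Type": "AWS::ApiGateway::ApiKey", "Properties": {"Enabled": True}},
    "Plan": {"Type": "AWS::ApiGateway::UsagePlan", "DependsOn": "Deployment",
             "Properties": {"ApiStages": [{"ApiId": {"Ref": "MyApi"}, "Stage": "prod"}],
                            "Throttle": {"RateLimit": 10, "BurstLimit": 20}}},
    "PlanKey": {"Type": USAGE_PLAN_KEY_TYPE,
                "Properties": {"KeyId": {"Ref": "Key"}, "KeyType": "API_KEY",
                               "UsagePlanId": {"Ref": "Plan"}}}}}


if __name__ == "__main__":
    for name, tpl in [("open", OPEN_TEMPLATE), ("flag-only", FLAG_ONLY_TEMPLATE),
                      ("hardened", HARDENED_TEMPLATE)]:
        for f in check_template(tpl) or [{"resource": "-", "severity": "OK", "issue": "no findings"}]:
            print(f"{name:9} {f['severity']:6} {f['resource']:13} {f['issue']}")
```

Running the module prints two Medium findings for the open template, two Info findings for the flag-only template, and nothing for the hardened one. Treating an unresolved intrinsic as "not required" is a deliberate choice: a parameter-driven ApiKeyRequired may well be false at deploy time, so the scanner errs on the side of a finding and lets the reviewer confirm the parameter default.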
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ApiKeyRequired: false   # explicit false: flagged
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode: "200"
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod1:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      # ApiKeyRequired omitted: defaults to false, so this is flagged too
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode: "200"
```
Positive test num. 3 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "ApiKeyRequired": false,
        "RestApiId": { "Ref": "MyApi" },
        "ResourceId": { "Fn::GetAtt": ["MyApi", "RootResourceId"] },
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  }
}
```
Positive test num. 4 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod1": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "ResourceId": { "Fn::GetAtt": ["MyApi", "RootResourceId"] },
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "RestApiId": { "Ref": "MyApi" }
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ApiGateway
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      ApiKeyRequired: true   # required: the query passes
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      # NONE is left as in the fixture; the query does not evaluate it,
      # but an API key alone does not authenticate callers
      AuthorizationType: NONE
      Integration:
        Type: MOCK
      MethodResponses:
        - StatusCode: "200"
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ApiGateway",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "Integration": {
          "Type": "MOCK"
        },
        "MethodResponses": [
          {
            "StatusCode": "200"
          }
        ],
        "ApiKeyRequired": true,
        "RestApiId": { "Ref": "MyApi" },
        "ResourceId": { "Fn::GetAtt": ["MyApi", "RootResourceId"] },
        "HttpMethod": "GET",
        "AuthorizationType": "NONE"
      }
    }
  }
}
```