API Gateway Without Security Policy
- Query id: 8275fab0-68ec-4705-bbf4-86975edb170e
- Query name: API Gateway Without Security Policy
- Platform: CloudFormation
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
API Gateway should have a Security Policy defined and use TLS 1.2.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
cfnDomainName:
Type: String
certificateArn:
Type: String
type:
Type: String
Resources:
myDomainName:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
EndpointConfiguration:
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
SecurityPolicy: "TLS_1_0"
Outputs:
DomainName:
Value: !Ref myDomainName
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
cfnDomainName:
Type: String
certificateArn:
Type: String
type:
Type: String
Resources:
myDomainName1:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
EndpointConfiguration:
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
Outputs:
DomainName:
Value: !Ref myDomainName
Positive test num. 3 - json file
{
"Description": "Router53",
"Parameters": {
"cfnDomainName": {
"Type": "String"
},
"certificateArn": {
"Type": "String"
},
"type": {
"Type": "String"
}
},
"Resources": {
"myDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"CertificateArn": "certificateArn",
"DomainName": "cfnDomainName",
"EndpointConfiguration": {
"Types": [
"type"
]
},
"RegionalCertificateArn": "certificateArn",
"SecurityPolicy": "TLS_1_0"
}
}
},
"Outputs": {
"DomainName": {
"Value": "myDomainName"
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Positive test num. 4 - json file
{
"Parameters": {
"type": {
"Type": "String"
},
"cfnDomainName": {
"Type": "String"
},
"certificateArn": {
"Type": "String"
}
},
"Resources": {
"myDomainName1": {
"Properties": {
"DomainName": "cfnDomainName",
"EndpointConfiguration": {
"Types": [
"type"
]
},
"RegionalCertificateArn": "certificateArn",
"CertificateArn": "certificateArn"
},
"Type": "AWS::ApiGateway::DomainName"
}
},
"Outputs": {
"DomainName": {
"Value": "myDomainName"
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
cfnDomainName:
Type: String
certificateArn:
Type: String
type:
Type: String
Resources:
myDomainName:
Type: AWS::ApiGateway::DomainName
Properties:
CertificateArn: !Ref certificateArn
DomainName: !Ref cfnDomainName
EndpointConfiguration:
Types:
- !Ref type
RegionalCertificateArn: !Ref certificateArn
SecurityPolicy: "TLS_1_2"
Outputs:
DomainName:
Value: !Ref myDomainName
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Parameters": {
"cfnDomainName": {
"Type": "String"
},
"certificateArn": {
"Type": "String"
},
"type": {
"Type": "String"
}
},
"Resources": {
"myDomainName": {
"Type": "AWS::ApiGateway::DomainName",
"Properties": {
"DomainName": "cfnDomainName",
"EndpointConfiguration": {
"Types": [
"type"
]
},
"RegionalCertificateArn": "certificateArn",
"SecurityPolicy": "TLS_1_2",
"CertificateArn": "certificateArn"
}
}
},
"Outputs": {
"DomainName": {
"Value": "myDomainName"
}
}
}