API Gateway Without Security Policy

  • Query id: 8275fab0-68ec-4705-bbf4-86975edb170e
  • Query name: API Gateway Without Security Policy
  • Platform: CloudFormation
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

API Gateway should have a Security Policy defined and use TLS 1.2.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
      SecurityPolicy: "TLS_1_0"
Outputs:
  DomainName:
    Value: !Ref myDomainName
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName1:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
Outputs:
  DomainName:
    Value: !Ref myDomainName
Positive test num. 3 - json file
{
  "Description": "Router53",
  "Parameters": {
    "cfnDomainName": {
      "Type": "String"
    },
    "certificateArn": {
      "Type": "String"
    },
    "type": {
      "Type": "String"
    }
  },
  "Resources": {
    "myDomainName": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {
        "CertificateArn": "certificateArn",
        "DomainName": "cfnDomainName",
        "EndpointConfiguration": {
          "Types": [
            "type"
          ]
        },
        "RegionalCertificateArn": "certificateArn",
        "SecurityPolicy": "TLS_1_0"
      }
    }
  },
  "Outputs": {
    "DomainName": {
      "Value": "myDomainName"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Positive test num. 4 - json file
{
  "Parameters": {
    "type": {
      "Type": "String"
    },
    "cfnDomainName": {
      "Type": "String"
    },
    "certificateArn": {
      "Type": "String"
    }
  },
  "Resources": {
    "myDomainName1": {
      "Properties": {
        "DomainName": "cfnDomainName",
        "EndpointConfiguration": {
          "Types": [
            "type"
          ]
        },
        "RegionalCertificateArn": "certificateArn",
        "CertificateArn": "certificateArn"
      },
      "Type": "AWS::ApiGateway::DomainName"
    }
  },
  "Outputs": {
    "DomainName": {
      "Value": "myDomainName"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53"
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
      SecurityPolicy: "TLS_1_2"
Outputs:
  DomainName:
    Value: !Ref myDomainName
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Parameters": {
    "cfnDomainName": {
      "Type": "String"
    },
    "certificateArn": {
      "Type": "String"
    },
    "type": {
      "Type": "String"
    }
  },
  "Resources": {
    "myDomainName": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {
        "DomainName": "cfnDomainName",
        "EndpointConfiguration": {
          "Types": [
            "type"
          ]
        },
        "RegionalCertificateArn": "certificateArn",
        "SecurityPolicy": "TLS_1_2",
        "CertificateArn": "certificateArn"
      }
    }
  },
  "Outputs": {
    "DomainName": {
      "Value": "myDomainName"
    }
  }
}