API Gateway Without Configured Authorizer
- Query id: 0a96ce49-4163-4ee6-8169-eb3b0797d694
- Query name: API Gateway Without Configured Authorizer
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
API Gateway REST API should have an API Gateway Authorizer
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_api_gateway_authorizer" "demo" {
name = "demo"
rest_api_id = aws_api_gateway_rest_api.demo.id
authorizer_uri = aws_lambda_function.authorizer.invoke_arn
authorizer_credentials = aws_iam_role.invocation_role.arn
}
resource "aws_api_gateway_rest_api" "demo2" {
name = "auth-demo"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_api_gateway_authorizer" "demo" {
name = "demo"
rest_api_id = aws_api_gateway_rest_api.demo.id
authorizer_uri = aws_lambda_function.authorizer.invoke_arn
authorizer_credentials = aws_iam_role.invocation_role.arn
}
resource "aws_api_gateway_rest_api" "demo" {
name = "auth-demo"
}