API Gateway Without Configured Authorizer
- Query id: b16cdb37-ce15-4ab2-8401-d42b05d123fc
- Query name: API Gateway Without Configured Authorizer
- Platform: Ansible
- Severity: Medium
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description
API Gateway REST APIs should have an API Gateway Authorizer configured.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.aws_api_gateway:
    swagger_dict:
      {
        "openapi": "3.0.0",
        "info":
          {
            "title": "Simple API Overview",
            "version": "1.0.0",
            "contact": { "name": "contact", "email": "user@gmail.com" },
          },
        "components":
          {
            "securitySchemes":
              {
                "request_authorizer_single_stagevar":
                  {
                    "type": "apiKey",
                    "name": "Unused",
                    "in": "header",
                    "x-amazon-apigateway-authtype": "custom",
                  },
              },
          },
      }
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Positive test num. 2 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API definition2
  aws_api_gateway:
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Positive test num. 3 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_file: swaggerFileWithoutAuthorizer.yaml
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Positive test num. 4 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_text: |
      openapi: 3.0.0
      info:
        title: Sample API
        description: Optional multiline or single-line description
        version: 0.1.9
      components:
        ssecuritySchemes:
          request_authorizer_single_stagevar:
            type: apiKey
            name: Unused
            in: header
            x-amazon-apigateway-authtype: custom
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API definition3
  community.aws.aws_api_gateway:
    swagger_file: swaggerFile.yaml
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Negative test num. 2 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API definition22222
  community.aws.aws_api_gateway:
    swagger_dict:
      {
        "openapi": "3.0.0",
        "info":
          {
            "title": "Simple API Overview",
            "version": "1.0.0",
            "contact": { "name": "contact", "email": "user@gmail.com" },
          },
        "components":
          {
            "securitySchemes":
              {
                "request_authorizer_single_stagevar":
                  {
                    "type": "apiKey",
                    "name": "Unused",
                    "in": "header",
                    "x-amazon-apigateway-authtype": "custom",
                    "x-amazon-apigateway-authorizer":
                      {
                        "type": "request",
                        "identitySource": "stageVariables.stage",
                        "authorizerCredentials": "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole",
                        "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations",
                        "authorizerResultTtlInSeconds": 300,
                      },
                  },
              },
          },
      }
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
Negative test num. 3 - yaml file
```yaml
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_text: |
      openapi: 3.0.0
      info:
        title: Sample API
        description: Optional multiline or single-line description
        version: 0.1.9
      components:
        securitySchemes:
          request_authorizer_single_stagevar:
            type: apiKey
            name: Unused
            in: header
            x-amazon-apigateway-authtype: custom
            x-amazon-apigateway-authorizer:
              type: request
              identitySource: stageVariables.stage
              authorizerCredentials: arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole
              authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations
              authorizerResultTtlInSeconds: 300
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
```
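As an added example that is not part of this page or of the KICS project, the Python below applies the rule behind this query to Ansible task dictionaries (the structure Ansible sees after parsing the playbook): a task of `aws_api_gateway` or `community.aws.aws_api_gateway` is reported as `MISSING_AUTHORIZER` unless some `components.securitySchemes` entry of its API definition carries `x-amazon-apigateway-authorizer`. The function names, status strings and the two embedded tasks (mirroring positive test 1 and negative test 2) are constructed here; a `swagger_file` reference is not opened and is reported as `UNDETERMINED`, and PyYAML is assumed only for the `swagger_text` case.

```python
try:
    import yaml  # PyYAML, needed only to parse an inline swagger_text
except ImportError:  # assumption: report UNDETERMINED when PyYAML is absent
    yaml = None

MODULES = {"aws_api_gateway", "community.aws.aws_api_gateway"}
MISSING, CONFIGURED, UNDETERMINED = (
    "MISSING_AUTHORIZER", "AUTHORIZER_CONFIGURED", "UNDETERMINED")


def definition_has_authorizer(spec):
    """True if some components.securitySchemes entry wires up an authorizer."""
    components = (spec or {}).get("components") or {}
    schemes = components.get("securitySchemes") or {}
    return any(isinstance(s, dict) and "x-amazon-apigateway-authorizer" in s
               for s in schemes.values())


def check_task(task):
    """Classify one parsed Ansible task; returns None for other modules."""
    params = next((task[m] for m in MODULES if m in task), None)
    if params is None:
        return None
    if "swagger_dict" in params:
        spec = params["swagger_dict"]
    elif "swagger_text" in params:
        if yaml is None:
            return UNDETERMINED
        spec = yaml.safe_load(params["swagger_text"])
    elif "swagger_file" in params:
        return UNDETERMINED  # external file is not opened here
    else:
        return MISSING  # no API definition at all, as in positive test 2
    return CONFIGURED if definition_has_authorizer(spec) else MISSING


# Constructed tasks mirroring positive test 1 and negative test 2 above.
SCHEME = {"type": "apiKey", "name": "Unused", "in": "header",
          "x-amazon-apigateway-authtype": "custom"}
VULNERABLE_TASK = {"community.aws.aws_api_gateway": {
    "swagger_dict": {"openapi": "3.0.0", "components": {"securitySchemes": {
        "request_authorizer_single_stagevar": dict(SCHEME)}}},
    "stage": "production", "state": "present"}}
SAFE_TASK = {"aws_api_gateway": {
    "swagger_dict": {"openapi": "3.0.0", "components": {"securitySchemes": {
        "request_authorizer_single_stagevar": {
            **SCHEME, "x-amazon-apigateway-authorizer": {
                "type": "request", "identitySource": "stageVariables.stage",
                "authorizerResultTtlInSeconds": 300}}}}},
    "stage": "production", "state": "present"}}
```

A misspelled key such as the `ssecuritySchemes` in positive test 4 is simply not found, so that definition is classified as missing an authorizer too.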