API Gateway Stage Without API Gateway UsagePlan Associated
- Query id: 7f8f1b60-43df-4c28-aa21-fb836dbd8071
- Query name: API Gateway Stage Without API Gateway UsagePlan Associated
- Platform: CloudFormation
- Severity: Low
- Category: Resource Management
- CWE: Ongoing
- URL: Github
Description¶
API Gateway Stage should have API Gateway UsagePlan defined and associated.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Prod:
Type: AWS::ApiGateway::Stage
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
- ResourcePath: /stack
HttpMethod: POST
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '555'
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Prod1:
Type: AWS::ApiGateway::Stage
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
- ResourcePath: /stack
HttpMethod: POST
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '555'
usagePlan1:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod1
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Prod2:
Type: AWS::ApiGateway::Stage
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi1
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
- ResourcePath: /stack
HttpMethod: POST
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '555'
usagePlan2:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"Prod": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"MethodSettings": [
{
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ResourcePath": "/",
"HttpMethod": "GET"
},
{
"ResourcePath": "/stack",
"HttpMethod": "POST",
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "999"
},
{
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "555",
"ResourcePath": "/stack",
"HttpMethod": "GET",
"MetricsEnabled": "true"
}
],
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": "MyRestApi",
"DeploymentId": "TestDeployment",
"DocumentationVersion": "MyDocumentationVersion",
"ClientCertificateId": "ClientCertificate",
"Variables": {
"Stack": "Prod"
}
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"Prod1": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"Variables": {
"Stack": "Prod"
},
"MethodSettings": [
{
"ResourcePath": "/",
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "false"
},
{
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "999",
"ResourcePath": "/stack",
"HttpMethod": "POST"
},
{
"ResourcePath": "/stack",
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "555"
}
],
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": "MyRestApi",
"DeploymentId": "TestDeployment",
"DocumentationVersion": "MyDocumentationVersion",
"ClientCertificateId": "ClientCertificate"
}
},
"usagePlan1": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": "MyRestApi",
"Stage": "Prod1"
}
],
"Description": "Customer ABC's usage plan",
"Quota": {
"Limit": 5000,
"Period": "MONTH"
},
"Throttle": {
"BurstLimit": 200,
"RateLimit": 100
},
"UsagePlanName": "Plan_ABC"
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"Prod2": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"Variables": {
"Stack": "Prod"
},
"MethodSettings": [
{
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ResourcePath": "/"
},
{
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "999",
"ResourcePath": "/stack",
"HttpMethod": "POST",
"MetricsEnabled": "true"
},
{
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "555",
"ResourcePath": "/stack",
"HttpMethod": "GET"
}
],
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": "MyRestApi1",
"DeploymentId": "TestDeployment",
"DocumentationVersion": "MyDocumentationVersion",
"ClientCertificateId": "ClientCertificate"
}
},
"usagePlan2": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": "MyRestApi",
"Stage": "Prod"
}
],
"Description": "Customer ABC's usage plan",
"Quota": {
"Limit": 5000,
"Period": "MONTH"
},
"Throttle": {
"BurstLimit": 200,
"RateLimit": 100
},
"UsagePlanName": "Plan_ABC"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Prod:
Type: AWS::ApiGateway::Stage
Properties:
StageName: Prod
Description: Prod Stage
RestApiId: !Ref MyRestApi
DeploymentId: !Ref TestDeployment
DocumentationVersion: !Ref MyDocumentationVersion
ClientCertificateId: !Ref ClientCertificate
Variables:
Stack: Prod
MethodSettings:
- ResourcePath: /
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
- ResourcePath: /stack
HttpMethod: POST
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '999'
- ResourcePath: /stack
HttpMethod: GET
MetricsEnabled: 'true'
DataTraceEnabled: 'false'
ThrottlingBurstLimit: '555'
usagePlan:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
Negative test num. 2 - json file
{
"Resources": {
"Prod": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"ClientCertificateId": "ClientCertificate",
"Variables": {
"Stack": "Prod"
},
"MethodSettings": [
{
"ResourcePath": "/",
"HttpMethod": "GET",
"MetricsEnabled": "true",
"DataTraceEnabled": "false"
},
{
"ResourcePath": "/stack",
"HttpMethod": "POST",
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "999"
},
{
"MetricsEnabled": "true",
"DataTraceEnabled": "false",
"ThrottlingBurstLimit": "555",
"ResourcePath": "/stack",
"HttpMethod": "GET"
}
],
"StageName": "Prod",
"Description": "Prod Stage",
"RestApiId": "MyRestApi",
"DeploymentId": "TestDeployment",
"DocumentationVersion": "MyDocumentationVersion"
}
},
"usagePlan": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"Stage": "Prod",
"ApiId": "MyRestApi"
}
],
"Description": "Customer ABC's usage plan",
"Quota": {
"Period": "MONTH",
"Limit": 5000
},
"Throttle": {
"BurstLimit": 200,
"RateLimit": 100
},
"UsagePlanName": "Plan_ABC"
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53"
}