API Gateway Without Configured Authorizer

  • Query id: b16cdb37-ce15-4ab2-8401-d42b05d123fc
  • Query name: API Gateway Without Configured Authorizer
  • Platform: Ansible
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

API Gateway REST API should have an API Gateway Authorizer
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.aws_api_gateway:
    swagger_dict:
      {
        "openapi": "3.0.0",
        "info":
          {
            "title": "Simple API Overview",
            "version": "1.0.0",
            "contact": { "name": "contact", "email": "user@gmail.com" },
          },
        "components":
          {
            "securitySchemes":
              {
                "request_authorizer_single_stagevar":
                  {
                    "type": "apiKey",
                    "name": "Unused",
                    "in": "header",
                    "x-amazon-apigateway-authtype": "custom",
                  },
              },
          },
      }
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
Positive test num. 2 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API definition2
  aws_api_gateway:
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
Positive test num. 3 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_file: swaggerFileWithoutAuthorizer.yaml
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present

Positive test num. 4 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_text: |
      openapi: 3.0.0
      info:
        title: Sample API
        description: Optional multiline or single-line description
        version: 0.1.9
      components:
        ssecuritySchemes:
          request_authorizer_single_stagevar:
            type: apiKey
            name: Unused
            in: header
            x-amazon-apigateway-authtype: custom
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API definition3
  community.aws.aws_api_gateway:
    swagger_file: swaggerFile.yaml
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
Negative test num. 2 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API definition22222
  community.aws.aws_api_gateway:
    swagger_dict:
      {
        "openapi": "3.0.0",
        "info":
          {
            "title": "Simple API Overview",
            "version": "1.0.0",
            "contact": { "name": "contact", "email": "user@gmail.com" },
          },
        "components":
          {
            "securitySchemes":
              {
                "request_authorizer_single_stagevar":
                  {
                    "type": "apiKey",
                    "name": "Unused",
                    "in": "header",
                    "x-amazon-apigateway-authtype": "custom",
                    "x-amazon-apigateway-authorizer":
                      {
                        "type": "request",
                        "identitySource": "stageVariables.stage",
                        "authorizerCredentials": "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole",
                        "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations",
                        "authorizerResultTtlInSeconds": 300,
                      },
                  },
              },
          },
      }
    stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
Negative test num. 3 - yaml file
- name: Setup AWS API Gateway setup on AWS and deploy API 222
  aws_api_gateway:
    swagger_text: |
      openapi: 3.0.0
      info:
        title: Sample API
        description: Optional multiline or single-line description
        version: 0.1.9
      components:
        securitySchemes:
          request_authorizer_single_stagevar:
            type: apiKey
            name: Unused
            in: header
            x-amazon-apigateway-authtype: custom
            x-amazon-apigateway-authorizer:
              type: request
              identitySource: stageVariables.stage
              authorizerCredentials: arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole
              authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations
              authorizerResultTtlInSeconds: 300
          stage: production
    cache_enabled: true
    cache_size: "1.6"
    tracing_enabled: true
    endpoint_type: EDGE
    state: present