API Gateway With Open Access
- Query id: 1056dfbb-5802-4762-bf2b-8b9b9684b1b0
- Query name: API Gateway With Open Access
- Platform: CloudFormation
- Severity: Medium
- Category: Insecure Configurations
- CWE: 284
- URL: Github
Description
An AWS::ApiGateway::Method with AuthorizationType set to NONE can be invoked by anyone who can reach the API endpoint, so every method should restrict its authorization type (AWS_IAM, CUSTOM together with an AuthorizerId, or COGNITO_USER_POOLS). The one exception is the HTTP OPTIONS method: browsers send CORS preflight requests without credentials, so that method has to answer unauthenticated. Note that ApiKeyRequired is not authorization; API keys tie requests to usage plans and throttling limits but do not decide who is allowed to call the method.
Documentation
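The check described above, written out as a small stand-alone scanner for JSON CloudFormation templates. This is an added example and is not the KICS query or any code from the KICS project; the resource names (MyApi, MyAuthorizer, PublicGet, KeyOnlyPost, Preflight, LambdaAuthNoId) and the sample templates are constructed for the demonstration. It goes slightly beyond the page's rule by also flagging CUSTOM and COGNITO_USER_POOLS methods that lack an AuthorizerId, and by showing that ApiKeyRequired alone does not clear a NONE method.

```python
"""Stand-alone version of the "API Gateway With Open Access" check for
JSON CloudFormation templates.  Added example, not KICS project code."""
import json

# Authorization types that only mean something when an AuthorizerId is attached.
AUTHORIZER_REQUIRED = {"CUSTOM", "COGNITO_USER_POOLS"}


def find_open_methods(template):
    """Return (logical_id, reason) pairs for AWS::ApiGateway::Method resources
    that can be invoked without authorization.

    OPTIONS is exempt: browsers send CORS preflight requests without
    credentials, so that method must answer unauthenticated.  ApiKeyRequired
    is deliberately ignored because API keys drive usage plans and throttling,
    not authorization."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = resource.get("Properties") or {}
        http_method = str(props.get("HttpMethod", "")).upper()
        auth_type = str(props.get("AuthorizationType", "")).upper()
        if http_method == "OPTIONS":
            continue
        if not auth_type:
            findings.append((logical_id, "AuthorizationType not set"))
        elif auth_type == "NONE":
            findings.append((logical_id, f"{http_method} with AuthorizationType NONE"))
        elif auth_type in AUTHORIZER_REQUIRED and not props.get("AuthorizerId"):
            findings.append((logical_id, f"{auth_type} without AuthorizerId"))
    return findings


def scan(template_json):
    """Parse a JSON CloudFormation template string and return its findings."""
    return find_open_methods(json.loads(template_json))


def _method(http_method, auth_type, **extra):
    """Build one Method resource for the constructed sample templates below."""
    props = {
        "RestApiId": {"Ref": "MyApi"},
        "ResourceId": {"Fn::GetAtt": ["MyApi", "RootResourceId"]},
        "HttpMethod": http_method,
        "AuthorizationType": auth_type,
        "Integration": {"Type": "MOCK"},
    }
    props.update(extra)
    return {"Type": "AWS::ApiGateway::Method", "Properties": props}


# Constructed sample: the weak configuration.  Only the OPTIONS method is fine.
OPEN_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "demo"}},
        "PublicGet": _method("GET", "NONE"),
        "KeyOnlyPost": _method("POST", "NONE", ApiKeyRequired=True),
        "Preflight": _method("OPTIONS", "NONE"),
        "LambdaAuthNoId": _method("DELETE", "CUSTOM"),
    },
})

# Constructed sample: the corrected configuration.
FIXED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyApi": {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "demo"}},
        "PublicGet": _method("GET", "AWS_IAM"),
        "KeyOnlyPost": _method("POST", "COGNITO_USER_POOLS",
                               AuthorizerId={"Ref": "MyAuthorizer"}),
        "Preflight": _method("OPTIONS", "NONE"),
    },
})

if __name__ == "__main__":
    for name, tpl in (("open", OPEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, scan(tpl))
```

Running the script lists three findings for the open template (the GET and POST methods with NONE, and the CUSTOM method without an authorizer) and none for the corrected one; the OPTIONS method is skipped in both.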
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": { "Ref": "MyApi" },
        "ResourceId": { "Fn::GetAtt": [ "MyApi", "RootResourceId" ] },
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: OPTIONS
      AuthorizationType: NONE
      Integration:
        Type: MOCK
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": { "Ref": "MyApi" },
        "ResourceId": { "Fn::GetAtt": [ "MyApi", "RootResourceId" ] },
        "HttpMethod": "OPTIONS",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  }
}