Serverless API Endpoint Config Not Private
- Query id: 6b5b0313-771b-4319-ad7a-122ee78700ef
- Query name: Serverless API Endpoint Config Not Private
- Platform: CloudFormation
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- URL: Github
Description
AWS Serverless API resources should set the API EndpointConfiguration type to 'PRIVATE'; otherwise the endpoint is reachable from the public internet.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        VpcEndpointIds:
          - !Ref ApiGatewayVPCEndpoint
```
Positive test num. 3 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi3:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        Types:
          - EDGE
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi4:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        Types:
          - PRIVATE
```
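The check the query describes, written out as an added Python example (not the KICS Rego query itself) so the three failing shapes above can be told apart: no EndpointConfiguration, EndpointConfiguration with only VpcEndpointIds, and a Types list that is not PRIVATE. It assumes the template has already been parsed into dicts, with `!Ref` in its JSON form `{"Ref": ...}`; the sample templates are constructed from the page's test cases.

```python
from __future__ import annotations

# Added example: not the KICS query. Templates are assumed to be parsed dicts
# (the shape a YAML/JSON loader would produce for the samples on this page).

def api_endpoint_findings(template: dict) -> list[dict]:
    """Return one finding per AWS::Serverless::Api whose endpoint is not PRIVATE."""
    findings = []
    for name, res in (template.get("Resources") or {}).items():
        if not isinstance(res, dict) or res.get("Type") != "AWS::Serverless::Api":
            continue
        props = res.get("Properties") or {}
        cfg = props.get("EndpointConfiguration")
        if not isinstance(cfg, dict):
            # Positive test 1: no EndpointConfiguration, so the API gets the public default.
            findings.append({"resource": name, "reason": "EndpointConfiguration is missing"})
            continue
        types = cfg.get("Types")
        if types is None:
            # Positive test 2: VpcEndpointIds alone does not make the API private.
            findings.append({"resource": name, "reason": "EndpointConfiguration.Types is missing"})
            continue
        if isinstance(types, str):  # tolerate a scalar where a list is expected
            types = [types]
        if not types or any(t != "PRIVATE" for t in types):
            # Positive test 3: EDGE (or any non-PRIVATE type) exposes the API publicly.
            findings.append({"resource": name,
                             "reason": f"EndpointConfiguration.Types is {types}, expected ['PRIVATE']"})
    return findings

def sam_api(name: str, endpoint_config: dict | None = None) -> dict:
    """Build a template shaped like the page's samples (constructed test data)."""
    props = {"StageName": "prod", "TracingEnabled": True, "CacheClusterEnabled": True}
    if endpoint_config is not None:
        props["EndpointConfiguration"] = endpoint_config
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Transform": "AWS::Serverless-2016-10-31",
            "Resources": {name: {"Type": "AWS::Serverless::Api", "Properties": props}}}

# Constructed equivalents of the four test cases on this page.
SAMPLES = {
    "positive1": sam_api("ApiGatewayApi"),
    "positive2": sam_api("ApiGatewayApi2", {"VpcEndpointIds": [{"Ref": "ApiGatewayVPCEndpoint"}]}),
    "positive3": sam_api("ApiGatewayApi3", {"Types": ["EDGE"]}),
    "negative1": sam_api("ApiGatewayApi4", {"Types": ["PRIVATE"]}),
}

if __name__ == "__main__":
    for label, tpl in SAMPLES.items():
        print(label, api_endpoint_findings(tpl) or "OK")
```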