Serverless API Endpoint Config Not Private

  • Query id: 6b5b0313-771b-4319-ad7a-122ee78700ef
  • Query name: Serverless API Endpoint Config Not Private
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 668
  • URL: Github

Description

AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        VpcEndpointIds:
          - !Ref ApiGatewayVPCEndpoint
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi3:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        Types:
          - EDGE 

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi4:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      EndpointConfiguration:
        Types:
          - PRIVATE