API Gateway Deployment Without API Gateway UsagePlan Associated

  • Query id: 783860a3-6dca-4c8b-81d0-7b62769ccbca
  • Query name: API Gateway Deployment Without API Gateway UsagePlan Associated
  • Platform: CloudFormation
  • Severity: Low
  • Category: Observability
  • CWE: 770
  • URL: Github

Description

API Gateway Deployment should have API Gateway UsagePlan defined and associated.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  Deployment:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyRestApi
      Description: My deployment
      StageName: Prod
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  Deployment1:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyRestApi
      Description: My deployment
      StageName: Prod
  usagePlan1:
    Type: 'AWS::ApiGateway::UsagePlan'
    Properties:
      ApiStages:
        - ApiId: !Ref MyRestApi
          Stage: !Ref Prod1
      Description: Customer ABC's usage plan
      Quota:
        Limit: 5000
        Period: MONTH
      Throttle:
        BurstLimit: 200
        RateLimit: 100
      UsagePlanName: Plan_ABC
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  Deployment2:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyRestApi
      Description: My deployment
      StageName: Prod1
  usagePlan2:
    Type: 'AWS::ApiGateway::UsagePlan'
    Properties:
      ApiStages:
        - ApiId: !Ref MyRestApi
          Stage: !Ref Prod
      Description: Customer ABC's usage plan
      Quota:
        Limit: 5000
        Period: MONTH
      Throttle:
        BurstLimit: 200
        RateLimit: 100
      UsagePlanName: Plan_ABC

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "Deployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "StageName": "Prod",
        "RestApiId": "MyRestApi",
        "Description": "My deployment"
      }
    }
  }
}
Positive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "Deployment1": {
      "Properties": {
        "RestApiId": "MyRestApi",
        "Description": "My deployment",
        "StageName": "Prod"
      },
      "Type": "AWS::ApiGateway::Deployment"
    },
    "usagePlan1": {
      "Properties": {
        "Quota": {
          "Limit": 5000,
          "Period": "MONTH"
        },
        "Throttle": {
          "BurstLimit": 200,
          "RateLimit": 100
        },
        "UsagePlanName": "Plan_ABC",
        "ApiStages": [
          {
            "ApiId": "MyRestApi",
            "Stage": "Prod1"
          }
        ],
        "Description": "Customer ABC's usage plan"
      },
      "Type": "AWS::ApiGateway::UsagePlan"
    }
  }
}
Positive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "Deployment2": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": "MyRestApi",
        "Description": "My deployment",
        "StageName": "Prod1"
      }
    },
    "usagePlan2": {
      "Type": "AWS::ApiGateway::UsagePlan",
      "Properties": {
        "ApiStages": [
          {
            "ApiId": "MyRestApi",
            "Stage": "Prod"
          }
        ],
        "Description": "Customer ABC's usage plan",
        "Quota": {
          "Limit": 5000,
          "Period": "MONTH"
        },
        "Throttle": {
          "BurstLimit": 200,
          "RateLimit": 100
        },
        "UsagePlanName": "Plan_ABC"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  Deployment:
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref MyRestApi
      Description: My deployment
      StageName: Prod
  usagePlan:
    Type: 'AWS::ApiGateway::UsagePlan'
    Properties:
      ApiStages:
        - ApiId: !Ref MyRestApi
          Stage: !Ref Prod
      Description: Customer ABC's usage plan
      Quota:
        Limit: 5000
        Period: MONTH
      Throttle:
        BurstLimit: 200
        RateLimit: 100
      UsagePlanName: Plan_ABC
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "Deployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": "MyRestApi",
        "Description": "My deployment",
        "StageName": "Prod"
      }
    },
    "usagePlan": {
      "Type": "AWS::ApiGateway::UsagePlan",
      "Properties": {
        "ApiStages": [
          {
            "ApiId": "MyRestApi",
            "Stage": "Prod"
          }
        ],
        "Description": "Customer ABC's usage plan",
        "Quota": {
          "Limit": 5000,
          "Period": "MONTH"
        },
        "Throttle": {
          "RateLimit": 100,
          "BurstLimit": 200
        },
        "UsagePlanName": "Plan_ABC"
      }
    }
  }
}