API Gateway Without Configured Authorizer
- Query id: 7fd0d461-5b8c-4815-898c-f2b4b117eb28
- Query name: API Gateway Without Configured Authorizer
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
API Gateway REST API should have an API Gateway Authorizer
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
DevWebSocket:
Type: 'AWS::ApiGatewayV2::Api'
Properties:
Name: TL-Dev-WebSocket-API
ProtocolType: WEBSOCKET
RouteSelectionExpression: $request.body.action
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
DevWebSocket5:
Type: 'AWS::ApiGatewayV2::Api'
Properties:
Name: TL-Dev-WebSocket-API
ProtocolType: WEBSOCKET
RouteSelectionExpression: $request.body.action
DevAuthorizerLambda5:
Type: 'AWS::Serverless::Function'
Properties:
CodeUri: WebSockets/Authorizer
Role: 'arn:aws:iam::************:role/LambdaDynamoDB'
Environment:
Variables:
STAGE: Dev
DevAuthorizerLambdaPermission5:
Type: 'AWS::Lambda::Permission'
Properties:
Action: 'lambda:invokeFunction'
Principal: apigateway.amazonaws.com
FunctionName:
Ref: DevAuthorizerLambda
SourceArn:
'Fn::Sub':
- >-
arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect
- __Stage__: '*'
__ApiId__:
Ref: DevWebSocket
DevWebSocketAuthorizer5:
Type: 'AWS::ApiGatewayV2::Authorizer'
Properties:
Name: DevAuthorizer
ApiId:
Ref: DevWebSocket222222
AuthorizerType: REQUEST
AuthorizerUri:
'Fn::Sub': >-
arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations
IdentitySource:
- route.request.querystring.token
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyRestApi6:
Type: AWS::ApiGateway::RestApi
Properties:
EndpointConfiguration:
Types:
- PRIVATE
Name: myRestApi
Positive test num. 4 - yaml file
Positive test num. 5 - json file
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"DevWebSocketAuthorizer9": {
"Type": "AWS::ApiGatewayV2::Authorizer",
"Properties": {
"ApiId": {
"Ref": "DevWebSocket2err"
},
"AuthorizerType": "REQUEST",
"AuthorizerUri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations"
},
"IdentitySource": [
"route.request.querystring.token"
],
"Name": "DevAuthorizer"
}
},
"DevWebSocket9": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "TL-Dev-WebSocket-API",
"ProtocolType": "WEBSOCKET",
"RouteSelectionExpression": "$request.body.action"
}
},
"DevAuthorizerLambda9": {
"Type": "AWS::Serverless::Function",
"Properties": {
"Environment": {
"Variables": {
"STAGE": "Dev"
}
},
"CodeUri": "WebSockets/Authorizer",
"Role": "arn:aws:iam::************:role/LambdaDynamoDB"
}
},
"DevAuthorizerLambdaPermission9": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Principal": "apigateway.amazonaws.com",
"FunctionName": {
"Ref": "DevAuthorizerLambda"
},
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect",
{
"__Stage__": "*",
"__ApiId__": {
"Ref": "DevWebSocket"
}
}
]
},
"Action": "lambda:invokeFunction"
}
}
}
}
Positive test num. 7 - json file
Positive test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyRestApi11": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"EndpointConfiguration": {
"Types": [
"PRIVATE"
]
},
"Name": "myRestApi"
}
},
"Authorizer": {
"Type": "AWS::ApiGateway::Authorizer",
"Properties": {
"RestApiId": "MyRestApiwww2"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
DevWebSocket2:
Type: 'AWS::ApiGatewayV2::Api'
Properties:
Name: TL-Dev-WebSocket-API
ProtocolType: WEBSOCKET
RouteSelectionExpression: $request.body.action
DevAuthorizerLambda:
Type: 'AWS::Serverless::Function'
Properties:
CodeUri: WebSockets/Authorizer
Role: 'arn:aws:iam::************:role/LambdaDynamoDB'
Environment:
Variables:
STAGE: Dev
DevAuthorizerLambdaPermission:
Type: 'AWS::Lambda::Permission'
Properties:
Action: 'lambda:invokeFunction'
Principal: apigateway.amazonaws.com
FunctionName:
Ref: DevAuthorizerLambda
SourceArn:
'Fn::Sub':
- >-
arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect
- __Stage__: '*'
__ApiId__:
Ref: DevWebSocket
DevWebSocketAuthorizer:
Type: 'AWS::ApiGatewayV2::Authorizer'
Properties:
Name: DevAuthorizer
ApiId:
Ref: DevWebSocket2
AuthorizerType: REQUEST
AuthorizerUri:
'Fn::Sub': >-
arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations
IdentitySource:
- route.request.querystring.token
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
MyRestApi2:
Type: AWS::ApiGateway::RestApi
Properties:
EndpointConfiguration:
Types:
- PRIVATE
Name: myRestApi
Authorizer:
Type: 'AWS::ApiGateway::Authorizer'
Properties:
RestApiId: !Ref MyRestApi2
Negative test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"DevWebSocket2": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"ProtocolType": "WEBSOCKET",
"RouteSelectionExpression": "$request.body.action",
"Name": "TL-Dev-WebSocket-API"
}
},
"DevAuthorizerLambda": {
"Type": "AWS::Serverless::Function",
"Properties": {
"Environment": {
"Variables": {
"STAGE": "Dev"
}
},
"CodeUri": "WebSockets/Authorizer",
"Role": "arn:aws:iam::************:role/LambdaDynamoDB"
}
},
"DevAuthorizerLambdaPermission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:invokeFunction",
"Principal": "apigateway.amazonaws.com",
"FunctionName": {
"Ref": "DevAuthorizerLambda"
},
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect",
{
"__Stage__": "*",
"__ApiId__": {
"Ref": "DevWebSocket"
}
}
]
}
}
},
"DevWebSocketAuthorizer": {
"Type": "AWS::ApiGatewayV2::Authorizer",
"Properties": {
"Name": "DevAuthorizer",
"ApiId": {
"Ref": "DevWebSocket2"
},
"AuthorizerType": "REQUEST",
"AuthorizerUri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations"
},
"IdentitySource": [
"route.request.querystring.token"
]
}
}
}
}
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"MyRestApi3": {
"Properties": {
"EndpointConfiguration": {
"Types": [
"PRIVATE"
]
},
"Name": "myRestApi"
},
"Type": "AWS::ApiGateway::RestApi"
},
"Authorizer": {
"Type": "AWS::ApiGateway::Authorizer",
"Properties": {
"RestApiId": "MyRestApi3"
}
}
}
}