Serverless API Endpoint Config Not Private

Query id: 4d424558-c6d1-453c-be98-9a7f877abd9a
Query name: Serverless API Endpoint Config Not Private
Platform: ServerlessFW
Severity: Medium
Category: Networking and Firewall
CWE: 668
URL: Github

Description¶

Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get

Positive test num. 2 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: REGIONAL
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get

Code samples without security vulnerabilities¶

Negative test num. 1 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: PRIVATE
  vpcEndpointIds:
    - vpce-123
    - vpce-456
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get