Serverless API Endpoint Config Not Private

  • Query id: 4d424558-c6d1-453c-be98-9a7f877abd9a
  • Query name: Serverless API Endpoint Config Not Private
  • Platform: ServerlessFW
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 668
  • URL: Github

Description

Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yml file
service: my-service
frameworkVersion: '2'
provider:
  name: aws
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get
Positive test num. 2 - yml file
service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: REGIONAL
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get

Code samples without security vulnerabilities

Negative test num. 1 - yml file
service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: PRIVATE
  vpcEndpointIds:
    - vpce-123
    - vpce-456
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get