API Gateway Without Configured Authorizer

  • Query id: 0a96ce49-4163-4ee6-8169-eb3b0797d694
  • Query name: API Gateway Without Configured Authorizer
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

API Gateway REST API should have an API Gateway Authorizer
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_api_gateway_authorizer" "demo" {
  name                   = "demo"
  rest_api_id            = aws_api_gateway_rest_api.demo.id
  authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
  authorizer_credentials = aws_iam_role.invocation_role.arn
}

resource "aws_api_gateway_rest_api" "demo2" {
  name = "auth-demo"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_api_gateway_authorizer" "demo" {
  name                   = "demo"
  rest_api_id            = aws_api_gateway_rest_api.demo.id
  authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
  authorizer_credentials = aws_iam_role.invocation_role.arn
}

resource "aws_api_gateway_rest_api" "demo" {
  name = "auth-demo"
}