API Gateway With Open Access
- Query id: 15ccec05-5476-4890-ad19-53991eba1db8
- Query name: API Gateway With Open Access
- Platform: Terraform
- Severity: Medium
- Category: Insecure Configurations
- CWE: 284
- URL: Github
Description
An API Gateway method should restrict its authorization type: authorization should not be set to "NONE", except for the HTTP OPTIONS method.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
resource "aws_api_gateway_method" "positive1" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "GET"
  # Flagged: no authorization on a method other than OPTIONS
  authorization = "NONE"
  authorizer_id = aws_api_gateway_authorizer.this.id
  request_parameters = {
    "method.request.path.proxy" = true
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
resource "aws_api_gateway_method" "negative1" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  # Not flagged: OPTIONS is exempt from the authorization requirement
  http_method   = "OPTIONS"
  authorization = "NONE"
  authorizer_id = aws_api_gateway_authorizer.this.id
  request_parameters = {
    "method.request.path.proxy" = true
  }
}