API Gateway Without Security Policy

  • Query id: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b
  • Query name: API Gateway Without Security Policy
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 326
  • URL: Github

Description

API Gateway should have a Security Policy defined and use TLS 1.2.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_api_gateway_domain_name" "example" {
  domain_name              = "api.example.com"
}
Positive test num. 2 - tf file
resource "aws_api_gateway_domain_name" "example2" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_0"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_api_gateway_domain_name" "example4" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_2"
}