API Gateway Without Configured Authorizer

• Query id: 7fd0d461-5b8c-4815-898c-f2b4b117eb28
• Query name: API Gateway Without Configured Authorizer
• Platform: CloudFormation
• Severity: Medium
• Category: Access Control
• URL: Github

Description

API Gateway REST API should have an API Gateway Authorizer
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
  DevWebSocket:
    Type: 'AWS::ApiGatewayV2::Api'
    Properties:
      Name: TL-Dev-WebSocket-API
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: $request.body.action

Positive test num. 2 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
  DevWebSocket5:
    Type: 'AWS::ApiGatewayV2::Api'
    Properties:
      Name: TL-Dev-WebSocket-API
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: $request.body.action
  DevAuthorizerLambda5:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: WebSockets/Authorizer
      Role: 'arn:aws:iam::************:role/LambdaDynamoDB'
      Environment:
        Variables:
          STAGE: Dev
  DevAuthorizerLambdaPermission5:
    Type: 'AWS::Lambda::Permission'
    Properties:
      Action: 'lambda:invokeFunction'
      Principal: apigateway.amazonaws.com
      FunctionName:
        Ref: DevAuthorizerLambda
      SourceArn:
        'Fn::Sub':
          - >-
            arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect
          - __Stage__: '*'
            __ApiId__:
              Ref: DevWebSocket
  DevWebSocketAuthorizer5:
    Type: 'AWS::ApiGatewayV2::Authorizer'
    Properties:
      Name: DevAuthorizer
      ApiId:
        Ref: DevWebSocket222222
      AuthorizerType: REQUEST
      AuthorizerUri:
        'Fn::Sub': >-
          arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations
      IdentitySource:
        - route.request.querystring.token

Positive test num. 3 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyRestApi6:
        Type: AWS::ApiGateway::RestApi
        Properties:
          EndpointConfiguration:
            Types:
              - PRIVATE
          Name: myRestApi

Positive test num. 4 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyRestApi7:
        Type: AWS::ApiGateway::RestApi
        Properties:
          EndpointConfiguration:
            Types:
              - PRIVATE
          Name: myRestApi
    Authorizer:
        Type: 'AWS::ApiGateway::Authorizer'
        Properties:
          RestApiId: !Ref MyRestApi242

Positive test num. 5 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DevWebSocket8": {
      "Type": "AWS::ApiGatewayV2::Api",
      "Properties": {
        "Name": "TL-Dev-WebSocket-API",
        "ProtocolType": "WEBSOCKET",
        "RouteSelectionExpression": "$request.body.action"
      }
    }
  }
}

Positive test num. 6 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "DevWebSocketAuthorizer9": {
      "Type": "AWS::ApiGatewayV2::Authorizer",
      "Properties": {
        "ApiId": {
          "Ref": "DevWebSocket2err"
        },
        "AuthorizerType": "REQUEST",
        "AuthorizerUri": {
          "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations"
        },
        "IdentitySource": [
          "route.request.querystring.token"
        ],
        "Name": "DevAuthorizer"
      }
    },
    "DevWebSocket9": {
      "Type": "AWS::ApiGatewayV2::Api",
      "Properties": {
        "Name": "TL-Dev-WebSocket-API",
        "ProtocolType": "WEBSOCKET",
        "RouteSelectionExpression": "$request.body.action"
      }
    },
    "DevAuthorizerLambda9": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Environment": {
          "Variables": {
            "STAGE": "Dev"
          }
        },
        "CodeUri": "WebSockets/Authorizer",
        "Role": "arn:aws:iam::************:role/LambdaDynamoDB"
      }
    },
    "DevAuthorizerLambdaPermission9": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Principal": "apigateway.amazonaws.com",
        "FunctionName": {
          "Ref": "DevAuthorizerLambda"
        },
        "SourceArn": {
          "Fn::Sub": [
            "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect",
            {
              "__Stage__": "*",
              "__ApiId__": {
                "Ref": "DevWebSocket"
              }
            }
          ]
        },
        "Action": "lambda:invokeFunction"
      }
    }
  }
}

Positive test num. 7 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRestApi10": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "EndpointConfiguration": {
          "Types": [
            "PRIVATE"
          ]
        },
        "Name": "myRestApi"
      }
    }
  }
}

Positive test num. 8 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRestApi11": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "EndpointConfiguration": {
          "Types": [
            "PRIVATE"
          ]
        },
        "Name": "myRestApi"
      }
    },
    "Authorizer": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {
        "RestApiId": "MyRestApiwww2"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
  DevWebSocket2:
    Type: 'AWS::ApiGatewayV2::Api'
    Properties:
      Name: TL-Dev-WebSocket-API
      ProtocolType: WEBSOCKET
      RouteSelectionExpression: $request.body.action
  DevAuthorizerLambda:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: WebSockets/Authorizer
      Role: 'arn:aws:iam::************:role/LambdaDynamoDB'
      Environment:
        Variables:
          STAGE: Dev
  DevAuthorizerLambdaPermission:
    Type: 'AWS::Lambda::Permission'
    Properties:
      Action: 'lambda:invokeFunction'
      Principal: apigateway.amazonaws.com
      FunctionName:
        Ref: DevAuthorizerLambda
      SourceArn:
        'Fn::Sub':
          - >-
            arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect
          - __Stage__: '*'
            __ApiId__:
              Ref: DevWebSocket
  DevWebSocketAuthorizer:
    Type: 'AWS::ApiGatewayV2::Authorizer'
    Properties:
      Name: DevAuthorizer
      ApiId:
        Ref: DevWebSocket2
      AuthorizerType: REQUEST
      AuthorizerUri:
        'Fn::Sub': >-
          arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations
      IdentitySource:
        - route.request.querystring.token

Negative test num. 2 - yaml file

AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyRestApi2:
        Type: AWS::ApiGateway::RestApi
        Properties:
          EndpointConfiguration:
            Types:
              - PRIVATE
          Name: myRestApi
    Authorizer:
        Type: 'AWS::ApiGateway::Authorizer'
        Properties:
          RestApiId: !Ref MyRestApi2

Negative test num. 3 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "DevWebSocket2": {
      "Type": "AWS::ApiGatewayV2::Api",
      "Properties": {
        "ProtocolType": "WEBSOCKET",
        "RouteSelectionExpression": "$request.body.action",
        "Name": "TL-Dev-WebSocket-API"
      }
    },
    "DevAuthorizerLambda": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Environment": {
          "Variables": {
            "STAGE": "Dev"
          }
        },
        "CodeUri": "WebSockets/Authorizer",
        "Role": "arn:aws:iam::************:role/LambdaDynamoDB"
      }
    },
    "DevAuthorizerLambdaPermission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:invokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "FunctionName": {
          "Ref": "DevAuthorizerLambda"
        },
        "SourceArn": {
          "Fn::Sub": [
            "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect",
            {
              "__Stage__": "*",
              "__ApiId__": {
                "Ref": "DevWebSocket"
              }
            }
          ]
        }
      }
    },
    "DevWebSocketAuthorizer": {
      "Type": "AWS::ApiGatewayV2::Authorizer",
      "Properties": {
        "Name": "DevAuthorizer",
        "ApiId": {
          "Ref": "DevWebSocket2"
        },
        "AuthorizerType": "REQUEST",
        "AuthorizerUri": {
          "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations"
        },
        "IdentitySource": [
          "route.request.querystring.token"
        ]
      }
    }
  }
}

Negative test num. 4 - json file

{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRestApi3": {
      "Properties": {
        "EndpointConfiguration": {
          "Types": [
            "PRIVATE"
          ]
        },
        "Name": "myRestApi"
      },
      "Type": "AWS::ApiGateway::RestApi"
    },
    "Authorizer": {
      "Type": "AWS::ApiGateway::Authorizer",
      "Properties": {
        "RestApiId": "MyRestApi3"
      }
    }
  }
}