Serverless API Endpoint Config Not Private

• Query id: 4d424558-c6d1-453c-be98-9a7f877abd9a
• Query name: Serverless API Endpoint Config Not Private
• Platform: ServerlessFW
• Severity: Medium
• Category: Networking and Firewall
• URL: Github

Description

Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get

Positive test num. 2 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: REGIONAL
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get

Code samples without security vulnerabilities

Negative test num. 1 - yml file

service: my-service
frameworkVersion: '2'
provider:
  name: aws
  endpointType: PRIVATE
  vpcEndpointIds:
    - vpce-123
    - vpce-456
functions:
  hello:
    events:
      - http:
          path: user/create
          method: get