API Gateway Without Configured Authorizer

• Query id: 0a96ce49-4163-4ee6-8169-eb3b0797d694
• Query name: API Gateway Without Configured Authorizer
• Platform: Terraform
• Severity: Medium
• Category: Access Control
• URL: Github

Description

API Gateway REST API should have an API Gateway Authorizer
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_api_gateway_authorizer" "demo" {
  name                   = "demo"
  rest_api_id            = aws_api_gateway_rest_api.demo.id
  authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
  authorizer_credentials = aws_iam_role.invocation_role.arn
}

resource "aws_api_gateway_rest_api" "demo2" {
  name = "auth-demo"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_api_gateway_authorizer" "demo" {
  name                   = "demo"
  rest_api_id            = aws_api_gateway_rest_api.demo.id
  authorizer_uri         = aws_lambda_function.authorizer.invoke_arn
  authorizer_credentials = aws_iam_role.invocation_role.arn
}

resource "aws_api_gateway_rest_api" "demo" {
  name = "auth-demo"
}