API Gateway With Open Access

• Query id: 15ccec05-5476-4890-ad19-53991eba1db8
• Query name: API Gateway With Open Access
• Platform: Terraform
• Severity: Medium
• Category: Insecure Configurations
• URL: Github

Description

API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_api_gateway_method" "positive1" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "GET"
  authorization = "NONE"
  authorizer_id = aws_api_gateway_authorizer.this.id

  request_parameters = {
    "method.request.path.proxy" = true
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_api_gateway_method" "negative1" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.this.id
  http_method   = "OPTIONS"
  authorization = "NONE"
  authorizer_id = aws_api_gateway_authorizer.this.id

  request_parameters = {
    "method.request.path.proxy" = true
  }
}