API Gateway Without Security Policy

• Query id: 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b
• Query name: API Gateway Without Security Policy
• Platform: Terraform
• Severity: Medium
• Category: Insecure Configurations
• URL: Github

Description

API Gateway should have a Security Policy defined and use TLS 1.2.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "aws_api_gateway_domain_name" "example" {
  domain_name              = "api.example.com"
}

Positive test num. 2 - tf file

resource "aws_api_gateway_domain_name" "example2" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_0"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "aws_api_gateway_domain_name" "example4" {
  domain_name              = "api.example.com"
  security_policy = "TLS_1_2"
}