No Public Access | Vulnerability Database

No unauthorized access to API Gateway methods

API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Use and authorization method or require API Key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


resource "aws_api_gateway_rest_api" "MyDemoAPI" {

}

resource "aws_api_gateway_resource" "MyDemoResource" {
  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
}

resource "aws_api_gateway_method" "good_example" {
  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
  resource_id   = aws_api_gateway_resource.MyDemoResource.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


resource "aws_api_gateway_rest_api" "MyDemoAPI" {

}

resource "aws_api_gateway_resource" "MyDemoResource" {
  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
}

resource "aws_api_gateway_method" "good_example" {
  rest_api_id      = aws_api_gateway_rest_api.MyDemoAPI.id
  resource_id      = aws_api_gateway_resource.MyDemoResource.id
  http_method      = "GET"
  authorization    = "NONE"
  api_key_required = true
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14


resource "aws_api_gateway_rest_api" "MyDemoAPI" {

}

resource "aws_api_gateway_resource" "MyDemoResource" {
  rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
}

resource "aws_api_gateway_method" "good_example" {
  rest_api_id   = aws_api_gateway_rest_api.MyDemoAPI.id
  resource_id   = aws_api_gateway_resource.MyDemoResource.id
  http_method   = "OPTION"
  authorization = "NONE"
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#authorization