Creating AWS API Gateway resources without enforcing authentication exposes the underlying API to any anonymous internet user.
Unless an authorization type is explicitly configured on a method (REST API) or a route (HTTP or WebSocket API), API Gateway accepts requests from anyone on the internet without any proof of identity; the CDK constructs below default to open access when no authorizer is given. Each unauthenticated endpoint widens the attack surface: an anonymous caller can use the exposed functionality to read or modify the data the backend serves, trigger resource-intensive operations that drive up cost or cause a denial of service, or probe the backend integration (Lambda, HTTP, or VPC link) for further vulnerabilities.
Fix it by setting an authorization type other than NONE: AWS IAM (SigV4-signed requests), a Cognito user pool authorizer, a Lambda (custom) authorizer, or, for HTTP APIs, a JWT authorizer. Requiring an API key is not authentication: API keys only bind a client to a usage plan for throttling and quotas, so "apiKeyRequired: true" on its own does not resolve the issue.
The following examples show, for each construct, a noncompliant method that leaves the authorization type set to NONE, followed by a compliant version that requires AWS IAM authentication (any of the other authorizer types listed above also resolves the issue).
For aws-cdk-lib.aws_apigateway.Resource:
Noncompliant code example:

import {aws_apigateway as apigateway} from "aws-cdk-lib"

// `api` is a RestApi defined elsewhere in the stack
const resource = api.root.addResource("example")
resource.addMethod(
  "POST",
  new apigateway.HttpIntegration("https://example.org"),
  {
    // Open access: the same result as omitting authorizationType entirely
    authorizationType: apigateway.AuthorizationType.NONE // Noncompliant
  }
)

Compliant solution:

import {aws_apigateway as apigateway} from "aws-cdk-lib"

// `api` is a RestApi defined elsewhere in the stack
const resource = api.root.addResource("example")
resource.addMethod(
  "POST",
  new apigateway.HttpIntegration("https://example.org"),
  {
    // Callers must sign requests with AWS credentials (SigV4)
    authorizationType: apigateway.AuthorizationType.IAM
  }
)
The same pattern applies to HTTP API routes, where the L1 CfnRoute construct takes the authorization type as a string. A route with "NONE" (or with no authorizationType at all) is reachable by any internet user.
For aws-cdk-lib.aws_apigatewayv2.CfnRoute:
Noncompliant code example:

import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

// `api` is a CfnApi and `exampleIntegration` an "integrations/<id>" target
// string, both defined elsewhere in the stack
new apigateway.CfnRoute(this, "update", {
  apiId: api.ref,
  routeKey: "POST /update",
  authorizationType: "NONE", // Noncompliant
  target: exampleIntegration
})

Compliant solution:

import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

// `api` is a CfnApi and `exampleIntegration` an "integrations/<id>" target
// string, both defined elsewhere in the stack
new apigateway.CfnRoute(this, "update", {
  apiId: api.ref,
  routeKey: "POST /update",
  authorizationType: "AWS_IAM", // "CUSTOM" (Lambda) or "JWT" also work
  target: exampleIntegration
})
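The examples above fix individual methods and routes, but a stack of any size needs a check that catches every open endpoint before deployment. The following is an added example, not code from the rule or from AWS; it scans a synthesized CloudFormation template (the output of "cdk synth") for AWS::ApiGateway::Method and AWS::ApiGatewayV2::Route resources whose authorization type resolves to NONE. It treats a missing AuthorizationType on a route as NONE, which is the CloudFormation default, flags methods that rely on an API key alone, and by default ignores OPTIONS methods and routes because CORS preflight requests cannot carry credentials. The template embedded below is constructed for the example; the function and type names are assumptions of this example only.

```typescript
// Added example: find API Gateway methods and routes that accept
// unauthenticated requests in a synthesized CloudFormation template.

type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface OpenEndpoint {
  logicalId: string;
  resourceType: string;
  method: string;   // HttpMethod for REST methods, RouteKey for HTTP API routes
  reason: string;
}

// Returns every method/route whose authorization type is NONE.
// allowCorsPreflight skips OPTIONS endpoints, which legitimately run without
// authentication to answer browser preflight requests.
function findUnauthenticatedEndpoints(
  template: CfnTemplate,
  allowCorsPreflight: boolean = true
): OpenEndpoint[] {
  const findings: OpenEndpoint[] = [];

  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    const props = res.Properties ?? {};
    // CloudFormation defaults a route's AuthorizationType to NONE when omitted.
    const authType = String(props.AuthorizationType ?? "NONE").toUpperCase();
    if (authType !== "NONE") continue;

    if (res.Type === "AWS::ApiGateway::Method") {
      const httpMethod = String(props.HttpMethod ?? "").toUpperCase();
      if (allowCorsPreflight && httpMethod === "OPTIONS") continue;
      // An API key binds the caller to a usage plan; it is not authentication.
      const reason = props.ApiKeyRequired === true
        ? "AuthorizationType NONE; ApiKeyRequired alone is not authentication"
        : "AuthorizationType NONE";
      findings.push({ logicalId, resourceType: res.Type, method: httpMethod, reason });
    } else if (res.Type === "AWS::ApiGatewayV2::Route") {
      const routeKey = String(props.RouteKey ?? "");
      if (allowCorsPreflight && routeKey.toUpperCase().startsWith("OPTIONS ")) continue;
      findings.push({ logicalId, resourceType: res.Type, method: routeKey, reason: "AuthorizationType NONE" });
    }
  }
  return findings;
}

// Constructed sample template mimicking what "cdk synth" would emit for the
// examples on this page plus a few edge cases (not a real stack).
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    PostExample: {                               // open REST method
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "POST", AuthorizationType: "NONE" }
    },
    GetExample: {                                // IAM-protected REST method
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "GET", AuthorizationType: "AWS_IAM" }
    },
    OptionsExample: {                            // CORS preflight, skipped by default
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "OPTIONS", AuthorizationType: "NONE" }
    },
    KeyOnly: {                                   // API key but no authorizer
      Type: "AWS::ApiGateway::Method",
      Properties: { HttpMethod: "DELETE", AuthorizationType: "NONE", ApiKeyRequired: true }
    },
    UpdateRoute: {                               // HTTP API route, AuthorizationType omitted
      Type: "AWS::ApiGatewayV2::Route",
      Properties: { RouteKey: "POST /update", Target: "integrations/abc123" }
    },
    SecureRoute: {                               // IAM-protected HTTP API route
      Type: "AWS::ApiGatewayV2::Route",
      Properties: { RouteKey: "GET /status", AuthorizationType: "AWS_IAM", Target: "integrations/abc123" }
    }
  }
};

// CI gate: fail the build when any open endpoint is found.
function gate(template: CfnTemplate): number {
  const open = findUnauthenticatedEndpoints(template);
  for (const f of open) {
    console.error(`${f.resourceType} ${f.logicalId} (${f.method}): ${f.reason}`);
  }
  return open.length === 0 ? 0 : 1;
}

gate(SAMPLE_TEMPLATE);
```

Run it against "cdk.out/<stack>.template.json" in CI and fail the pipeline on a non-zero result. Pass allowCorsPreflight=false if the API has no browser clients, since an OPTIONS method is then just one more open endpoint.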