Creating AWS API Gateway resources without enforcing authentication exposes the underlying API to any anonymous internet user.

Why is this an issue?

Unless an authentication method is explicitly configured, AWS API Gateway allows any internet user to call the API without proving their identity. This unnecessarily increases the attack surface, giving unauthenticated actors the opportunity to target both the functionality provided by the API and its underlying infrastructure.

What is the potential impact?

Unauthorized access

An unauthenticated API endpoint can be reached by any internet user without proving their identity. Attackers may abuse the exposed functionality to extract sensitive data, trigger resource-intensive operations, or exploit other vulnerabilities in the backend infrastructure.

How to fix it in AWS API Gateway

Code examples

The following examples show a REST API resource whose POST method is configured without authentication (noncompliant), so any internet user can call it, and the same method with IAM authorization enforced (compliant).

For aws_cdk.aws_apigateway.Resource:

Noncompliant code example

from aws_cdk import (
    aws_apigateway as apigateway
)

# `api` is an existing apigateway.RestApi construct in the enclosing stack
resource = api.root.add_resource("example")
resource.add_method(
    "POST",
    # NONE is also the CDK default, so omitting authorization_type here
    # gives the same unauthenticated method
    authorization_type=apigateway.AuthorizationType.NONE  # Noncompliant
)

Compliant solution

from aws_cdk import (
    aws_apigateway as apigateway
)

# `api` is an existing apigateway.RestApi construct in the enclosing stack
resource = api.root.add_resource("example")
resource.add_method(
    "POST",
    # Callers must sign the request with AWS credentials (SigV4); unsigned
    # requests are rejected by API Gateway before reaching the backend
    authorization_type=apigateway.AuthorizationType.IAM
)

How to fix it in AWS API Gateway V2

Code examples

The following examples show an API Gateway V2 (HTTP API) route configured without authentication (noncompliant), so any internet user can call it, and the same route with IAM authorization enforced (compliant).

For aws_cdk.aws_apigatewayv2.CfnRoute:

Noncompliant code example

from aws_cdk import (
    aws_apigatewayv2 as apigateway
)

# `self` is the enclosing Stack; `api` is an existing apigateway.CfnApi
apigateway.CfnRoute(
    self,
    "update",
    api_id=api.ref,
    route_key="POST /update",
    # NONE is also what API Gateway applies when authorization_type is omitted
    authorization_type="NONE"  # Noncompliant
)

Compliant solution

from aws_cdk import (
    aws_apigatewayv2 as apigateway
)

# `self` is the enclosing Stack; `api` is an existing apigateway.CfnApi
apigateway.CfnRoute(
    self,
    "update",
    api_id=api.ref,
    route_key="POST /update",
    # Requests must be signed with AWS credentials (SigV4) to reach the route
    authorization_type="AWS_IAM"
)
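Both fixes above (REST API methods and V2 routes) end up in the CloudFormation template that `cdk synth` writes, so an unauthenticated method or route can also be caught there before deployment. The following is an added example, not part of this rule description or of the AWS CDK, that scans a synthesized template for AWS::ApiGateway::Method and AWS::ApiGatewayV2::Route resources whose AuthorizationType is NONE. The template below is constructed for the example; the logical ids and route keys in it are made up. An absent AuthorizationType is treated as NONE (API Gateway V2 applies NONE by default, and the same conservative assumption is made for REST API methods), and the optional ignore set lets a reviewer exclude methods they have deliberately left open, such as CORS preflight OPTIONS requests.

```python
import json
from typing import Dict, FrozenSet, List

# Constructed sample: a trimmed-down synthesized CloudFormation template
# (what `cdk synth` would emit). Logical ids and route keys are made up.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "ExamplePOST": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "HttpMethod": "POST",
                "RestApiId": {"Ref": "ExampleApi"},
                "AuthorizationType": "NONE",
            },
        },
        "ExampleGET": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "HttpMethod": "GET",
                "RestApiId": {"Ref": "ExampleApi"},
                "AuthorizationType": "AWS_IAM",
            },
        },
        "UpdateRoute": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {
                "ApiId": {"Ref": "HttpApi"},
                "RouteKey": "POST /update",
                "AuthorizationType": "NONE",
            },
        },
        "StatusRoute": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {
                "ApiId": {"Ref": "HttpApi"},
                "RouteKey": "GET /status",
                # AuthorizationType omitted: API Gateway applies NONE
            },
        },
        "CorsPreflight": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {
                "ApiId": {"Ref": "HttpApi"},
                "RouteKey": "OPTIONS /update",
            },
        },
        "SecuredRoute": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {
                "ApiId": {"Ref": "HttpApi"},
                "RouteKey": "DELETE /item",
                "AuthorizationType": "AWS_IAM",
            },
        },
    }
})

# Resource types that carry an API Gateway AuthorizationType
API_TYPES = ("AWS::ApiGateway::Method", "AWS::ApiGatewayV2::Route")


def _http_method(res_type: str, props: Dict) -> str:
    """HTTP verb of a method or route, upper-cased ("" if unknown)."""
    if res_type == "AWS::ApiGateway::Method":
        return str(props.get("HttpMethod", "")).upper()
    # V2 route keys look like "POST /update" or "$default"
    return str(props.get("RouteKey", "")).split(" ", 1)[0].upper()


def find_unauthenticated(template_json: str,
                         ignore_http_methods: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the sorted logical ids of methods/routes that require no authentication.

    A missing AuthorizationType is treated as NONE (conservative). A value that is a
    CloudFormation intrinsic (a dict such as {"Ref": ...}) cannot be decided statically
    and is skipped rather than flagged.
    """
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        res_type = resource.get("Type")
        if res_type not in API_TYPES:
            continue
        props = resource.get("Properties", {})
        auth = props.get("AuthorizationType", "NONE")
        if not isinstance(auth, str) or auth.upper() != "NONE":
            continue
        if _http_method(res_type, props) in {m.upper() for m in ignore_http_methods}:
            continue
        findings.append(logical_id)
    return sorted(findings)


if __name__ == "__main__":
    for logical_id in find_unauthenticated(SAMPLE_TEMPLATE, frozenset({"OPTIONS"})):
        print(f"{logical_id}: AuthorizationType is NONE (or absent); anyone can call it")
```

Run it against `cdk.out/<stack>.template.json` in a pre-deploy step; an empty result for every stack is the condition to require before `cdk deploy`. Passing `frozenset({"OPTIONS"})` is a reviewer's decision to accept unauthenticated CORS preflight routes; leave the set empty to report every open method.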
