A public API, which any identity, authenticated or not, can request, can lead to unauthorized actions and information disclosure.
Ask Yourself Whether
The public API:
- exposes sensitive data like personal information.
- can be used to perform sensitive operations.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
Sensitive Code Example
A public API that doesn’t have access control implemented:
NoncompliantApiGatewayMethod:
  Type: AWS::ApiGateway::Method
  Properties:
    AuthorizationType: NONE # Sensitive
    HttpMethod: GET
A Serverless Application Model (SAM) API resource that is public by default:
OpenApiDefault: # Sensitive
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
Compliant Solution
An API that implements AWS IAM permissions:
MyApiGatewayMethodIam:
  Type: AWS::ApiGateway::Method
  Properties:
    AuthorizationType: AWS_IAM
    HttpMethod: GET
A Serverless Application Model (SAM) API resource that has to be requested using a key:
ApiKeyApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
    Auth:
      ApiKeyRequired: true
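The following is an added example, not part of the rule description: a small template check that applies the two conditions above (an `AWS::ApiGateway::Method` with `AuthorizationType: NONE`, and an `AWS::Serverless::Api` whose `Auth` block neither requires an API key nor names a `DefaultAuthorizer`) to the JSON form of the four resources shown on this page. The template is constructed inline for the example; `DefaultAuthorizer` is an existing SAM `Auth` property that the page itself does not mention.

```python
import json

# Constructed sample: the page's four resources as a JSON CloudFormation template.
TEMPLATE = json.loads("""
{
  "Resources": {
    "NoncompliantApiGatewayMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "NONE", "HttpMethod": "GET"}
    },
    "OpenApiDefault": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod"}
    },
    "MyApiGatewayMethodIam": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "AWS_IAM", "HttpMethod": "GET"}
    },
    "ApiKeyApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod", "Auth": {"ApiKeyRequired": true}}
    }
  }
}
""")


def public_apis(template):
    """Return the logical ids of API resources that accept unauthenticated requests."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::ApiGateway::Method":
            # NONE disables every authorizer on the method.
            if props.get("AuthorizationType") == "NONE":
                findings.append(name)
        elif rtype == "AWS::Serverless::Api":
            # A SAM API is public by default; Auth must require a key
            # or set a DefaultAuthorizer (Cognito, Lambda, or AWS_IAM).
            auth = props.get("Auth") or {}
            protected = auth.get("ApiKeyRequired") is True or bool(auth.get("DefaultAuthorizer"))
            if not protected:
                findings.append(name)
    return findings


if __name__ == "__main__":
    print(public_apis(TEMPLATE))  # ['NoncompliantApiGatewayMethod', 'OpenApiDefault']
```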
See