A public API, one that any identity can call whether authenticated or not, can lead to unauthorized actions and information disclosure: every caller who can reach the endpoint gets whatever data and operations it exposes.
Ask Yourself Whether
The public API:
- exposes sensitive data like personal information.
- can be used to perform sensitive operations.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
Sensitive Code Example
For aws_cdk.aws_apigateway.Resource (REST API; "api" is an existing apigateway.RestApi construct not shown here):
from aws_cdk import (
    aws_apigateway as apigateway
)
resource = api.root.add_resource("example")
resource.add_method(
    "GET",
    authorization_type=apigateway.AuthorizationType.NONE  # Sensitive: no authorizer, any caller may invoke GET /example
)
For aws_cdk.aws_apigatewayv2.CfnRoute (HTTP API; "api" is an existing apigatewayv2.CfnApi construct not shown here):
from aws_cdk import (
    aws_apigatewayv2 as apigateway
)
apigateway.CfnRoute(
    self,
    "no-auth",
    api_id=api.ref,
    route_key="GET /test",
    authorization_type="NONE"  # Sensitive: this is also the default when authorization_type is omitted
)
Compliant Solution
For aws_cdk.aws_apigateway.Resource (REST API; "api" is an existing apigateway.RestApi construct not shown here):
from aws_cdk import (
    aws_apigateway as apigateway
)
# Default method options are applied to every method added to the resource
# unless the method overrides them.
opts = apigateway.MethodOptions(
    authorization_type=apigateway.AuthorizationType.IAM
)
resource = api.root.add_resource(
    "example",
    default_method_options=opts
)
# Explicit: the method states its own authorization type.
resource.add_method(
    "POST",
    authorization_type=apigateway.AuthorizationType.IAM
)
# Inherited: authorization_type comes from the Resource's default_method_options.
# A different HTTP method is used here because a resource can hold only one
# Method construct per HTTP verb.
resource.add_method(
    "GET"
)
For aws_cdk.aws_apigatewayv2.CfnRoute (HTTP API; "api" is an existing apigatewayv2.CfnApi construct not shown here):
from aws_cdk import (
    aws_apigatewayv2 as apigateway
)
apigateway.CfnRoute(
    self,
    "auth",
    api_id=api.ref,
    route_key="GET /test",
    authorization_type="AWS_IAM"  # Callers must sign requests with SigV4 and hold an IAM policy allowing execute-api:Invoke
)
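The compliant and sensitive snippets above only differ in one property, which is easy to miss in review. The following script, added here as an example and not part of the rule text or of the AWS CDK, audits the CloudFormation template that `cdk synth` produces and lists every REST API method (AWS::ApiGateway::Method) and HTTP API route (AWS::ApiGatewayV2::Route) whose AuthorizationType is NONE. It also catches the HTTP API case where authorization_type is simply omitted, since the Route default is NONE. The embedded template is constructed for this example, and the OPTIONS allowlist (CORS preflight must usually stay open) is an assumption to tune for your API.

```python
"""Audit a synthesized CDK/CloudFormation template for API Gateway methods
and routes that accept unauthenticated callers.

Added example, not part of the Sonar rule or the AWS CDK. Usage:
    cdk synth > template.json && python audit_apigw_auth.py template.json
"""
import json
import sys
from typing import Dict, List

# Assumption: CORS preflight requests carry no credentials, so OPTIONS methods
# are commonly left open on purpose. Tune this allowlist for your own API.
ALLOWED_OPEN_METHODS = {"OPTIONS"}


def _rest_api_open_methods(resources: Dict[str, dict]) -> List[str]:
    """REST API (aws_apigateway): AWS::ApiGateway::Method resources."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        props = res.get("Properties", {})
        http_method = str(props.get("HttpMethod", "")).upper()
        # CloudFormation requires AuthorizationType on a Method, but stay
        # defensive and treat a missing value as open.
        auth = str(props.get("AuthorizationType", "NONE")).upper()
        if auth == "NONE" and http_method not in ALLOWED_OPEN_METHODS:
            findings.append(f"{logical_id}: {http_method} method has AuthorizationType NONE")
    return findings


def _http_api_open_routes(resources: Dict[str, dict]) -> List[str]:
    """HTTP/WebSocket API (aws_apigatewayv2): AWS::ApiGatewayV2::Route resources.

    AuthorizationType is optional on a Route and defaults to NONE, so an
    omitted property is exactly as open as an explicit "NONE"."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::ApiGatewayV2::Route":
            continue
        props = res.get("Properties", {})
        route_key = str(props.get("RouteKey", ""))
        # RouteKey looks like "GET /test"; "$default" has no verb part.
        http_method = route_key.split(" ", 1)[0].upper()
        auth = str(props.get("AuthorizationType", "NONE")).upper()
        if auth == "NONE" and http_method not in ALLOWED_OPEN_METHODS:
            findings.append(f"{logical_id}: route '{route_key}' has AuthorizationType NONE")
    return findings


def audit_template(template: dict) -> List[str]:
    """Return one finding per unauthenticated method or route in the template."""
    resources = template.get("Resources", {})
    return _rest_api_open_methods(resources) + _http_api_open_routes(resources)


# Constructed sample resembling what `cdk synth` emits for the snippets on this
# page (logical IDs shortened; the real ones carry a hash suffix).
SAMPLE_TEMPLATE = {
    "Resources": {
        "apiexampleGET": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {"HttpMethod": "GET", "AuthorizationType": "NONE",
                           "ResourceId": {"Ref": "apiexample"}, "RestApiId": {"Ref": "api"}},
        },
        "apiexamplePOST": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {"HttpMethod": "POST", "AuthorizationType": "AWS_IAM",
                           "ResourceId": {"Ref": "apiexample"}, "RestApiId": {"Ref": "api"}},
        },
        "apiexampleOPTIONS": {  # CORS preflight, intentionally open
            "Type": "AWS::ApiGateway::Method",
            "Properties": {"HttpMethod": "OPTIONS", "AuthorizationType": "NONE",
                           "ResourceId": {"Ref": "apiexample"}, "RestApiId": {"Ref": "api"}},
        },
        "noauth": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {"ApiId": {"Ref": "api"}, "RouteKey": "GET /test", "AuthorizationType": "NONE"},
        },
        "implicit": {  # AuthorizationType omitted: defaults to NONE
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {"ApiId": {"Ref": "api"}, "RouteKey": "DELETE /test"},
        },
        "auth": {
            "Type": "AWS::ApiGatewayV2::Route",
            "Properties": {"ApiId": {"Ref": "api"}, "RouteKey": "GET /test", "AuthorizationType": "AWS_IAM"},
        },
    }
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    for line in audit_template(template):
        print(line)
    sys.exit(1 if audit_template(template) else 0)
```

Wire this into CI after `cdk synth` and fail the build on a non-zero exit; auditing the synthesized template rather than the CDK source means inherited default_method_options and omitted v2 properties are already resolved to their effective value.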
See