A public API, one that any identity can invoke whether it is authenticated or not, can lead to unauthorized actions and information
disclosure.
Ask Yourself Whether
The public API:
- exposes sensitive data like personal information.
- can be used to perform sensitive operations.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
Sensitive Code Example
A public API that doesn’t have access control implemented:
resource "aws_api_gateway_method" "noncompliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id      # required argument; the API is assumed to be declared elsewhere
  resource_id   = aws_api_gateway_resource.example.id  # required argument; the resource is assumed to be declared elsewhere
  http_method   = "GET"
  authorization = "NONE" # Sensitive: any caller on the internet can invoke this method
}
Compliant Solution
An API method that requires AWS IAM authorization (callers must sign requests with AWS credentials, and an IAM policy must grant them execute-api:Invoke on the method):
resource "aws_api_gateway_method" "compliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id      # required argument; the API is assumed to be declared elsewhere
  resource_id   = aws_api_gateway_resource.example.id  # required argument; the resource is assumed to be declared elsewhere
  http_method   = "GET"
  authorization = "AWS_IAM" # request signature is verified and IAM policy is evaluated before the method runs
}
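The following is an added example, not part of the original rule text, that puts the two settings side by side in one configuration: a health-check method that is non-sensitive by design and therefore may stay public, and a method returning personal data that is locked to AWS_IAM together with the IAM policy that actually grants invoke rights. The resource names (api, health, users, reader) and the existence of an aws_iam_role.reader elsewhere in the configuration are assumptions for illustration.

```hcl
# Added example (not from the original rule). Assumes aws_iam_role.reader is
# declared elsewhere and that integrations/deployments are added separately.

resource "aws_api_gateway_rest_api" "api" {
  name = "example-api"
}

# /health is designed to be public and returns no sensitive data, so
# authorization = "NONE" is acceptable here.
resource "aws_api_gateway_resource" "health" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "health"
}

resource "aws_api_gateway_method" "health_get" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.health.id
  http_method   = "GET"
  authorization = "NONE" # acceptable only because the endpoint is non-sensitive by design
}

# /users exposes personal information, so callers must present requests
# signed with AWS credentials (SigV4) that are allowed to invoke it.
resource "aws_api_gateway_resource" "users" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "users"
}

resource "aws_api_gateway_method" "users_get" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.users.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}

# AWS_IAM only makes API Gateway verify the signature and evaluate IAM policy.
# Without a policy allowing execute-api:Invoke on this method, every caller,
# including principals in the same account, receives 403.
data "aws_iam_policy_document" "invoke_users" {
  statement {
    actions = ["execute-api:Invoke"]
    # execute-api ARN format: <execution_arn>/<stage>/<METHOD>/<path>; "*" = any stage
    resources = ["${aws_api_gateway_rest_api.api.execution_arn}/*/GET/users"]
  }
}

resource "aws_iam_policy" "invoke_users" {
  name   = "invoke-users-get"
  policy = data.aws_iam_policy_document.invoke_users.json
}

# Grant the invoke right to one role only (least privilege); assumed role.
resource "aws_iam_role_policy_attachment" "reader" {
  role       = aws_iam_role.reader.name
  policy_arn = aws_iam_policy.invoke_users.arn
}
```

Two checks follow from this layout: every aws_api_gateway_method with authorization = "NONE" should be justified by the endpoint being non-sensitive by design, and every AWS_IAM method needs a matching execute-api:Invoke grant, otherwise the method is unreachable rather than protected. A method resource alone does not serve traffic; an aws_api_gateway_integration and a deployment/stage are still required before the API can be invoked.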
See