A public API, one that any identity can call whether authenticated or not, can lead to unauthorized actions and information disclosure.
Ask Yourself Whether
The public API:
- exposes sensitive data like personal information.
- can be used to perform sensitive operations.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.
Sensitive Code Example
For aws-cdk-lib.aws_apigateway.Resource:
import {aws_apigateway as apigateway} from "aws-cdk-lib"

// api is an existing apigateway.RestApi defined earlier in the stack
const resource = api.root.addResource("example")
resource.addMethod(
  "GET",
  new apigateway.HttpIntegration("https://example.org"),
  {
    authorizationType: apigateway.AuthorizationType.NONE // Sensitive: any caller can invoke this method
  }
)
For aws-cdk-lib.aws_apigatewayv2.CfnRoute:
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

// inside a Stack or Construct: api is an existing CfnApi, exampleIntegration its integration target
new apigateway.CfnRoute(this, "no-auth", {
  apiId: api.ref,
  routeKey: "GET /no-auth",
  authorizationType: "NONE", // Sensitive: the route accepts unauthenticated requests
  target: exampleIntegration
})
Compliant Solution
For aws-cdk-lib.aws_apigateway.Resource:
import {aws_apigateway as apigateway} from "aws-cdk-lib"

// api is an existing apigateway.RestApi defined earlier in the stack
const resource = api.root.addResource("example", {
  defaultMethodOptions: {
    authorizationType: apigateway.AuthorizationType.IAM // default for every method on this resource
  }
})
resource.addMethod(
  "POST",
  new apigateway.HttpIntegration("https://example.org"),
  {
    authorizationType: apigateway.AuthorizationType.IAM
  }
)
resource.addMethod( // authorizationType is inherited from the Resource's configured defaultMethodOptions
  "GET"
)
For aws-cdk-lib.aws_apigatewayv2.CfnRoute:
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

// inside a Stack or Construct: api is an existing CfnApi, exampleIntegration its integration target
new apigateway.CfnRoute(this, "auth", {
  apiId: api.ref,
  routeKey: "POST /auth",
  authorizationType: "AWS_IAM", // callers must sign requests with IAM credentials
  target: exampleIntegration
})
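As an added example, not part of this rule page or of the AWS CDK library, the following check scans the CloudFormation template that `cdk synth` produces and reports every AWS::ApiGateway::Method and AWS::ApiGatewayV2::Route whose AuthorizationType is NONE (the setting the sensitive snippets above create); the template shape and logical IDs are constructed, and treating a missing AuthorizationType as NONE is an assumption of this checker.

```typescript
// Hypothetical CI check (added example, not CDK code): find API Gateway
// methods and routes in a synthesized template that accept unauthenticated callers.

interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources: Record<string, CfnResource> }
interface Finding { logicalId: string; type: string; authorizationType: string }

// The two resource types the rule covers; both carry an AuthorizationType property.
const CHECKED_TYPES = new Set(["AWS::ApiGateway::Method", "AWS::ApiGatewayV2::Route"]);

function findPublicRoutes(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (!CHECKED_TYPES.has(res.Type)) continue;
    const raw = res.Properties?.["AuthorizationType"];
    // Assumption: an absent value is reported as NONE rather than silently passed,
    // since an HTTP API route without an authorizer is public by default.
    const authorizationType = typeof raw === "string" ? raw.toUpperCase() : "NONE";
    if (authorizationType === "NONE") {
      findings.push({ logicalId, type: res.Type, authorizationType });
    }
  }
  return findings;
}

// Constructed sample resembling what `cdk synth` emits for the snippets on this page.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    ExampleGET:   { Type: "AWS::ApiGateway::Method",   Properties: { HttpMethod: "GET",  AuthorizationType: "NONE" } },
    ExamplePOST:  { Type: "AWS::ApiGateway::Method",   Properties: { HttpMethod: "POST", AuthorizationType: "AWS_IAM" } },
    NoAuthRoute:  { Type: "AWS::ApiGatewayV2::Route",  Properties: { RouteKey: "GET /no-auth", AuthorizationType: "NONE" } },
    AuthRoute:    { Type: "AWS::ApiGatewayV2::Route",  Properties: { RouteKey: "POST /auth", AuthorizationType: "AWS_IAM" } },
    DefaultRoute: { Type: "AWS::ApiGatewayV2::Route",  Properties: { RouteKey: "GET /default" } }, // no AuthorizationType set
    Bucket:       { Type: "AWS::S3::Bucket" }, // unrelated resource, ignored by the check
  },
};

// Exit non-zero in CI when any public method or route is found.
const publicRoutes = findPublicRoutes(SAMPLE_TEMPLATE);
for (const f of publicRoutes) {
  console.log(`${f.logicalId} (${f.type}): AuthorizationType=${f.authorizationType}`);
}
```

Pipe the real `cdk synth --json` output into `findPublicRoutes` instead of SAMPLE_TEMPLATE to gate a deployment pipeline on the result.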
See