Creating AWS API Gateway resources without enforcing authentication exposes the underlying API to any anonymous internet user.

Why is this an issue?

Unless an authentication method is explicitly configured, AWS API Gateway accepts calls to the API from any internet user without requiring them to prove their identity (a REST API method with `AuthorizationType: NONE`, or a SAM API with no `Auth` property). This unnecessarily increases the attack surface, giving unauthenticated actors the opportunity to target both the functionality provided by the API and the backend it fronts.

What is the potential impact?

Unauthorized access

An unauthenticated API endpoint can be reached by any internet user without proving their identity. Attackers may abuse the exposed functionality to extract sensitive data, trigger resource-intensive operations, or exploit other vulnerabilities in the backend infrastructure.

How to fix it

Code examples

The following examples first show an API Gateway method and a SAM API configured without authentication, allowing access by any internet user, and then the same resources with access control enforced.

Noncompliant code example

A REST API method with no access control; `AuthorizationType: NONE` lets any caller invoke it:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE # Noncompliant
      HttpMethod: POST

A Serverless Application Model (SAM) API resource with no `Auth` property; SAM creates its methods with `AuthorizationType: NONE`, so the API is public by default:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  AdminApi: # Noncompliant
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod

Compliant solution

A method that requires callers to sign requests with AWS IAM credentials (Signature Version 4); the caller's IAM policy must grant `execute-api:Invoke` on the method:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ExampleMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: AWS_IAM
      HttpMethod: POST

A Serverless Application Model (SAM) API resource that requires an API key on every request. Note that API keys identify a client for usage plans and throttling rather than authenticating a principal, so AWS recommends combining them with an authorizer (IAM, Cognito user pools, or a Lambda authorizer, set via `Auth.DefaultAuthorizer`) instead of relying on the key alone:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  AdminApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true
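As an added example (not part of this rule page or of Sonar's own analyzer), the Python checker below applies the rule above to a CloudFormation or SAM template: it flags `AWS::ApiGateway::Method` resources whose `AuthorizationType` is `NONE` and `AWS::Serverless::Api` resources that declare no `Auth`. The template is the JSON form of the snippets on this page plus a few constructed resources, embedded so the script runs offline without a YAML library. The function names, the `allow_options_preflight` switch and the decision to treat `ApiKeyRequired: true` on a method the same way the page treats it on a SAM API are this example's own assumptions, not behaviour the rule prescribes.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample template: the JSON form of the page's YAML snippets plus
# a few extra resources, embedded so the checker runs offline without PyYAML.
SAMPLE_TEMPLATE: Dict[str, Any] = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PublicMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "NONE", "HttpMethod": "POST"}
    },
    "IamMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "AWS_IAM", "HttpMethod": "POST"}
    },
    "PreflightMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "NONE", "HttpMethod": "OPTIONS"}
    },
    "AdminApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod"}
    },
    "KeyedApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod", "Auth": {"ApiKeyRequired": true}}
    },
    "CognitoApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {
        "StageName": "Prod",
        "Auth": {
          "DefaultAuthorizer": "UserPoolAuth",
          "Authorizers": {"UserPoolAuth": {"UserPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/example"}}
        }
      }
    }
  }
}
""")

Finding = Tuple[str, str]  # (logical resource name, reason)


def method_is_public(props: Dict[str, Any], allow_options_preflight: bool = False) -> bool:
    """True when an AWS::ApiGateway::Method can be invoked without any credential."""
    # A missing AuthorizationType is treated as NONE (conservative assumption of
    # this checker: the property is required, so a template without it is wrong anyway).
    auth_type = props.get("AuthorizationType", "NONE")
    if auth_type != "NONE":
        # Also covers intrinsic functions such as {"Ref": ...}: they cannot be
        # resolved statically, so resolve parameters before running the check.
        return False
    if props.get("ApiKeyRequired") is True:
        # Mirrors the page's compliant SAM example. API keys serve usage plans
        # and throttling; pair them with a real authorizer in production.
        return False
    if allow_options_preflight and props.get("HttpMethod") == "OPTIONS":
        # CORS preflight requests carry no credentials, so OPTIONS is often left
        # open deliberately; this is an explicit opt-in, never the default.
        return False
    return True


def sam_api_is_public(props: Dict[str, Any]) -> bool:
    """True when an AWS::Serverless::Api declares no default authentication."""
    auth = props.get("Auth") or {}
    if auth.get("ApiKeyRequired") is True:
        return False
    if auth.get("DefaultAuthorizer"):
        return False
    return True


def find_public_apis(template: Dict[str, Any], allow_options_preflight: bool = False) -> List[Finding]:
    """Walk the Resources section and return every publicly invokable API resource."""
    findings: List[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::ApiGateway::Method" and method_is_public(props, allow_options_preflight):
            findings.append((name, "AWS::ApiGateway::Method with AuthorizationType NONE"))
        elif rtype == "AWS::Serverless::Api" and sam_api_is_public(props):
            findings.append((name, "AWS::Serverless::Api without Auth.DefaultAuthorizer or Auth.ApiKeyRequired"))
    return findings


if __name__ == "__main__":
    for name, reason in find_public_apis(SAMPLE_TEMPLATE):
        print(f"{name}: {reason}")
```

Run against the sample, the checker reports `PublicMethod`, `PreflightMethod` and `AdminApi`; with `allow_options_preflight=True` the OPTIONS method drops out. To check a real template, load it with a YAML parser that understands CloudFormation short-form tags (`!Ref`, `!Sub`) and pass the resulting dict to `find_public_apis`.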
