Creating AWS API Gateway resources without enforcing authentication exposes the underlying API to any anonymous internet user.
Unless an authentication method is explicitly configured, AWS API Gateway allows any internet user to call the API without proving their identity. This unnecessarily increases the attack surface, giving unauthenticated actors the opportunity to target both the functionality provided by the API and its underlying infrastructure.
Anyone who can reach the endpoint can invoke it. Attackers may abuse the exposed functionality to extract sensitive data, trigger resource-intensive operations that drive up cost or exhaust backend capacity, or probe the integration behind the method (a Lambda function, an HTTP backend, or an AWS service) for further vulnerabilities.
The following method is configured with authorization = "NONE", so API Gateway forwards every request to the backend without checking who sent it. (The required rest_api_id and resource_id attributes are shown so the snippet is a valid resource; the original omitted them.)
resource "aws_api_gateway_method" "exampleapi" {
  rest_api_id   = aws_api_gateway_rest_api.exampleapi.id
  resource_id   = aws_api_gateway_resource.exampleapi.id
  http_method   = "POST"
  authorization = "NONE" # Noncompliant: any internet user can call this method
}
The compliant configuration sets authorization = "AWS_IAM": API Gateway rejects any request that is not SigV4-signed with AWS credentials holding execute-api:Invoke permission on the method.
resource "aws_api_gateway_method" "exampleapi" {
  rest_api_id   = aws_api_gateway_rest_api.exampleapi.id
  resource_id   = aws_api_gateway_resource.exampleapi.id
  http_method   = "POST"
  authorization = "AWS_IAM" # Compliant: callers must sign requests with IAM credentials
}