Profile Applicability:
- Level 1
Description:
Amazon API Gateway allows you to create and manage APIs for accessing AWS services, and it supports both public and private endpoints. Public API Gateway endpoints are exposed to the internet and can be invoked by any client unless access control, such as an authorizer, is configured. An authorizer verifies the identity of incoming requests so that only authorized clients can invoke the API. Common types are Lambda authorizers (authorization type CUSTOM) and Cognito user pool authorizers (authorization type COGNITO_USER_POOLS); IAM authorization (AWS_IAM) is a further option. Creating an authorizer on its own protects nothing: it must be attached to each method of the API, because a method whose authorization type is NONE accepts any request. It is a best practice to configure an authorizer on every method of a public API Gateway endpoint to protect it from unauthorized access.
Rationale:
By configuring an authorizer on a public API Gateway endpoint, you ensure that only authenticated and authorized clients can reach the resources behind the API. This reduces the risk of unauthorized access and of unauthenticated consumption or abuse of the backend, helps protect sensitive data, and supports compliance with security policies and best practices.
Impact:
Pros:
Enhances the security of your public API Gateway endpoints.
Reduces the risk of unauthorized access to sensitive APIs.
Enforces authentication and authorization standards, improving overall system security.
Cons:
Introducing an authorizer may add additional complexity to the API's configuration.
Misconfiguration (for example a wrong identity source header, or an authorizer policy that denies valid clients) could result in legitimate users being denied access.
Default Value:
By default, a newly created API Gateway method has an authorization type of NONE and no authorizer attached, so a deployed public endpoint accepts unauthenticated requests. An authorizer must be explicitly created and attached to each method to ensure secure access.
Pre-requisite:
AWS IAM permissions (API Gateway uses HTTP verbs as IAM action names):
apigateway:GET (list APIs, resources, methods and authorizers)
apigateway:POST (create the authorizer and the deployment)
apigateway:PATCH (attach the authorizer to each method)
lambda:AddPermission (Lambda authorizers only, to let API Gateway invoke the function, unless an invocation role is supplied with --authorizer-credentials)
AWS CLI installed and configured.
Knowledge of how to configure API Gateway and authorizers (e.g., Lambda authorizer, Cognito user pool).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway under Services.
Select APIs from the navigation pane.
Select the API you want to check for an authorizer.
Under Authorizers, check whether an authorizer is defined for the API.
Under Resources, select each method and check the Authorization value in its Method request settings. A method showing NONE is unprotected even if an authorizer exists for the API (an API key requirement is usage-plan metering, not authentication).
If any public method has no authorizer, add a Lambda or Cognito authorizer and attach it to that method.
Using AWS CLI:
List the available APIs:
aws apigateway get-rest-apis --query 'items[*].{ID:id,Name:name}' --output table
For the selected API, check the existing authorizers:
aws apigateway get-authorizers --rest-api-id <api-id> --query 'items[*].{Name:name}' --output table
If no authorizer is listed, the API has no authorizer at all. An authorizer that does exist must also be referenced by each method: run get-resources for the API with the --embed methods option and inspect the authorizationType of every method; any method reporting NONE is open even though an authorizer exists (OPTIONS methods used for CORS preflight are commonly left at NONE by design, since browsers send preflight requests without credentials). You can add and attach an authorizer using the AWS CLI or Console.
Implementation Steps:
Using AWS Console:
Open the AWS Management Console
Navigate to API Gateway.
Select the desired API from the list of available APIs.
Under Authorizers, choose Create authorizer, select the type (Lambda or Cognito), and complete the configuration (for a Lambda authorizer, the function and the token source header; for a Cognito authorizer, the user pool and the token source).
Under Resources, select each method that should be protected, edit its Method request settings and set Authorization to the new authorizer. An authorizer that is not attached to a method does not protect it.
Deploy the API to the stage to make the authorizer active for the public endpoint; until a new deployment is created the stage keeps serving the previous configuration.
Using AWS CLI:
If no authorizer is configured, create a Lambda or Cognito user pool authorizer and note the id returned in the response:
For a Lambda authorizer (the --authorizer-uri is the API Gateway invocation URI of the function, not the bare function ARN):
aws apigateway create-authorizer --rest-api-id <api-id> --name <authorizer-name> --type TOKEN --authorizer-uri arn:aws:apigateway:<region>:lambda:path/2015-03-31/functions/arn:aws:lambda:<region>:<account-id>:function:<lambda-function-name>/invocations --identity-source 'method.request.header.Authorization'
API Gateway must also be allowed to invoke the function: either add a resource-based permission to the Lambda function for the principal apigateway.amazonaws.com (aws lambda add-permission) or pass an IAM role that can invoke it with --authorizer-credentials. Without this, every request to a protected method fails because the authorizer cannot be called.
For a Cognito authorizer:
aws apigateway create-authorizer --rest-api-id <api-id> --name <authorizer-name> --type COGNITO_USER_POOLS --provider-arns arn:aws:cognito-idp:<region>:<account-id>:userpool/<user-pool-id> --identity-source 'method.request.header.Authorization'
Attach the authorizer to every method of the API. Creating it is not enough; a method whose authorization type is still NONE remains open. For each method, set its authorization type to CUSTOM (Lambda) or COGNITO_USER_POOLS and its authorizer id to the id returned above (aws apigateway update-method with patch operations on /authorizationType and /authorizerId).
Deploy the API to apply the changes; the stage keeps its previous behaviour until a new deployment is created:
aws apigateway create-deployment --rest-api-id <api-id> --stage-name <stage-name>
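The following script is an added example for the Test Plan and Implementation Steps above; it is not AWS tooling or part of the benchmark itself. It implements the per-method check that the authorizer listing alone does not give (a method whose authorizationType is NONE is open regardless of how many authorizers exist), builds the update-method patch operations that attach an authorizer, and, in live mode, pages through get_resources with boto3 and deploys after remediation. The resource ids, paths and the authorizer id auth01 in the embedded sample are constructed placeholders; live mode assumes boto3 credentials with apigateway:GET and apigateway:PATCH (and apigateway:POST for the deployment).

```python
"""Audit API Gateway REST API methods for a missing authorizer and attach one.

Added example for this recommendation, not AWS's or the benchmark's own tooling.
The resource ids, paths and authorizer id below are constructed placeholders.
"""
from typing import Dict, List, Optional, Tuple

OPEN_AUTH = "NONE"
PROTECTED_AUTH = {"AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}

# Constructed sample of `aws apigateway get-resources --embed methods` output.
# Without --embed methods the method bodies are empty and cannot be audited.
SAMPLE_RESOURCES: Dict = {
    "items": [
        {"id": "a1b2c3", "path": "/"},
        {"id": "d4e5f6", "path": "/orders", "resourceMethods": {
            # apiKeyRequired is usage-plan metering, not authentication
            "GET": {"httpMethod": "GET", "authorizationType": "NONE", "apiKeyRequired": True},
            "POST": {"httpMethod": "POST", "authorizationType": "CUSTOM", "authorizerId": "auth01"},
            "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"},
        }},
        {"id": "g7h8i9", "path": "/health", "resourceMethods": {
            "GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM"},
        }},
    ]
}

Finding = Tuple[str, str, str]  # (resource id, path, HTTP verb)


def find_open_methods(resources: Dict, skip_options: bool = True) -> List[Finding]:
    """Return every method whose authorizationType is NONE.

    An API key requirement does not count as protection. OPTIONS is skipped by
    default because CORS preflight requests carry no credentials; pass
    skip_options=False to report those too. A method with no authorizationType
    in the output (export made without --embed methods) is reported as open so
    that an incomplete export never hides a finding.
    """
    findings: List[Finding] = []
    for res in resources.get("items", []):
        for verb, method in sorted(res.get("resourceMethods", {}).items()):
            if skip_options and verb == "OPTIONS":
                continue
            if method.get("authorizationType", OPEN_AUTH) == OPEN_AUTH:
                findings.append((res["id"], res["path"], verb))
    return findings


def attach_patch_ops(auth_type: str, authorizer_id: Optional[str] = None) -> List[Dict[str, str]]:
    """Build the update-method patch operations that attach an authorizer.

    Equivalent CLI (one method at a time):
      aws apigateway update-method --rest-api-id <api-id> --resource-id <resource-id> \
        --http-method GET --patch-operations \
        op=replace,path=/authorizationType,value=CUSTOM \
        op=replace,path=/authorizerId,value=<authorizer-id>
    """
    if auth_type not in PROTECTED_AUTH:
        raise ValueError(f"{auth_type} does not protect the method")
    ops = [{"op": "replace", "path": "/authorizationType", "value": auth_type}]
    if auth_type != "AWS_IAM":  # CUSTOM and COGNITO_USER_POOLS need an authorizer id
        if not authorizer_id:
            raise ValueError(f"{auth_type} requires an authorizer id")
        ops.append({"op": "replace", "path": "/authorizerId", "value": authorizer_id})
    return ops


def audit_api(client, rest_api_id: str) -> List[Finding]:
    """Live audit of one REST API; client is boto3.client('apigateway')."""
    items: List[Dict] = []
    for page in client.get_paginator("get_resources").paginate(
            restApiId=rest_api_id, embed=["methods"]):
        items.extend(page.get("items", []))
    return find_open_methods({"items": items})


def remediate(client, rest_api_id: str, findings: List[Finding],
              auth_type: str, authorizer_id: Optional[str], stage_name: str) -> None:
    """Attach the authorizer to each open method, then deploy so it takes effect."""
    for resource_id, _path, verb in findings:
        client.update_method(restApiId=rest_api_id, resourceId=resource_id,
                             httpMethod=verb,
                             patchOperations=attach_patch_ops(auth_type, authorizer_id))
    if findings:  # the stage serves the old configuration until a new deployment exists
        client.create_deployment(restApiId=rest_api_id, stageName=stage_name)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        # Offline: run the audit against the constructed sample.
        for rid, path, verb in find_open_methods(SAMPLE_RESOURCES):
            print(f"OPEN  {verb:7s} {path}  (resource {rid})")
    else:
        import boto3  # live mode: python audit.py <api-id>
        for rid, path, verb in audit_api(boto3.client("apigateway"), sys.argv[1]):
            print(f"OPEN  {verb:7s} {path}  (resource {rid})")
```

Run without arguments to see the audit on the embedded sample (only GET /orders is flagged: POST /orders already references an authorizer, GET /health uses IAM, and OPTIONS is skipped as preflight); pass an API id to audit a real API. Remediation is kept in a separate function so that findings can be reviewed before any method is patched, and it deploys only when something changed.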
Backout Plan:
If the configuration of the authorizer causes access issues:
Identify the affected API and confirm that the issue is caused by the authorizer (for example 401 or 403 responses for valid clients, or 500 responses when API Gateway cannot invoke a Lambda authorizer).
Revert the affected methods to their previous authorization setting, or point the stage back at the previous deployment, and redeploy; authorizer changes only take effect through a deployment.
Test the API to confirm it functions as expected after the revert.
Document all changes made for auditing and compliance purposes.