Profile Applicability:

  • Level 1

Description:

Amazon API Gateway enables you to create, manage, and secure APIs for accessing AWS services. Authorizers in API Gateway are used to validate requests from clients before allowing access to the API. Authorizers can be configured at both the API level (for all methods in the API) or method level (for individual API methods). Common types of authorizers include Lambda authorizers and Cognito user pool authorizers. Configuring an authorizer ensures that only authenticated and authorized clients can access the resources exposed by the API Gateway.

Rationale:

Configuring authorizers at the API or method level helps secure your API endpoints by ensuring that requests are validated before they reach the backend resources. This prevents unauthorized access to sensitive resources, maintains control over who can access the API, and ensures compliance with security policies. Implementing authorizers at the right levels ensures that the API is protected according to the security requirements.

Impact:

Pros:

  • Ensures proper access control to your API endpoints.

  • Reduces the risk of unauthorized access to sensitive data.

  • Enforces security standards and compliance for public-facing APIs.

Cons:

  • Introducing authorizers adds additional configuration steps to manage and could result in more complex deployments.

  • Misconfiguration could block legitimate users or services from accessing the API.

Default Value:

By default, API Gateway does not have an authorizer configured for APIs or methods unless explicitly set up by the user.

Pre-requisite:

  • AWS IAM permissions:

    • apigateway:GET

    • apigateway:DescribeAuthorizers

    • apigateway:UpdateMethod

    • apigateway:PutMethod

  • AWS CLI installed and configured.

  • Familiarity with API Gateway methods and authorizer configurations (e.g., Lambda authorizers, Cognito user pools).

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon API Gateway under Services.

   

  1. Select APIs from the left navigation panel.

                     

  1. Select the API that you want to check.

     

  1. In the API Gateway Console, go to Resources.

                           

  1. For each Method (GET, POST, etc.) under the resource, click on the method and check if an authorizer is configured in the Method Request section.

                       

  • If None is selected for the Authorization field, it means no authorizer is configured for that method.

  1. Check the API level settings by selecting the Authorizers option in the navigation panel. Ensure that the appropriate authorizers are configured at the API level if required.

Using AWS CLI:

List the available APIs using the following command:

aws apigateway get-rest-apis --query 'items[*].{ID:id,Name:name}' --output table

For each API, list the methods for the resources:

aws apigateway get-resources --rest-api-id <api-id> --query 'items[*].{Resource:path,Methods:method}' --output table

For each method, run the following command to check if an authorizer is configured:

aws apigateway get-method --rest-api-id <api-id> --resource-id <resource-id> --http-method <method> --query 'authorizationType'

  • If the result is NONE, no authorizer is configured. If it’s AWS_IAMCOGNITO_USER_POOLS, or CUSTOM, an authorizer is configured.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console 

  2. Navigate to Amazon API Gateway.

                 

  1. Select the API to check for authorizers.

       

  1. Go to Resources.

             

  1. Select the method and ensure that the Authorization field is correctly configured.

             

  1. If no authorizer is configured, select the appropriate authorizer (e.g., Lambda authorizer, Cognito user pool) from the Authorization dropdown in the Method Request section.

             

  1. Save the changes and deploy the API.

Using AWS CLI:

  1. List the available APIs using aws apigateway get-rest-apis.

  2. For each API, list the resources using aws apigateway get-resources.

  3. For each method, check if an authorizer is configured using aws apigateway get-method.

  4. If no authorizer is configured, run the following command to add an authorizer (for example, Lambda or Cognito):

For Lambda Authorizer:

aws apigateway update-method --rest-api-id <api-id> --resource-id <resource-id> --http-method <method> --authorization-type CUSTOM --authorizer-id <authorizer-id>

For Cognito Authorizer:

aws apigateway update-method --rest-api-id <api-id> --resource-id <resource-id> --http-method <method> --authorization-type COGNITO_USER_POOLS --authorizer-id <authorizer-id>

Deploy the changes to apply the authorizer:

aws apigateway create-deployment --rest-api-id <api-id> --stage-name <stage-name>


Backout Plan:

If authorizer configuration causes issues:

  1. Identify the affected API and method.

Remove or update the authorizer configuration to restore functionality:

aws apigateway update-method --rest-api-id <api-id> --resource-id <resource-id> --http-method <method> --authorization-type NONE

  1. Test to ensure that the API behaves as expected.

  2. Document all changes and restoration actions for compliance and auditing purposes.

References:

CIS Controls Mapping:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

3.4

Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8

6.7

Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8

6.8

Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.