Profile Applicability:
Level 1
Description:
This control ensures that Amazon API Gateway V2 (HTTP and WebSocket APIs) has authorizers configured to authenticate and authorize incoming API requests before granting access to backend resources. Authorizers add a crucial layer of access control, allowing only authenticated and authorized users, applications, or services to invoke the API.
Rationale:
APIs exposed without proper authorization mechanisms are highly vulnerable to unauthorized access, privilege escalation, data exfiltration, and other security breaches. Configuring authorizers ensures that every API request is properly authenticated before execution. This control supports compliance with major security standards such as CIS, SOC 2, ISO 27001, HIPAA, and OWASP API Security Top 10 (API1: Broken Object Level Authorization).
Impact:
Positive Impact:
Protects APIs from unauthorized access and misuse.
Enables integration with IAM, JWT, or custom authentication mechanisms.
Ensures compliance with access control and identity management requirements.
Negative Impact:
May introduce slight latency due to token validation or Lambda invocation.
Requires proper maintenance of identity provider configurations.
Default Value:
By default, API Gateway V2 does not have an authorizer configured — APIs are accessible unless explicitly protected by an authorizer or IAM policy.
Pre-Requisite:
IAM permissions required: apigatewayv2:GetApis, apigatewayv2:GetAuthorizers, apigatewayv2:CreateAuthorizer, apigatewayv2:UpdateAuthorizer.
A configured authentication source, such as:
Amazon Cognito User Pool (for JWT authorizer).
Lambda function (for custom authorizer).
Identity provider (IdP) supporting OpenID Connect (OIDC).
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway → APIs (V2).
Select the desired HTTP or WebSocket API.
Choose Authorization → Authorizers from the left panel.
Verify that:
An Authorizer is configured.
The authorizer type is either JWT or Lambda.
The authorizer is assigned to routes that require authentication.
If no authorizer is configured or assigned, the API is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to Amazon API Gateway → APIs (V2).
Select your HTTP API.
Choose Authorization → Create Authorizer.
Set:
Authorizer type: JWT
Identity source: $request.header.Authorization
Issuer URL: URL of your identity provider (e.g., Cognito or Auth0).
Audience: Application client ID(s) from your identity provider.
Save the authorizer.
Go to Routes → [Route Name] → Authorization.
Attach the created JWT authorizer to the route(s) that should require authentication.
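The Test Plan criteria above, together with the JWT settings these implementation steps configure, as an added example check that is not part of this control or of AWS tooling: it evaluates the JSON shapes returned by the apigatewayv2 GetApi, GetAuthorizers and GetRoutes calls and reports every route that is not protected. The sample API, authorizer and routes are constructed, and fetch_and_audit assumes the caller passes in a boto3 apigatewayv2 client.

```python
# Route AuthorizationType values that actually enforce authentication.
ENFORCING_AUTH_TYPES = {"AWS_IAM", "JWT", "CUSTOM"}


def audit_routes(api: dict, authorizers: list, routes: list) -> list:
    """Return one finding per non-compliant route; an empty list means compliant.
    Inputs follow the apigatewayv2 GetApi / GetAuthorizers / GetRoutes response shapes;
    on WebSocket APIs only $connect carries authorization, so other routes are skipped."""
    by_id = {a["AuthorizerId"]: a for a in authorizers}
    findings = []
    for route in routes:
        key = route["RouteKey"]
        if api.get("ProtocolType") == "WEBSOCKET" and key != "$connect":
            continue
        auth_type = route.get("AuthorizationType", "NONE")
        if auth_type not in ENFORCING_AUTH_TYPES:
            findings.append(f"{key}: AuthorizationType is {auth_type}")
        elif auth_type == "AWS_IAM":
            continue  # SigV4 request signing is enforced by the service itself
        elif (authz := by_id.get(route.get("AuthorizerId"))) is None:
            findings.append(f"{key}: {auth_type} route references no existing authorizer")
        elif authz["AuthorizerType"] == "JWT":
            cfg = authz.get("JwtConfiguration", {})
            if not cfg.get("Issuer", "").startswith("https://") or not cfg.get("Audience"):
                findings.append(f"{key}: JWT authorizer '{authz['Name']}' lacks https Issuer or Audience")
    return findings


def fetch_and_audit(client, api_id: str) -> list:
    """Run the same check against a live API; `client` is assumed to be a boto3 apigatewayv2 client."""
    api = client.get_api(ApiId=api_id)
    authorizers = client.get_authorizers(ApiId=api_id)["Items"]
    routes = client.get_routes(ApiId=api_id)["Items"]
    return audit_routes(api, authorizers, routes)


# Constructed sample data in the shape of the API responses (not from a real account).
SAMPLE_API = {"ApiId": "abc123", "Name": "orders-api", "ProtocolType": "HTTP"}
SAMPLE_AUTHORIZERS = [{
    "AuthorizerId": "auth1", "Name": "cognito-jwt", "AuthorizerType": "JWT",
    "IdentitySource": ["$request.header.Authorization"],
    "JwtConfiguration": {"Issuer": "https://idp.example.invalid/pool", "Audience": ["client-id-1"]},
}]
SAMPLE_ROUTES = [
    {"RouteKey": "GET /orders", "AuthorizationType": "JWT", "AuthorizerId": "auth1"},
    {"RouteKey": "POST /orders", "AuthorizationType": "NONE"},
    {"RouteKey": "DELETE /orders/{id}", "AuthorizationType": "JWT", "AuthorizerId": "gone"},
]
```

Running audit_routes on the sample data flags POST /orders (no authorizer) and DELETE /orders/{id} (dangling authorizer id), which is exactly the non-compliant condition the Test Plan describes.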
Backout Plan:
Using AWS Console:
If authentication issues occur after enabling an authorizer:
Temporarily detach the authorizer from the route(s) to restore API accessibility.
Review authorizer configuration (identity source, token validation, Lambda permissions).
Once corrected, reapply the authorizer configuration and test API access.
References:
Amazon API Gateway V2 Authorizers Documentation
Using Lambda Authorizers with HTTP APIs
OWASP API Security Top 10 – Broken Authentication
AWS Security Best Practices Whitepaper