API Gateway V2 Should Have Authorization Type Configuration
More Info:
This rule verifies whether Amazon API Gateway v2 API routes have an authorization type configured. It ensures that appropriate authentication and authorization mechanisms are in place for accessing the API routes. The rule is marked as non-compliant if the authorization type of a route is set to NONE, which means no authentication is required to access that route.
Risk Level
Medium
Address
Security
Compliance Standards
CBP, SEBI
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the API Gateway service.
- In the API Gateway dashboard, select the API Gateway V2 that you want to check.
- In the API Gateway V2 details page, select the ‘Routes’ option from the left-hand side menu.
- For each route, check the ‘Authorization’ column. If the value is ‘NONE’ or not set, then the API Gateway V2 does not have an Authorization Type configuration.
- Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:
Installation:
pip install awscli
Configuration:
aws configure
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
- List all API Gateway V2 APIs: Use the following AWS CLI command to list all your API Gateway V2 APIs:
aws apigatewayv2 get-apis
This command will return a list of all your APIs, including their API ID, name, protocol type, and other details.
- Get the routes of each API: For each API in the list, use the following AWS CLI command to list its routes:
aws apigatewayv2 get-routes --api-id <API_ID>
Replace <API_ID> with the ID of the API you want to check. This command will return the routes of the specified API, including the authorization type of each route (the authorization type is a property of the route, not of the API itself).
- Check the authorization type: In the output of the previous command, look for the AuthorizationType field of each route. If this field is not present or its value is NONE, it means that the route does not have an authorization type configured.
- Install the necessary Python libraries: Before you start, you need to install the AWS SDK for Python (Boto3) to interact with AWS services. You can install it using pip:
pip install boto3
- Set up AWS credentials: You need to configure your AWS credentials. You can do this by creating the files ~/.aws/credentials and ~/.aws/config. In the credentials file, add:
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
In the config file, add:
[default]
region=us-east-1
- Write a Python script to check the authorization type configuration: You can use the following Python script to check the authorization type configuration in API Gateway V2:
import boto3

client = boto3.client('apigatewayv2')
response = client.get_apis()

for item in response['Items']:
    api_id = item['ApiId']
    api_name = item['Name']
    try:
        auth_response = client.get_authorizers(ApiId=api_id)
        # An API with no authorizers returns an empty 'Items' list, so test for content
        if auth_response.get('Items'):
            for authorizer in auth_response['Items']:
                # Authorizer objects expose their type under 'AuthorizerType' (JWT or REQUEST)
                print(f"API Name: {api_name}, Authorizer Name: {authorizer['Name']}, "
                      f"Authorizer Type: {authorizer['AuthorizerType']}")
        else:
            print(f"API Name: {api_name} does not have an authorizer configured.")
    except Exception as e:
        print(f"Error getting authorizers for API: {api_name}. Error: {str(e)}")
- Run the Python script: You can run the Python script using the command:
python check_authorization.py
This script will print the name of each API, the name of each of its authorizers (if any), and the authorizer type. If an API does not have an authorizer configured, it will print a message indicating this.
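The CLI and Python procedures above list authorizers per API, but the rule itself is about routes, and a route can bypass every defined authorizer by carrying AuthorizationType NONE. The following script is an added example, not the page's own script: it walks every route of every API Gateway v2 API through boto3's get_apis and get_routes calls, follows NextToken pagination, and reports routes whose AuthorizationType is NONE or missing. The function name find_unauthenticated_routes and the FakeApiGatewayV2 class with its sample APIs are constructed here so the check runs offline; in production you pass boto3.client('apigatewayv2') instead.

```python
"""Flag API Gateway v2 routes that allow unauthenticated access (added example).

Authorization is configured per route, so the check walks get_routes() for every
API from get_apis(), following NextToken pagination, and reports routes whose
AuthorizationType is NONE or missing altogether.
"""

def _paginate(call, key, **kwargs):
    """Yield every item from a NextToken-paginated apigatewayv2 list call."""
    token = None
    while True:
        page = call(**(dict(kwargs, NextToken=token) if token else kwargs))
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return

def find_unauthenticated_routes(client):
    """Return (api_name, api_id, route_key) for each route with no authorization."""
    findings = []
    for api in _paginate(client.get_apis, "Items"):
        for route in _paginate(client.get_routes, "Items", ApiId=api["ApiId"]):
            # A route without an AuthorizationType key behaves as NONE (open to anyone)
            if route.get("AuthorizationType", "NONE") == "NONE":
                findings.append((api["Name"], api["ApiId"], route["RouteKey"]))
    return findings

class FakeApiGatewayV2:
    """Constructed stand-in for boto3.client('apigatewayv2'); sample data only."""
    apis = [{"ApiId": "api-a", "Name": "orders"}, {"ApiId": "api-b", "Name": "public-site"}]
    routes = {
        "api-a": [{"RouteKey": "GET /orders", "AuthorizationType": "JWT", "AuthorizerId": "a1"},
                  {"RouteKey": "POST /orders", "AuthorizationType": "NONE"}],
        "api-b": [{"RouteKey": "$default"}],  # AuthorizationType never set
    }
    def get_apis(self, **kwargs):
        return {"Items": self.apis}
    def get_routes(self, ApiId, **kwargs):
        items = self.routes[ApiId]  # api-a is served in two pages to exercise pagination
        if len(items) > 1 and "NextToken" not in kwargs:
            return {"Items": items[:1], "NextToken": "page-2"}
        return {"Items": items[1:] if len(items) > 1 else items}

def main():
    import boto3  # imported here so the offline parts run without boto3 installed
    for name, api_id, key in find_unauthenticated_routes(boto3.client("apigatewayv2")):
        print(f"NON-COMPLIANT: {name} ({api_id}) route {key!r} has AuthorizationType NONE")

if __name__ == "__main__":
    main()
```

Running find_unauthenticated_routes(FakeApiGatewayV2()) reports the POST /orders route and the $default route of public-site, while the JWT-protected GET /orders route is left alone.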