Skip to main content

More Info:

This rule verifies whether Amazon API Gatewayv2 API routes have an authorization type configured. It ensures that appropriate authentication and authorization mechanisms are in place for accessing the API routes. The rule is marked as non-compliant if the authorization type is set to NONE, indicating that no authentication is required to access the routes

Risk Level

Medium

Address

Security

Compliance Standards

CBP,SEBI

Triage and Remediation

Check Cause

Using Console

  1. Log in to the AWS Management Console and navigate to the API Gateway service.
  2. In the API Gateway dashboard, select the API Gateway V2 that you want to check.
  3. In the API Gateway V2 details page, select the ‘Routes’ option from the left-hand side menu.
  4. For each route, check the ‘Authorization’ column. If the value is ‘NONE’ or not set, then the API Gateway V2 does not have an Authorization Type configuration.
  1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands: Installation: 
    pip install awscli
    Configuration: 
    aws configure
    You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
  2. List all API Gateway V2 APIs: Use the following AWS CLI command to list all your API Gateway V2 APIs: 
    aws apigatewayv2 get-apis
    This command will return a list of all your APIs, including their API ID, name, protocol type, and other details.
  3. Get the details of each API: For each API in the list, use the following AWS CLI command to get its details: 
    aws apigatewayv2 get-api --api-id <API_ID>
    Replace <API_ID> with the ID of the API you want to check. This command will return the details of the specified API, including its authorization type.
  4. Check the authorization type: In the output of the previous command, look for the AuthorizationType field. If this field is not present or its value is NONE, it means that the API does not have an authorization type configured.
  1. Install the necessary Python libraries: Before you start, you need to install the AWS SDK for Python (Boto3) to interact with AWS services. You can install it using pip: 
    pip install boto3
  2. Set up AWS credentials: You need to configure your AWS credentials. You can do this by creating the files ~/.aws/credentials and ~/.aws/config. In the credentials file, add: 
    [default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
    In the config file, add: 
    [default]
region=us-east-1
  3. Write a Python script to check the authorization type configuration: You can use the following Python script to check the authorization type configuration in API Gateway V2: 
    import boto3

client = boto3.client('apigatewayv2')

response = client.get_apis()

for item in response['Items']:
    api_id = item['ApiId']
    api_name = item['Name']
    try:
        response = client.get_authorizers(
            ApiId=api_id
        )
        if 'Items' in response:
            for authorizer in response['Items']:
                print(f"API Name: {api_name}, Authorizer Name: {authorizer['Name']}, Authorization Type: {authorizer['AuthorizationType']}")
        else:
            print(f"API Name: {api_name} does not have an authorizer configured.")
    except Exception as e:
        print(f"Error getting authorizer for API: {api_name}. Error: {str(e)}")
  4. Run the Python script: You can run the Python script using the command: 
    python check_authorization.py
    This script will print the name of each API, the name of its authorizer (if any), and the authorization type. If an API does not have an authorizer configured, it will print a message indicating this.