πŸ“ AWS API Gateway API Route Authorization Type is not configured 🟒

  • Contextual name: πŸ“ API Route Authorization Type is not configured 🟒
  • ID: /ce/ca/aws/apigateway/api-route-authorization-type
  • Located in: πŸ“ AWS API Gateway

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-5fa71eac

Similar Internal Rules

  • Rule: ✉️ dec-x-5fa71eac (Policies: 1; Flags: none)

Logic

Description

Ensure that each AWS API Gateway API Route is configured with a mechanism for controlling and managing access to the API. Routes are created with an Authorization Type of NONE unless one is set explicitly. API Gateway supports the following mechanisms (HTTP APIs support all three; WebSocket APIs support Lambda authorizers and IAM):

  • Lambda authorizers - Leverage custom AWS Lambda functions to evaluate incoming requests and determine access.
  • JWT authorizers - Validate JSON Web Tokens (JWTs) issued by trusted identity providers to control access.
  • AWS IAM - Use standard AWS Identity and Access Management (IAM) roles and policies to authorize requests.

Rationale

  1. Enhance API Security: Enforcing authorization at the route level is essential to ensure that only authenticated and authorized clients can access your API endpoints. This mitigates the risk of unauthorized access, abuse, and exposure of internal services.

  2. Protect Sensitive Data and Functionality: APIs often handle sensitive data or critical business logic. Without proper authorization, malicious actors could exploit unsecured endpoints, leading to data leaks, service interruptions, or unauthorized operations.


Remediation

Configure an appropriate Authorization Type for each route in AWS API Gateway. Select the authorization mechanism based on your security requirements: IAM, JWT, or Lambda authorizers for HTTP APIs, and IAM or Lambda authorizers for WebSocket APIs. For a WebSocket API, authorization is evaluated only on the $connect route, so that is the route that must be protected.

From AWS CLI

  1. To update an API Route to use IAM authorization, run the following command:

    aws apigatewayv2 update-route \
    --api-id {{api-id}} \
    --route-id {{route-id}} \
    --authorization-type AWS_IAM

    Replace {{api-id}} with the ID of your API Gateway API and {{route-id}} with the ID of the Route you are updating.

    When IAM authorization is enabled, clients must sign their requests with AWS credentials using Signature Version 4 (SigV4). API Gateway invokes the route only if the caller's IAM policy grants execute-api:Invoke on that route's ARN (arn:aws:execute-api:region:account-id:api-id/stage/METHOD/path); an unsigned or unauthorized request is rejected with 403 before the integration is reached.

  2. To configure a Lambda or JWT authorizer, first create it with the create-authorizer command, then attach it to the route with update-route, passing --authorization-type JWT (or CUSTOM for a Lambda authorizer) together with --authorizer-id:

    aws apigatewayv2 create-authorizer \
    --api-id {{api-id}} \
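The steps above can be combined into one script that audits an API for routes still set to NONE and fixes them. The following is an added example and not code from the original page or from AWS: it assumes AWS CLI v2 with credentials that allow apigateway:GET, PATCH and POST, that API_ID (and, for the JWT path, an issuer URL and audience) are supplied by the caller, and it uses only documented apigatewayv2 subcommands and flags. The JMESPath --query filter and the --query AuthorizationType check are the parts a runbook most often gets wrong, so they are spelled out.

```shell
#!/bin/sh
# Added example (not from the original page): audit every route of an API
# Gateway v2 API (HTTP or WebSocket) and close the gap this policy flags.
# Assumptions: AWS CLI v2 is installed with credentials allowing
# apigateway:GET/PATCH/POST; API_ID, issuer and audience come from the caller.
set -eu

# Print the RouteId of every route whose AuthorizationType is NONE.
# The JMESPath filter makes the CLI do the filtering; --output text returns
# the matches tab-separated on one line, normalized here to one ID per line.
unprotected_routes() {
  api_id=$1
  aws apigatewayv2 get-routes \
    --api-id "$api_id" \
    --query "Items[?AuthorizationType=='NONE'].RouteId" \
    --output text | tr '\t' '\n' | grep -v '^None$' | grep -v '^$' || true
}

# Switch one route to IAM authorization and print the resulting type.
# Callers must then SigV4-sign requests and hold execute-api:Invoke on the route.
require_iam_auth() {
  api_id=$1; route_id=$2
  aws apigatewayv2 update-route \
    --api-id "$api_id" --route-id "$route_id" \
    --authorization-type AWS_IAM \
    --query AuthorizationType --output text
}

# HTTP APIs only: create a JWT authorizer for an OIDC issuer (for example a
# Cognito user pool) and print its AuthorizerId. Tokens must arrive in the
# Authorization header and carry matching iss and aud claims.
create_jwt_authorizer() {
  api_id=$1; name=$2; issuer=$3; audience=$4
  aws apigatewayv2 create-authorizer \
    --api-id "$api_id" \
    --name "$name" \
    --authorizer-type JWT \
    --identity-source '$request.header.Authorization' \
    --jwt-configuration "Audience=$audience,Issuer=$issuer" \
    --query AuthorizerId --output text
}

# Attach an existing JWT authorizer to a route. An authorizer id is required
# whenever the type is JWT (or CUSTOM for a Lambda authorizer).
require_jwt_auth() {
  api_id=$1; route_id=$2; authorizer_id=$3
  aws apigatewayv2 update-route \
    --api-id "$api_id" --route-id "$route_id" \
    --authorization-type JWT \
    --authorizer-id "$authorizer_id" \
    --query AuthorizationType --output text
}

# Find every unprotected route and put it behind IAM (the option that needs
# no extra resources), verifying each update from the API's own response.
# Returns non-zero if an update did not land, so a CI job fails loudly.
remediate_api() {
  api_id=$1
  fixed=0
  for route_id in $(unprotected_routes "$api_id"); do
    result=$(require_iam_auth "$api_id" "$route_id")
    if [ "$result" != "AWS_IAM" ]; then
      echo "route $route_id still has AuthorizationType=$result" >&2
      return 1
    fi
    echo "route $route_id: NONE -> AWS_IAM"
    fixed=$((fixed + 1))
  done
  echo "$fixed route(s) updated"
}

# Stand-alone use:  API_ID=a1b2c3d4 sh remediate-routes.sh
if [ -n "${API_ID:-}" ]; then
  remediate_api "$API_ID"
fi
```

Run it once in audit mode by calling only unprotected_routes if you want a dry run; the remediation verifies each change by reading AuthorizationType back from the update-route response rather than trusting the exit code alone. Swap require_iam_auth for create_jwt_authorizer plus require_jwt_auth when the clients are browser or mobile apps that present OIDC tokens instead of AWS credentials.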

policy.yaml

Linked Framework Sections

Section (Sub Sections / Internal Rules / Policies / Flags count in parentheses)

  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.8] API Gateway routes should specify an authorization type (11)
  • 💼 Cloudaware Framework → 💼 Secure Access (43)
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (3747)
  • 💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) (23165)
  • 💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) (3114)
  • 💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) (13)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (47)
  • 💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) (13)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (47)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) (151)
  • 💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H) (314)
  • 💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) (13)
  • 💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events (89)
  • 💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained (31)
  • 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (58)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected (67)
  • 💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage (40)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement (15417)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement (326173)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement | Processing Domains (2527)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement | Detection of Unsanctioned Information (78)
  • 💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration (713)
  • 💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration | Automation Support for Accuracy and Currency (13)