🛡️ AWS API Gateway API Route Authorization Type is not configured🟢

Contextual name: 🛡️ API Route Authorization Type is not configured🟢
ID: /ce/ca/aws/apigateway/api-route-authorization-type
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS API Gateway API
- 🔌 AWS API Gateway API - object.extracts.yaml
- 🔌 AWS API Gateway Route - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Internal: dec-x-5fa71eac

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-5fa71eac	1

Description

Open File

Description

Ensure that each AWS API Gateway API Route is configured with a mechanism for controlling and managing access to the API. API Gateway supports the following mechanisms:

Lambda authorizers - Leverage custom AWS Lambda functions to evaluate incoming requests and determine access.

JWT authorizers - Validate JSON Web Tokens (JWTs) issued by trusted identity providers to control access.

AWS IAM - Use standard AWS Identity and Access Management (IAM) roles and policies to authorize requests.

Rationale

Enhance API Security: Enforcing authorization at the route level is essential to ensure that only authenticated and authorized clients can access your API endpoints. This mitigates the risk of unauthorized access, abuse, and exposure of internal services.

Protect Sensitive Data and Functionality: APIs often handle sensitive data or critical business logic. Without proper authorization, malicious actors could exploit unsecured endpoints, leading to data leaks, service interruptions, or unauthorized operations.

... see more

Remediation

Open File

Remediation

Configure an appropriate Authorization Type for each route in AWS API Gateway. Select the authorization mechanism based on your security requirements, for example, IAM, JWT, or Lambda authorizers for HTTP APIs, and IAM or Lambda authorizers for WebSocket APIs.

From AWS CLI
To update an API route to use IAM authorization, run the following command:
aws apigatewayv2 update-route \
--api-id {{api-id}} \
--route-id {{route-id}} \
--authorization-type AWS_IAM
Replace {{api-id}} with the ID of your API Gateway API and {{route-id}} with the ID of the route you are updating.

When IAM authorization is enabled, clients must use Signature Version 4 (SigV4) to sign their requests with AWS credentials. API Gateway invokes the route only if the client has execute-api permission for it.
To configure a Lambda or JWT authorizer, use the create-authorizer command:
    aws apigatewayv2 create-authorizer \
    --api-id {{api-id}} \
... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.8] API Gateway routes should specify an authorization type		1	1	no data
💼 Cloudaware Framework → 💼 Secure Access			75	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105	no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47	no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47	no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	59	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46	no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency			22	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Remediation​

Remediation​

From AWS CLI​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Remediation

Remediation

From AWS CLI

policy.yaml

Linked Framework Sections