
Metadata

Id: b47b98ab-e481-4a82-8bb1-1ab39fd36e33

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

API Gateway integrations must validate TLS/SSL certificates to ensure backend endpoints are authentic and prevent man-in-the-middle attacks that can expose credentials or sensitive data.

The validate_certs property in Ansible community.aws.api_gateway and api_gateway tasks must be defined and set to a truthy value (Ansible yes or true). Resources missing this property or with validate_certs set to no or false are flagged.

If your backend uses self-signed certificates, prefer adding the CA to a trusted store or using proper certificate management rather than disabling certificate validation.

Secure example Ansible task:

- name: Create API Gateway with TLS validation
  community.aws.api_gateway:
    name: my-api
    state: present
    validate_certs: yes
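The check described above, written out as an added example (not Datadog's or the rule's own implementation): it walks parsed Ansible tasks, including those nested in block/rescue/always, and flags api_gateway tasks whose validate_certs is missing or not something Ansible would read as true. The sample tasks are constructed here in the dict form yaml.safe_load would return for playbook YAML like the examples on this page.

```python
API_GATEWAY_MODULES = {"community.aws.api_gateway", "api_gateway"}
# String spellings Ansible's boolean conversion treats as true (case-insensitive).
TRUTHY_STRINGS = {"yes", "true", "on", "y", "t", "1"}

def is_truthy(value):
    """True if Ansible would read value as boolean true; anything else fails closed."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return False

def iter_tasks(tasks):
    """Yield each task dict, descending into block/rescue/always sections."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        nested = [task[s] for s in ("block", "rescue", "always") if isinstance(task.get(s), list)]
        if nested:
            for section in nested:
                yield from iter_tasks(section)
        else:
            yield task

def find_violations(tasks):
    """Return (task name, reason) for API Gateway tasks whose validate_certs is missing or not truthy."""
    violations = []
    for task in iter_tasks(tasks):
        for module in task.keys() & API_GATEWAY_MODULES:
            params = task[module]
            name = task.get("name", "<unnamed>")
            if not isinstance(params, dict) or "validate_certs" not in params:
                violations.append((name, "validate_certs not defined"))
            elif not is_truthy(params["validate_certs"]):
                violations.append((name, f"validate_certs={params['validate_certs']!r}"))
    return violations

# Constructed sample: the parsed form of tasks like the page's examples, as yaml.safe_load
# returns them (YAML 1.1 reads a bare yes/no as a bool; a quoted 'no' stays a string).
SAMPLE_TASKS = [
    {"name": "update API v2", "community.aws.api_gateway": {"name": "my-api", "validate_certs": True}},
    {"name": "update API", "community.aws.api_gateway": {"name": "my-api", "validate_certs": False}},
    {"name": "update API v1", "community.aws.api_gateway": {"name": "my-api-v1", "state": "present"}},
    {"name": "wrapper", "block": [{"name": "quoted", "api_gateway": {"name": "v3", "validate_certs": "no"}}]},
]
```

Only the first sample task passes; the other three are reported, including the one hidden inside a block and the one whose quoted 'no' survives YAML parsing as a string.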

Compliant Code Examples

- name: update API v2
  community.aws.api_gateway:
    name: my-api
    api_id: abc123321cba
    state: present
    swagger_file: my_api.yml
    validate_certs: yes
- name: Setup AWS API Gateway setup on AWS and deploy API definition v2
  community.aws.api_gateway:
    name: my-api-v2
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
    validate_certs: yes

Non-Compliant Code Examples

- name: update API
  community.aws.api_gateway:
    name: my-api
    api_id: 'abc123321cba'
    state: present
    swagger_file: my_api.yml
    validate_certs: no
- name: update API v1
  community.aws.api_gateway:
    name: my-api-v1
    api_id: 'abc123321cba'
    state: present
    swagger_file: my_api.yml
- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.api_gateway:
    name: my-api-v2
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
    validate_certs: no
- name: Setup AWS API Gateway setup on AWS and deploy API definition v1
  community.aws.api_gateway:
    name: my-api-v3
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present