ID: terraform-aws/public-api-no-authorization
Language: Terraform
Severity: Warning
Category: Security
This rule mandates that every public API method has an authorization mechanism in place. The `authorization` attribute of the aws_api_gateway_method resource determines the authorization type for the API method. When it is set to "NONE", the method is public and can be invoked by anyone, which is a major security risk.
The importance of this rule lies in its potential to prevent unauthorized access to your APIs. APIs often provide a gateway to sensitive information and systems, and leaving them unprotected can lead to data breaches, system disruptions, and other serious issues.
To avoid violating this rule, always ensure that your APIs have an appropriate level of authorization. In AWS API Gateway, for instance, you can set `authorization` to "AWS_IAM" to use AWS Identity and Access Management (IAM) for authorization, so that only authenticated and authorized callers can invoke your API methods. Here is an example of how to do this:
resource "aws_api_gateway_method" "compliantapi" {
  authorization = "AWS_IAM"
  http_method   = "GET"
}
Always review the authorization settings of your APIs to conform to security best practices.
# Non-compliant: authorization = "NONE" leaves the method publicly invokable.
# rest_api_id and resource_id are required by the provider; the referenced
# aws_api_gateway_rest_api.api and aws_api_gateway_resource.res are assumed
# to be defined elsewhere and are not shown on this page.
resource "aws_api_gateway_method" "noncompliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.res.id
  http_method   = "GET"
  authorization = "NONE"
}

# Compliant: authorization = "AWS_IAM" requires a SigV4-signed request from
# an IAM principal that is allowed to invoke the method.
resource "aws_api_gateway_method" "compliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.res.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}
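The following is an added example, not Datadog's own rule implementation: a small standard-library Python checker that scans Terraform source text for aws_api_gateway_method blocks whose `authorization` is "NONE" and reports each one with its line number. It uses a deliberately simple regex parser rather than a full HCL library, so it assumes the flat attribute-assignment style shown on this page (no nested blocks inside the resource); the sample input below is constructed from the page's two resources, with the rest_api_id and resource_id references being assumed values.

```python
"""Checker for the terraform-aws/public-api-no-authorization rule.

Added example (not Datadog's implementation). Scans HCL text for
aws_api_gateway_method blocks with authorization = "NONE" and returns
one Finding per public method. Regex-based; assumes no nested blocks
inside the resource body.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches: resource "aws_api_gateway_method" "<name>" { <flat attribute body> }
# The body must not contain braces, which holds for plain key = value lines.
_METHOD_BLOCK = re.compile(
    r'resource\s+"aws_api_gateway_method"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^{}]*)\}',
    re.DOTALL,
)
# Matches one `key = value` or `key = "value"` line; trailing # comments are dropped.
_ATTR = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"?(?P<value>[^"\n#]*)"?', re.MULTILINE)

# Valid API Gateway authorization types; only NONE is public.
VALID_AUTH_TYPES = {"NONE", "AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}


@dataclass
class Finding:
    name: str         # Terraform resource name of the method
    http_method: str  # HTTP verb, e.g. GET
    line: int         # 1-based line where the resource block starts
    message: str


def _attrs(body: str) -> Dict[str, str]:
    """Extract flat key/value attributes from a resource body."""
    return {m.group("key"): m.group("value").strip() for m in _ATTR.finditer(body)}


def check(hcl_text: str) -> List[Finding]:
    """Return a Finding for every aws_api_gateway_method with authorization NONE."""
    findings: List[Finding] = []
    for block in _METHOD_BLOCK.finditer(hcl_text):
        attrs = _attrs(block.group("body"))
        auth = attrs.get("authorization", "").upper()
        line = hcl_text.count("\n", 0, block.start()) + 1
        if auth == "NONE":
            findings.append(Finding(
                name=block.group("name"),
                http_method=attrs.get("http_method", "?"),
                line=line,
                message='authorization = "NONE" makes this method publicly invokable; '
                        'use AWS_IAM (or another non-NONE authorization type)',
            ))
    return findings


# Constructed sample input mirroring the page's two resources. The rest_api_id
# and resource_id references are assumed values for illustration only.
SAMPLE_TF = """\
resource "aws_api_gateway_method" "noncompliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.res.id
  http_method   = "GET"
  authorization = "NONE"   # public
}

resource "aws_api_gateway_method" "compliantapi" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.res.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}
"""


if __name__ == "__main__":
    for f in check(SAMPLE_TF):
        print(f"line {f.line}: {f.name} ({f.http_method}): {f.message}")
```

Running the script reports only `noncompliantapi`; the `AWS_IAM` method passes. The same `check` function can be pointed at any `.tf` file's contents, and the comparison is case-insensitive so `"none"` is caught as well.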