For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-api-gateway-with-open-access.md. A documentation index is available at /llms.txt.

API Gateway with open access

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-api-gateway-with-open-access

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Learn More

Description

API Gateway methods must not set AuthorizationType to NONE except for CORS preflight (OPTIONS) requests, because leaving a method unauthenticated allows anyone to invoke the endpoint and can lead to unauthorized access, data exposure, or backend abuse.

For AWS::ApiGateway::Method resources, AuthorizationType must specify an authentication mechanism (for example, AWS_IAM, CUSTOM, or COGNITO_USER_POOLS) when HttpMethod is not OPTIONS. This rule flags Resources.<name>.Properties where AuthorizationType is NONE and HttpMethod is not OPTIONS.

If you use CUSTOM, also set AuthorizerId to reference a configured authorizer. If you use COGNITO_USER_POOLS or AWS_IAM, ensure the corresponding user pool or IAM policies and roles are correctly configured.

Secure configuration example (CloudFormation YAML):

MyMethod:
  Type: AWS::ApiGateway::Method
  Properties:
    HttpMethod: POST
    AuthorizationType: AWS_IAM
    RestApiId: !Ref MyApi
    ResourceId: !Ref MyResource
    Integration:
      Type: AWS_PROXY
      IntegrationHttpMethod: POST
      Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${MyFunction.Arn}/invocations

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: OPTIONS
      AuthorizationType: NONE
      Integration:
        Type: MOCK

{
  "Description": "Router53",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": "MyApi",
        "ResourceId": [
          "MyApi",
          "RootResourceId"
        ],
        "HttpMethod": "OPTIONS",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
  MockMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      RestApiId: !Ref MyApi
      ResourceId: !GetAtt
        - MyApi
        - RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Resources": {
    "MockMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {
        "RestApiId": "MyApi",
        "ResourceId": [
          "MyApi",
          "RootResourceId"
        ],
        "HttpMethod": "GET",
        "AuthorizationType": "NONE",
        "Integration": {
          "Type": "MOCK"
        }
      }
    }
  }
}