API Gateway without security policy

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway without security policy

Metadata

Id: cloudformation-aws-api-gateway-without-security-policy

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Insecure Configurations

Learn More

Provider Reference

Description

API Gateway custom domain names must enforce TLS 1.2 to avoid allowing older TLS/SSL versions that are susceptible to downgrade attacks and weak ciphers, thereby protecting confidentiality and integrity of client-server connections. In CloudFormation, the AWS::ApiGateway::DomainName resource must include the SecurityPolicy property set to TLS_1_2. Resources missing SecurityPolicy or with any value other than TLS_1_2 will be flagged.

Secure CloudFormation example:

MyDomainName:
  Type: AWS::ApiGateway::DomainName
  Properties:
    DomainName: api.example.com
    SecurityPolicy: TLS_1_2
    RegionalCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcd-ef01-2345

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
      SecurityPolicy: "TLS_1_2"
Outputs:
  DomainName:
    Value: !Ref myDomainName

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Router53",
  "Parameters": {
    "cfnDomainName": {
      "Type": "String"
    },
    "certificateArn": {
      "Type": "String"
    },
    "type": {
      "Type": "String"
    }
  },
  "Resources": {
    "myDomainName": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {
        "DomainName": "cfnDomainName",
        "EndpointConfiguration": {
          "Types": [
            "type"
          ]
        },
        "RegionalCertificateArn": "certificateArn",
        "SecurityPolicy": "TLS_1_2",
        "CertificateArn": "certificateArn"
      }
    }
  },
  "Outputs": {
    "DomainName": {
      "Value": "myDomainName"
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
      SecurityPolicy: "TLS_1_0"
Outputs:
  DomainName:
    Value: !Ref myDomainName

AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Parameters:
  cfnDomainName:
    Type: String
  certificateArn:
    Type: String
  type:
    Type: String
Resources:
  myDomainName1:
    Type: AWS::ApiGateway::DomainName
    Properties:
      CertificateArn: !Ref certificateArn
      DomainName: !Ref cfnDomainName
      EndpointConfiguration:
        Types:
          - !Ref type
      RegionalCertificateArn: !Ref certificateArn
Outputs:
  DomainName:
    Value: !Ref myDomainName

{
  "Description": "Router53",
  "Parameters": {
    "cfnDomainName": {
      "Type": "String"
    },
    "certificateArn": {
      "Type": "String"
    },
    "type": {
      "Type": "String"
    }
  },
  "Resources": {
    "myDomainName": {
      "Type": "AWS::ApiGateway::DomainName",
      "Properties": {
        "CertificateArn": "certificateArn",
        "DomainName": "cfnDomainName",
        "EndpointConfiguration": {
          "Types": [
            "type"
          ]
        },
        "RegionalCertificateArn": "certificateArn",
        "SecurityPolicy": "TLS_1_0"
      }
    }
  },
  "Outputs": {
    "DomainName": {
      "Value": "myDomainName"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09"
}