--- title: API Gateway with open access description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway with open access --- # API Gateway with open access {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-api-gateway-with-open-access` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) ### Description{% #description %} API Gateway methods should restrict the `authorization` type to prevent unauthenticated access, except for the `OPTIONS` method used in CORS preflight requests. If you configure an API Gateway method without specifying authorization, as shown in the example below, it allows open, unauthenticated access to your API, increasing the risk of data exposure and abuse. ``` resource "aws_api_gateway_method" "example" { http_method = "GET" authorization = "NONE" // ... } ``` Proper configuration requires setting `authorization = "NONE"` only for the `OPTIONS` method. For example: ``` resource "aws_api_gateway_method" "example" { http_method = "OPTIONS" authorization = "NONE" // ... } ``` This ensures that only preflight CORS requests remain unauthenticated, while all other methods require proper authorization, reducing the attack surface of your API. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_api_gateway_method" "negative1" { rest_api_id = aws_api_gateway_rest_api.this.id resource_id = aws_api_gateway_resource.this.id http_method = "OPTIONS" authorization = "NONE" authorizer_id = aws_api_gateway_authorizer.this.id request_parameters = { "method.request.path.proxy" = true } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_api_gateway_method" "positive1" { rest_api_id = aws_api_gateway_rest_api.this.id resource_id = aws_api_gateway_resource.this.id http_method = "GET" authorization = "NONE" authorizer_id = aws_api_gateway_authorizer.this.id request_parameters = { "method.request.path.proxy" = true } } ```