
Enable Control Access to REST APIs using Keys or Tokens

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)

Ensure that access to your Amazon API Gateway REST APIs is managed by an authorizer that validates keys or tokens. Controlling access to your Amazon API Gateway REST APIs protects sensitive data from unauthorized users.

This rule can help you work with the AWS Well-Architected Framework.

Well-Architected pillars: Security, Reliability, Operational excellence, Cost optimisation

Enabling access control through an authorizer (a Cognito user pool or a Lambda function) and API keys in Amazon API Gateway REST APIs ensures that only authenticated callers can invoke the API. It allows fine-grained control over who can access specific resources, enables throttling and quotas through usage plans tied to API keys, facilitates auditing, and lets you revoke access when needed. Note that an API key on its own only identifies a client for usage plans and is not a substitute for authentication: AWS recommends not relying on API keys as the only means of authentication and authorization, so pair the key requirement with an authorizer, as the remediation below does.


Audit

To determine if the access to your API Gateway REST APIs is controlled using keys or tokens, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console available at https://console.aws.amazon.com/apigateway.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name (link) of the REST API that you want to examine. A REST API has the Protocol set to REST.

05 Choose Resources from the API menu to access the API methods created for the selected API.

06 Click on the name of the API method that you want to examine.

07 In the Method Request section, check the Auth attribute value. If the Auth attribute value is set to NONE, there is no access control configured for the selected API method.

08 Repeat steps no. 6 and 7 for each API method created for the selected API. If the API methods available don't use authorizers, the access to the selected API Gateway REST API is not controlled using keys or tokens.

09 Repeat steps no. 4 – 8 for each Amazon API Gateway REST API available within the current region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the ID of each API Gateway API available in the selected AWS region:

aws apigateway get-rest-apis \
  --region us-east-1 \
  --output table \
  --query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  abcabcabca  |
|  abcdabcdab  |
+--------------+ 

03 Run get-resources command (OSX/Linux/UNIX) using the ID of the Amazon API Gateway REST API that you want to examine as the identifier parameter and custom query filters to get the IDs of the API resources created for the selected API:

aws apigateway get-resources \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --query 'items[].id'

04 The command output should return the requested API resource IDs:

[
	"1234ab1234",
	"abcd12abcd",
	"12abcd1234"
]

05 Run get-method command (OSX/Linux/UNIX) using the ID of the API resource that you want to examine as the identifier parameter, and the HTTP method type, to describe the API method's authorization type:

aws apigateway get-method \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --resource-id 1234ab1234 \
  --http-method GET \
  --query 'authorizationType'

06 The command output should return the authorization type configured for the selected resource:

"NONE"

If the get-method command output returns "NONE", as shown in the output example above, there is no access control configured for the selected API method. Any other value (AWS_IAM, CUSTOM for a Lambda authorizer, or COGNITO_USER_POOLS) means an authorizer is attached. To also see whether an API key is required, query 'apiKeyRequired' with the same command; a method that only has apiKeyRequired set to true without an authorizer is still not authenticated.

07 Repeat steps no. 5 and 6 for each API method created for the selected API. If the API methods available don't use authorizers, the access to the selected API Gateway REST API is not controlled using keys or tokens.

08 Repeat steps no. 3 – 7 for each Amazon API Gateway API available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
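To run the Audit steps above across a whole region without stepping through each method by hand, here is an added Python example; it is not Conformity's rule engine and not AWS-provided code. The evaluation logic works on the same JSON shapes that get-resources --embed methods and get-method return, so it is exercised on a constructed sample API embedded below; the audit_region function wraps the live boto3 calls and assumes AWS credentials for the target region.

```python
"""Audit Amazon API Gateway REST API methods for missing access control.

Added example (not Conformity's check or AWS code). It automates the Audit
steps get-rest-apis -> get-resources -> get-method, keeping the evaluation
logic separate from the boto3 calls so it can run on constructed data.
"""
from dataclasses import dataclass

# authorizationType values API Gateway REST APIs accept besides NONE.
AUTHORIZER_TYPES = {"AWS_IAM", "CUSTOM", "COGNITO_USER_POOLS"}


@dataclass(frozen=True)
class Finding:
    api_id: str
    path: str
    http_method: str
    status: str   # "authorizer", "api_key_only" or "open"
    detail: str


def evaluate_method(api_id: str, path: str, method: dict) -> Finding:
    """Classify one method the way the get-method check does, plus the API-key case."""
    auth = method.get("authorizationType", "NONE")
    http_method = method.get("httpMethod", "?")
    key_required = bool(method.get("apiKeyRequired", False))
    if auth in AUTHORIZER_TYPES:
        detail = auth
        if method.get("authorizerId"):
            detail += f" (authorizer {method['authorizerId']})"
        return Finding(api_id, path, http_method, "authorizer", detail)
    if key_required:
        # An API key identifies a client for usage plans; AWS advises not to
        # treat it as the sole authentication mechanism, so it is still flagged.
        return Finding(api_id, path, http_method, "api_key_only",
                       "apiKeyRequired without an authorizer")
    return Finding(api_id, path, http_method, "open",
                   "authorizationType NONE and no API key")


def audit_api(api_id: str, resources: list, skip_options: bool = False) -> list:
    """Evaluate every method of every resource (shape of get-resources --embed methods)."""
    findings = []
    for resource in resources:
        for verb, method in sorted(resource.get("resourceMethods", {}).items()):
            if skip_options and verb == "OPTIONS":
                continue  # CORS preflight is commonly left open on purpose
            method = dict(method, httpMethod=verb)
            findings.append(evaluate_method(api_id, resource.get("path", "/"), method))
    return findings


def noncompliant(findings: list) -> list:
    """Findings that fail the rule: anything not protected by an authorizer."""
    return [f for f in findings if f.status != "authorizer"]


# Constructed sample API: one method with an authorizer, one API-key-only,
# an open OPTIONS method and an open DELETE method.
SAMPLE_API_ID = "abcabcabca"
SAMPLE_RESOURCES = [
    {"id": "1234ab1234", "path": "/items",
     "resourceMethods": {
         "GET": {"authorizationType": "CUSTOM", "authorizerId": "abcabc",
                 "apiKeyRequired": True},
         "POST": {"authorizationType": "NONE", "apiKeyRequired": True},
         "OPTIONS": {"authorizationType": "NONE", "apiKeyRequired": False},
     }},
    {"id": "abcd12abcd", "path": "/items/{id}",
     "resourceMethods": {
         "DELETE": {"authorizationType": "NONE", "apiKeyRequired": False},
     }},
]


def audit_region(region: str) -> list:
    """Live audit of every REST API in one region; needs boto3 and credentials."""
    import boto3  # imported here so the evaluation logic runs without it
    client = boto3.client("apigateway", region_name=region)
    findings = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            resources = []
            for rpage in client.get_paginator("get_resources").paginate(
                    restApiId=api["id"], embed=["methods"]):
                resources.extend(rpage["items"])
            findings.extend(audit_api(api["id"], resources))
    return findings


if __name__ == "__main__":
    # Replace with audit_region("us-east-1") to run against a real account.
    for f in noncompliant(audit_api(SAMPLE_API_ID, SAMPLE_RESOURCES)):
        print(f"{f.api_id} {f.http_method:7} {f.path:12} {f.status}: {f.detail}")
```

Run it once per region (the apigateway client is regional, like the --region parameter above). Pass skip_options=True only if you deliberately leave CORS preflight responses unauthenticated, and treat api_key_only findings as failures of this rule, since the key alone does not authenticate the caller.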

Remediation / Resolution

To control access to your Amazon API Gateway REST APIs using keys or tokens, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console available at https://console.aws.amazon.com/apigateway.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name (link) of the REST API that you want to configure and choose Authorizers from the API menu.

05 Choose Create New Authorizer and follow the setup wizard to create an authorizer for your REST API. With authorizers, you can control access to your REST APIs using Cognito User Pools or Lambda functions. Once your custom authorizer is configured and personalised to your needs, choose Create to deploy the authorizer.

06 Choose Resources from the API menu to access the API methods created for the selected API.

07 Click on the name of the API method that you want to configure and choose Method Request.

08 In the Settings section, configure the following settings:

  1. For Authorization, choose Edit (pencil icon), and select the name of your new authorizer, listed under Token authorizer. Choose Update (check mark icon) to apply the changes.
  2. For Request Validator, configure the method request validation. Choose Update (check mark icon).
  3. For API Key Required, choose true to require an API key for authorization. Choose Update (check mark icon) to apply the changes.

09 Repeat steps no. 7 and 8 for each API method created for the selected API.

10 Repeat steps no. 4 – 9 to reconfigure each Amazon API Gateway API available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-authorizer command (OSX/Linux/UNIX) to create a new, token-based authorizer for your REST API. With authorizers, you can control access to your REST APIs using Cognito User Pools or Lambda functions. For a Lambda authorizer, API Gateway must be allowed to invoke the function: either grant apigateway.amazonaws.com the lambda:InvokeFunction permission on the function (aws lambda add-permission) or pass an IAM role that can invoke it via --authorizer-credentials:

aws apigateway create-authorizer \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --name 'cc-custom-authorizer' \
  --type TOKEN \
  --authorizer-uri 'arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:custom-auth-function/invocations' \
  --identity-source 'method.request.header.Authorization' \
  --authorizer-result-ttl-in-seconds 300

02 The command output should return the information available for the new authorizer:

{
	"authType": "custom",
	"name": "cc-custom-authorizer",
	"authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:custom-auth-function/invocations",
	"authorizerResultTtlInSeconds": 300,
	"identitySource": "method.request.header.Authorization",
	"type": "TOKEN",
	"id": "abcabc"
}

03 Run update-method command (OSX/Linux/UNIX) to modify the selected API method in order to require authorization. Use the token-based authorizer created at the previous steps to control access to your REST API, and require an API key so the caller can also be matched to a usage plan:

aws apigateway update-method \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --resource-id 1234ab1234 \
  --http-method GET \
  --patch-operations op="replace",path="/authorizationType",value="CUSTOM" op="replace",path="/authorizerId",value="abcabc" op="replace",path="/apiKeyRequired",value="true"

04 The command output should return the information available for the modified API method:

{
	"httpMethod": "GET",
	"authorizationType": "CUSTOM",
	"authorizerId" : "abcabc",
	"apiKeyRequired": true,
	"methodResponses": {
		"200": {
			"statusCode": "200",
			"responseModels": {}
		}
	},
	"methodIntegration": {
		"type": "AWS",
		"httpMethod": "POST",
		"passthroughBehavior": "WHEN_NO_MATCH",
		"contentHandling": "CONVERT_TO_TEXT",
		"timeoutInMillis": 29000,
		"cacheNamespace": "abc123",
		"cacheKeyParameters": [],
		"integrationResponses": {
			"200": {
				"statusCode": "200",
				"responseTemplates": {}
			}
		}
	}
}

05 Repeat steps no. 3 and 4 for each API method created for the selected API. The method settings changed above only affect the API's working copy, so deploy the API to its stage (aws apigateway create-deployment --rest-api-id abcabcabca --stage-name <stage-name>) for the new authorization to take effect. Once apiKeyRequired is true, API Gateway rejects with 403 Forbidden any request whose x-api-key header does not match a key enabled in a usage plan for that stage, so create the API key and usage plan before deploying.

06 Repeat steps no. 1 – 5 to reconfigure each Amazon API Gateway API available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
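The create-authorizer command above points at a Lambda function (custom-auth-function) whose code the page does not show. The following is an added example of such a TOKEN authorizer, written here and not taken from this page or from AWS. The token format is an assumption: an HMAC-SHA256-signed principal:expiry string under a shared secret read from an AUTH_TOKEN_SECRET environment variable, standing in for whatever your identity provider issues (typically a JWT verified against its published signing keys). The event and response shapes are the ones API Gateway uses for TOKEN authorizers.

```python
"""Lambda TOKEN authorizer for an API Gateway REST API.

Added example, not code from this page or from AWS. Assumptions: clients send
`Authorization: Bearer <token>`; the token is `<principal>:<expiry>` in
URL-safe base64 followed by "." and an HMAC-SHA256 hex signature under a
shared secret (AUTH_TOKEN_SECRET). Swap verify_token for JWT verification
against your identity provider in real deployments.
"""
import base64
import hashlib
import hmac
import os
import time

# Shared secret (assumption); in Lambda, set AUTH_TOKEN_SECRET in the environment.
SECRET = os.environ.get("AUTH_TOKEN_SECRET", "demo-secret-change-me").encode()


def mint_token(principal: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue a token. Only the identity provider would do this in practice."""
    payload = f"{principal}:{expires_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + sig


def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the principal if signature and expiry check out, otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
        principal, _, exp = payload.decode().rpartition(":")
    except ValueError:  # missing separator, bad base64 or bad UTF-8
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not principal or not exp.isdigit():
        return None
    if int(exp) <= (time.time() if now is None else now):
        return None
    return principal


def build_policy(principal: str, effect: str, method_arn: str) -> dict:
    """Build the IAM policy document API Gateway expects from an authorizer.

    methodArn looks like arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/PATH.
    API Gateway caches the result per token for authorizerResultTtlInSeconds
    (300 s in the command above), so the policy covers the whole stage; a
    policy scoped to the single triggering method would be served from cache
    for the token's next call to a different method and wrongly deny it.
    """
    api_part, stage, *_ = method_arn.split("/")
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": f"{api_part}/{stage}/*",
            }],
        },
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point for a TOKEN authorizer (identitySource = Authorization header)."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        # Raising an exception with this exact message makes API Gateway
        # answer 401 Unauthorized instead of invoking the backend.
        raise Exception("Unauthorized")
    principal = verify_token(token)
    if principal is None:
        # An explicit Deny policy results in 403 Forbidden for the caller.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal, "Allow", event["methodArn"])
```

Deploy this as custom-auth-function with lambda_handler as the handler and grant apigateway.amazonaws.com permission to invoke it. Because results are cached for the configured TTL, a revoked token keeps working for up to 300 seconds unless you lower --authorizer-result-ttl-in-seconds or run aws apigateway flush-stage-authorizers-cache for the stage.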


Publication date Aug 31, 2023