All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.l10n.py.rules.python.S6333.html Maven / Gradle / Ivy

There is a newer version: 4.23.0.17664
Show newest version

Creating APIs without authentication unnecessarily increases the attack surface on the target infrastructure.

Unless another authentication method is used, attackers have the opportunity to attempt attacks against the underlying API.
This means attacks both on the functionality provided by the API and its infrastructure.

Ask Yourself Whether

  • The underlying API exposes all of its contents to any anonymous Internet user.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

In general, prefer limiting API access to a specific set of people or entities.

AWS provides multiple methods to do so:

  • AWS_IAM, to use standard AWS IAM roles and policies.
  • COGNITO_USER_POOLS, to use customizable OpenID Connect (OIDC) identity providers (IdP).
  • CUSTOM, to use an AWS-independant OIDC provider, glued to the infrastructure with a Lambda authorizer.

Sensitive Code Example

For aws_cdk.aws_apigateway.Resource:

from aws_cdk import (
    aws_apigateway as apigateway
)

resource = api.root.add_resource("example")
resource.add_method(
    "GET",
    authorization_type=apigateway.AuthorizationType.NONE  # Sensitive
)

For aws_cdk.aws_apigatewayv2.CfnRoute:

from aws_cdk import (
    aws_apigatewayv2 as apigateway
)

apigateway.CfnRoute(
    self,
    "no-auth",
    api_id=api.ref,
    route_key="GET /test",
    authorization_type="NONE"  # Sensitive
)

Compliant Solution

For aws_cdk.aws_apigateway.Resource:

from aws_cdk import (
    aws_apigateway as apigateway
)

opts = apigateway.MethodOptions(
    authorization_type=apigateway.AuthorizationType.IAM
)
resource = api.root.add_resource(
    "example",
    default_method_options=opts
)
resource.add_method(
    "POST",
    authorization_type=apigateway.AuthorizationType.IAM
)
resource.add_method(  # authorization_type is inherited from the Resource's configured default_method_options
    "POST"
)

For aws_cdk.aws_apigatewayv2.CfnRoute:

from aws_cdk import (
    aws_apigatewayv2 as apigateway
)

apigateway.CfnRoute(
    self,
    "auth",
    api_id=api.ref,
    route_key="GET /test",
    authorization_type="AWS_IAM"
)

See





© 2015 - 2024 Weber Informatics LLC | Privacy Policy