DEV Community

Understand your unauthenticated & public AWS API Gateway exposure

Have you ever needed to quickly audit the unauthenticated, public exposure of your API Gateway resources in order to plan an implementation of AWS WAF (Web Application Firewall)?

I had, and I needed it to understand which API Gateway endpoints to focus on for our AWS WAF rollout, to minimize the risk of direct external threats and attacks for the company I work for.

Well, I actually changed my prioritization, as we found that 7% of our API Gateways were not supposed to be public and were exposing us to risk.

It started with my colleague and I needing to do an inventory: we needed to understand which of our publicly exposed resources were not protected by an authorization mechanism handled by AWS API Gateway (IAM, API keys, etc.).

I quickly decided that we would not spend time manually inventorying the authorization configured on each resource across all 312 API Gateway endpoints in production.

So I wrote a one-liner in bash using AWS CLI v2 (tested on Ubuntu 20.04 and macOS Big Sur) to do that for me. Make sure to change the profile (three times in the one-liner) and add --region if you need a region other than your default configured one.

aws --profile AWS-PROFILE-CHANGE-ME apigateway get-rest-apis | grep '"id":' | awk -F '"' '{print $4}' | while read -r restApiId; do aws --profile AWS-PROFILE-CHANGE-ME apigateway get-resources --rest-api-id "$restApiId" | grep -B 4 resourceMethods | grep '"id":' | awk -F '"' '{print $4}' | while read -r resourceId; do for httpMethod in GET PATCH PUT OPTIONS DELETE POST; do aws --profile AWS-PROFILE-CHANGE-ME apigateway get-method --rest-api-id "$restApiId" --resource-id "$resourceId" --http-method "$httpMethod" 2>&1 | grep -A 1 '"authorizationType": "NONE"' | grep -q '"apiKeyRequired": false' && echo "APIGW $restApiId with RESOURCE ID $resourceId and HTTP METHOD $httpMethod IS PUBLIC AND NO API KEY"; done; done; done

Expected output (if you have public resources):

APIGW XXXXXXXXXX with RESOURCE ID XXXXXXXXXX and HTTP METHOD GET IS PUBLIC AND NO API KEY
APIGW XXXXXXXXXX with RESOURCE ID XXXXXXXXXX and HTTP METHOD POST IS PUBLIC AND NO API KEY
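As an added example (not the author's one-liner), here is the same check in Python over the JSON that `aws apigateway get-resources --rest-api-id <id> --embed methods` (or boto3's `get_resources(restApiId=..., embed=["methods"])`) returns. Reading the embedded method configuration instead of grepping `get-method` per verb avoids one call per method, does not depend on key order in the output, and also catches `ANY` methods, which a fixed verb list misses. The sample JSON, resource IDs and paths below are constructed.

```python
"""Classify API Gateway REST methods by authentication exposure.

Input is the `items` list from `get-resources ... --embed methods`, where each
resource carries a `resourceMethods` map of HTTP verb -> method configuration.
"""
import json


def public_methods(resources, ignore_options=False):
    """Return [(resource_id, path, verb)] for methods with no authorizer and no API key.

    A method counts as public only when authorizationType is NONE AND apiKeyRequired
    is false; a NONE method that requires an API key is still (weakly) gated and is
    not listed. ANY is reported like any other verb, since it answers every method.
    """
    found = []
    for res in resources:
        methods = res.get("resourceMethods") or {}  # resources with no methods lack the key
        for verb, cfg in sorted(methods.items()):
            if ignore_options and verb == "OPTIONS":
                continue  # CORS preflight is expected to be open; skip it on request
            if cfg.get("authorizationType") == "NONE" and not cfg.get("apiKeyRequired", False):
                found.append((res["id"], res.get("path", "?"), verb))
    return found


# Constructed sample shaped like `get-resources --embed methods` output (IDs are not real).
SAMPLE = json.loads("""
{"items": [
 {"id": "r1aaaa", "path": "/orders", "resourceMethods": {
   "GET":  {"httpMethod": "GET",  "authorizationType": "NONE",    "apiKeyRequired": false},
   "POST": {"httpMethod": "POST", "authorizationType": "NONE",    "apiKeyRequired": true},
   "PUT":  {"httpMethod": "PUT",  "authorizationType": "AWS_IAM", "apiKeyRequired": false}}},
 {"id": "r2bbbb", "path": "/orders/{id}", "resourceMethods": {
   "ANY":     {"httpMethod": "ANY",     "authorizationType": "NONE", "apiKeyRequired": false},
   "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE", "apiKeyRequired": false}}},
 {"id": "r3cccc", "path": "/"}
]}
""")

if __name__ == "__main__":
    for rid, path, verb in public_methods(SAMPLE["items"], ignore_options=True):
        print(f"RESOURCE ID {rid} ({path}) HTTP METHOD {verb} IS PUBLIC AND NO API KEY")
```

Run it against real output by piping the CLI JSON into `json.load` and passing `data["items"]` to `public_methods`.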

In my case, 9.6% of all AWS API Gateway endpoints in production had one or more resources with the authorization type set to NONE and no API key required. That is expected when you build public services, as long as they are supposed to be public; in our case only a few endpoints serve our customers, so we did not expect more than 2%, yet we had 7.6% more than expected.

Based on that, we shifted our focus entirely to addressing those findings instead of adding more layers of security (WAF in this case). With that said, if you have a pretty good feeling for how many endpoints and resources should be public and unauthenticated, this one-liner will give you an indication of whether your developers are doing the right thing when managing their infrastructure.
