56 lines
1.1 KiB
Plaintext
56 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
A public API that doesn't have access control implemented:
|
|
|
|
[source,cloudformation]
|
|
----
|
|
NoncompliantApiGatewayMethod:
|
|
Type: AWS::ApiGateway::Method
|
|
Properties:
|
|
AuthorizationType: NONE # Sensitive
|
|
HttpMethod: GET
|
|
----
|
|
|
|
A Serverless Application Model (SAM) API resource that is public by default:
|
|
|
|
[source,cloudformation]
|
|
----
|
|
OpenApiDefault: # Sensitive
|
|
Type: AWS::Serverless::Api
|
|
Properties:
|
|
StageName: Prod
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
An API that implements AWS IAM permissions:
|
|
|
|
[source,cloudformation]
|
|
----
|
|
MyApiGatewayMethodIam:
|
|
Type: AWS::ApiGateway::Method
|
|
Properties:
|
|
AuthorizationType: AWS_IAM
|
|
HttpMethod: GET
|
|
----
|
|
|
|
A Serverless Application Model (SAM) API resource that has to be requested using a key:
|
|
|
|
[source,cloudformation]
|
|
----
|
|
ApiKeyApi:
|
|
Type: AWS::Serverless::Api
|
|
Properties:
|
|
StageName: Prod
|
|
Auth:
|
|
ApiKeyRequired: true
|
|
----
|
|
|
|
include::../see.adoc[]
|