Ensure that an API key is required on a method request for AWS API Gateway Method

MEDIUM

Description

API keys are not meant for IAM authentication and authorization. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html#apigateway-usage-plans-best-practices

Remediation

In AWS Console -

  1. Sign in to the AWS Management Console and open the API Gateway console.
  2. Choose the REST API you want.
  3. In the API Gateway main navigation pane, select Resources.
  4. Under Resources, you can choose an existing method or create a new one.
  5. Choose Method Request.
  6. Under the Settings section, set 'API Key Required' to 'true'.
  7. Select the checkmark icon to save the settings.
  8. Deploy or redeploy the API for the changes to take effect.

In Terraform -

  1. In the aws_api_gateway_method resource, set 'api_key_required' to 'true'.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#api_key_required

Policy Details

Rule Reference ID: AC_AWS_0403
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: API Gateway

Frameworks