DEV Community


Understand your unauthenticated & public AWS API Gateway exposure

Have you ever needed to quickly audit the unauthenticated and public exposure of your API Gateway resources in order to plan an implementation of AWS WAF (Web Application Firewall)?

I had, and I needed it to understand which API Gateway endpoints I should focus on for our AWS WAF rollout, to minimize the risk of direct external threats and attacks against the company I work for.

Well, I actually changed my prioritization, as we found that 7% of our API Gateways were not supposed to be public and were exposing us to risk.

It started with my colleague and I needing to do an inventory. We needed to understand which of our publicly exposed resources were not protected by an authorization mechanism enforced by AWS API Gateway (IAM, API keys, etc.).

I quickly decided that we would not spend time on a manual inventory of which authorization each resource is configured with across all 312 API Gateway endpoints in production.

So I wrote a one-liner in bash using AWS CLI v2 (tested on Ubuntu 20.04 and macOS Big Sur) to do that for me. Make sure to change the profile (three times in the one-liner) and add --region if you need to query a region other than your configured default.

aws --profile AWS-PROFILE-CHANGE-ME apigateway get-rest-apis | grep '"id":' | awk -F '"' '{print $4}' | while read -r restApiId; do aws --profile AWS-PROFILE-CHANGE-ME apigateway get-resources --rest-api-id "$restApiId" | grep -B 4 resourceMethods | grep '"id":' | awk -F '"' '{print $4}' | while read -r resourceId; do for httpMethod in GET HEAD OPTIONS PATCH PUT DELETE POST ANY; do aws --profile AWS-PROFILE-CHANGE-ME apigateway get-method --rest-api-id "$restApiId" --resource-id "$resourceId" --http-method "$httpMethod" 2>/dev/null | grep -A 1 '"authorizationType": "NONE"' | grep -q '"apiKeyRequired": false' && echo "APIGW $restApiId with RESOURCE ID $resourceId and HTTP METHOD $httpMethod IS PUBLIC AND NO API KEY"; done; done; done

Expected output (if you have public resources)

APIGW XXXXXXXXXX with RESOURCE ID XXXXXXXXXX and HTTP METHOD GET IS PUBLIC AND NO API KEY
APIGW XXXXXXXXXX with RESOURCE ID XXXXXXXXXX and HTTP METHOD POST IS PUBLIC AND NO API KEY

In my case, 9.6% of all AWS API Gateway endpoints in production had one or more resources with the authorization type set to NONE and no API key required. That is typically the case when you build public services, as long as they are supposed to be public. In our case we only had a few endpoints serving our customers, so we did not expect more than 2%; we now had 7.6% more than expected.

Based on that, we shifted our focus entirely to addressing that instead of adding more layers of security (WAF in this case). With that said, if you have a pretty good feeling for how many endpoints and resources should be public and unauthenticated, this one-liner will give you an indication of whether your developers are doing the right thing when managing their infrastructure.
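The same audit as a small Python script, added here as an example and not part of the original post. It walks the actual methods declared on each resource (so ANY and HEAD are not missed), paginates through all APIs and resources, and flags PRIVATE endpoint types separately, because a method with authorization type NONE on a PRIVATE API is still only reachable through a VPC endpoint. The sample data and ids are constructed; audit_live() runs the identical logic against a real account with boto3.

```python
"""Find API Gateway REST methods that API Gateway itself leaves unauthenticated."""
from typing import Callable, List, Optional

# Constructed sample shaped like get-rest-apis / get-resources / get-method output
# (ids are placeholders, not real API Gateway ids).
SAMPLE_APIS = [
    {"id": "api00000001", "name": "public-catalog", "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "api00000002", "name": "internal-only", "endpointConfiguration": {"types": ["PRIVATE"]}},
]
SAMPLE_RESOURCES = {
    "api00000001": [
        {"id": "res0001", "path": "/", "resourceMethods": {"GET": {}}},
        {"id": "res0002", "path": "/orders", "resourceMethods": {"ANY": {}, "OPTIONS": {}}},
        {"id": "res0003", "path": "/orders/{id}"},  # no methods declared -> nothing to audit
    ],
    "api00000002": [{"id": "res0004", "path": "/admin", "resourceMethods": {"POST": {}}}],
}
SAMPLE_METHODS = {
    ("api00000001", "res0001", "GET"): {"authorizationType": "NONE", "apiKeyRequired": False},
    ("api00000001", "res0002", "ANY"): {"authorizationType": "AWS_IAM", "apiKeyRequired": False},
    ("api00000001", "res0002", "OPTIONS"): {"authorizationType": "NONE", "apiKeyRequired": False},
    ("api00000002", "res0004", "POST"): {"authorizationType": "NONE", "apiKeyRequired": False},
}

def is_unauthenticated(method: dict) -> bool:
    """True when API Gateway enforces nothing: no authorizer (NONE) and no API key required."""
    return method.get("authorizationType") == "NONE" and not method.get("apiKeyRequired", False)

def audit(apis: List[dict], resources_by_api: dict, get_method: Callable) -> List[dict]:
    """One finding per unauthenticated method; PRIVATE endpoint types are annotated, not skipped."""
    findings = []
    for api in apis:
        private = "PRIVATE" in api.get("endpointConfiguration", {}).get("types", [])
        for res in resources_by_api.get(api["id"], []):
            for verb in res.get("resourceMethods", {}):  # only verbs actually declared, incl. ANY
                if is_unauthenticated(get_method(api["id"], res["id"], verb)):
                    findings.append({"api": api["id"], "path": res["path"], "method": verb,
                                     "private_endpoint": private})
    return findings

def audit_sample() -> List[dict]:
    return audit(SAMPLE_APIS, SAMPLE_RESOURCES, lambda a, r, v: SAMPLE_METHODS[(a, r, v)])

def audit_live(profile: str, region: Optional[str] = None) -> List[dict]:
    """Same audit against a real account; boto3 is imported lazily so the sample runs offline."""
    import boto3
    apigw = boto3.Session(profile_name=profile, region_name=region).client("apigateway")
    apis = apigw.get_paginator("get_rest_apis").paginate().build_full_result()["items"]
    resources = {a["id"]: apigw.get_paginator("get_resources").paginate(restApiId=a["id"])
                 .build_full_result()["items"] for a in apis}
    return audit(apis, resources,
                 lambda a, r, v: apigw.get_method(restApiId=a, resourceId=r, httpMethod=v))
```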
