A public API, which any identity, authenticated or not, can call, can lead to unauthorized actions and information disclosure.

Ask Yourself Whether

The public API:

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.

Sensitive Code Example

For aws-cdk-lib.aws_apigateway.Resource:

import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example")
resource.addMethod(
    "GET",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.NONE // Sensitive
    }
)

For aws-cdk-lib.aws_apigatewayv2.CfnRoute:

import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "no-auth", {
    apiId: api.ref,
    routeKey: "GET /no-auth",
    authorizationType: "NONE", // Sensitive
    target: exampleIntegration
})

Compliant Solution

For aws-cdk-lib.aws_apigateway.Resource:

import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example",{
    defaultMethodOptions:{
        authorizationType: apigateway.AuthorizationType.IAM
    }
})
resource.addMethod(
    "POST",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.IAM
    }
)
resource.addMethod(  // authorizationType is inherited from the Resource's configured defaultMethodOptions
    "GET"
)

For aws-cdk-lib.aws_apigatewayv2.CfnRoute:

import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "auth", {
    apiId: api.ref,
    routeKey: "POST /auth",
    authorizationType: "AWS_IAM",
    target: exampleIntegration
})
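As an added example that is not part of this rule description, the check below audits the CloudFormation template that `cdk synth` produces for the constructs above: `aws_apigateway.Resource.addMethod` synthesizes an `AWS::ApiGateway::Method` and `aws_apigatewayv2.CfnRoute` an `AWS::ApiGatewayV2::Route`, and both carry an `AuthorizationType` property. Methods set to `NONE`, and v2 routes with `NONE` or with the property omitted (the service default is open access), are reported unless their key is in an allowlist of endpoints that are deliberately public; the template object is constructed inline for the demonstration.

```typescript
// Added example: flag API Gateway methods/routes that are callable without
// authorization in a synthesized CloudFormation template.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface PublicEndpoint {
  logicalId: string;
  type: string;
  key: string;    // "GET" for a REST method, "GET /path" for an HTTP/WebSocket route
  reason: string;
}

// `allowed` lists keys that are intentionally public, e.g. a health check.
function findPublicEndpoints(tpl: CfnTemplate, allowed: string[] = []): PublicEndpoint[] {
  const findings: PublicEndpoint[] = [];
  for (const [logicalId, res] of Object.entries(tpl.Resources)) {
    const p = res.Properties ?? {};
    const auth = p.AuthorizationType;
    if (res.Type === "AWS::ApiGateway::Method") {
      // REST API method: the CDK L2 construct always writes the property explicitly.
      const key = String(p.HttpMethod ?? "?");
      if (auth === "NONE" && !allowed.includes(key)) {
        findings.push({ logicalId, type: res.Type, key, reason: "AuthorizationType is NONE" });
      }
    } else if (res.Type === "AWS::ApiGatewayV2::Route") {
      // v2 route: the property is optional and an omitted value means open access,
      // so it is treated the same as an explicit NONE.
      const key = String(p.RouteKey ?? "?");
      if ((auth === undefined || auth === "NONE") && !allowed.includes(key)) {
        const reason = auth === undefined ? "AuthorizationType omitted (open by default)" : "AuthorizationType is NONE";
        findings.push({ logicalId, type: res.Type, key, reason });
      }
    }
  }
  return findings;
}

// Constructed sample template, shaped like the relevant parts of `cdk synth` output.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ExampleGet: { Type: "AWS::ApiGateway::Method", Properties: { HttpMethod: "GET", AuthorizationType: "NONE" } },
    ExamplePost: { Type: "AWS::ApiGateway::Method", Properties: { HttpMethod: "POST", AuthorizationType: "AWS_IAM" } },
    NoAuthRoute: { Type: "AWS::ApiGatewayV2::Route", Properties: { RouteKey: "GET /no-auth", AuthorizationType: "NONE" } },
    HealthRoute: { Type: "AWS::ApiGatewayV2::Route", Properties: { RouteKey: "GET /health" } },
    AuthRoute: { Type: "AWS::ApiGatewayV2::Route", Properties: { RouteKey: "POST /auth", AuthorizationType: "AWS_IAM" } },
  },
};

console.log(findPublicEndpoints(sampleTemplate, ["GET /health"]));
```

Run it against the real template under `cdk.out/` after `cdk synth` to catch any method or route that lost its authorizer during a refactor.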

See