turbot/aws_compliance

Query: api_gateway_rest_api_public_endpoint_with_authorizer

Usage

powerpipe query aws_compliance.query.api_gateway_rest_api_public_endpoint_with_authorizer

SQL

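-- Reports every API Gateway REST API once, with a compliance status:
--   alarm : endpoint type list does not contain 'PRIVATE' and no attached
--           authorizer has a non-empty provider_arns list
--   ok    : everything else (public with such an authorizer, or private)
--
-- Fix over the previous form: the authorizer table is collapsed to one row per
-- REST API before joining. Joining it directly produced one result row per
-- authorizer, so an API with several authorizers could be reported as both
-- 'ok' and 'alarm' in the same run.
--
-- NOTE(review): provider_arns looks to be populated only for Cognito user pool
-- authorizers; an API protected solely by a Lambda (TOKEN/REQUEST) authorizer
-- would then be reported as "without authorizer" - confirm against the table
-- schema before treating an alarm as proof of an unauthenticated API.
-- NOTE(review): only API-level authorizer definitions are read here. Whether
-- each method actually requires the authorizer is not checked by this query.
-- NOTE(review): REST API ARNs normally use '/restapis/'; the '/apis/' segment
-- is kept unchanged so existing resource identifiers stay stable - confirm.
with authorizer_summary as (
  -- One row per REST API: true when at least one authorizer lists provider ARNs.
  select
    a.rest_api_id,
    coalesce(bool_or(jsonb_array_length(a.provider_arns) > 0), false) as has_provider_arns
  from
    aws_api_gateway_authorizer as a
  group by
    a.rest_api_id
),
api_exposure as (
  select
    p.partition,
    p.region,
    p.account_id,
    p.api_id,
    p.name,
    -- NULL when endpoint_configuration_types is NULL; such APIs fall through
    -- to the 'private endpoint' branch below, as before.
    not (p.endpoint_configuration_types ? 'PRIVATE') as is_public,
    -- APIs with no authorizer rows at all get false from the left join.
    coalesce(s.has_provider_arns, false) as has_provider_arns
  from
    aws_api_gateway_rest_api as p
    left join authorizer_summary as s on p.api_id = s.rest_api_id
)
select
  'arn:' || e.partition || ':apigateway:' || e.region || '::/apis/' || e.api_id as resource,
  case
    when e.is_public and not e.has_provider_arns then 'alarm'
    else 'ok'
  end as status,
  case
    when e.is_public and e.has_provider_arns then e.name || ' has public endpoint with authorizer.'
    when e.is_public and not e.has_provider_arns then e.name || ' has public endpoint without authorizer.'
    else e.name || ' has private endpoint.'
  end as reason,
  e.region,
  e.account_id
from
  api_exposure as e;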

Controls

The query is being used by the following controls: