Control: API Gateway REST API public endpoints should be configured with authorizer
Description
Ensure that each API Gateway REST API public endpoint is configured with an authorizer. This rule is non-compliant if an API Gateway REST API public endpoint has no authorizer configured.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.api_gateway_rest_api_public_endpoint_with_authorizer
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.api_gateway_rest_api_public_endpoint_with_authorizer --share
SQL
This control uses a named query:
select
  -- one row per API/authorizer pair (left join), so an API with several
  -- authorizers yields several rows, and an API with none yields one row
  -- with a.provider_arns = null
  'arn:' || p.partition || ':apigateway:' || p.region || '::/apis/' || p.api_id as resource,
  case
    -- provider_arns holds the Cognito user pool ARNs of a COGNITO_USER_POOLS
    -- authorizer; it is empty for TOKEN/REQUEST (Lambda) authorizers
    when not (endpoint_configuration_types ? 'PRIVATE')
      and (a.provider_arns is not null and jsonb_array_length(a.provider_arns) > 0) then 'ok'
    when not (endpoint_configuration_types ? 'PRIVATE')
      and (a.provider_arns is null or jsonb_array_length(a.provider_arns) = 0) then 'alarm'
    else 'ok'
  end as status,
  case
    when not (endpoint_configuration_types ? 'PRIVATE')
      and (a.provider_arns is not null and jsonb_array_length(a.provider_arns) > 0)
      then p.name || ' has public endpoint with authorizer.'
    when not (endpoint_configuration_types ? 'PRIVATE')
      and (a.provider_arns is null or jsonb_array_length(a.provider_arns) = 0)
      then p.name || ' has public endpoint without authorizer.'
    else p.name || ' has private endpoint.'
  end as reason,
  p.region,
  p.account_id
from
  aws_api_gateway_rest_api as p
  left join aws_api_gateway_authorizer as a on p.api_id = a.rest_api_id;
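The same rule, expressed outside Steampipe so it can be reasoned about and unit-tested on its own. This is an added example, not part of the aws_compliance mod or the control above. It evaluates the control's logic over the shape of the boto3 get_rest_apis / get_authorizers responses (endpointConfiguration.types, providerARNs), with a constructed sample data set; the names evaluate_api, evaluate_all, collect_from_aws and the sample IDs and ARNs are assumptions for the demo. Two deliberate differences from the SQL, stated in the lead-in so they are not mistaken for the control's behaviour: findings are produced once per API rather than once per joined authorizer row, and an optional strict_cognito=False mode (an extension beyond the control) also counts TOKEN/REQUEST Lambda authorizers, which the SQL does not see because providerARNs is only populated for COGNITO_USER_POOLS authorizers.

```python
"""Evaluate 'public REST API endpoint has an authorizer' over API Gateway data.

Added example; mirrors the control's SQL with boto3-shaped dictionaries.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Finding:
    resource: str
    status: str  # 'ok' or 'alarm', as in the control
    reason: str


def evaluate_api(api: dict, authorizers: Iterable[dict], partition: str = "aws",
                 region: str = "us-east-1", strict_cognito: bool = True) -> Finding:
    """Classify one REST API.

    strict_cognito=True reproduces the control: an API is 'alarm' only when it is
    not PRIVATE and has no authorizer with a non-empty providerARNs list.
    strict_cognito=False (extension, not part of the control) also accepts a
    TOKEN or REQUEST (Lambda) authorizer, whose providerARNs is always empty.
    """
    resource = f"arn:{partition}:apigateway:{region}::/apis/{api['id']}"
    types = api.get("endpointConfiguration", {}).get("types", [])
    if "PRIVATE" in types:
        return Finding(resource, "ok", f"{api['name']} has private endpoint.")

    has_authorizer = False
    for auth in authorizers:
        if auth.get("providerARNs"):  # Cognito user pool authorizer
            has_authorizer = True
        elif not strict_cognito and auth.get("type") in ("TOKEN", "REQUEST"):
            has_authorizer = True
    if has_authorizer:
        return Finding(resource, "ok", f"{api['name']} has public endpoint with authorizer.")
    return Finding(resource, "alarm", f"{api['name']} has public endpoint without authorizer.")


def evaluate_all(apis: List[dict], authorizers_by_api: Dict[str, List[dict]],
                 **kwargs) -> List[Finding]:
    """One Finding per API, in input order."""
    return [evaluate_api(api, authorizers_by_api.get(api["id"], []), **kwargs) for api in apis]


def collect_from_aws(region: str = "us-east-1"):
    """Fetch live data with boto3 (needs credentials; not used by the offline demo)."""
    import boto3  # imported here so the rest of the module runs without boto3
    client = boto3.client("apigateway", region_name=region)
    apis, by_api = [], {}
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            apis.append(api)
            items, position = [], None
            while True:  # get_authorizers has no paginator; follow 'position' by hand
                params = {"restApiId": api["id"], "limit": 500}
                if position:
                    params["position"] = position
                resp = client.get_authorizers(**params)
                items.extend(resp.get("items", []))
                position = resp.get("position")
                if not position:
                    break
            by_api[api["id"]] = items
    return apis, by_api


# Constructed sample data (hypothetical IDs, names and ARNs) shaped like the API responses.
SAMPLE_APIS = [
    {"id": "a1b2c3", "name": "orders-api", "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "d4e5f6", "name": "internal-api", "endpointConfiguration": {"types": ["PRIVATE"]}},
    {"id": "g7h8i9", "name": "legacy-api", "endpointConfiguration": {"types": ["EDGE"]}},
    {"id": "j0k1l2", "name": "partner-api", "endpointConfiguration": {"types": ["REGIONAL"]}},
]
SAMPLE_AUTHORIZERS = {
    "a1b2c3": [{"id": "auth1", "name": "cognito", "type": "COGNITO_USER_POOLS",
                "providerARNs": ["arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"]}],
    "j0k1l2": [{"id": "auth2", "name": "lambda-token", "type": "TOKEN", "providerARNs": []}],
}

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_APIS, SAMPLE_AUTHORIZERS):
        print(f"{finding.status:5} {finding.resource}  {finding.reason}")
```

Run as a script, the demo flags legacy-api (no authorizer) and partner-api (Lambda authorizer only, invisible to the providerARNs test) while orders-api and the private internal-api pass; with strict_cognito=False only legacy-api remains in alarm. To audit a real account, replace the sample data with collect_from_aws().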