A public API, one that any identity can call whether authenticated or not, exposes every operation behind it to anyone on the network and can lead to unauthorized actions and information disclosure.

Ask Yourself Whether

The public API:

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public. On API Gateway this means setting an authorization type on each method (AWS_IAM, a Cognito user pool or a Lambda authorizer) or, for SAM, a DefaultAuthorizer in the API's Auth block, rather than relying on obscurity of the endpoint URL.

Sensitive Code Example

A public API that doesn’t have access control implemented:

NoncompliantApiGatewayMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE # Sensitive
      HttpMethod: GET

A Serverless Application Model (SAM) API resource that is public by default:

OpenApiDefault: # Sensitive
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod

Compliant Solution

An API that implements AWS IAM permissions:

MyApiGatewayMethodIam:
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: AWS_IAM
      HttpMethod: GET

A Serverless Application Model (SAM) API resource that can only be called with an API key (note that API Gateway keys are tied to usage plans for throttling and quotas; AWS documents that they must not be the sole authentication or authorization mechanism, so for any sensitive operation prefer a DefaultAuthorizer backed by IAM, a Cognito user pool or a Lambda authorizer):

ApiKeyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      Auth:
        ApiKeyRequired: true
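The checks described in this rule can be run over templates in CI before deployment. The following Python script is an added example written for this page, not SonarSource's rule implementation or AWS code: it loads a CloudFormation or SAM template in its JSON form (a YAML template with `!Ref` short tags would need a CloudFormation-aware YAML loader, which is left out here) and reports every AWS::ApiGateway::Method whose AuthorizationType is NONE and every AWS::Serverless::Api without a DefaultAuthorizer, flagging ApiKeyRequired on its own as weak. It goes slightly beyond the page's two resource types by also covering AWS::ApiGatewayV2::Route, which carries the same AuthorizationType property and defaults to NONE. The embedded template is constructed for the example; the MyRestApi, MyResource and MyCognitoAuth resource names and the account and user pool identifiers in it are placeholders.

```python
"""Flag API Gateway resources in a CloudFormation/SAM template (JSON form) that
accept unauthenticated callers. Added example for this page; not a Sonar rule."""
import json
import sys

# Constructed sample template: two REST methods (one public, one IAM-protected),
# a SAM API with no Auth, one with only an API key, and one with a Cognito
# authorizer. Resource names and ARNs are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NoncompliantApiGatewayMethod": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "NONE", "HttpMethod": "GET",
                     "RestApiId": {"Ref": "MyRestApi"},
                     "ResourceId": {"Ref": "MyResource"}}
    },
    "MyApiGatewayMethodIam": {
      "Type": "AWS::ApiGateway::Method",
      "Properties": {"AuthorizationType": "AWS_IAM", "HttpMethod": "GET",
                     "RestApiId": {"Ref": "MyRestApi"},
                     "ResourceId": {"Ref": "MyResource"}}
    },
    "OpenApiDefault": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod"}
    },
    "ApiKeyApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod", "Auth": {"ApiKeyRequired": true}}
    },
    "CognitoApi": {
      "Type": "AWS::Serverless::Api",
      "Properties": {"StageName": "Prod",
        "Auth": {"DefaultAuthorizer": "MyCognitoAuth",
                 "Authorizers": {"MyCognitoAuth": {"UserPoolArn":
                   "arn:aws:cognito-idp:eu-west-1:123456789012:userpool/eu-west-1_example"}}}}
    }
  }
}
""")


def _method_issue(props):
    # AuthorizationType is required on AWS::ApiGateway::Method and defaults to
    # NONE on AWS::ApiGatewayV2::Route; in both cases NONE (or absent) means the
    # method is callable without any credentials.
    auth = props.get("AuthorizationType")
    if auth is None or str(auth).upper() == "NONE":
        return "AuthorizationType is NONE: method accepts unauthenticated callers"
    return None


def _serverless_api_issue(props):
    # AWS::Serverless::Api is public unless Auth names a DefaultAuthorizer.
    # ApiKeyRequired alone is reported as weak: API keys select a usage plan
    # for throttling and quotas and do not authenticate the caller.
    auth = props.get("Auth")
    if not isinstance(auth, dict):
        return "no Auth block: API is public by default"
    if auth.get("DefaultAuthorizer"):
        return None
    if auth.get("ApiKeyRequired") is True:
        return "only ApiKeyRequired is set: API keys identify a usage plan, not a caller"
    return "Auth block sets no DefaultAuthorizer: API is public"


def find_public_apis(template):
    """Return one finding per API Gateway resource that lacks access control."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties") or {}
        if rtype in ("AWS::ApiGateway::Method", "AWS::ApiGatewayV2::Route"):
            issue = _method_issue(props)
        elif rtype == "AWS::Serverless::Api":
            issue = _serverless_api_issue(props)
        else:
            continue
        if issue:
            findings.append({"resource": name, "type": rtype, "issue": issue})
    return findings


if __name__ == "__main__":
    # Pass a JSON template path to scan it; with no argument the sample is used.
    template = SAMPLE_TEMPLATE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    for f in find_public_apis(template):
        print(f"{f['resource']} ({f['type']}): {f['issue']}")
    sys.exit(1 if find_public_apis(template) else 0)
```

Run with no arguments to scan the embedded sample, which reports NoncompliantApiGatewayMethod, OpenApiDefault and ApiKeyApi and leaves the IAM and Cognito resources alone; the non-zero exit status lets a CI job fail the build on any finding.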

See