A public API, one that can be called by any identity, authenticated or not, can lead to unauthorized actions and information disclosure.

Ask Yourself Whether

The public API:

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to restrict API access to authorized entities, unless the API offers a non-sensitive service designed to be public.

Noncompliant Code Example

A public API that doesn’t have access control implemented:

resource "aws_api_gateway_method" "noncompliantapi" {
  authorization = "NONE" # Sensitive
  http_method   = "GET"
}

Compliant Solution

An API method that requires AWS IAM authorization, so every request must be signed with IAM credentials that are allowed to invoke it:

resource "aws_api_gateway_method" "compliantapi" {
  authorization = "AWS_IAM" # Requests must be SigV4-signed by an IAM principal allowed to invoke this method
  http_method   = "GET"
}
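The rule snippets above show only the method resource. The following is an added, complete example (not code from the original rule page or from AWS) that wires the compliant method into a REST API and its resource, and also shows the other common non-public option, a Cognito user pool authorizer, together with a least-privilege IAM policy document that lets a principal invoke only the GET method. All names (`example_api`, `orders`, `users`, `cognito`, the region and the `/orders` path) are assumptions chosen for this example.

```terraform
# Added example: minimal API Gateway REST API with non-public methods.
# Resource names, region and path are assumptions for illustration only.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption; any region works
}

resource "aws_api_gateway_rest_api" "example_api" {
  name = "example-api"
}

resource "aws_api_gateway_resource" "orders" {
  rest_api_id = aws_api_gateway_rest_api.example_api.id
  parent_id   = aws_api_gateway_rest_api.example_api.root_resource_id
  path_part   = "orders"
}

# Compliant: GET /orders requires IAM authorization. API Gateway rejects any
# request that is not SigV4-signed by a principal allowed "execute-api:Invoke".
resource "aws_api_gateway_method" "get_orders" {
  rest_api_id   = aws_api_gateway_rest_api.example_api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "GET"
  authorization = "AWS_IAM"
}

# Compliant alternative for end users who are not IAM principals:
# authenticate through a Cognito user pool via an API Gateway authorizer.
resource "aws_cognito_user_pool" "users" {
  name = "example-users"
}

resource "aws_api_gateway_authorizer" "cognito" {
  name          = "cognito-authorizer"
  rest_api_id   = aws_api_gateway_rest_api.example_api.id
  type          = "COGNITO_USER_POOLS"
  provider_arns = [aws_cognito_user_pool.users.arn]
}

resource "aws_api_gateway_method" "post_orders" {
  rest_api_id   = aws_api_gateway_rest_api.example_api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "POST"
  authorization = "COGNITO_USER_POOLS"
  authorizer_id = aws_api_gateway_authorizer.cognito.id
}

# Least privilege on the caller side: this policy document grants invoke
# rights on the GET /orders method only (any stage), not on the whole API.
data "aws_iam_policy_document" "invoke_get_orders" {
  statement {
    actions   = ["execute-api:Invoke"]
    resources = ["${aws_api_gateway_rest_api.example_api.execution_arn}/*/GET/orders"]
  }
}
```

With `AWS_IAM`, the method is only as tight as the IAM policies attached to callers, which is why the policy document scopes the resource ARN down to one method rather than `execution_arn/*`. `authorization = "NONE"` remains appropriate only for the non-sensitive, intentionally public services mentioned in the recommendation above, and it should be an explicit, reviewed choice rather than a default.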
