AWS Security Hub · APIGateway
APIGateway.8: Routes should specify an authorization type
Written and reviewed by Emnode
What does AWS Security Hub APIGateway.8 check?
APIGateway.8 fails when an HTTP or WebSocket (v2) API route has its authorization type set to NONE. Every route is expected to specify IAM, JWT, or a Lambda (CUSTOM) authorizer.
Why does APIGateway.8 matter?
NONE is the default, so the most common way a route ends up unauthenticated isn't a decision — it's the absence of one. Researchers routinely find production HTTP API endpoints returning live data with no auth at all. Requiring an explicit authorization type means a route is only ever public because someone meant it to be.
How do I fix APIGateway.8?
- Audit routes and flag any with authorizationType set to NONE.
- Attach the right authorizer to each route — IAM SigV4 for service-to-service, JWT for OIDC/Cognito clients, or a Lambda authorizer for custom logic.
- For a genuinely public route (a health check or webhook), keep NONE deliberately and document the exception rather than disabling the control.
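The audit step above, as an added example that is not part of this page or of AWS tooling: it walks the JSON that `aws apigatewayv2 get-routes --api-id <id>` returns, flags every route whose authorization type is NONE unless it is on a documented-exception list, and prints the matching update-route command. The route data, the exception list and the authorizer id are constructed for the example; treating a missing AuthorizationType field as NONE is an assumption made so the audit errs on the side of reporting.

```python
"""Audit API Gateway v2 routes for APIGateway.8 (authorization type NONE)."""
import json

# Constructed sample shaped like `aws apigatewayv2 get-routes --api-id a1b2c3d4e5`
# output; the ids and route keys are invented for this example.
SAMPLE_ROUTES = {
    "a1b2c3d4e5": json.loads("""{"Items": [
        {"RouteId": "r7h8j9", "RouteKey": "GET /orders", "AuthorizationType": "NONE"},
        {"RouteId": "k2l3m4", "RouteKey": "POST /orders", "AuthorizationType": "JWT",
         "AuthorizerId": "auth9z8y"},
        {"RouteId": "p5q6r7", "RouteKey": "GET /health", "AuthorizationType": "NONE"},
        {"RouteId": "s8t9u0", "RouteKey": "$default"}
    ]}""")
}

# Documented exceptions: routes that are public on purpose (health check, webhook).
DOCUMENTED_PUBLIC = {("a1b2c3d4e5", "GET /health")}


def is_unauthenticated(route):
    # Assumption: a route with no AuthorizationType field was never given one,
    # so it is treated as NONE (the default) rather than silently skipped.
    return route.get("AuthorizationType", "NONE") == "NONE"


def audit_routes(routes_by_api, documented_public=frozenset()):
    """Return (api_id, route_id, route_key) for each route that fails APIGateway.8
    and is not a documented exception, in the order the API listed them."""
    findings = []
    for api_id, page in routes_by_api.items():
        for route in page.get("Items", []):
            if not is_unauthenticated(route):
                continue
            if (api_id, route["RouteKey"]) in documented_public:
                continue
            findings.append((api_id, route["RouteId"], route["RouteKey"]))
    return findings


def remediation_commands(findings, authorizer_id):
    """One update-route call per finding; the stage still has to be redeployed."""
    return [
        f"aws apigatewayv2 update-route --api-id {api_id} --route-id {route_id} "
        f"--authorization-type JWT --authorizer-id {authorizer_id}"
        for api_id, route_id, _ in findings
    ]


if __name__ == "__main__":
    found = audit_routes(SAMPLE_ROUTES, DOCUMENTED_PUBLIC)
    for api_id, route_id, key in found:
        print(f"FAIL APIGateway.8: {api_id} {key} ({route_id})")
    for cmd in remediation_commands(found, "auth9z8y"):
        print(cmd)
```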
Remediation script · bash

```bash
# Attach a JWT authorizer to an open API route, then redeploy the stage to enforce it.
aws apigatewayv2 update-route --api-id a1b2c3d4e5 \
  --route-id r7h8j9 --authorization-type JWT --authorizer-id auth9z8y
aws apigatewayv2 create-deployment --api-id a1b2c3d4e5 --stage-name '$default'

# Disable the unauthenticated listener on an MSK cluster while keeping IAM auth.
ARN=arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123
VERSION=$(aws kafka describe-cluster-v2 --cluster-arn "$ARN" \
  --query 'ClusterInfo.CurrentVersion' --output text)
aws kafka update-security --cluster-arn "$ARN" --current-version "$VERSION" \
  --client-authentication '{"Sasl":{"Iam":{"Enabled":true}},"Unauthenticated":{"Enabled":false}}'

# Once clients send the new credential, remove the AppSync API key to clear the finding.
aws appsync delete-api-key --api-id abcd1234efgh5678ijkl --id da2-examplekeyid12345
```

Full walkthrough (console steps, edge cases and verification) in the lesson Require authentication on data and API services.
More APIGateway controls
- APIGateway.1 REST/WebSocket API execution logging
- APIGateway.2 REST stages should use SSL certs for backend auth
- APIGateway.4 API Gateway should be associated with a WAF web ACL
- APIGateway.5 REST API cache data should be encrypted at rest
- APIGateway.9 V2 stages should have access logging
- APIGateway.10 V2 integrations should use HTTPS for private connections
- APIGateway.11 Domain names should use recommended security policies