Compliance

Require authentication on data and API services

One capability across API Gateway, AppSync, MSK, ElastiCache and DMS: make sure every data and API service proves who is calling before it answers, rather than trusting the network or a shared secret.

13 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: APIGateway.8 AppSync.5 DMS.11 ElastiCache.6 MSK.6

Requiring authentication: the basics

What does it mean for a service to authenticate its callers?

Authentication is the question who are you, answered before a service does anything. Several AWS services let you skip that question, and each does so in its own shape: an API Gateway route with authorizationType set to NONE, an AppSync GraphQL API guarded only by a shared API key, an MSK Kafka cluster that accepts unauthenticated clients, a pre-6.0 ElastiCache Redis replication group with no AUTH token, a DMS MongoDB endpoint with AuthType set to no. Different services, different fields, one weakness: the service answers without knowing who asked.

AWS Security Hub turns each of these into its own control, so one estate can fail several at once. APIGateway.8 covers routes with no authorization type; AppSync.5 covers GraphQL APIs on API-key auth; MSK.6 covers clusters with unauthenticated access enabled; ElastiCache.6 covers older Redis groups without an AUTH token; DMS.11 covers MongoDB migration endpoints with authentication off. They read as separate findings, but they are one capability: require the caller to prove identity, with a mechanism tied to a real principal rather than to possession of a string or to network reachability.

The trap that runs through all of them is conflating network position with authentication. Network reachability controls who can knock on the door; authentication controls who is allowed in. A cluster that is only reachable inside a VPC still answers anyone inside that VPC, and a peering connection, a new VPN route or a compromised host turns reachability into access. These controls exist because reachability and identity get confused constantly, and the gap only surfaces after someone has already walked through.

In this lesson you will learn how AWS services express unauthenticated access across APIs, GraphQL, streaming, caching and migration, how to find every service answering anonymous callers, and how to require authentication without dropping the live producers, consumers and clients that depend on them. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The cluster that was internal only

A common pattern in incident reviews: a team stands up a data service, an MSK cluster or a Redis cache, with no authentication because it is only reachable inside the VPC, so it is fine. Months later a peering connection, a new VPN route or a compromised application host inside the same VPC gives an attacker network reachability, and because the service never required a credential, reachability was all they needed. The team genuinely believed network isolation was authentication. It is not. Network reachability controls who can knock; authentication controls who gets in. This whole capability exists because those two things get conflated constantly, and the gap only ever surfaces after someone has already walked through.

Finding unauthenticated services across an estate

Priya is the security lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows authentication failures spread across API Gateway, AppSync and MSK in services that shipped before the team's current guardrails.

Rather than work the findings one by one, she starts with the front doors most exposed to the internet, the HTTP API routes, so she can separate the deliberately public ones from the data routes that should never have been open.

List every route on an HTTP API with its authorization type. A data route set to NONE is the APIGateway.8 failure; a deliberate public health check is the rare exception.

$ aws apigatewayv2 get-routes --api-id a1b2c3d4e5 --query 'Items[].{Route:RouteKey,Auth:AuthorizationType}' --output table

------------------------------------------------

| GET /partners/{id}/orders | NONE |

| POST /partners/{id}/webhook | NONE |

| GET /health | NONE |

| GET /partners/{id}/profile | JWT |

------------------------------------------------

# Two data routes are open; /health is an intentional public exception to document.

An inventory of routes by authorization type. NONE on a data route is the finding; classify each before changing anything.

How AWS decides a service is unauthenticateddeep dive

Most controls in this group resolve to a single field that names the auth mechanism, or its absence. APIGateway.8 reads each route's AuthorizationType and fails on NONE; the passing values are AWS_IAM, JWT and CUSTOM. AppSync.5 fails any GraphQL API whose auth modes include API_KEY, passing only when every mode is one of AMAZON_COGNITO_USER_POOLS, AWS_IAM, OPENID_CONNECT or AWS_LAMBDA. MSK.6 fails any cluster with Unauthenticated.Enabled set to true, even alongside IAM or SASL/SCRAM. ElastiCache.6 fails a Redis OSS replication group below version 6.0 with no AuthToken. DMS.11 fails a MongoDB endpoint whose AuthType is no rather than SCRAM-SHA-1 or MONGODB-CR.

Two subtleties bite during remediation. First, enabling a strong mechanism does not disable a weak one: an MSK cluster can have IAM on and still accept anonymous connections on the unauthenticated listener, and an AppSync API can have Cognito as primary while keeping API_KEY as an additional provider. The finding clears only when the insecure mode is explicitly removed, not merely supplemented. Second, some mechanisms have prerequisites: ElastiCache AUTH requires in-transit encryption first, because the token travels with the connection.

Security Hub evaluates these through AWS Config. Some checks are change-triggered and clear within minutes; others are periodic. The control-plane change is immediate, so confirm by querying the service directly rather than waiting on the report. The durable version of this capability is preventive: a pipeline gate that rejects an API route without an authorizer, an IaC guardrail that blocks API_KEY on AppSync or the unauthenticated listener on MSK, so anonymous access can only exist as a deliberate, reviewed exception.

What is the impact of leaving services unauthenticated?

The direct impact is unauthorised access to whatever the service holds or fronts. An open API route or GraphQL endpoint accepts any request that reaches it; an unauthenticated MSK cluster lets any network-reachable client read, publish or delete topics; an unprotected Redis cache hands its session tokens and cached records to anyone who connects; an unauthenticated DMS endpoint exposes the production data in flight during a migration. With no identity check there is also no audit trail tying the access to anyone, which is exactly the capability you need most when you suspect a leak.

The second-order impact is integrity and availability, not just confidentiality. Unauthenticated access is rarely read-only: an anonymous client can publish forged events that poison every downstream consumer, overwrite cache entries, or run a destructive command. A forged payment event or a deleted topic is a data-integrity and availability incident that is expensive and slow to unwind, well beyond the confidentiality breach.

On the compliance side, every modern framework, SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP, treats authentication on data and API services as table stakes, and cyber-insurance questionnaires routinely ask whether data services enforce it. An unauthenticated service is a clean, demonstrable failure with no nuance to argue: the service either requires identity or it does not. A single such finding can hold up an audit sign-off or an insurance renewal far out of proportion to the minutes it takes to close.

How do you require authentication safely?

Work the capability as one loop rather than chasing individual findings. The order matters: confirm an authenticated path exists and clients use it before you remove the unauthenticated one, so you do not drop a live producer, consumer or client.

1. Inventory every service answering anonymous callers

Across services, list the ones with authentication off: API routes with AuthorizationType NONE, AppSync APIs using API_KEY, MSK clusters with the unauthenticated listener enabled, pre-6.0 Redis groups with no AuthToken, DMS MongoDB endpoints with AuthType no. Rank by exposure, public and internet-facing first, and by the data behind each service. Capture what each one fronts, because that decides which fixes are urgent.

2. Separate genuine public endpoints from defaults

Most unauthenticated access is unintended. A deliberately public health check that returns no data, or a webhook that verifies a provider signature inside the handler, is a legitimate exception to document and suppress with a written justification. Everything that fronts business data needs authentication. Choose the mechanism by caller: IAM SigV4 for service-to-service, a JWT or Cognito authorizer for user-facing apps, IAM or SASL/SCRAM for Kafka clients.

3. Migrate gracefully, then remove the insecure mode

Do not hard-cut. Add the authenticated mechanism alongside the open one, deploy clients to use it, watch the unauthenticated path's usage fall to zero in metrics, then remove it: delete the AppSync API key, set MSK Unauthenticated.Enabled to false, enforce the Redis AUTH token with SET after ROTATE, attach the API authorizer and redeploy the stage. The finding clears only when the insecure mode is gone, so verify each removal against the real triggers before closing the ticket.

4. Prevent it shipping again

Closing existing services is one-off; stopping new ones is the durable fix. Add a deploy-time gate that rejects an API route without an authorizer, an IaC guardrail that blocks API_KEY on AppSync and the unauthenticated listener on MSK, and provisioning defaults that require a named auth method. Keep the relevant AWS Config rules enabled for detection. The goal is that an unauthenticated data or API service can only exist as a deliberate, reviewed exception.

# Attach a JWT authorizer to an open API route, then redeploy the stage to enforce it.
aws apigatewayv2 update-route --api-id a1b2c3d4e5 \
  --route-id r7h8j9 --authorization-type JWT --authorizer-id auth9z8y
aws apigatewayv2 create-deployment --api-id a1b2c3d4e5 --stage-name '$default'

# Disable the unauthenticated listener on an MSK cluster while keeping IAM auth.
ARN=arn:aws:kafka:us-east-1:111122223333:cluster/orders-stream-prod/abc123
VERSION=$(aws kafka describe-cluster-v2 --cluster-arn $ARN \
  --query 'ClusterInfo.CurrentVersion' --output text)
aws kafka update-security --cluster-arn $ARN --current-version $VERSION \
  --client-authentication '{"Sasl":{"Iam":{"Enabled":true}},"Unauthenticated":{"Enabled":false}}'

# Once clients send the new credential, remove the AppSync API key to clear the finding.
aws appsync delete-api-key --api-id abcd1234efgh5678ijkl --id da2-examplekeyid12345

Quick quiz

Question 1 of 5

Security Hub shows authentication failures across API Gateway, AppSync and MSK. What is the most efficient way to think about them?

Keep learning

Go deeper on how authentication works across the services in this capability.

You can now treat service authentication as one capability rather than a scatter of findings: inventory the services answering anonymous callers across API Gateway, AppSync, MSK, ElastiCache and DMS, separate the deliberate public endpoints, migrate clients to an authenticated mechanism, then remove the insecure mode and enforce auth-by-default in provisioning. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Requiring authentication: the cost and risk view

A near-zero-cost capability that protects the data flowing through your services

Requiring authentication costs nothing in AWS spend across this whole group. Adding an authorizer to an API route, moving AppSync off an API key, turning off the unauthenticated listener on MSK, setting a Redis AUTH token or requiring a login on a DMS endpoint are all configuration changes, not paid features. The cost sits entirely on the risk side of the ledger, which is why these findings often carry a zero-pound impact figure that masks a real liability.

Two of these controls also touch the bill directly. An open API Gateway route or a leaked AppSync key sits in front of usage-priced services, so an attacker or scanner can hammer it and convert the exposure into an unbudgeted four- or five-figure invocation spike with no warning. So this capability is one a CFO should care about on cost grounds, not just risk, even though the fix itself is free.

Frame each failing control by the data behind it. A service answering unauthenticated callers in front of customer session data or order events is a breach-class exposure that maps directly to PCI DSS and NIST access-control requirements and to the cyber-insurance questionnaires that ask whether data services enforce authentication. The right question is not what it costs to fix; it is how long it has been open and what it has exposed.

This lesson is for the finance partner who sees a finding with no monthly dollar figure on the security report and wants to understand why it still belongs on the risk register. It covers why these fixes are free, how an open service can become a usage-billed surprise, and how the capability maps to the audit and cyber-insurance commitments the business already carries.

Fun fact

The cluster that was internal only

How a finance partner frames the unauthenticated-service findings

Priya brings the authentication findings to her finance partner ahead of the SOC 2 audit, because the report shows a scatter of red across API Gateway, AppSync and MSK and she wants to know how to rank the work. The partner's first observation is that the fix costs nothing in AWS spend: adding an authorizer to a route, moving AppSync off an API key or turning off the unauthenticated MSK listener are all configuration changes, not paid features. So there is no budget trade-off to weigh and no line item to approve. The exposure sits entirely on the risk side, which is why each finding reads as a zero-pound impact figure that quietly understates a real liability.

The partner then reframes the list by the data behind each service rather than by control number. A route fronting partner order events or a Redis cache holding customer session tokens is a breach-class exposure that maps straight to PCI DSS and NIST access-control requirements and to the cyber-insurance questionnaire that asks whether data services enforce authentication. Two of the findings, the open API Gateway route and the leaked AppSync key, also touch the bill directly, because both sit in front of usage-priced services and an attacker or scanner can convert the exposure into an unbudgeted four- or five-figure invocation spike in hours. The finance ask is therefore precise: attach expected loss to each failing service, treat any open high-severity finding of this type as a tracked item with an owner and a deadline, and route a billing anomaly on a usage-priced API to the security team rather than handling it as a pure cost question.

Why authentication belongs on the risk register

The cost model here is asymmetric. Requiring authentication costs nothing in AWS spend, and leaving it off creates a contingent liability that reads as zero on the bill until the day it does not. Each failing control is a service where a future leak or a compromised host could read or corrupt the data behind it, and for a service fronting customer or payment data the worst case is a reportable breach.

Two of these controls fold straight into the bill. An open API Gateway route or a leaked AppSync key sits in front of usage-priced services, so automated abuse converts the exposure into an unbudgeted invocation spike in hours. That makes a billing anomaly on a usage-priced API a security signal worth routing to the security team, not just a cost question.

The documented cost of an exposure breach includes mandatory notification within tight regulatory windows, forensics and legal fees that run into six and seven figures, and the audit or insurance consequences of having represented that data services authenticate when one did not. Against that, the remediation is engineering time. The finance role is to attach expected loss to each failing service and treat any open high-severity finding of this type as a tracked item with an owner and a deadline, not a backlog candidate.

What finance can do about the authentication gap

Finance cannot attach an authorizer, but it can frame authentication as a near-zero-cost liability fix and make sure the work is ranked by exposure rather than by control count. Three levers.

1. Separate the free fix from the priced exposure

Make clear that the remediation itself has no AWS cost, so there is no spend to approve and no reason to defer on budget grounds. The cost lives in two places: the contingent breach liability behind each service, and the direct billing exposure on the two usage-priced controls, an open API Gateway route or a leaked AppSync key, where automated abuse becomes an unbudgeted invocation spike in hours. Funding the fix is never the question; the question is why a free fix on regulated data has stayed open.

2. Risk-weight each failing service by the data behind it

A single red finding flattens a route fronting payment events and a quiet internal endpoint into the same line. Attach an expected loss to each failing service based on what it holds or fronts, customer session data, order events, production data in flight, and prioritise by that, not by control number. A service answering anonymous callers in front of regulated data maps directly to PCI DSS and NIST access-control requirements and to the cyber-insurance questionnaire, so it carries the highest expected loss and the shortest deadline.

3. Track open high-severity findings as owned, deadlined items

Treat any open high-severity authentication finding as a tracked item with a named owner and a date, not a backlog candidate, because the metric that matters is how long it has been open and what it has exposed. Route a billing anomaly on a usage-priced API to the security team as a possible abuse signal rather than handling it purely as a cost question, and require a recorded justification for any service deliberately left public so the picture is defensible at audit.

Quick quiz

Question 1 of 5

What is the direct AWS spend required to remediate the authentication controls in this capability?

Keep learning

Go deeper on how authentication works across the services in this capability.

You have finished the finance view of service authentication. You know the fix is free in AWS terms, that the exposure is a contingent breach liability mapping to PCI DSS and NIST access-control requirements plus a direct billing risk on the two usage-priced controls, and that the right metric is how long a finding has been open and what it has exposed, not what it costs to close. Next time the cluster appears, you will risk-weight each service by the data behind it, treat every open high-severity finding as an owned and deadlined item, and route usage-priced billing spikes to security as a possible abuse signal.

Back to the library

Requiring authentication: the headline

Whether every data and API service proves who is calling before it answers

Authentication is the difference between a contained system and an open one. A service that answers without checking identity, whether through an open API route, a shared key, or an unauthenticated data pipeline, is as secure as the network around it and no more. The report shows this as a scatter of separate findings across many services.

The leadership question is simple: do all our data pipelines and APIs require callers to prove who they are, and for any that do not, who signed off? The defensible end state is that every data and API service authenticates by default, with the few deliberate public exceptions documented and owned.

None of this is a cost decision; the fixes are free in AWS terms. It is a governance decision about whether access is granted to identified callers or simply to anyone who can reach the service on the network.

A short read for the leader who needs to know what unauthenticated services expose, why closing them is a governance decision rather than a budget one, and what a defensible end state looks like: authentication by default on every data and API service, with documented exceptions.

Fun fact

The cluster that was internal only

What it looks like when authentication is a default, not a network assumption

The authentication findings reached the executive review after a near-miss: a Redis cache stood up as internal only turned out to be reachable through a new VPN route, and because the service never required a credential, reachability was all an attacker would have needed. The team had genuinely believed network isolation was authentication. The lesson leadership drew was not about that one cache. It was that the company runs data pipelines and APIs, across API Gateway, AppSync, MSK, ElastiCache and DMS, that answer anyone who can reach them, and that every framework the business reports against treats authentication on data services as table stakes.

So the executive framing settled on one standard and one question. The standard is that data and API services authenticate by default, with the few deliberate public exceptions, a health check, a signature-verifying webhook, documented and owned. The question, for any exception, is who signed off. Because the fix is free and the downside is a breach, an audit failure or a runaway bill all at once, this is the rare class of control where the risk of inaction is severe and the cost of action is small. The number leadership keeps asking for is not how much authentication costs, it is whether the set of unauthenticated services is shrinking and fast-closing, because a growing or long-open set means secure defaults are not enforced and the same gap almost certainly exists on services nobody has scanned yet.

Why this is a board-level risk

A data pipeline or API that answers anyone on the network is the shape of risk that becomes a headline. The pattern matters more than any single finding: a small, fast-closing set means data and API services authenticate by default and the team has a working cadence; a growing or long-open set means secure defaults are not enforced and the same gap almost certainly exists on services that have not been scanned yet.

Because the fix is free and the downside is a breach, an audit failure or a runaway bill all at once, this is the rare class of control where the risk of inaction is severe and the cost of action is small. The leadership move is one standard, data and API services authenticate by default, and one question, for any exception, who signed off, so the foundation does not drift back open one service at a time.

The leadership move on service authentication

The executive handle is not to approve each authorizer, it is to set one standard, authentication by default on every data and API service, and one question for any exception. Three moves.

1. Set the standard: data and API services authenticate by default

Make it policy that every data pipeline and API requires the caller to prove identity through a mechanism tied to a real principal, not possession of a string or network reachability. The right place to enforce this is provisioning, a deploy-time gate that rejects a route without an authorizer and an IaC guardrail that blocks API_KEY on AppSync and the unauthenticated listener on MSK, so an unauthenticated service can only exist as a deliberate, reviewed exception rather than the accidental default.

2. Require a named owner and a deadline for every open exposure

For each service still answering anonymous callers, ask for the owner, the data it fronts and the date it will be closed. Because the fix is free, an open finding is a decision to leave a service exposed, not a resourcing problem. The defensible end state is a small, fast-closing set; a growing or long-open set is the signal that secure defaults are not enforced and that the same gap exists on services that have not yet been scanned.

3. For any deliberate public endpoint, ask who signed off

A genuine public exception, a health check that returns no data or a webhook that verifies a provider signature inside the handler, is legitimate, but it should be a documented and owned decision, not a silent default. The one question that keeps the foundation from drifting back open one service at a time is, for each exception, who signed off, with the justification on the record where an auditor or an insurer can see it.

Quick quiz

Question 1 of 5

At the leadership level, what does a service answering anyone on the network actually represent?

Keep learning

Go deeper on how authentication works across the services in this capability.

Two takeaways: a service that answers anyone on the network is as secure as the network around it and no more, and because the fix is free while the downside is a breach, an audit failure or a runaway bill, this is the easy trade to approve. The leadership outcome is one standard, authentication by default on every data and API service, and one question for every exception, who signed off. The number to watch is whether the set of unauthenticated services is small and fast-closing, not whether today's count happens to be zero.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Require authentication on data and API services

Requiring authentication: the basics

The cluster that was internal only

Finding unauthenticated services across an estate

How AWS decides a service is unauthenticateddeep dive

What is the impact of leaving services unauthenticated?

How do you require authentication safely?

1. Inventory every service answering anonymous callers

2. Separate genuine public endpoints from defaults

3. Migrate gracefully, then remove the insecure mode

4. Prevent it shipping again

Quick quiz

Keep learning

Requiring authentication: the cost and risk view

The cluster that was internal only

How a finance partner frames the unauthenticated-service findings

Why authentication belongs on the risk register

What finance can do about the authentication gap

1. Separate the free fix from the priced exposure

2. Risk-weight each failing service by the data behind it

3. Track open high-severity findings as owned, deadlined items

Quick quiz

Keep learning

Requiring authentication: the headline

The cluster that was internal only

What it looks like when authentication is a default, not a network assumption

Why this is a board-level risk

The leadership move on service authentication

1. Set the standard: data and API services authenticate by default

2. Require a named owner and a deadline for every open exposure

3. For any deliberate public endpoint, ask who signed off

Quick quiz

Keep learning

Controls this lesson covers

APIGateway

AppSync

DMS

ElastiCache

MSK

Related compliance lessons