Skip to main content
HIGHAPI GatewaySecurity

API Gateway Method Has No Authorization

api-gateway-method-auth-missing

What this rule checks

Detects AWS::ApiGateway::Method and AWS::ApiGatewayV2::Route resources where AuthorizationType is missing or NONE (excluding OPTIONS preflight). Public-by-default endpoints expose backend Lambdas to anyone on the internet.

How to fix it

  1. 1Set AuthorizationType to AWS_IAM, COGNITO_USER_POOLS, or CUSTOM (REST APIs)
  2. 2Use JWT or AWS_IAM AuthorizationType for HTTP APIs (v2)
  3. 3If the route is intentionally public (e.g. webhook receiver), prefer api-key + WAF rate limiting and suppress this rule explicitly
FlaggedThe GET method uses authorizationType NONE, leaving the backing Lambda invokable by anyone on the internet.
import { aws_apigateway as apigw, aws_lambda as lambda } from 'aws-cdk-lib';

const handler = new lambda.Function(this, 'Handler', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => ({ statusCode: 200 });'),
});

const api = new apigw.RestApi(this, 'Api');
const orders = api.root.addResource('orders');
orders.addMethod('GET', new apigw.LambdaIntegration(handler), {
  authorizationType: apigw.AuthorizationType.NONE,
});
FixedA Cognito user pool authorizer is attached so the method requires a valid bearer token before invoking the Lambda.
import { aws_apigateway as apigw, aws_lambda as lambda, aws_cognito as cognito } from 'aws-cdk-lib';

const handler = new lambda.Function(this, 'Handler', {
  runtime: lambda.Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: lambda.Code.fromInline('exports.handler = async () => ({ statusCode: 200 });'),
});

const userPool = new cognito.UserPool(this, 'UserPool');
const authorizer = new apigw.CognitoUserPoolsAuthorizer(this, 'Authorizer', {
  cognitoUserPools: [userPool],
});

const api = new apigw.RestApi(this, 'Api');
const orders = api.root.addResource('orders');
orders.addMethod('GET', new apigw.LambdaIntegration(handler), {
  authorizationType: apigw.AuthorizationType.COGNITO,
  authorizer,
});

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::ApiGateway::MethodAWS::ApiGatewayV2::Route

Compliance frameworks

SOC2HIPAAPCI-DSSNIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate โ€” a genuinely public endpoint, say. You can dismiss api-gateway-method-auth-missing and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "api-gateway-method-auth-missing", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::api-gateway-method-auth-missing',
  reason: 'Why this is intentional',
});

Use the rule ID api-gateway-method-auth-missing shown above โ€” not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. Suppression docs โ†’

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app โ€” free, no account, your code never leaves your machine.

More API Gateway rules