Insecure HTTP methods enabled - cloudformation

Need

Restrict HTTP methods to only those necessary for the application's functionality to prevent security risks.

Context

  • HTTP methods define how clients interact with a server, but some methods can introduce security risks if not properly restricted.
  • Insecure HTTP methods such as `TRACE`, `PUT`, and `DELETE` can allow attackers to modify or delete resources, perform cross-site tracing attacks, or upload malicious content when the application does not explicitly authorize each method it accepts.
  • CloudFormation templates may inadvertently allow all HTTP methods (`HttpMethod: "*"`) when defining API resources, exposing services to potential threats.

Description

Non compliant code

    Resources:
      MyApi:
        Type: AWS::Serverless::Api
        Properties:
          StageName: Prod
          MethodSettings:
            - ResourcePath: "/*"   # every path on the stage
              HttpMethod: "*"      # every method: the insecure wildcard
              LoggingLevel: INFO

The above CloudFormation (SAM) template defines an `AWS::Serverless::Api` resource whose `MethodSettings` entry combines `ResourcePath: "/*"` with `HttpMethod: "*"`, so the stage is configured for every method on every path instead of for an explicit set. The wildcard is the stage-level counterpart of an `ANY` method in the API definition; `ANY` matches every method API Gateway supports (DELETE, GET, HEAD, OPTIONS, PATCH, POST and PUT), so each such request is passed on to the integration behind it.

Allowing all HTTP methods increases the risk of:
- Unauthorized file uploads or overwrites (PUT).
- Accidental or malicious deletion of resources (DELETE).
- Cross-site tracing (TRACE) on backends that implement it, which echoes the request back to the client and can expose headers such as cookies or authorization tokens.

This misconfiguration can lead to data manipulation or unauthorized actions on the API.

Steps

  • Identify API configurations that allow unrestricted HTTP methods: `HttpMethod: "*"` in `MethodSettings`, `Method: ANY` in a function's `Api` events, and `HttpMethod: ANY` on `AWS::ApiGateway::Method` resources.
  • Review API settings (`MethodSettings` in AWS, similar configurations in other frameworks) against the list of methods the application actually needs.
  • Replace `HttpMethod: "*"` or equivalent settings with explicitly defined methods (e.g., `GET`, `POST`), both in the stage settings and where the routes themselves are declared, since `MethodSettings` only configures logging, throttling and caching for methods that already exist.
  • Validate the configuration to ensure only intended methods are accessible, for example by sending a request with an unexpected method (such as `DELETE`) to the deployed stage and confirming that API Gateway rejects it rather than forwarding it to the backend.

Compliant code

    Resources:
      MyApi:
        Type: AWS::Serverless::Api
        Properties:
          StageName: Prod
          MethodSettings:
            - ResourcePath: "/secure"  # one explicit path ...
              HttpMethod: "GET"        # ... and only the methods it needs
              LoggingLevel: INFO
            - ResourcePath: "/secure"
              HttpMethod: "POST"
              LoggingLevel: INFO

The secure approach explicitly defines only the necessary HTTP methods (GET and POST) on the `/secure` path, so the stage carries no wildcard entry and potentially harmful methods such as TRACE, PUT, and DELETE are not part of the configuration.

Note that `MethodSettings` governs per-method stage behaviour (logging level, throttling, caching); the methods a client can actually call are the ones declared in the API definition (`DefinitionBody` or `DefinitionUri`) or in the `Api` events of the functions attached to the API. Restricting `MethodSettings` therefore has its intended effect only when those declarations are limited to the same `GET` and `POST` methods. With both in place, the API enforces a more controlled access policy and reduces its attack surface.
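As an added example (not part of the original page and not an AWS tool), the following Python script implements the "identify" and "validate" steps above and checks the intent of the compliant template: it walks a SAM/CloudFormation template loaded as a dict (JSON form) and flags every declared method that is a wildcard (`*` or `ANY`) or outside an allowlist, looking at `MethodSettings`, function `Api` events and raw `AWS::ApiGateway::Method` resources. The two templates embedded in it are constructed for the example; the `SecureResource` logical ID and the `app.handler` function are assumed to exist elsewhere, and YAML templates using intrinsic tags such as `!Ref` would first need a tag-aware loader, which is outside this example.

```python
"""Flag wildcard or non-allowlisted HTTP methods in a SAM/CloudFormation template.

Added example, not code from the original page. Operates on a template already
loaded as a dict (JSON form); CloudFormation YAML with intrinsic tags (!Ref,
!Sub) must be loaded with a tag-aware loader first.
"""
import json
from typing import Any

# API Gateway spells "every method" as ANY on method definitions and "*" in
# stage MethodSettings; both are treated as wildcards here.
WILDCARD_METHODS = frozenset({"*", "ANY"})
DEFAULT_ALLOWED = frozenset({"GET", "POST"})  # assumed application need


def _d(value: Any) -> dict:
    """Return value if it is a dict, else an empty dict (tolerates malformed input)."""
    return value if isinstance(value, dict) else {}


def _record(findings: list, resource: str, path: Any, method: Any, allowed: frozenset) -> None:
    """Append a finding when `method` is a wildcard or not in the allowlist."""
    if method is None:
        return
    m = str(method).upper()  # SAM accepts lowercase methods such as "get"
    if m in WILDCARD_METHODS:
        reason = "wildcard matches every method"
    elif m not in allowed:
        reason = "method not in allowlist"
    else:
        return
    findings.append({"resource": resource, "path": path, "method": m, "reason": reason})


def find_unrestricted_methods(template: dict, allowed: frozenset = DEFAULT_ALLOWED) -> list:
    """Return one finding per declared method that is a wildcard or outside `allowed`.

    Methods are declared in three places in a SAM/CloudFormation template:
      AWS::Serverless::Api       Properties.MethodSettings[].HttpMethod
      AWS::Serverless::Function  Properties.Events.<name>.Properties.Method (Type: Api)
      AWS::ApiGateway::Method    Properties.HttpMethod
    """
    findings: list = []
    for logical_id, resource in _d(template.get("Resources")).items():
        rtype = _d(resource).get("Type")
        props = _d(_d(resource).get("Properties"))
        if rtype == "AWS::Serverless::Api":
            for setting in props.get("MethodSettings") or []:
                s = _d(setting)
                _record(findings, logical_id, s.get("ResourcePath"), s.get("HttpMethod"), allowed)
        elif rtype == "AWS::Serverless::Function":
            for name, event in _d(props.get("Events")).items():
                if _d(event).get("Type") == "Api":
                    ep = _d(_d(event).get("Properties"))
                    _record(findings, f"{logical_id}.Events.{name}", ep.get("Path"), ep.get("Method"), allowed)
        elif rtype == "AWS::ApiGateway::Method":
            _record(findings, logical_id, props.get("ResourceId"), props.get("HttpMethod"), allowed)
    return findings


# Constructed sample templates (JSON form of the page's YAML plus the function and raw
# method that actually define routes). SecureResource is assumed to be declared elsewhere.
VULNERABLE_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyApi": {"Type": "AWS::Serverless::Api", "Properties": {
            "StageName": "Prod",
            "MethodSettings": [{"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "INFO"}]}},
        "Handler": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
            "Events": {"Proxy": {"Type": "Api", "Properties": {
                "RestApiId": {"Ref": "MyApi"}, "Path": "/{proxy+}", "Method": "ANY"}}}}},
        "LegacyDelete": {"Type": "AWS::ApiGateway::Method", "Properties": {
            "RestApiId": {"Ref": "MyApi"}, "ResourceId": {"Ref": "SecureResource"},
            "HttpMethod": "DELETE", "AuthorizationType": "NONE", "Integration": {"Type": "MOCK"}}},
    },
}

HARDENED_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyApi": {"Type": "AWS::Serverless::Api", "Properties": {
            "StageName": "Prod",
            "MethodSettings": [
                {"ResourcePath": "/secure", "HttpMethod": "GET", "LoggingLevel": "INFO"},
                {"ResourcePath": "/secure", "HttpMethod": "POST", "LoggingLevel": "INFO"}]}},
        "Handler": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
            "Events": {
                "Read": {"Type": "Api", "Properties": {"RestApiId": {"Ref": "MyApi"}, "Path": "/secure", "Method": "GET"}},
                "Write": {"Type": "Api", "Properties": {"RestApiId": {"Ref": "MyApi"}, "Path": "/secure", "Method": "POST"}}}}},
    },
}


if __name__ == "__main__":
    for label, tpl in (("vulnerable", VULNERABLE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{label}: {json.dumps(find_unrestricted_methods(tpl), indent=2)}")
```

The vulnerable template yields three findings (the `*` stage wildcard, the `ANY` proxy route and the raw `DELETE` method), while the hardened one yields none; passing a narrower allowlist, for example `frozenset({"GET"})`, makes the checker report the `POST` declarations so the allowlist can be tuned to what the application really needs.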

References