Restrict HTTP methods to only those necessary for the application's functionality to prevent security risks.
```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/*"
          HttpMethod: "*"
          LoggingLevel: INFO
```
The above CloudFormation template defines an `AWS::Serverless::Api` resource whose `MethodSettings` entry allows all HTTP methods (`HttpMethod: "*"`, equivalent to `ANY`).
Allowing all HTTP methods increases the risk of:
- Unauthorized file uploads (PUT)
- Accidental or malicious deletion of resources (DELETE)
- Cross-site tracing attacks (TRACE), which can expose sensitive request data such as headers and cookies.
This misconfiguration can lead to data manipulation or unauthorized actions against the API.
```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/secure"
          HttpMethod: "GET"
          LoggingLevel: INFO
        - ResourcePath: "/secure"
          HttpMethod: "POST"
          LoggingLevel: INFO
```
The secure approach explicitly defines only the necessary HTTP methods (`GET` and `POST`), ensuring that potentially harmful methods such as `TRACE`, `PUT`, and `DELETE` are not exposed. By restricting `MethodSettings` in this way, the API enforces a more controlled access policy and reduces its attack surface.
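As an added example (not part of the original page), the following Python check applies this rule to an already parsed SAM template, i.e. the dict that `yaml.safe_load` would return. The two templates above are rebuilt inline as constructed input, together with a third constructed template that exposes `DELETE` on a single path; the helper and function names are this example's own.

```python
# Added example, not from the original page: a checker that walks an already
# parsed SAM template (the dict form yaml.safe_load would return) and flags
# MethodSettings entries that allow every HTTP method or a risky method.

WILDCARD_METHODS = {"*", "ANY"}
RISKY_METHODS = {"TRACE", "PUT", "DELETE"}


def find_permissive_method_settings(template):
    """Return (resource, path, method, reason) tuples for each offending entry."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::Serverless::Api":
            continue
        props = resource.get("Properties") or {}
        for setting in props.get("MethodSettings") or []:
            # Entries without an explicit HttpMethod are not flagged here.
            method = str(setting.get("HttpMethod", "")).upper()
            path = setting.get("ResourcePath", "/*")
            if method in WILDCARD_METHODS:
                findings.append((name, path, method, "all HTTP methods allowed"))
            elif method in RISKY_METHODS:
                findings.append((name, path, method, f"{method} exposed"))
    return findings


def method_settings(*entries):
    """Build a one-API template from (ResourcePath, HttpMethod) pairs (constructed input)."""
    return {"Resources": {"MyApi": {
        "Type": "AWS::Serverless::Api",
        "Properties": {"StageName": "Prod", "MethodSettings": [
            {"ResourcePath": p, "HttpMethod": m, "LoggingLevel": "INFO"}
            for p, m in entries]}}}}


# The two templates from the page, plus a constructed one that exposes DELETE.
INSECURE = method_settings(("/*", "*"))
SECURE = method_settings(("/secure", "GET"), ("/secure", "POST"))
DELETE_EXPOSED = method_settings(("/items", "GET"), ("/items", "DELETE"))

if __name__ == "__main__":
    for label, tpl in [("insecure", INSECURE), ("secure", SECURE), ("delete", DELETE_EXPOSED)]:
        print(label, find_permissive_method_settings(tpl))
```

`MethodSettings` are stage-level settings, so a template that passes this check should still have its route definitions (`DefinitionBody` or function event sources) reviewed for the methods they actually expose.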