The API Gateway must audit authentication and authorization information.

STIG ID: SRG-APP-000095-API-001760 | SRG: SRG-APP-000095 | Severity: medium | CCI: CCI-000130 | Vulnerability Id: V-274527

Vulnerability Discussion

The API Gateway must audit authentication and authorization information to ensure robust security, compliance, and accountability in access control. As the central entry point for all incoming API requests, the gateway is responsible for verifying the identity of users and ensuring they have the necessary permissions to access specific resources. By auditing authentication and authorization events, the gateway creates an audit trail that helps track and verify who accessed the API, when, and with what permissions. This is crucial for identifying and responding to potential security threats, such as unauthorized access attempts or privilege escalation. Auditing also helps detect suspicious patterns, such as repeated failed login attempts or attempts to access restricted endpoints, which could indicate an ongoing attack.

Check

If an API Gateway is not in use, this is Not Applicable.

Verify the API Gateway audits authentication and authorization information.

1. Confirm audit logging is enabled for authentication and authorization events. This includes both successful and failed authentication attempts, as well as the authorization decisions (e.g., whether a user is granted or denied access).

2. Verify the logs capture relevant authentication and authorization details.

3. After performing tests, review the logs for entries related to authentication and authorization. Ensure that logs contain the appropriate level of detail (e.g., timestamps, user IDs, status codes).

If the API Gateway does not audit authentication and authorization information, this is a finding.

Fix

Build or configure the API Gateway to log authentication and authorization events, including the appropriate level of detail (e.g., timestamps, user IDs, status codes).
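The check steps and fix above describe what the gateway's audit trail has to contain rather than how any particular product produces it. The following is an added example, not part of the STIG text and not code from any gateway vendor: a minimal request handler that records an audit event for every authentication and authorization decision (success and failure alike) with the timestamp, user ID, client address, request and status code the check calls for, plus a review helper for step 3 that flags entries missing required fields and clients with repeated authentication failures. The token table, role policy, field names and sample requests are all constructed for illustration.

```python
"""Added example (not from the STIG or any gateway product): audit
authentication and authorization decisions at an API gateway and review
the resulting log for required detail and repeated failures."""
import json
from datetime import datetime, timezone

# Constructed identity store: bearer token -> (user_id, role)
TOKENS = {
    "tok-alice": ("alice", "reader"),
    "tok-bob": ("bob", "admin"),
}

# Constructed policy: (method, path) -> roles allowed to call it
POLICY = {
    ("GET", "/api/reports"): {"reader", "admin"},
    ("DELETE", "/api/reports"): {"admin"},
}

# Detail each audit entry must carry (assumed field names for this example)
REQUIRED_FIELDS = ("timestamp", "event", "outcome", "user_id",
                   "client_ip", "method", "path", "status")


class AuditLog:
    """Collects one JSON line per authn/authz decision, success or failure."""

    def __init__(self):
        self.lines = []

    def record(self, event, outcome, status, request, user_id="unknown", reason=""):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "event": event,        # "authn" or "authz"
            "outcome": outcome,    # "success" or "failure"
            "user_id": user_id,    # "unknown" when the token never resolved
            "client_ip": request["client_ip"],
            "method": request["method"],
            "path": request["path"],
            "status": status,
            "reason": reason,
        }
        self.lines.append(json.dumps(entry))


def gateway_handle(request, audit):
    """Authenticate, then authorize; every decision is audited. Returns the HTTP status."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    identity = TOKENS.get(token)
    if identity is None:
        audit.record("authn", "failure", 401, request, reason="invalid or missing token")
        return 401
    user_id, role = identity
    audit.record("authn", "success", 200, request, user_id=user_id)

    allowed = POLICY.get((request["method"], request["path"]), set())
    if role not in allowed:
        audit.record("authz", "failure", 403, request, user_id=user_id,
                     reason="role %s not permitted" % role)
        return 403
    audit.record("authz", "success", 200, request, user_id=user_id)
    return 200


def review_audit_log(lines, failure_threshold=3):
    """Step 3 of the check: confirm each entry has the required detail and
    surface clients whose authentication failures reach the threshold."""
    missing = []
    failures_by_ip = {}
    for line in lines:
        entry = json.loads(line)
        absent = [f for f in REQUIRED_FIELDS if f not in entry]
        if absent:
            missing.append((entry.get("timestamp"), absent))
        if entry.get("event") == "authn" and entry.get("outcome") == "failure":
            ip = entry["client_ip"]
            failures_by_ip[ip] = failures_by_ip.get(ip, 0) + 1
    suspicious = sorted(ip for ip, n in failures_by_ip.items() if n >= failure_threshold)
    return {"entries": len(lines), "missing_fields": missing,
            "repeated_authn_failures": suspicious}


def demo():
    """Constructed traffic: one permitted call, one authorization denial,
    and three bad tokens from a single client address."""
    audit = AuditLog()
    reqs = [
        {"method": "GET", "path": "/api/reports", "client_ip": "10.0.0.5",
         "headers": {"Authorization": "Bearer tok-alice"}},
        {"method": "DELETE", "path": "/api/reports", "client_ip": "10.0.0.5",
         "headers": {"Authorization": "Bearer tok-alice"}},
    ] + [{"method": "GET", "path": "/api/reports", "client_ip": "198.51.100.7",
          "headers": {"Authorization": "Bearer guess"}} for _ in range(3)]
    statuses = [gateway_handle(r, audit) for r in reqs]
    return statuses, review_audit_log(audit.lines)


if __name__ == "__main__":
    statuses, summary = demo()
    print(statuses)
    print(json.dumps(summary, indent=2))
```

Running `demo()` yields statuses `[200, 403, 401, 401, 401]` and seven audit entries (two per authenticated request, one per rejected token); the review reports no missing fields and lists `198.51.100.7` under repeated authentication failures. Recording the authentication success separately from the authorization outcome is deliberate: it lets a reviewer distinguish a valid user denied by policy from an unknown caller, which is the distinction the vulnerability discussion relies on when looking for privilege escalation versus unauthorized access attempts.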