API Gateway V2 routes should require an authorizer

An API Gateway V2 route without an authorizer accepts requests from any caller, no identity verification required. Backend integrations (Lambda functions, HTTP endpoints, private resources) are directly exposed to unauthorized access, data exfiltration, and abuse.

Misconfigured routes are common in rapid development cycles where teams add new paths and forget to attach authorization. A single unprotected route can punch through an otherwise complete authentication layer.

Retrofit consideration

Existing routes serving public traffic (webhooks, health checks) may intentionally lack authorization. Adding authorizers to these routes will break callers that do not supply credentials. Audit each route's intended access model before enforcing.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_apigatewayv2_route.

resource "aws_apigatewayv2_api" "this" {
  name          = "pofix-abc123"
  protocol_type = "HTTP"
}

resource "aws_apigatewayv2_route" "this" {
  # Reference the API declared above instead of a literal id.
  api_id             = aws_apigatewayv2_api.this.id
  # CUSTOM requires a REQUEST (Lambda) authorizer; "JWT" and "AWS_IAM" also pass this control.
  authorization_type = "CUSTOM"
  # Must point at an aws_apigatewayv2_authorizer (declared separately); a literal id
  # that does not exist on this API fails at apply time.
  authorizer_id      = aws_apigatewayv2_authorizer.this.id
  route_key          = "GET /example"
}

What this control checks

This control validates that each aws_apigatewayv2_route has authorization_type set to something other than "NONE". Valid passing values are "JWT", "AWS_IAM", or "CUSTOM". For JWT type, authorizer_id must reference an aws_apigatewayv2_authorizer of type "JWT" with a valid jwt_configuration block specifying issuer and audience. For CUSTOM type, authorizer_id must point to an aws_apigatewayv2_authorizer of type "REQUEST" backed by a Lambda function ARN in authorizer_uri. A route that omits authorization_type or sets it to "NONE" fails. For JWT and CUSTOM types, authorizer_id must also be populated; setting authorization_type without a corresponding authorizer reference causes an API error at apply time.

Common pitfalls

  • Default authorization_type is NONE

    Omitting authorization_type on aws_apigatewayv2_route leaves the route unauthenticated. The default is NONE, so teams that don't set this argument explicitly will fail the control silently until a policy check catches it at plan time.

  • Authorizer ID required alongside authorization_type

    Setting authorization_type to "JWT" or "CUSTOM" without a matching authorizer_id causes a deployment error at apply time. Create the aws_apigatewayv2_authorizer resource first and reference its id attribute in the route resource.

  • $default route often missed

    The $default route (route_key = "$default") catches all unmatched requests on HTTP APIs. It needs an authorizer like any other route, but teams regularly overlook it because it doesn't correspond to an explicit path.

  • WebSocket $connect vs $disconnect authorization

    On WebSocket APIs, authorization only applies to the $connect route. $disconnect and the WebSocket $default route don't support authorizers, so flagging them as non-compliant produces false positives depending on your scanner implementation.

Audit evidence

Auditors expect Config rule evaluation results showing compliant status for all API Gateway V2 routes, or equivalent output from Prowler or Steampipe. Console evidence comes from the API Gateway V2 console: navigate to each API's Routes section and confirm an authorizer is attached to every route. CloudTrail UpdateRoute and CreateRoute events expose the authorizationType field, giving a historical record of when authorization was added or changed. For large environments, aws apigatewayv2 get-routes --api-id <id> returns AuthorizationType per route and can be exported as a compliance artifact.
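The control logic described above, including the pitfalls (omitted type defaults to NONE, JWT/CUSTOM need a matching authorizer, $default is checked, WebSocket routes other than $connect are not applicable) and the audit-evidence workflow, as an added Python example that is not part of this page or of Compliance.tf's own checker. It evaluates data in the JSON shape returned by `aws apigatewayv2 get-api`, `get-routes` and `get-authorizers` (an `Items` list with PascalCase keys); the sample API, routes, authorizer ids and ARNs below are constructed, and the `exempt_route_keys` allowlist for audited public routes is a hypothetical addition supporting the retrofit consideration.

```python
"""Evaluate API Gateway V2 routes against the authorizer control.

Input dictionaries follow the AWS CLI JSON shapes for get-api, get-routes
and get-authorizers. All sample data in this file is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

PASSING_TYPES = {"JWT", "AWS_IAM", "CUSTOM"}
# On WebSocket APIs only $connect can carry an authorizer.
WEBSOCKET_AUTH_ROUTES = {"$connect"}


@dataclass
class Finding:
    route_key: str
    status: str  # "PASS", "FAIL" or "NOT_APPLICABLE"
    reason: str


def _authorizer_ok(route: dict, authorizers: dict) -> tuple:
    """Check that the route's authorizer exists and matches its authorization type."""
    auth_type = route["AuthorizationType"]
    auth_id = route.get("AuthorizerId")
    if not auth_id:
        return False, f"{auth_type} route has no AuthorizerId (apply-time error)"
    authorizer = authorizers.get(auth_id)
    if authorizer is None:
        return False, f"AuthorizerId {auth_id} not found on this API"
    if auth_type == "JWT":
        if authorizer.get("AuthorizerType") != "JWT":
            return False, "JWT route must reference a JWT authorizer"
        cfg = authorizer.get("JwtConfiguration") or {}
        if not cfg.get("Issuer") or not cfg.get("Audience"):
            return False, "JWT authorizer lacks Issuer or Audience"
    elif auth_type == "CUSTOM":
        if authorizer.get("AuthorizerType") != "REQUEST":
            return False, "CUSTOM route must reference a REQUEST authorizer"
        if not authorizer.get("AuthorizerUri"):
            return False, "REQUEST authorizer has no AuthorizerUri (Lambda ARN)"
    return True, f"{auth_type} via authorizer {auth_id}"


def evaluate_routes(api: dict, routes: list, authorizers: list,
                    exempt_route_keys=()) -> list:
    """Return one Finding per route.

    exempt_route_keys (hypothetical) lists routes whose public access model
    has been audited, e.g. webhooks or health checks.
    """
    by_id = {a["AuthorizerId"]: a for a in authorizers}
    is_websocket = api.get("ProtocolType") == "WEBSOCKET"
    findings = []
    for route in routes:
        key = route["RouteKey"]
        if is_websocket and key not in WEBSOCKET_AUTH_ROUTES:
            findings.append(Finding(key, "NOT_APPLICABLE",
                                    "WebSocket route cannot carry an authorizer"))
            continue
        if key in exempt_route_keys:
            findings.append(Finding(key, "PASS", "intentionally public (audited exemption)"))
            continue
        # An omitted AuthorizationType means NONE, exactly like the Terraform default.
        auth_type = route.get("AuthorizationType", "NONE")
        if auth_type not in PASSING_TYPES:
            findings.append(Finding(key, "FAIL", f"AuthorizationType is {auth_type}"))
            continue
        if auth_type == "AWS_IAM":
            findings.append(Finding(key, "PASS", "AWS_IAM (SigV4) authorization"))
            continue
        ok, reason = _authorizer_ok(route, by_id)
        findings.append(Finding(key, "PASS" if ok else "FAIL", reason))
    return findings


# Constructed sample data (ids and ARNs are not real resources).
SAMPLE_API = {"ApiId": "abc123", "ProtocolType": "HTTP"}
SAMPLE_AUTHORIZERS = [
    {"AuthorizerId": "jwt1", "AuthorizerType": "JWT",
     "JwtConfiguration": {"Issuer": "https://issuer.example.invalid", "Audience": ["orders-app"]}},
    {"AuthorizerId": "req1", "AuthorizerType": "REQUEST",
     "AuthorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                      "arn:aws:lambda:us-east-1:123456789012:function:authz/invocations"},
]
SAMPLE_ROUTES = [
    {"RouteKey": "GET /orders", "AuthorizationType": "JWT", "AuthorizerId": "jwt1"},
    {"RouteKey": "POST /orders", "AuthorizationType": "CUSTOM", "AuthorizerId": "req1"},
    {"RouteKey": "DELETE /orders", "AuthorizationType": "CUSTOM"},  # AuthorizerId missing
    {"RouteKey": "GET /admin", "AuthorizationType": "AWS_IAM"},
    {"RouteKey": "GET /health", "AuthorizationType": "NONE"},       # audited public route
    {"RouteKey": "$default"},                                         # type omitted -> NONE
]

if __name__ == "__main__":
    for f in evaluate_routes(SAMPLE_API, SAMPLE_ROUTES, SAMPLE_AUTHORIZERS,
                             exempt_route_keys={"GET /health"}):
        print(f"{f.status:<15} {f.route_key:<16} {f.reason}")
```

Running it with `--api-id` output piped from the CLI instead of the samples gives a per-route PASS/FAIL table suitable as the compliance artifact mentioned above; the exemption list should be reviewed as part of the same evidence, since every entry is a route that deliberately accepts unauthenticated callers.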

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: api_gatewayv2_route_authorizer_configured

  • AWS Config Managed Rule: API_GWV2_AUTHORIZATION_TYPE_CONFIGURED

  • Checkov Check: CKV_AWS_309

  • Powerpipe Control: aws_compliance.control.api_gatewayv2_route_authorizer_configured

  • Prowler Check: apigatewayv2_api_authorizers_enabled

  • AWS Security Hub Control: APIGateway.8

Last reviewed: 2026-03-08