Hacking API Gateway

API Gateway is a service that allows developers to create APIs for applications. In addition, it can also be integrated with AWS Services, which can pose a security risk due to possible misconfigurations.


Each API Gateway has a URL called Endpoint which can be used to invoke it.

For example, here endpoint is: https://wpeiyqw4d6.execute-api.us-east-2.amazonaws.com

API Gateway configuration for the above endpoint includes a method named wpeiyqw4ds and a region named us-east-2.

These endpoints can be of 2 types:-

  • Private API Endpoint : Accessible from VPC and approved subnets using a VPC interface.

  • Public API Endpoints : Accessible from Internet

Routes for API Gateway

Users can create their own application flow by using routes in API Gateway. For instance, adding a route for /application indicates that the user can specify the service or resource which will be invoked when request is sent to /application.

As an example, here the route for /route has been added, which indicates API Gateway will perform configured action when requests reach the specified path.

Integrations for API Gateway

Integrations for a API Gateway allows users to configure actions based on specified routes.

The above configuration specifies the integration where any request to /route is sent to https://google.com. Hence, here the route /route is having a HTTP integration with https://google.com

Stage in API Gateway

Stage is a snapshot of API Gateway which is used to manage and optimize a individual deployment. For instance a single API Gateway can have multiple stages and each stage can have different throttling and monitoring configurations.

Stages in API Gateway can be used to throttle request for a single route for one stage but the same route may work for another stage due to laxed throtteling.

Here we have 2 stages, one is $default which is a default stage and is present whenever API Gateway is created. A new custom stage present here is production_stage which has a different endpoint

NOTE: Notice that except path, the domain for any stage remains same.

Access Control for API Gateways

As informed earlier, an API Gateway can be public or private. Resource policy is optional for public API Gateway but compulsory for private API Gateway since it acts as access control for private API Gateways.

Example resource policy:

   "Version": "2012-10-17",
   "Statement": [
            "Effect": "Allow",
            "Principal": {
                "AWS": [
            "Action": "execute-api:Invoke",
            "Resource": [

This policy reveals that :-

  • Effect parameter indicates if the mentioned Principal has Allow or Deny permissions on Resource. Here, Allow indicates that user Alice can invoke the API Gateway. If Effect was Deny, then it would have indicated that user Alice is not authorized to invoke the API Gateway.

  • Action here indicates the exact permission given to the principal on the Resource. Here execute-api:Invoke suggests that Alice user is allowed to invoke the API Gateway.

  • Principal here indicates the source ARN which is associated with this policy. Here arn:aws:iam::account-id-2:user/Alice indicates that Alice user is the one associated with this policy who is being granted access.

  • Resource here indicates the route in API gateway which is associated with the policy. In this case Alice can make GET request to pets route.

Just looking at the Resouce policy helped us accumulate useful information about target. For instance, we now know a user in target AWS Account, a working route of /pets and even a stage called production which can be useful for enumeration purpose.

Last updated