Ensure that Google Cloud API Gateway is configured to use an authentication method in order to validate incoming requests before passing them to your API backend.
Google Cloud API Gateway needs authentication to act as a security checkpoint. By validating requests with an authentication method such as API keys or JSON Web Tokens (JWTs), it prevents unauthorized access to your backend APIs, protects sensitive data, and can help mitigate attacks such as DDoS or injection.
Audit
To determine if API Gateway uses an authentication method to secure access to your API backend, perform the following operations:
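One way to run this check offline, as an added example that is not part of the original page: the script below assumes the API config was created from an OpenAPI 2.0 document and that you have that source file. The function name `unauthenticated_operations` and the sample spec are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Constructed sample: an OpenAPI 2.0 document of the kind uploaded as an API config.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}},
  "paths": {
    "/orders": {
      "get":  {"operationId": "listOrders", "security": [{"api_key": []}]},
      "post": {"operationId": "createOrder"}
    },
    "/health": {"get": {"operationId": "health", "security": []}},
    "/admin":  {"get": {"operationId": "admin", "security": [{"undefined_scheme": []}]}}
  }
}
""")


def unauthenticated_operations(spec):
    """Return sorted 'METHOD /path' strings for operations with no enforced auth."""
    defined = set(spec.get("securityDefinitions", {}))
    default = spec.get("security")  # document-wide requirement, may be absent
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip 'parameters' and vendor extensions
                continue
            # An operation-level 'security' overrides the top level; [] disables auth.
            reqs = op.get("security", default) or []
            # Conservative: flag an empty requirement {} (anonymous access allowed)
            # and any requirement naming a scheme missing from securityDefinitions.
            enforced = bool(reqs) and all(r and set(r) <= defined for r in reqs)
            if not enforced:
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in unauthenticated_operations(SAMPLE_SPEC):
        print("no authentication:", finding)
```

To audit a real config, load its OpenAPI source with `json.load` (or a YAML parser) and pass the resulting dictionary to the function; an empty result means every operation carries a security requirement.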
Getting the API configuration file information via Google Cloud CLI (gcloud) is not currently supported.
Remediation / Resolution
To ensure that Google Cloud API Gateway uses an authentication method to secure access to your API backend, perform the following operations:
As an example, the Remediation section provides instructions on how to implement the API key authentication method for an API Gateway REST API.
References
- Google Cloud Platform (GCP) Documentation
  - Choosing an Authentication Method
  - Using API Keys
  - Authentication between services
- GCP Command Line Interface (CLI) Documentation
  - gcloud services enable
  - gcloud alpha services api-keys create
  - gcloud api-gateway api-configs create
  - gcloud api-gateway gateways update
  - gcloud alpha services api-keys update
Check for API Gateway Authentication Method
Risk Level: Medium