API Gateway Authorizers Insecure Authentication Token Logging #521

Closed
ejohn20 opened this issue Jul 24, 2018 · 0 comments
Labels
area/bestpractices contributors/good-first-issue Good first issue for a contributor

ejohn20 commented Jul 24, 2018

The API Gateway default templates are logging the client's authentication token into the CloudWatch logs. While this may be helpful when debugging the function, this should be avoided in production as it leaks valid user tokens to the log files, which can be seen by users that likely should not have access to invoke all of the APIs on behalf of that user.

Yes, folks should restrict access to their log files. But, it is highly unlikely that all users viewing logs should be able to impersonate all users across the API using their token. I have seen the token logging code left in place in several security reviews recently, and the log data could have resulted in a major incident.

Here are 2 instances that I identified (there could be more):

https://github.com/awslabs/serverless-application-model/blob/a09929bcdd7cd6083d5c344ce5a64208a56bc4a6/examples/apps/api-gateway-authorizer-nodejs/index.js#L315

https://github.com/awslabs/serverless-application-model/blob/a09929bcdd7cd6083d5c344ce5a64208a56bc4a6/examples/apps/api-gateway-authorizer-python/lambda_function.py#L7

Can I suggest that these lines be removed from the default template? If the intent is to show users how to access the token, can we just set this to a variable instead with a comment explaining it contains the incoming token value?

Example:

```javascript
// Keep the incoming token in a variable instead of writing it to the log
var token = event.authorizationToken;
```