The API Gateway default templates are logging the client's authentication token into the CloudWatch logs. While this may be helpful when debugging the function, this should be avoided in production as it leaks valid user tokens to the log files, which can be seen by users that likely should not have access to invoke all of the APIs on behalf of that user.
Yes, folks should restrict access to their log files. But, it is highly unlikely that all users viewing logs should be able to impersonate all users across the API using their token. I have seen the token logging code left in place in several security reviews recently, and the log data could have resulted in a major incident.
Here are 2 instances that I identified (there could be more):

https://github.com/awslabs/serverless-application-model/blob/a09929bcdd7cd6083d5c344ce5a64208a56bc4a6/examples/apps/api-gateway-authorizer-nodejs/index.js#L315
https://github.com/awslabs/serverless-application-model/blob/a09929bcdd7cd6083d5c344ce5a64208a56bc4a6/examples/apps/api-gateway-authorizer-python/lambda_function.py#L7

Can I suggest that these lines be removed from the default template? If the intent is to show users how to access the token, can we just set this to a variable instead with a comment explaining it contains the incoming token value?

Example:

```js
var token = event.authorizationToken;
```