@wdahlenburg
Contributor

Description

The endpoints module does a great job capturing various endpoints, but it doesn't go into detail on what HTTP methods are supported.

The API Gateway service allows for the method, url, and API keys to be retrieved. I mirrored a lot of the logic from the endpoints module, but wanted to format the loot as a curl command.

At a high level, this module should allow for API Gateways to be tested more efficiently. I think the endpoints functionality should be kept, where this module extends the existing functionality.

Details

I wrote this a few months back and finally had a chance to test it out.

The module enumerates all of the API gateways along with if they have a custom domain name. It grabs the API keys, which use a hardcoded header of X-Api-Key, and associates them with any stages where they are used.

The loot file generates a curl command with the method, endpoint, and API key if needed. If the request is a POST, DELETE, PATCH, or PUT, the content-type is set to application/json and the data that is sent is an empty json blob. I figure this is a decent starting point, but users will need to try to figure out what a legitimate request body looks like.

API Gateways can define that ANY method can be used on the endpoint. This isn't a standard HTTP verb, so to simplify things for users, I split it into a GET and POST request. This could be expanded to cover the rest of common methods if needed.

The API key is a nice add-in that allows authenticated access to the endpoints, where IAM Get* permissions are more likely to be found in an audit account.

I found this to be a nice way to test accounts with hundreds++ of endpoints. Similar to some of the other loot files, users should be able to append to the curl syntax as needed (Ex: -k for cert validation).

It's been a few months since I wrote it, so feel free to request updates if I missed some styling changes. Let me know if there is more functionality that you would add.
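As an added illustration of the loot format described above (not cloudfox's own code; the Endpoint type, field names and sample values are constructed for this example), here is a small Go program that turns the collected method, URL and API key into curl lines, applying the same rules: ANY is split into GET and POST, the key goes in an X-Api-Key header, and POST/DELETE/PATCH/PUT get a JSON content type with an empty body.

```go
package main

import (
	"fmt"
	"strings"
)

// Endpoint is one route as the api-gw module collects it (constructed type, not cloudfox's own).
type Endpoint struct {
	Method string // HTTP verb, or API Gateway's pseudo-method ANY
	URL    string // invoke URL or custom domain name
	APIKey string // empty when the stage needs no X-Api-Key
}
// bodyMethods are the verbs for which the loot sets a JSON content type and sends an empty body.
var bodyMethods = map[string]bool{"POST": true, "DELETE": true, "PATCH": true, "PUT": true}
// curlCommand renders one curl line for a concrete HTTP method.
func curlCommand(method, url, apiKey string) string {
	parts := []string{"curl", "-X", method}
	if apiKey != "" {
		parts = append(parts, "-H", "'X-Api-Key: "+apiKey+"'")
	}
	if bodyMethods[method] {
		parts = append(parts, "-H", "'Content-Type: application/json'", "-d", "'{}'")
	}
	return strings.Join(append(parts, "'"+url+"'"), " ")
}
// LootLines expands endpoints into curl lines; ANY is not a real HTTP verb,
// so it is split into a GET and a POST line, as the PR describes.
func LootLines(eps []Endpoint) []string {
	var lines []string
	for _, ep := range eps {
		methods := []string{strings.ToUpper(ep.Method)}
		if methods[0] == "ANY" {
			methods = []string{"GET", "POST"}
		}
		for _, m := range methods {
			lines = append(lines, curlCommand(m, ep.URL, ep.APIKey))
		}
	}
	return lines
}

func main() {
	// Constructed sample input: placeholder URL and key, not real values.
	eps := []Endpoint{{Method: "GET", URL: "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items"},
		{Method: "ANY", URL: "https://api.example.com/v1/orders", APIKey: "EXAMPLE-KEY"}}
	for _, l := range LootLines(eps) {
		fmt.Println(l)
	}
}
```

Users can append further flags to each line as needed, for example -k when the custom domain's certificate does not validate.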

@sethsec-bf sethsec-bf self-assigned this Nov 19, 2023
@sethsec-bf
Contributor

Thanks @wdahlenburg - Can't wait to give this a spin!

Moved all api calls to the sdk package.
Added counter to getEndpointsPerAPIGatewayv2 and
getEndpointsPerAPIGateway because in regions with lots of apigateways
this took a long time and it just hung on 66/68 tasks and I worried. The
additional counters will help give visibility that things are still
moving along.
Added an additional alias api-gws
@sethsec-bf
Contributor

Worked great @wdahlenburg - I just moved all api calls to the sdk package, added a counter to
getEndpointsPerAPIGatewayv2 and getEndpointsPerAPIGateway because in regions with lots of apigateways this took a long time and it just hung on 66/68 tasks and I worried it was stuck. The additional counters will help give visibility that things are still moving along. Lastly, I added another alias api-gws.

Can you give this a test to make sure it still works as designed in your test env?

@wdahlenburg
Contributor Author

I tested it out and everything seems to work as expected. I noticed the same thing on an account with a bunch of endpoints, so the update looks good. Thanks @sethsec-bf!

@sethsec-bf sethsec-bf merged commit 26cb997 into BishopFox:main Dec 24, 2023
@sethsec-bf
Contributor

Merged, thanks again @wdahlenburg, this one is a really nice addition!
