List all your API Gateway resources in AWS that have no authorization enabled (= public access) and no API key, using the AWS CLI
# This is an ugly but working bash snippet to quickly list all resources in API Gateway with no authorizer set, which means public internet access to that API.
# It is a good way to get an indication of whether you or your developers are doing the right thing when they deploy services: internal services should be using API keys or, better, AWS_IAM protection. This does not check whether your API Gateway is deployed as a private (VPC) endpoint, but that should be easy to add if you need it.
#
# You need aws cli v2, as v1 will only give you ~25% of all API Gateways.
# Tested on Ubuntu 20.04 with aws cli version aws-cli/1.18.48 Python/3.8.5 Linux/5.8.0-50-generic botocore/1.15.48 and
# macOS with aws cli version aws-cli/2.2.5 Python/3.8.8 Darwin/20.3.0 exe/x86_64 prompt/off
#
# Grab a lunch when you execute this. In my case it took 21 mins with a setup of 113 API Gateways and 117 resources with aws-cli v1 on a fast connection.
#
# Expected result from the command below is a new line for each publicly accessible resource with an apigw id, resource id and the specific HTTP method, e.g.
# APIGW XXXXXXX with RESOURCE ID XXXXXX and HTTP METHOD XXX IS PUBLIC AND NO API KEY
#
# Don't forget to update your aws profile below (three places, look for AWS-PROFILE-CHANGE-ME) and add --region if needed, as this will use the region in your aws config file.
#
# How it works: for every REST API, list its resources (only those that have methods), then call get-method for each
# HTTP method and flag the combination authorizationType NONE + apiKeyRequired false. get-method errors for methods a
# resource does not define are expected and are discarded. The "grep -A 1" relies on "apiKeyRequired" being printed on
# the line right after "authorizationType" in the CLI's JSON output.
aws --profile AWS-PROFILE-CHANGE-ME apigateway get-rest-apis | grep '"id":' | awk -F '"' '{print $4}' |
while read -r restApiId; do
  aws --profile AWS-PROFILE-CHANGE-ME apigateway get-resources --rest-api-id "$restApiId" | grep -B 4 resourceMethods | grep '"id":' | awk -F '"' '{print $4}' |
  while read -r resourceId; do
    # OPTIONS (not OPTION) is the real method name; HEAD and ANY are valid API Gateway methods as well
    for httpMethod in GET HEAD PATCH PUT OPTIONS DELETE POST ANY; do
      aws --profile AWS-PROFILE-CHANGE-ME apigateway get-method --rest-api-id "$restApiId" --resource-id "$resourceId" --http-method "$httpMethod" 2>/dev/null |
        grep -A 1 '"authorizationType": "NONE"' | grep -q '"apiKeyRequired": false' &&
        echo "APIGW $restApiId with RESOURCE ID $resourceId and HTTP METHOD $httpMethod IS PUBLIC AND NO API KEY"
    done
  done
done
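The same audit can be done with far fewer API calls and without depending on the line order of the CLI's JSON output. The Python below is an added example, not the gist's own code: it consumes the JSON that `aws apigateway get-resources --rest-api-id <id> --embed methods` returns (the `--embed methods` flag embeds each method's `authorizationType` and `apiKeyRequired` in the resource listing, so one call per API replaces the per-method `get-method` loop), applies the gist's NONE + no-API-key rule, and refuses to run on a listing fetched without `--embed`, which would otherwise make every method look protected. The `SAMPLE_RESOURCES` document and the script filename in the usage comment are constructed for this example; `run_cli_audit` shells out to the real CLI and is not exercised offline.

```python
"""Flag API Gateway REST API methods that require neither an authorizer nor an API key.

Added example, not the gist's own code. Input is the JSON produced by
`aws apigateway get-resources --rest-api-id <id> --embed methods`.
The SAMPLE_RESOURCES document below is constructed for this example.
"""
import json
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of a `get-resources --embed methods` response for one REST API.
SAMPLE_RESOURCES = """
{
  "items": [
    {"id": "abc123root", "path": "/",
     "resourceMethods": {
       "GET": {"httpMethod": "GET", "authorizationType": "AWS_IAM", "apiKeyRequired": false}
     }},
    {"id": "def456", "parentId": "abc123root", "pathPart": "orders", "path": "/orders",
     "resourceMethods": {
       "GET":     {"httpMethod": "GET",     "authorizationType": "NONE", "apiKeyRequired": false},
       "POST":    {"httpMethod": "POST",    "authorizationType": "NONE", "apiKeyRequired": true},
       "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE", "apiKeyRequired": false}
     }},
    {"id": "ghi789", "parentId": "abc123root", "pathPart": "health", "path": "/health"}
  ]
}
"""

Finding = Tuple[str, str, str]  # (resource id, resource path, HTTP method)


def load_resources(text: str) -> Dict:
    """Parse the CLI's JSON output for get-resources."""
    return json.loads(text)


def public_methods(resources_doc: Dict, skip_cors_preflight: bool = False) -> List[Finding]:
    """Return every method with authorizationType NONE and apiKeyRequired false.

    Without --embed methods the CLI prints each method as `"GET": {}`; such an
    entry has no authorizationType and would silently look safe, so reject it.
    """
    findings: List[Finding] = []
    for resource in resources_doc.get("items", []):
        for method, settings in sorted(resource.get("resourceMethods", {}).items()):
            if "authorizationType" not in settings:
                raise ValueError(
                    f"no method details for {resource['id']} {method}; "
                    "run get-resources with --embed methods"
                )
            if skip_cors_preflight and method == "OPTIONS":
                continue  # CORS preflight is normally unauthenticated by design
            if settings["authorizationType"] == "NONE" and not settings.get("apiKeyRequired", False):
                findings.append((resource["id"], resource.get("path", ""), method))
    return findings


def format_findings(rest_api_id: str, findings: List[Finding]) -> List[str]:
    """Render findings in the same shape as the gist's echo line, plus the resource path."""
    return [
        f"APIGW {rest_api_id} with RESOURCE ID {rid} and HTTP METHOD {method} ({path}) "
        "IS PUBLIC AND NO API KEY"
        for rid, path, method in findings
    ]


def run_cli_audit(profile: str, region: Optional[str] = None,
                  skip_cors_preflight: bool = False) -> List[str]:
    """Audit every REST API visible to the given profile via the AWS CLI (v2; not run offline)."""
    base = ["aws", "--profile", profile, "--output", "json"]
    if region:
        base += ["--region", region]
    apis = json.loads(subprocess.check_output(base + ["apigateway", "get-rest-apis"]))
    lines: List[str] = []
    for api in apis.get("items", []):
        doc = json.loads(subprocess.check_output(
            base + ["apigateway", "get-resources", "--rest-api-id", api["id"], "--embed", "methods"]))
        lines += format_findings(api["id"], public_methods(doc, skip_cors_preflight))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage (hypothetical filename): python apigw_public_audit.py <aws-profile> [region]
        print("\n".join(run_cli_audit(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)))
    else:  # offline demo on the constructed sample
        print("\n".join(format_findings("SAMPLE-API", public_methods(load_resources(SAMPLE_RESOURCES)))))
```

Run with no arguments to see the rule applied to the constructed sample (the `/orders` GET and OPTIONS are reported, the POST is not because it requires an API key, and the root GET is protected by AWS_IAM); pass a profile to audit real APIs. `skip_cors_preflight=True` drops OPTIONS methods, which are usually unauthenticated MOCK integrations for CORS and only add noise to the report.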