```bash
API_ID="your-api-id"
RESOURCE_ID="your-resource-id"
HTTP_METHOD="GET"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"
LAMBDA_ROLE_ARN="arn:aws:iam::account-id:role/lambda-role"

# Add a new integration to the API Gateway REST API
aws apigateway put-integration \
  --rest-api-id "$API_ID" \
  --resource-id "$RESOURCE_ID" \
  --http-method "$HTTP_METHOD" \
  --type AWS_PROXY \
  --integration-http-method POST \
  --uri "arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations" \
  --credentials "$LAMBDA_ROLE_ARN"

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name Prod
```
```bash
API_ID="your-api-id"
AUTHORIZER_ID="your-authorizer-id"
LAMBDA_FUNCTION_ARN="arn:aws:lambda:region:account-id:function:function-name"

# Update the API Gateway authorizer
# (update-authorizer takes --patch-operations; the authorizer URI is replaced via the /authorizerUri path)
aws apigateway update-authorizer \
  --rest-api-id "$API_ID" \
  --authorizer-id "$AUTHORIZER_ID" \
  --patch-operations "op=replace,path=/authorizerUri,value=arn:aws:apigateway:region:lambda:path/2015-03-31/functions/$LAMBDA_FUNCTION_ARN/invocations"

# Create a deployment for the updated API Gateway REST API
aws apigateway create-deployment --rest-api-id "$API_ID" --stage-name Prod
```
Potential impact: bypassing security checks and gaining unauthorized access to API resources.
apigateway:UpdateVpcLink
Needs testing
An attacker with the apigateway:UpdateVpcLink permission can modify an existing VPC link to point at a different Network Load Balancer, redirecting private API traffic to unauthorized or malicious resources.
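Detection logic for the three calls this section covers (PutIntegration, UpdateAuthorizer, UpdateVpcLink), written here as an added example and not taken from the page: it scans constructed CloudTrail-like records and flags the changes that rewire where API Gateway sends traffic or which Lambda authorizes requests. The record shape (flat `requestParameters` with a `patchOperations` list) is a simplified assumption; real CloudTrail entries nest these fields differently, so adapt the paths.

```python
import json

# Constructed sample records in a simplified CloudTrail-like shape (assumption:
# real API Gateway events nest requestParameters differently; adjust accordingly).
SAMPLE_EVENTS = [
    {"eventSource": "apigateway.amazonaws.com", "eventName": "UpdateVpcLink",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {"vpcLinkId": "abc123", "patchOperations": [
         {"op": "replace", "path": "/targetArns/0",
          "value": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/other-nlb/1a2b3c"}]}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "UpdateAuthorizer",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {"restApiId": "r1", "authorizerId": "a1", "patchOperations": [
         {"op": "replace", "path": "/authorizerUri",
          "value": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
                   "arn:aws:lambda:us-east-1:111122223333:function:replacement-fn/invocations"}]}},
    {"eventSource": "apigateway.amazonaws.com", "eventName": "PutIntegration",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"restApiId": "r1", "resourceId": "res1", "httpMethod": "GET",
                           "type": "AWS_PROXY", "credentials": "arn:aws:iam::111122223333:role/lambda-role"}},
    # Read-only call: must not produce a finding.
    {"eventSource": "apigateway.amazonaws.com", "eventName": "GetRestApis",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-user"},
     "requestParameters": {}},
]

# Patch paths that change routing (VPC link target) or authorization (authorizer Lambda / type).
SENSITIVE_PATHS = {"UpdateVpcLink": ("/targetArns",),
                   "UpdateAuthorizer": ("/authorizerUri", "/type", "/providerARNs")}

def find_routing_or_auth_changes(events):
    """Return one finding per event that rewires traffic or auth; skip read-only calls."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "apigateway.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if name == "PutIntegration":
            # Any new integration matters: it binds a backend and an execution role to a route.
            findings.append({"event": name, "actor": actor,
                             "detail": f"{params.get('type')} integration, credentials={params.get('credentials')}"})
        elif name in SENSITIVE_PATHS:
            for op in params.get("patchOperations", []):
                if any(op.get("path", "").startswith(p) for p in SENSITIVE_PATHS[name]):
                    findings.append({"event": name, "actor": actor,
                                     "detail": f"{op.get('op')} {op.get('path')} -> {op.get('value')}"})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_routing_or_auth_changes(SAMPLE_EVENTS), indent=2))
```

Pair the findings with a follow-up `create-deployment` on the same API, since none of these changes takes effect for callers until a deployment is created.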