
APIGateway policy needs to be somewhat open to resources

Open SatinderSidhu opened this issue 1 year ago • 1 comment

Description

APIGateway policy needs to be somewhat open to resources

Use Case

As security is job zero, the API Gateway is mostly protected at companies by X-Ray tracing or by attaching a WAF to it, and this is enforced with AWS Config. Now, when AGC deploys an API Gateway for every context, AGC currently doesn't enable X-Ray tracing or WAF, so they start seeing compliance issues.

Proposed Solution

The APIGateway policy needs to be somewhat open to resources, as a gateway is deployed dynamically for each context, so the name of the resource is not known at IAM policy creation time. Having said that, I think the name always begins with Agc*, so we may be able to refine this.

SatinderSidhu avatar Oct 05 '22 13:10 SatinderSidhu

Follow-up with the customer found that the SecurityHub detection lies with the AGCPermissionsStack (https://github.com/aws/amazon-genomics-cli/tree/main/extras/agc-minimal-permissions), which is granting access to apigateway:*.

Currently, API Gateway resources deployed by AGC don't prefix the name of the resource with something predictable like "AGC", so the permissions stack cannot restrict the permissions to a resource name because it cannot know the name of the resource.

Investigating whether all of apigateway:* is needed. Certainly a lot will be needed to deploy, use and destroy a context.

markjschreiber avatar Oct 11 '22 22:10 markjschreiber
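The pattern the SecurityHub finding above points at is an Allow statement that grants a whole service's actions (`apigateway:*`) on every resource (`*`) with no condition. The following is an added example, not code from the AGC project or from either participant: a small linter over IAM policy documents that reports exactly that pattern, run against two constructed sample policies. The `SCOPED_POLICY` shows one way the same capability could be narrowed; its tag key `application` and value `agc` are assumptions for illustration, the page does not state that AGC tags its API Gateway resources this way.

```python
"""Added example (not AGC project code): flag IAM Allow statements that grant
'service:*' (or '*') on Resource '*' with no Condition. Sample policies are
constructed for this example and are not the real AGCPermissionsStack."""
import json
from typing import Any

# Constructed: an over-broad statement of the kind the comment above describes,
# alongside an unrelated, properly scoped statement that must not be flagged.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "apigateway:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::agc-bucket/*"},
    ],
})

# Constructed: the same capability scoped down. Creating a REST API is a POST on
# the /restapis collection; everything afterwards targets /restapis/<id>, whose
# id is not known in advance, so a tag condition is used instead of a name.
# The tag key "application" / value "agc" is an ASSUMPTION for illustration.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["apigateway:POST"],
            "Resource": "arn:aws:apigateway:us-east-1::/restapis",
            "Condition": {"StringEquals": {"aws:RequestTag/application": "agc"}},
        },
        {
            "Effect": "Allow",
            "Action": ["apigateway:GET", "apigateway:PATCH", "apigateway:DELETE"],
            "Resource": "arn:aws:apigateway:us-east-1::/restapis/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/application": "agc"}},
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_service_grants(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that grants a service-wide
    wildcard action on Resource '*' without any Condition.

    Each finding records the statement index, the offending action string and
    the service it belongs to ('*' when the action itself is the bare wildcard).
    """
    policy = json.loads(policy_json)
    findings: list[dict] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if stmt.get("Condition"):
            # A condition narrows the grant; it is not the unconditional
            # service-wide wildcard this check is looking for.
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(
                    {"statement": idx, "action": action, "service": service or "*"}
                )
    return findings


if __name__ == "__main__":
    for name, doc in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, wildcard_service_grants(doc))
```

Running the script reports the `apigateway:*` statement of `BROAD_POLICY` and nothing for `SCOPED_POLICY`. The linter deliberately ignores statements that carry a Condition; whether a given condition is tight enough is a separate review question.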