
AWS API Gateway Not Private

Updated: April 3, 2026

Finding type: Findings / Design Based Findings / API Finding

Description

Severity: Low

An API Gateway that is configured as a private API has an IAM (resource) policy attached that allows public access, which undermines the intent of making the API private.

Remediation

Review the IAM (resource) policy attached to the API Gateway and update it so that access is restricted appropriately, rather than granted to any principal without restriction.
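As an added example (not FireTail's own detection logic, which this page does not describe), the following Python script shows the weak resource-policy shape this finding points at beside the corrected form, and a small heuristic check that flags an Allow statement granting access to any principal when nothing ties that access to a VPC source. The sample policies, the account ID, the API ID and the VPC endpoint ID are constructed; the condition keys aws:SourceVpce, aws:SourceVpc and aws:VpcSourceIp are the documented API Gateway condition keys for restricting access by VPC origin, and the Deny-then-Allow layout of the corrected policy follows the pattern AWS documents for private APIs.

```python
import json
from typing import Any

# Condition keys that tie execute-api access to a VPC source. Using one of these is what
# distinguishes a genuinely private policy from one that merely says Principal "*".
VPC_CONDITION_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:vpcsourceip"}

# Constructed sample: the weak shape. Principal "*" with no condition means any caller
# who can reach the endpoint may invoke the API.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*",
    }],
})

# Constructed sample: the corrected shape. Private APIs reached through an interface
# endpoint still use Principal "*", so the restriction is expressed as an explicit Deny
# for every request that does not originate from the expected VPC endpoint.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*",
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """True when the Principal element matches any caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_keys(statement: dict) -> set:
    """Lower-cased condition keys used anywhere in the statement's Condition block."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def public_allow_statements(policy_json: str) -> list:
    """Allow statements that grant any principal access without a VPC-scoped condition."""
    policy = json.loads(policy_json)
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and _is_public_principal(stmt.get("Principal"))
        and not (_condition_keys(stmt) & VPC_CONDITION_KEYS)
    ]


def has_vpc_scoped_deny(policy_json: str) -> bool:
    """True when a Deny for any principal is conditioned on a VPC source key, i.e. the
    policy carries the "deny everything not from my endpoint" guard."""
    policy = json.loads(policy_json)
    return any(
        stmt.get("Effect") == "Deny"
        and _is_public_principal(stmt.get("Principal"))
        and (_condition_keys(stmt) & VPC_CONDITION_KEYS)
        for stmt in _as_list(policy.get("Statement"))
    )


def is_private_api_publicly_reachable(policy_json: str) -> bool:
    """Heuristic for this finding: an unconditioned public Allow exists and no
    VPC-scoped Deny narrows it. This is an illustration, not the platform's exact rule."""
    return bool(public_allow_statements(policy_json)) and not has_vpc_scoped_deny(policy_json)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "publicly reachable:", is_private_api_publicly_reachable(policy))
```

The check deliberately treats Principal "*" as acceptable only when a VPC condition appears somewhere in the policy, because a private REST API invoked through an interface VPC endpoint cannot avoid the wildcard principal; the restriction has to live in the condition. A real review should also confirm that the VPC endpoint named in the policy is the one actually deployed and that no other Allow statement covers a broader resource.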
