AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Default Execution Endpoint Should Not Be Enabled
More Info:
Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
Sure, here are the steps to remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using the AWS console:
-
Log in to your AWS console and navigate to the AWS Lambda service.
-
From the list of functions, select the function that has the default execution endpoint enabled.
-
Click on the “Configuration” tab for the selected function.
-
In the “General configuration” section, scroll down to the “Network” section.
-
Under the “Network” section, you will see an option called “VPC”. Click on the “Edit” button next to it.
-
In the “VPC configuration” section, you will see an option called “Default execution endpoint”. Ensure that this option is set to “Disabled”.
-
If the “Default execution endpoint” option is enabled, click on the “Disable” button to disable it.
-
Once you have disabled the “Default execution endpoint” option, click on the “Save” button to save the changes.
-
Verify that the changes have been applied by testing the function.
By following these steps, you should be able to remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using the AWS console.
To remediate the misconfiguration “Default Execution Endpoint Should Not Be Enabled” in AWS using AWS CLI, you can follow the below steps:
-
Open the AWS CLI on your local machine or on the EC2 instance.
-
Run the following command to disable the default execution endpoint:
aws sagemaker update-notebook-instance --notebook-instance-name <instance-name> --default-code-repository none
Replace
<instance-name>
with the name of the notebook instance that you want to update. -
After running the above command, verify that the default execution endpoint is disabled by running the following command:
aws sagemaker describe-notebook-instance --notebook-instance-name <instance-name> --query 'DefaultCodeRepository'
If the output of the above command is
null
, then the default execution endpoint has been successfully disabled. -
Repeat the above steps for all the notebook instances in your AWS account to remediate the misconfiguration “Default Execution Endpoint Should Not Be Enabled” in AWS.
To remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) using the following command:
pip install boto3
- Create a Boto3 client for AWS Lambda:
import boto3
client = boto3.client('lambda')
- Use the
update_function_configuration()
method to disable the default execution endpoint:
response = client.update_function_configuration(
FunctionName='your-function-name',
CodeSigningConfigArn='arn:aws:lambda:us-west-2:123456789012:code-signing-config:MyCodeSigningConfig',
Description='Sample function',
Environment={
'Variables': {
'KEY1': 'VALUE1',
'KEY2': 'VALUE2',
}
},
Handler='index.handler',
Layers=[
'arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1',
],
MemorySize=128,
Role='arn:aws:iam::123456789012:role/service-role/lambda-role',
Runtime='python3.8',
Timeout=123,
TracingConfig={
'Mode': 'Active',
},
VpcConfig={
'SubnetIds': [
'subnet-1234abcd',
'subnet-5678efgh',
],
'SecurityGroupIds': [
'sg-1234abcd',
]
},
**{'DefaultExecutionEndpoint': False}**
)
-
Replace the
FunctionName
parameter with the name of your Lambda function. -
The
DefaultExecutionEndpoint
parameter is set toFalse
to disable the default execution endpoint. -
Once you have updated the function configuration, you can verify that the default execution endpoint has been disabled by checking the function configuration using the
get_function_configuration()
method:
response = client.get_function_configuration(
FunctionName='your-function-name'
)
print(response['DefaultExecutionEndpoint'])
This will return False
if the default execution endpoint has been disabled.