More Info:

The default execute-api endpoint (https://{api-id}.execute-api.{region}.amazonaws.com/{stage}) should be disabled on your Amazon API Gateway APIs. While it is enabled, anyone who learns the API ID can invoke the API directly, bypassing your custom domain name and any controls attached to it (for example a WAF or a CloudFront distribution in front of that domain). Disabling it ensures clients can reach the API only through the custom domain you control.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

  1. Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
  2. In the navigation pane, choose ‘APIs’.
  3. In the APIs pane, select the REST API you want to check.
  4. In the API's navigation pane, choose ‘API settings’ (labelled ‘Settings’ in the older console).
  5. Under ‘Default endpoint’, ‘Active’ (or ‘Enabled’) means the default execution endpoint is enabled; ‘Inactive’ (or ‘Disabled’) means it has been turned off. The ‘Invoke URL’ shown on the Stages page (https://{api-id}.execute-api.{region}.amazonaws.com/{stage}) is this default endpoint; it is displayed for every stage regardless of the setting, so it cannot be used on its own to tell whether the endpoint is enabled.
Using CLI

  1. Install and configure AWS CLI: Before you can use the AWS CLI, install it on your local system and configure it with your AWS account credentials by running the following commands: Installation:
    pip install awscli
    
    Configuration:
    aws configure
    
    You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
  2. List all the APIs: Once the AWS CLI is configured, list all the REST APIs in the current region by running the following command:
    aws apigateway get-rest-apis
    
    This command returns every REST API in the region. Each item carries a disableExecuteApiEndpoint field; if the field is absent, the default endpoint has never been disabled. The output is paginated, so follow the position token (or use --no-paginate) when you have many APIs.
  3. Check the default execution endpoint: For each API in the list, retrieve its settings by running the following command:
    aws apigateway get-rest-api --rest-api-id <rest-api-id>
    
    Replace <rest-api-id> with the id field of the API you want to check.
  4. Check if the default execution endpoint is enabled: In the output of the previous command, look at the disableExecuteApiEndpoint field. If it is false, or the field is missing, the default execution endpoint is enabled and the API can be invoked at https://<rest-api-id>.execute-api.<region>.amazonaws.com/<stage>. If it is true, the default endpoint is disabled. Note that this setting is a property of the API, not of a stage, so get-stages does not report it; the dataTraceEnabled field in stage output is an execution-logging setting unrelated to this check.
Using Python

  1. Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed; it provides the apigateway client used below.
pip install boto3
  2. Set up AWS credentials: Configure your AWS credentials, for example by setting the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and, for temporary credentials, AWS_SESSION_TOKEN, and AWS_DEFAULT_REGION for the region to audit. Boto3 reads these (or your ~/.aws/credentials profile) to authenticate.
  3. Write a Python script to list all the REST APIs and check whether the default execution endpoint is enabled:
import boto3

def check_default_execution_endpoint():
    client = boto3.client('apigateway')
    # get_rest_apis is paginated; a single call can miss APIs beyond the first page.
    paginator = client.get_paginator('get_rest_apis')

    for page in paginator.paginate():
        for item in page['items']:
            # The default endpoint is enabled unless disableExecuteApiEndpoint is
            # explicitly true; a missing key means it was never disabled.
            if not item.get('disableExecuteApiEndpoint', False):
                print(f"API Gateway {item['name']} ({item['id']}) has default execution endpoint enabled")

check_default_execution_endpoint()
This script prints the name and ID of every REST API in the configured region whose default execution endpoint is still enabled.
  4. Run the Python script: Save the script in a file, for example check_api_gateway.py, and run it with Python.
python check_api_gateway.py
If no such APIs are found, the script prints nothing.
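The CLI and Python steps above check REST APIs one field at a time. The following is an added example, not code from the original page or from AWS: it separates the check logic from the AWS calls so it can be exercised on constructed response pages without credentials, handles pagination and the missing-field case, covers HTTP and WebSocket APIs (the apigatewayv2 service, which exposes the same setting as DisableExecuteApiEndpoint) in addition to REST APIs, and emits the remediation command for each finding. The sample API IDs and names are constructed; the region and the helper names (audit_rest_apis, audit_v2_apis, fetch_findings) are this example's own.

```python
"""Audit the default execute-api endpoint across REST, HTTP and WebSocket APIs.

Added example. The audit_* functions take already-fetched response pages
(plain dicts shaped like the boto3 responses), so they run offline; fetch_findings()
wires them to boto3 for a live run. Assumed: boto3 installed and credentials
configured as in the steps above.
"""
import sys
from typing import Iterable, List


def default_endpoint_enabled(api: dict, key: str) -> bool:
    """The default endpoint is disabled only when the flag is explicitly true.
    A missing key (never disabled) or false means it is still reachable."""
    return api.get(key) is not True


def audit_rest_apis(pages: Iterable[dict], region: str) -> List[dict]:
    """pages: response pages from apigateway get_rest_apis (lowerCamelCase keys)."""
    findings = []
    for page in pages:
        for api in page.get("items", []):
            if default_endpoint_enabled(api, "disableExecuteApiEndpoint"):
                findings.append({
                    "type": "REST",
                    "id": api["id"],
                    "name": api.get("name", ""),
                    "endpoint": f"https://{api['id']}.execute-api.{region}.amazonaws.com",
                    "fix": (f"aws apigateway update-rest-api --rest-api-id {api['id']} "
                            "--patch-operations op=replace,path=/disableExecuteApiEndpoint,value=true"),
                })
    return findings


def audit_v2_apis(pages: Iterable[dict], region: str) -> List[dict]:
    """pages: response pages from apigatewayv2 get_apis (PascalCase keys)."""
    findings = []
    for page in pages:
        for api in page.get("Items", []):
            if default_endpoint_enabled(api, "DisableExecuteApiEndpoint"):
                findings.append({
                    "type": api.get("ProtocolType", "HTTP"),
                    "id": api["ApiId"],
                    "name": api.get("Name", ""),
                    "endpoint": f"https://{api['ApiId']}.execute-api.{region}.amazonaws.com",
                    "fix": (f"aws apigatewayv2 update-api --api-id {api['ApiId']} "
                            "--disable-execute-api-endpoint"),
                })
    return findings


def fetch_findings(region: str) -> List[dict]:
    """Live run: pull every page from both services. boto3 is imported here so the
    pure check functions above import and run without it."""
    import boto3  # assumed installed and configured
    rest = boto3.client("apigateway", region_name=region)
    v2 = boto3.client("apigatewayv2", region_name=region)

    rest_pages = rest.get_paginator("get_rest_apis").paginate()

    def v2_pages():  # apigatewayv2 get_apis pages with a NextToken cursor
        kwargs = {}
        while True:
            page = v2.get_apis(**kwargs)
            yield page
            if not page.get("NextToken"):
                return
            kwargs = {"NextToken": page["NextToken"]}

    return audit_rest_apis(rest_pages, region) + audit_v2_apis(v2_pages(), region)


# Constructed sample pages (not real AWS output) covering the three cases:
# flag false, flag true, and flag absent.
SAMPLE_REST_PAGES = [
    {"items": [
        {"id": "a1b2c3d4e5", "name": "orders-api", "disableExecuteApiEndpoint": False},
        {"id": "f6g7h8i9j0", "name": "billing-api", "disableExecuteApiEndpoint": True},
    ]},
    {"items": [
        {"id": "k1l2m3n4o5", "name": "legacy-api"},  # key absent: never disabled
    ]},
]
SAMPLE_V2_PAGES = [
    {"Items": [
        {"ApiId": "p6q7r8s9t0", "Name": "events-http", "ProtocolType": "HTTP",
         "DisableExecuteApiEndpoint": True},
        {"ApiId": "u1v2w3x4y5", "Name": "chat-ws", "ProtocolType": "WEBSOCKET"},
    ]},
]


if __name__ == "__main__":
    # Pass a region to audit the live account; with no argument, run on the samples.
    if len(sys.argv) > 1:
        results = fetch_findings(sys.argv[1])
    else:
        results = (audit_rest_apis(SAMPLE_REST_PAGES, "us-east-1")
                   + audit_v2_apis(SAMPLE_V2_PAGES, "us-east-1"))
    for f in results:
        print(f"{f['type']:<9} {f['id']} {f['name']}: default endpoint enabled at {f['endpoint']}")
        print(f"          fix: {f['fix']}")
```

Run it with no arguments to see the three constructed findings (orders-api, legacy-api and chat-ws), or with a region name to audit the account your credentials point at. Treating an absent flag as "enabled" matters: the setting defaults to enabled when an API is created, so a script that only flags an explicit false quietly passes older APIs that have never been touched.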

Additional Reading: