Default Execution Endpoint Should Not Be Enabled

More Info:

Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands: Installation:
```
pip install awscli
```
Configuration:
```
aws configure
```
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
List all the APIs: Once the AWS CLI is configured, you can list all the APIs in your account by running the following command:
```
aws apigateway get-rest-apis
```
This command will return a list of all the REST APIs in your account.
Check the default execution endpoint: For each API in the list, you can check the default execution endpoint by running the following command:
```
aws apigateway get-stages --rest-api-id <rest-api-id>
```
Replace <rest-api-id> with the ID of the API you want to check. This command will return a list of all the stages for the specified API.
Check if the default execution endpoint is enabled: In the output of the previous command, look for the defaultRouteSettings field. If the dataTraceEnabled field is set to true, then the default execution endpoint is enabled. If it’s set to false, then it’s not enabled.

Using Python

Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc.

pip install boto3

Set up AWS credentials: You need to configure your AWS credentials. You can do this by setting the following environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. The AWS SDK for Python uses these variables to authenticate your applications.
Write a Python script to list all the APIs and check if the default execution endpoint is enabled:

import boto3

def check_default_execution_endpoint():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()

    for item in response['items']:
        if 'disableExecuteApiEndpoint' in item and item['disableExecuteApiEndpoint'] == False:
            print(f"API Gateway {item['name']} has default execution endpoint enabled")

check_default_execution_endpoint()

This script will print the names of all API Gateways that have the default execution endpoint enabled.

Run the Python script: Save the script in a file, for example, check_api_gateway.py, and then run it using Python.

python check_api_gateway.py

This will print out the names of all API Gateways where the default execution endpoint is enabled. If no such API Gateways are found, it will not print anything.

Additional Reading:

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Default Execution Endpoint Should Not Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading: