Default Execution Endpoint Should Not Be Enabled
More Info:
Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane, choose ‘APIs’.
- In the APIs pane, select the API you want to check.
- In the API details pane, choose ‘Stages’.
- In the Stages pane, select the stage you want to check. If the ‘Invoke URL’ ends with /{proxy}, the Default Execution Endpoint is enabled.
- Install and configure the AWS CLI: Before you can start using the AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands:
Installation:
pip install awscli
Configuration:
aws configure
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
- List all the APIs: Once the AWS CLI is configured, you can list all the APIs in your account by running the following command:
aws apigateway get-rest-apis
This command will return a list of all the REST APIs in your account.
- Check the default execution endpoint: For each API in the list, you can check the default execution endpoint by running the following command:
aws apigateway get-stages --rest-api-id <rest-api-id>
Replace <rest-api-id> with the ID of the API you want to check. This command will return a list of all the stages for the specified API.
- Check if the default execution endpoint is enabled: In the output of the previous command, look for the defaultRouteSettings field. If the dataTraceEnabled field is set to true, then the default execution endpoint is enabled. If it is set to false, then it is not enabled.
- Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc.
pip install boto3
- Set up AWS credentials: You need to configure your AWS credentials. You can do this by setting the following environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. The AWS SDK for Python uses these variables to authenticate your applications.
- Write a Python script to list all the APIs and check if the default execution endpoint is enabled:
import boto3

def check_default_execution_endpoint():
    client = boto3.client('apigateway')
    # get_rest_apis is paginated; walk every page so no API is missed
    paginator = client.get_paginator('get_rest_apis')
    for page in paginator.paginate():
        for item in page.get('items', []):
            # disableExecuteApiEndpoint=False (or absent) means the default
            # execute-api endpoint is still active for this REST API
            if not item.get('disableExecuteApiEndpoint', False):
                print(f"API Gateway {item['name']} has default execution endpoint enabled")

check_default_execution_endpoint()
This script will print the names of all API Gateways that have the default execution endpoint enabled.
- Run the Python script: Save the script in a file, for example, check_api_gateway.py, and then run it using Python.
python check_api_gateway.py
This will print out the names of all API Gateways where the default execution endpoint is enabled. If no such API Gateways are found, it will not print anything.
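A consolidated version of the CLI and Python steps above, added here as an example that is not part of the original page: it keeps the decision logic on the disableExecuteApiEndpoint attribute (the one the script above reads) separate from the boto3 calls so it can be checked offline against constructed data, and it builds the update_rest_api patch that turns the default endpoint off. The helper names and the SAMPLE_ITEMS data are assumptions; the boto3 methods and the /disableExecuteApiEndpoint patch path are the real API Gateway interfaces.

```python
# Added example, not the page's own script. Helper names are assumed;
# the boto3 calls and the /disableExecuteApiEndpoint patch path are real.

def apis_with_default_endpoint(items):
    """Return (id, name) for every REST API whose execute-api endpoint is on.
    A missing disableExecuteApiEndpoint attribute means enabled, so default to False."""
    return [(api["id"], api["name"]) for api in items
            if not api.get("disableExecuteApiEndpoint", False)]


def disable_default_endpoint_patch():
    """patchOperations for update_rest_api that turn the default endpoint off."""
    return [{"op": "replace", "path": "/disableExecuteApiEndpoint", "value": "true"}]


def list_rest_apis(client):
    """get_rest_apis is paginated; walk every page so no API is skipped."""
    items = []
    for page in client.get_paginator("get_rest_apis").paginate():
        items.extend(page.get("items", []))
    return items


def audit(region_name=None, remediate=False):
    """Report offending APIs; with remediate=True also disable their endpoint.
    Caveat: a disabled endpoint leaves the API reachable only through a custom
    domain name, so confirm one is attached before remediating."""
    import boto3  # imported here so the pure helpers run without boto3

    client = boto3.client("apigateway", region_name=region_name)
    findings = apis_with_default_endpoint(list_rest_apis(client))
    for api_id, name in findings:
        print(f"API Gateway {name} ({api_id}) has default execution endpoint enabled")
        if remediate:
            client.update_rest_api(restApiId=api_id,
                                   patchOperations=disable_default_endpoint_patch())
    return findings


# Constructed sample of get_rest_apis items for an offline check.
SAMPLE_ITEMS = [
    {"id": "a1b2c3", "name": "orders-api", "disableExecuteApiEndpoint": False},
    {"id": "d4e5f6", "name": "billing-api", "disableExecuteApiEndpoint": True},
    {"id": "g7h8i9", "name": "legacy-api"},  # attribute absent: endpoint enabled
]
```

Run audit() with valid credentials to list findings, and audit(remediate=True) only after confirming each flagged API has a custom domain name attached.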