Only Private End-Points Should Access APIs
More Info:
Amazon API Gateway APIs should be accessible only through private API endpoints and must not be visible to the public Internet.
Risk Level: Medium
Address: Security
Compliance Standards: SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Only Private End-Points Should Access APIs” in AWS, you can follow the steps below:
- Log in to your AWS Console.
- Navigate to the Amazon API Gateway service.
- Select the API that you want to remediate.
- Click on the “Settings” tab.
- Under the “Endpoint Type” section, select the “Private” option.
- If you have not already created a VPC endpoint for the API Gateway, create one by clicking on the “Create VPC Link” button.
- In the “Create VPC Link” dialog box, select the VPC that you want to use for the endpoint.
- Choose the security groups that will be associated with the VPC endpoint.
- Click on the “Create” button.
- Once the VPC endpoint is created, go back to the API Gateway “Settings” tab.
- Under the “Endpoint Configuration” section, select the VPC endpoint that you just created.
- Click on the “Save Changes” button.
- Test the API to ensure that it is only accessible through the private endpoint.
By following these steps, you have remediated the misconfiguration “Only Private End-Points Should Access APIs” in AWS.
To remediate the misconfiguration “Only Private End-Points Should Access APIs” for AWS using the AWS CLI, follow the steps below:
- Identify the APIs that are publicly accessible by running the following command:
aws apigateway get-rest-apis --query "items[?endpointConfiguration.types[0]!='PRIVATE'].name"
This command lists all the APIs that are publicly accessible via the internet. Both the EDGE and the REGIONAL endpoint types are internet-facing, so the filter matches any endpoint type other than PRIVATE rather than EDGE alone.
- For each of the APIs identified in step 1, update the endpoint configuration to make it private by running the following command:
aws apigateway update-rest-api --rest-api-id <rest-api-id> --patch-operations op=replace,path=/endpointConfiguration/types/0,value=PRIVATE
Replace <rest-api-id> with the ID of the API that you want to update.
- Verify that the endpoint configuration has been updated by running the following command:
aws apigateway get-rest-api --rest-api-id <rest-api-id> --query "endpointConfiguration.types"
This command returns the endpoint configuration of the API. Verify that the first element in the array is “PRIVATE”.
- Repeat steps 2 and 3 for all the APIs that were identified in step 1.
- Once you have updated all the APIs, verify that they are no longer publicly accessible by running the following command:
aws apigateway get-rest-apis --query "items[?endpointConfiguration.types[0]!='PRIVATE'].name"
This command should not return any APIs.
To remediate the misconfiguration “Only Private End-Points Should Access APIs” in AWS using Python, you can follow the below steps:
Step 1: Identify the APIs which are not restricted to private endpoints only.
Step 2: For each API, check if it is currently accessible from a public endpoint.
Step 3: If the API is accessible from a public endpoint, restrict its access to private endpoints only.
Step 4: To restrict the access of an API to private endpoints only, you can use the following Python code:
import boto3

# Create a boto3 client for the API Gateway service
apigateway = boto3.client('apigateway')

# Get the ID of the API which you want to restrict to private endpoints only
api_id = 'your_api_id'

# Get the current settings of the API
response = apigateway.get_rest_api(restApiId=api_id)

# Check if the API is currently accessible from a public endpoint
# (both EDGE and REGIONAL endpoint types are internet-facing; only PRIVATE is not)
if response['endpointConfiguration']['types'][0] != 'PRIVATE':
    # If the API is accessible from a public endpoint, restrict its access to private endpoints only
    apigateway.update_rest_api(
        restApiId=api_id,
        patchOperations=[
            {
                'op': 'replace',
                'path': '/endpointConfiguration/types/0',
                'value': 'PRIVATE'
            }
        ]
    )
Step 5: Run this code for all the APIs which are not restricted to private endpoints only.
By following these steps, you can remediate the misconfiguration “Only Private End-Points Should Access APIs” in AWS using Python.
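As an added example (not code from the original page), the following audits a constructed `get_rest_apis` response offline: it flags both EDGE and REGIONAL APIs as public, covering the REGIONAL case the CLI and Python steps above would miss with an EDGE-only check, and it also flags PRIVATE APIs whose resource policy grants no VPC endpoint access, because such an API cannot be invoked at all after the endpoint type is switched. The API IDs, names and VPC endpoint ID are made up; in practice `SAMPLE_ITEMS` is replaced by the paginated `items` from `boto3.client('apigateway').get_rest_apis()`.

```python
import json

# Constructed sample shaped like the "items" list returned by
# `aws apigateway get-rest-apis` / boto3 get_rest_apis(); IDs are made up.
SAMPLE_ITEMS = [
    {"id": "a1b2c3d4e5", "name": "orders-edge",
     "endpointConfiguration": {"types": ["EDGE"]}},
    {"id": "f6g7h8i9j0", "name": "billing-regional",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "k1l2m3n4o5", "name": "internal-private",
     "endpointConfiguration": {"types": ["PRIVATE"],
                               "vpcEndpointIds": ["vpce-0123456789abcdef0"]},
     "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})},
    {"id": "p6q7r8s9t0", "name": "legacy-private-no-policy",
     "endpointConfiguration": {"types": ["PRIVATE"]}},
]

def policy_allows_vpce(api):
    """True if an Allow statement in the resource policy is conditioned on a VPC endpoint.
    A PRIVATE API without such a statement cannot be invoked from anywhere."""
    raw = api.get("policy")
    if not raw:
        return False
    for stmt in json.loads(raw).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for values in stmt.get("Condition", {}).values():
            if any(key.lower() == "aws:sourcevpce" for key in values):
                return True
    return False

def audit(items):
    """Return (id, name, reason) for every API that violates the control."""
    findings = []
    for api in items:
        types = api.get("endpointConfiguration", {}).get("types", [])
        if "PRIVATE" not in types:  # EDGE and REGIONAL are both internet-facing
            findings.append((api["id"], api["name"], "public endpoint type " + ",".join(types)))
        elif not policy_allows_vpce(api):
            findings.append((api["id"], api["name"],
                             "PRIVATE but resource policy grants no VPC endpoint access"))
    return findings

def patch_to_private(api):
    """Keyword arguments for apigateway.update_rest_api(**patch_to_private(api))."""
    return {"restApiId": api["id"], "patchOperations": [
        {"op": "replace", "path": "/endpointConfiguration/types/0", "value": "PRIVATE"}]}
```

Run `audit(...)` before and after remediation; the second run should report only APIs still missing a VPC endpoint resource policy, which the endpoint type change alone does not fix.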