Only Private End-Points Should Access APIs
More Info:
Amazon API Gateway APIs should be accessible only through private API endpoints and must not be visible to the public Internet.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NISTCSF, PCIDSS
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the API Gateway service.
- In the API Gateway dashboard, select the API you want to inspect.
- In the API details page, select the “Resources” option from the left-hand side menu. This displays all the resources and methods associated with the selected API.
- For each method, click on the method request to view its settings. Under the “Settings” tab, check the “Endpoint Type” field. If it is set to “Edge Optimized” or “Regional”, the API is publicly accessible. If it is set to “Private”, the API can only be accessed from within your VPC or via a VPC endpoint.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.
- Once the AWS CLI is set up, list all the APIs in the API Gateway with the following command:
aws apigateway get-rest-apis
This command returns a list of all the APIs in the API Gateway.
- To check the endpoint configuration of an API, use the following command:
aws apigateway get-rest-api --rest-api-id {rest-api-id}
Replace {rest-api-id} with the ID of the API you want to check. This command returns the details of the API, including its endpoint configuration.
- To check if only private endpoints can access the API, look at the endpointConfiguration field in the output. If the types field under endpointConfiguration contains “PRIVATE”, then only private endpoints can access the API. If it contains “EDGE” or “REGIONAL”, then the API can be accessed from public endpoints.
- Import the AWS SDK for Python (Boto3) and create a client for the API Gateway service.
import boto3
client = boto3.client('apigateway')
- Fetch all the APIs in the API Gateway service. get_rest_apis returns at most 25 items per call, so use the paginator to collect every page rather than only the first one.
paginator = client.get_paginator('get_rest_apis')
apis = [api for page in paginator.paginate() for api in page['items']]
- For each API, read the endpoint configuration and check whether it is a private endpoint.
for api in apis:
    types = api['endpointConfiguration']['types']  # e.g. ['PRIVATE'], ['REGIONAL'] or ['EDGE']
    if 'PRIVATE' not in types:
        print(f"API {api['name']} ({api['id']}) is not a private endpoint: {types}")
- The script prints the name and ID of every API that is not a private endpoint. If nothing is printed, all APIs are private endpoints. Any API that is printed is reachable from public endpoints and is misconfigured.
Note: This script assumes that you have configured your AWS credentials correctly, either by setting the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, or by using the AWS CLI or AWS SDKs to configure your credentials.
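The following is an added example, not the page's own script, that separates the endpoint-type verdict from the AWS call so the check can be unit-tested offline against a constructed get-rest-apis response; it also surfaces APIs with a missing or empty types list as "unknown" instead of silently passing them, and the live audit function (an assumed helper named audit_account) paginates so accounts with more than 25 APIs are fully covered.

```python
from typing import Iterable

PUBLIC_TYPES = {"EDGE", "REGIONAL"}


def classify_api(api: dict) -> str:
    """Return 'private', 'public' or 'unknown' for one get-rest-apis item.

    Assumption: an item whose endpointConfiguration.types is missing or empty
    is reported as 'unknown' so it is flagged for manual review.
    """
    types = api.get("endpointConfiguration", {}).get("types") or []
    if not types:
        return "unknown"
    # Any public type present means the API is reachable from the Internet.
    if PUBLIC_TYPES & set(types):
        return "public"
    return "private" if "PRIVATE" in types else "unknown"


def find_misconfigured(apis: Iterable[dict]) -> list[dict]:
    """Collect every API that is not confirmed private, with id, name and verdict."""
    findings = []
    for api in apis:
        verdict = classify_api(api)
        if verdict != "private":
            findings.append({"id": api.get("id"), "name": api.get("name"), "verdict": verdict})
    return findings


def audit_account(region: str = "us-east-1") -> list[dict]:
    """Live check (assumed helper): paginate get_rest_apis and classify each API.
    boto3 is imported lazily so the pure functions above run without it installed."""
    import boto3
    client = boto3.client("apigateway", region_name=region)
    paginator = client.get_paginator("get_rest_apis")
    items = (api for page in paginator.paginate() for api in page.get("items", []))
    return find_misconfigured(items)


# Constructed sample mirroring the shape of `aws apigateway get-rest-apis` output.
SAMPLE_APIS = [
    {"id": "a1b2c3", "name": "orders-internal",
     "endpointConfiguration": {"types": ["PRIVATE"], "vpcEndpointIds": ["vpce-0123456789abcdef0"]}},
    {"id": "d4e5f6", "name": "public-site", "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "g7h8i9", "name": "legacy-edge", "endpointConfiguration": {"types": ["EDGE"]}},
    {"id": "j0k1l2", "name": "odd-one", "endpointConfiguration": {}},
]

if __name__ == "__main__":
    for f in find_misconfigured(SAMPLE_APIS):
        print(f"API {f['name']} ({f['id']}) is not a private endpoint: {f['verdict']}")
```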