Amazon API Gateway

API Gateway Missing Private Endpoints

This AWS plug-in checks that API Gateway REST APIs use the Private endpoint type, so that they are reachable only through VPC endpoints and are not exposed to the public internet.

Risk Level: High

Description:

This AWS plug-in checks that API Gateway REST APIs use the Private endpoint type, so that they are reachable only through interface VPC endpoints (AWS PrivateLink) and are not exposed to the public internet. With a private endpoint, traffic between clients in your VPC and the API stays on the AWS network instead of traversing the public internet, and a resource policy attached to the API controls which VPC endpoints, in your own account or in other accounts you explicitly trust, are allowed to invoke it. Clients can then reach the API from within the Virtual Private Cloud without the API ever having a publicly resolvable, publicly routable hostname.

About the Service:

Amazon API Gateway is an AWS service that sits between clients and your backend services (Lambda functions, HTTP endpoints, other AWS services). It is used to create, deploy, and manage REST APIs, HTTP APIs and WebSocket APIs. The endpoint types examined by this check (Regional, Edge Optimized, Private) are a property of REST APIs; the Private endpoint type is not available for HTTP APIs or WebSocket APIs, which are always regional.

Impact:

Without a private endpoint, the API has a public hostname that anyone on the internet can reach. Access then depends entirely on the API's authorizers, resource policy and any WAF rules in front of it, and the API is exposed to unauthenticated scanning, enumeration and abuse. Traffic from clients inside your VPC leaves the VPC through an internet gateway or NAT to reach the public endpoint rather than staying on a private connection, and clients in VPCs without internet access (no internet gateway or NAT) cannot reach the API at all.

Steps to reproduce:

  • Sign-in to the AWS management console.
  • Navigate to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/
  • Open the API listing page by selecting APIs in the left navigation panel.
  • Choose the API you want to examine.
  • Within the Endpoint Configuration section, check the Endpoint Type attribute value. If the value is either of the following:
  • Regional (publicly accessible, deployed to the current region)
  • Edge Optimized (publicly accessible, deployed to the CloudFront network)

           the API is not private and is reachable from the public internet. Only an Endpoint Type of Private (reachable through interface VPC endpoints only) passes the check.
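The same check can be run across an account from the CLI output instead of clicking through each API in the console. The following is an added example, not part of the original plug-in: it takes the JSON returned by `aws apigateway get-rest-apis` and reports every REST API whose endpoint type is not PRIVATE. The embedded sample response, API IDs and names are constructed placeholders.

```python
"""Flag API Gateway REST APIs whose endpoint type is not PRIVATE.

Feed it the JSON from `aws apigateway get-rest-apis --output json`
(or boto3's apigateway.get_rest_apis()). The embedded sample below is
constructed for this example; the IDs and names are placeholders.
"""
import json
import sys
from typing import Dict, List

# Valid values of endpointConfiguration.types are REGIONAL, EDGE and PRIVATE.
# REGIONAL and EDGE both give the API a public hostname.
PUBLIC_TYPES = {"REGIONAL", "EDGE"}

# Constructed sample response, shaped like get-rest-apis output.
SAMPLE_GET_REST_APIS = json.dumps({
    "items": [
        {"id": "a1b2c3d4e5", "name": "orders-api",
         "endpointConfiguration": {"types": ["REGIONAL"]}},
        {"id": "f6g7h8i9j0", "name": "legacy-public",
         "endpointConfiguration": {"types": ["EDGE"]}},
        {"id": "k1l2m3n4o5", "name": "internal-admin",
         "endpointConfiguration": {"types": ["PRIVATE"],
                                   "vpcEndpointIds": ["vpce-0123456789abcdef0"]}},
    ]
})


def find_non_private_apis(get_rest_apis_json: str) -> List[Dict]:
    """Return one finding per REST API that is not PRIVATE.

    An API with no endpointConfiguration block is flagged as well: an
    unset type is not evidence of a private endpoint, so it is reported
    with types ["<unset>"] for a human to confirm.
    """
    findings = []
    for api in json.loads(get_rest_apis_json).get("items", []):
        types = set(api.get("endpointConfiguration", {}).get("types", []))
        if "PRIVATE" in types and not types & PUBLIC_TYPES:
            continue  # passes the check
        findings.append({
            "id": api["id"],
            "name": api.get("name", ""),
            "types": sorted(types) or ["<unset>"],
        })
    return findings


if __name__ == "__main__":
    # Usage: aws apigateway get-rest-apis --output json | python check_private_apis.py
    # With no piped input the constructed sample is used instead.
    raw = SAMPLE_GET_REST_APIS if sys.stdin.isatty() else sys.stdin.read()
    for f in find_non_private_apis(raw):
        print(f"HIGH  {f['id']}  {f['name']}  endpoint types: {','.join(f['types'])}")
```

On the constructed sample the script reports orders-api (REGIONAL) and legacy-public (EDGE) and stays silent on internal-admin (PRIVATE). Run it once per region, since REST APIs are regional resources and get-rest-apis only lists the region the CLI is configured for.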

 

Steps for remediation:

  • Sign-in to the AWS management console.
  • Navigate to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/
  • Open the API listing page by selecting APIs in the left navigation panel.
  • Choose the API you want to remediate.
  • Visit the Endpoint Configuration settings, click the Endpoint Type dropdown and select Private to change the selected API's endpoint type to private.
  • Create a resource policy and attach it to the selected API. A private API cannot be invoked until it has a resource policy; the policy should grant execute-api:Invoke only from your VPC endpoints (the aws:SourceVpce condition key) or from VPC endpoints in other AWS accounts that you explicitly trust. Within the API box, click the Configure Resource Policy link to open the resource policy page.
  • Click Save to apply the changes.
  • Deploy the API to its stage(s); the new endpoint type and resource policy do not take effect until the API is redeployed. Callers must then reach the API through an interface VPC endpoint for the execute-api service (com.amazonaws.<region>.execute-api) in their VPC.
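The resource policy is the part of this remediation that is most often done badly: an Allow for Principal "*" with no VPC endpoint condition does not restrict which VPC endpoints may call the API. The following is an added example, not the plug-in's own code: it builds the Allow-plus-explicit-Deny policy pattern scoped to named VPC endpoints, and checks any existing policy document for Allow statements that lack an aws:SourceVpce or aws:SourceVpc condition. The region, account ID, API ID and VPC endpoint IDs are constructed placeholders.

```python
"""Build and check the resource policy a PRIVATE REST API needs.

The Private endpoint type limits reachability to interface VPC endpoints;
the resource policy decides which endpoints may actually invoke the API.
Region, account ID, API ID and VPC endpoint IDs used below are
placeholders constructed for this example.
"""
import json
from typing import Dict, Iterable, List

# Condition keys that scope an Allow statement to a network origin.
VPC_SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}


def build_private_api_policy(region: str, account_id: str, api_id: str,
                             vpce_ids: Iterable[str]) -> Dict:
    """Allow execute-api:Invoke only from the listed VPC endpoints.

    The explicit Deny with StringNotEquals keeps the intent enforced even
    if a broader Allow statement is added to the policy later.
    """
    vpce_ids = sorted(set(vpce_ids))
    api_arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_ids}},
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}},
            },
        ],
    }


def unscoped_allow_statements(policy: Dict) -> List[int]:
    """Indices of Allow statements with no aws:SourceVpce / aws:SourceVpc condition.

    On a private API such a statement places no restriction on which VPC
    endpoints may call the API, which defeats the point of going private.
    """
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Condition is {operator: {key: value}}; collect every key, case-insensitively.
        keys = {key.lower()
                for operator_block in stmt.get("Condition", {}).values()
                for key in operator_block}
        if not keys & VPC_SCOPING_KEYS:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    policy = build_private_api_policy("us-east-1", "123456789012",
                                      "a1b2c3d4e5", ["vpce-0123456789abcdef0"])
    print(json.dumps(policy, indent=2))
    print("unscoped Allow statements:", unscoped_allow_statements(policy))
```

Paste the printed document into the Configure Resource Policy page, or apply it from the CLI with `aws apigateway update-rest-api --rest-api-id <id> --patch-operations op=replace,path=/policy,value='<json>'`. To audit an existing API, load the `policy` attribute returned by `aws apigateway get-rest-api` (it comes back as a JSON-encoded string, so decode it to a dict first) and pass it to `unscoped_allow_statements`; any index it returns is a statement to tighten. Remember to redeploy the API after changing the policy.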

  

References: