
API Gateway Private Endpoints

Security

Risk level: Medium (should be achieved)

Ensure that your Amazon API Gateway REST APIs are accessible only through private API endpoints and are not exposed to the public Internet. An API whose endpoint type is Private can be reached only from within a VPC, through an interface VPC endpoint for the execute-api service, and only if the API's resource policy permits that endpoint.

With this configuration, traffic to your API Gateway APIs stays on the Amazon network and never traverses the public Internet. Private endpoints give your REST APIs the full API Gateway feature set while connecting them securely to the other AWS services and resources inside your Virtual Private Cloud (VPC).

Audit

To determine if your Amazon API Gateway APIs are using private endpoints, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine, then check the Endpoint Type configuration attribute value, available within the Endpoint Configuration section. If the attribute value is set to Regional (publicly accessible and deployed to the current region) or Edge Optimized (publicly accessible and deployed to a CloudFront network), the selected Amazon API Gateway API is not private, therefore the API is visible to the public Internet.

05 Repeat step no. 4 to check the endpoint type for other AWS API Gateway APIs available in the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available within the selected AWS region:

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  abcdabcdac  |
|  aaaabbbbab  |
|  aabbccddaa  |
+--------------+

03 Run get-rest-api command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to obtain the endpoint type for the selected API:

aws apigateway get-rest-api
	--region us-east-1
	--rest-api-id abcdabcdac
	--query 'endpointConfiguration.types'

04 The command output should return the endpoint type configured for the selected API:

[
   "REGIONAL"
]

If the get-rest-api command output returns "REGIONAL" (deployed to the current AWS region and accessible via Internet) or "EDGE" (deployed to a CloudFront distribution network and accessible through the Internet), the selected Amazon API Gateway API is publicly accessible.

05 Repeat step no. 3 and 4 to determine the endpoint type for other AWS API Gateway APIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
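The audit above issues one get-rest-api call per API. The items that get-rest-apis returns already carry the endpointConfiguration attribute, so a whole region can be checked from a single call. The script below is an added example (not part of the original rule page or of any Cloud Conformity tooling): it reads the JSON printed by `aws apigateway get-rest-apis` on stdin, flags every API whose endpoint type is not PRIVATE, and exits non-zero when it finds one so it can gate a pipeline. The embedded SAMPLE_OUTPUT is constructed for illustration; the API IDs reuse the ones shown in the audit steps and the names are made up.

```python
"""Audit helper: flag every API Gateway REST API whose endpoint type is not PRIVATE.

Usage (reads the JSON that get-rest-apis prints; falls back to the constructed
sample below when stdin is a terminal):
    aws apigateway get-rest-apis --region us-east-1 --output json | python3 audit_private_apis.py
"""
import json
import sys

# Constructed sample shaped like the `items` list of `aws apigateway get-rest-apis`;
# the IDs match the ones used in the audit steps above, the names are made up.
SAMPLE_OUTPUT = {
    "items": [
        {"id": "abcdabcdac", "name": "Project5API",
         "endpointConfiguration": {"types": ["REGIONAL"]}},
        {"id": "aaaabbbbab", "name": "PartnerAPI",
         "endpointConfiguration": {"types": ["EDGE"]}},
        {"id": "aabbccddaa", "name": "InternalAPI",
         "endpointConfiguration": {"types": ["PRIVATE"]}},
    ]
}

EXPOSURE = {
    "REGIONAL": "publicly reachable in the API's region",
    "EDGE": "publicly reachable through the CloudFront edge network",
}


def endpoint_type(api):
    """Return the single endpoint type of a REST API, or 'UNKNOWN' if absent."""
    types = api.get("endpointConfiguration", {}).get("types") or []
    return types[0] if types else "UNKNOWN"


def find_public_apis(get_rest_apis_output):
    """Return (id, name, endpoint_type) for every API that is not PRIVATE.

    Anything other than PRIVATE is reported: REGIONAL and EDGE are Internet-facing,
    and a missing type is flagged rather than silently passed.
    """
    findings = []
    for api in get_rest_apis_output.get("items", []):
        etype = endpoint_type(api)
        if etype != "PRIVATE":
            findings.append((api["id"], api.get("name", ""), etype))
    return findings


def main():
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_public_apis(data)
    for api_id, name, etype in findings:
        detail = EXPOSURE.get(etype, "endpoint type not reported")
        print(f"NON-COMPLIANT {api_id} ({name}): {etype}: {detail}")
    if not findings:
        print("All REST APIs in this region use the PRIVATE endpoint type")
    # Non-zero exit lets the script act as a gate in CI or a scheduled job.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it once per region by changing the --region value of the piped command; the region loop of the audit steps still applies.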

Remediation / Resolution

To change your Amazon API Gateway APIs endpoint type so these can be accessible only through private VPC endpoints, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on the API settings button (gear icon) to enter the configuration edit mode.

05 In the Endpoint Configuration section, select Private from the Endpoint Type dropdown list to change the selected API endpoint type to private.

06 Before your private API can be accessed, you have to create a resource policy and attach it to the selected API. This policy should grant access to the API from your VPC endpoints or from VPC endpoints available in other AWS accounts that you explicitly grant access. Within the API box, click on the Configure Resource Policy link to open the resource policy page.

07 On the Resource Policy page, paste the following API resource policy template. Placeholders are written in double curly braces; replace each one with your own configuration information:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:::/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:::/*"
            ],
            "Condition" : {
                "StringNotEquals": {
                    "aws:SourceVpce": "{{vpce-id}}"
                }
            }
        }
    ]
}

Replace {{vpce-id}} (including the curly braces) with the ID of your own interface VPC endpoint. If you don't have a VPC endpoint already created, follow the steps outlined in this conformity rule to create one. The Allow statement on its own would admit requests arriving through any execute-api VPC endpoint, including endpoints in other AWS accounts; it is the Deny statement with the aws:SourceVpce condition that limits callers to the endpoint you list, because an explicit Deny always overrides an Allow.

08 Click Save to apply the resource policy to the selected API, then deploy the API again (Actions > Deploy API) so that the new endpoint type and resource policy take effect on its stages.

09 If required, repeat steps no. 4 – 8 to change the endpoint type for other Amazon API Gateway APIs available within the current region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run update-rest-api command (OSX/Linux/UNIX) using the ID of the API that you want to reconfigure as identifier (see Audit section part II to identify the right API resource) to change the selected API endpoint type to private. The last segment of the patch path must be the API's current endpoint type (REGIONAL in the example below). An edge-optimized API cannot be switched straight to PRIVATE: change it to REGIONAL first (path=/endpointConfiguration/types/EDGE,value=REGIONAL) and then run the command below:

aws apigateway update-rest-api
	--region us-east-1
	--rest-api-id abcdabcdac
	--patch-operations op=replace,path=/endpointConfiguration/types/REGIONAL,value=PRIVATE

02 The command output should return the request metadata:

{
    "description": "Cloud Conformity Project 5 REST API created with Amazon API Gateway.",
    "createdDate": 1541064067,
    "endpointConfiguration": {
        "types": [
            "PRIVATE"
        ]
    },
    "id": "abcdabcdac",
    "name": "Project5API"
}

03 Before your private API can be accessed, you have to create a resource policy for it. This policy should grant access to the API from your VPC endpoints or from VPC endpoints available in other AWS accounts that you explicitly grant access. To apply the required resource policy to the selected Amazon API Gateway API, execute update-rest-api command (OSX/Linux/UNIX) as shown in the example below. Placeholders are written in double curly braces; replace {{vpce-id}} (including the curly braces) with the ID of your own interface VPC endpoint. If there is no VPC endpoint already created within your AWS account, follow the steps presented in this conformity rule to create one:

aws apigateway update-rest-api
	--region us-east-1
	--rest-api-id abcdabcdac
	--patch-operations op=replace,path=/policy,value='{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:::/*\"},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:::/*\",\"Condition\":{\"StringNotEquals\":{\"aws:SourceVpce\":\"{{vpce-id}}\"}}}]}'

04 The command output should return the reconfigured API metadata:

{
    "description": "Cloud Conformity Project 5 REST API created with Amazon API Gateway.",
    "createdDate": 1541064067,
    "endpointConfiguration": {
        "types": [
            "PRIVATE"
        ]
    },
    "id": "abcdabcdac",
    "name": "Project5API"
}

05 Deploy the API again (run create-deployment with the name of each stage) so that the new endpoint type and resource policy take effect on the deployed stages. If required, repeat steps no. 1 – 5 to change the endpoint type for other Amazon API Gateway APIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
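The resource policy in the console and CLI remediation steps above is the same Allow-then-Deny pattern, and the CLI form is awkward to get right because the whole policy has to be escaped into the shorthand --patch-operations syntax. The script below is an added example (not part of the original rule page or of any Cloud Conformity tooling). It builds that policy for one or more VPC endpoint IDs, checks whether an existing policy (for example the `policy` attribute returned by get-rest-api) actually pins the API to the endpoints you expect, and writes the patch-operations document so the policy can be applied with `aws apigateway update-rest-api --rest-api-id <id> --patch-operations file://policy-patch.json`, with no shell escaping at all. The endpoint ID vpce-0123456789abcdef0 is constructed for illustration, and the default resource string "execute-api:/*" is the abbreviated resource form API Gateway accepts in resource policies, where the page's template uses a full execute-api ARN.

```python
"""Build the VPC-endpoint-pinned resource policy for a private REST API, check an
existing policy for the same restriction, and emit the patch-operations document
for `aws apigateway update-rest-api --patch-operations file://policy-patch.json`.
"""
import json

INVOKE = "execute-api:Invoke"


def _as_list(value):
    """Normalise the string-or-list values that IAM policy documents allow."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_private_api_policy(vpce_ids, resource="execute-api:/*"):
    """Allow Invoke from any principal, then Deny every request that did not
    arrive through one of vpce_ids. An explicit Deny overrides the Allow, so
    the net effect is: only the listed interface endpoints can call the API.
    `resource` defaults to the abbreviated form API Gateway accepts in resource
    policies; the rule page's template uses a full execute-api ARN instead.
    """
    ids = sorted(set(vpce_ids))
    if not ids:
        raise ValueError("at least one VPC endpoint ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": INVOKE, "Resource": resource},
            {"Effect": "Deny", "Principal": "*", "Action": INVOKE, "Resource": resource,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": ids}}},
        ],
    }


def policy_restricts_to_vpce(policy, allowed_vpce_ids):
    """True if the policy denies Invoke for every request whose aws:SourceVpce is
    not in allowed_vpce_ids. A Deny that names an endpoint outside that set
    (for example one belonging to another account) counts as a failure,
    because that endpoint would be let through. An Allow with no such Deny
    admits any execute-api endpoint and therefore also fails."""
    allowed = set(allowed_vpce_ids)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action"))
        if not ({INVOKE, "execute-api:*", "*"} & set(actions)):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        pinned = set(_as_list(cond.get("aws:SourceVpce")))
        if pinned and pinned <= allowed:
            return True
    return False


def to_patch_operations(policy):
    """Patch document for --patch-operations file://...: the policy travels as a
    JSON-encoded string in `value`, which avoids the backslash escaping that the
    inline shorthand form needs."""
    return [{"op": "replace", "path": "/policy", "value": json.dumps(policy)}]


if __name__ == "__main__":
    # Constructed endpoint ID; replace it with the ID of your own interface endpoint.
    my_vpce = ["vpce-0123456789abcdef0"]
    policy = build_private_api_policy(my_vpce)
    assert policy_restricts_to_vpce(policy, my_vpce)
    with open("policy-patch.json", "w") as fh:
        json.dump(to_patch_operations(policy), fh, indent=2)
    print(json.dumps(policy, indent=2))
```

To verify an API that is already private, load the `policy` attribute from `aws apigateway get-rest-api --rest-api-id <id> --query policy` (it is returned as a JSON string, so json.loads it first) and pass it to policy_restricts_to_vpce with the endpoint IDs you own; a False result means the API is reachable from endpoints you did not intend.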


Publication date Nov 5, 2018