Description: 

Publicly accessible API Gateway endpoints are reached over public networks. When an API is configured as private, no public network route to it is exposed; the API can only be reached through the interface VPC endpoints that you have configured.


Rationale: 

It is recommended that API Gateway endpoints not be publicly accessible to other services and resources in AWS. A public API Gateway endpoint means that unauthorized actors could access your data, which can lead to misuse of that data.


Remediation:

Log in to the Amazon VPC console at https://console.aws.amazon.com/vpc/ .

  • In the left navigation pane, choose Endpoints, then choose your interface VPC endpoint for API Gateway.
  • In the Details pane, the DNS names field lists 5 values. The first 3 are the public DNS names for your API; confirm that the API is not publicly accessible through them.
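The console steps above check one endpoint at a time. The following is an added example, not part of the original rule text, showing how the same condition can be audited across all REST APIs in an account with boto3: an API is reported as non-compliant if its endpointConfiguration type is anything other than PRIVATE, or if it is PRIVATE but its resource policy does not limit callers with an aws:SourceVpce condition. The API ids, names and the vpce-... value in the sample data are constructed for the example; the boto3 call and the response field names are real.

```python
"""Audit API Gateway REST APIs for public endpoint types (added example).

Inspects records shaped like boto3's apigateway.get_rest_apis()["items"]:
each item carries endpointConfiguration.types (EDGE, REGIONAL or PRIVATE)
and, optionally, a resource policy as a JSON string. An API passes only
when its sole endpoint type is PRIVATE and an Allow statement in its
policy is conditioned on aws:SourceVpce (the VPC endpoint id).
"""
import json

# Constructed sample in the shape of get_rest_apis()["items"]; ids, names
# and the vpce id are made up for this example.
SAMPLE_APIS = [
    {"id": "abc123", "name": "orders-public",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "def456", "name": "orders-private-nopolicy",
     "endpointConfiguration": {"types": ["PRIVATE"]}},
    {"id": "ghi789", "name": "orders-private",
     "endpointConfiguration": {"types": ["PRIVATE"]},
     "policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{
             "Effect": "Allow",
             "Principal": "*",
             "Action": "execute-api:Invoke",
             "Resource": "execute-api:/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
         }],
     })},
]


def _policy_restricts_to_vpce(policy_json):
    """True if any Allow statement carries an aws:SourceVpce condition key."""
    if not policy_json:
        return False
    try:
        policy = json.loads(policy_json)
    except ValueError:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for operator_block in stmt.get("Condition", {}).values():
            if any(key.lower() == "aws:sourcevpce" for key in operator_block):
                return True
    return False


def evaluate_api(api):
    """Classify one REST API record as (id, name, status, reason)."""
    types = api.get("endpointConfiguration", {}).get("types", [])
    if types != ["PRIVATE"]:
        reason = "endpoint type %s is reachable from public networks" % ",".join(types or ["UNKNOWN"])
        return (api["id"], api["name"], "FAIL", reason)
    if not _policy_restricts_to_vpce(api.get("policy")):
        return (api["id"], api["name"], "FAIL",
                "PRIVATE type but resource policy does not restrict callers to a VPC endpoint")
    return (api["id"], api["name"], "PASS", "private endpoint restricted to a VPC endpoint")


def find_public_apis(apis):
    """Return the ids of the APIs that fail the check."""
    return [row[0] for row in map(evaluate_api, apis) if row[2] == "FAIL"]


def audit_account(client):
    """Run the check against a live account via a boto3 'apigateway' client.

    get_rest_apis() pages with a 'position' token, so loop until it is absent.
    """
    items, position = [], None
    while True:
        kwargs = {"limit": 500}
        if position:
            kwargs["position"] = position
        page = client.get_rest_apis(**kwargs)
        items.extend(page.get("items", []))
        position = page.get("position")
        if not position:
            break
    return [evaluate_api(api) for api in items]


if __name__ == "__main__":
    # Offline run over the constructed sample; use audit_account(boto3.client("apigateway"))
    # for a real account.
    for row in map(evaluate_api, SAMPLE_APIS):
        print("%s  %-24s %s  %s" % row)
```

Run against the sample, the REGIONAL API and the PRIVATE API without a VPC-endpoint-scoped policy are both reported as FAIL; only the PRIVATE API whose policy is conditioned on aws:SourceVpce passes. Treating a missing policy as a failure is deliberate: a PRIVATE endpoint type alone removes the public route, but it is the resource policy that pins callers to your own VPC endpoints.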


Resources: 

    https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/

    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-api-migration.html