Description:
Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud. As an API Gateway API developer, you can create APIs for use in your client applications. Or you can make your APIs available to third-party app developers.
Rationale:
API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway.
Impact:
When you interface with API Gateway publicly accessible endpoints, it is done through public networks. When they’re configured as private, the public networks are not made available to route your API. Instead, your API can only be accessed using the interface endpoints that you have configured.
Pre-Requisite:
Sign in as admin or IAM user with required permissions
Remediation:
Test plan:
Login to AWS management console.
Go to API Gateway at https://console.aws.amazon.com/apigateway.
Click on APIs in the left navigation pane.
Select the API you want to examine and click on it.
Click on the Settings under the API you opened.
In the settings page opened, go to the Endpoint Configuration section and then check the Endpoint Type configuration attribute value, if the attribute value is set to Regional or Edge Optimized then the selected Amazon API Gateway API is not private, therefore the API is visible to the public Internet.
Using AWS CLI :
This command is used to get the rest-api
aws apigateway get-rest-apis
Implementation Steps :
Login to AWS management console.
Go to API Gateway at https://console.aws.amazon.com/apigateway
Click on APIs in the left navigation pane.
Select the API you want to modify and click on it.
Click on the Settings under the API you opened.
In the settings page opened, go to the Endpoint Configuration section and click on Endpoint Type drop-down and select Private.
For Private APIs, you can associate one or more VPC endpoints with your API, and API Gateway will generate new Route 53 Alias records which you can use to invoke your API.Click on Save Changes.
Using AWS CLI :
This command is used to set the Endpoint type as private
aws apigateway update-rest-api --rest-api-id 1234123412 --patch-operations op=replace,path=/endpointtype,value='private'
Backout plan:
To revoke changes that mean if you want to change endpoint type to Regional or Edge follow the same implementation steps and in step 6 choose the type and click on save.
Using AWS CLI :
This command is used to set the Endpoint type as Regional
aws apigateway update-rest-api --rest-api-id 1234123412 --patch-operations op=replace,path=/endpointtype,value='REGIONAL'
Reference:
Creating a private API in Amazon API Gateway - Amazon API Gateway
Change a public or private API endpoint type in API Gateway - Amazon API Gateway