Description:

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services, as well as data stored in the AWS Cloud. As an API Gateway API developer, you can create APIs for use in your own client applications. Or you can make your APIs available to third-party app developers. 


Rationale:

API Gateway private endpoints are made possible via AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway (the execute-api endpoint service, com.amazonaws.<region>.execute-api). A private API has no route from the public Internet: requests enter only through those interface endpoints, and the API's resource policy decides which endpoints, VPCs, or accounts may invoke it. Note that the Private endpoint type exists for REST APIs only; HTTP and WebSocket APIs cannot be made private this way, so this check applies to REST APIs.


Impact:

When you call an API through its publicly accessible (Regional or Edge Optimized) endpoint, the request travels over the public Internet, and only the API's own authentication and authorization controls stand between it and anonymous callers. When the API is configured as Private, no public route to it exists: it can be invoked only through the interface VPC endpoints you have configured, from the VPC that owns them or from networks connected to that VPC (VPN, Direct Connect, peering). Any existing client that reaches the API over the Internet, including third-party integrations and webhooks, loses access once the change is deployed, so inventory the API's callers before switching.


Audit:

  1. Login to AWS management console

  2. Go to API Gateway at https://console.aws.amazon.com/apigateway

  3. Click on APIs in the left navigation pane 

  4. Select the API you want to examine and click on it

  5. Click on the Settings under the API you opened

  6. In the settings page, go to the Endpoint Configuration section and check the Endpoint Type attribute. If the value is Regional or Edge Optimized, the selected Amazon API Gateway API is not private and its invoke URL is reachable from the public Internet. If the value is Private, also confirm that a resource policy is attached to the API, because a private API without a resource policy rejects every request and indicates an incomplete migration.


Remediation: 

Pre-Requisite: 

  • Sign in as admin or as an IAM user with permissions to update and deploy the API (apigateway:PATCH on the API and apigateway:POST on its deployments)


Implementation Steps : 

  1. Login to AWS management console

  2. Go to API Gateway at https://console.aws.amazon.com/apigateway

  3. Click on APIs in the left navigation pane 

  4. Select the API you want to modify and click on it

  5. Click on the Settings under the API you opened

  6. In the settings page, go to the Endpoint Configuration section, click on the Endpoint Type drop-down and select Private

    For Private APIs, you can associate one or more VPC endpoints with your API and API Gateway will generate new Route 53 Alias records which you can use to invoke your API.

  7. Click on Save Changes

  8. Attach a resource policy to the API that allows execute-api:Invoke only from your interface VPC endpoint(s), for example a Deny statement whose condition is StringNotEquals on aws:SourceVpce. A private API without a resource policy cannot be invoked at all.

  9. Deploy the API to its stage(s). The endpoint type and resource policy changes do not take effect for callers until a new deployment is created.
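The audit and implementation steps above are console clicks; the same check and change can be scripted. The following is an added example (not from the page and not AWS-supplied code) that evaluates the JSON returned by `aws apigateway get-rest-apis --output json`, flags every API that fails the check, and prints the AWS CLI commands that move a failing API to the Private endpoint type, attach a VPC-endpoint-pinned resource policy, and redeploy. The API IDs, names, stage name and VPC endpoint ID are constructed for the example; the assumption that an Edge Optimized API must be stepped through Regional before it can become Private is the author's and should be verified against current AWS documentation.

```python
"""Audit and remediation helper for the API Gateway private-endpoint check (added example)."""
import json
import shlex

# Constructed sample in the shape of `aws apigateway get-rest-apis --output json`.
# All IDs, names and the VPC endpoint ID are made up.
SAMPLE_GET_REST_APIS = json.dumps({
    "items": [
        {"id": "a1b2c3d4e5", "name": "orders-api",
         "endpointConfiguration": {"types": ["REGIONAL"]}},
        {"id": "f6g7h8i9j0", "name": "legacy-public",
         "endpointConfiguration": {"types": ["EDGE"]}},
        {"id": "k1l2m3n4o5", "name": "internal-api",
         "endpointConfiguration": {"types": ["PRIVATE"],
                                   "vpcEndpointIds": ["vpce-0123456789abcdef0"]},
         # get-rest-apis returns the resource policy as a JSON string
         "policy": json.dumps({"Version": "2012-10-17", "Statement": []})},
        {"id": "p6q7r8s9t0", "name": "half-migrated",
         "endpointConfiguration": {"types": ["PRIVATE"]}},
    ]
})


def endpoint_type(api):
    """Endpoint type of one API item (the `types` list holds exactly one value)."""
    return api.get("endpointConfiguration", {}).get("types", ["EDGE"])[0]


def audit(get_rest_apis_json):
    """Return (api_id, name, reason) for every API that fails the check.

    Fails: any EDGE or REGIONAL API (reachable from the public Internet), and
    any PRIVATE API with no resource policy (not invokable until a policy
    grants the VPC endpoint access, so the migration is incomplete).
    """
    findings = []
    for api in json.loads(get_rest_apis_json).get("items", []):
        etype = endpoint_type(api)
        if etype != "PRIVATE":
            findings.append((api["id"], api["name"],
                             f"endpoint type is {etype}: reachable from the public Internet"))
        elif not api.get("policy"):
            findings.append((api["id"], api["name"],
                             "PRIVATE but no resource policy: not invokable from any VPC endpoint"))
    return findings


def resource_policy(vpc_endpoint_id):
    """Resource policy that admits callers only through the given interface endpoint.

    Allow everyone, then deny anything whose aws:SourceVpce is not our endpoint.
    """
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpc_endpoint_id}}},
    ]}


def remediation_commands(api_id, current_type, stage_name, vpc_endpoint_id):
    """AWS CLI commands that move `api_id` to PRIVATE, pin it to the VPC endpoint and redeploy.

    Assumption (author's, not from the page): an EDGE API is changed to REGIONAL first,
    then REGIONAL to PRIVATE. Verify against current AWS documentation.
    """
    def update(patch):
        return (f"aws apigateway update-rest-api --rest-api-id {api_id} "
                f"--patch-operations {shlex.quote(patch)}")

    cmds = []
    if current_type == "EDGE":
        cmds.append(update("op=replace,path=/endpointConfiguration/types/EDGE,value=REGIONAL"))
        current_type = "REGIONAL"
    if current_type == "REGIONAL":
        cmds.append(update("op=replace,path=/endpointConfiguration/types/REGIONAL,value=PRIVATE"))
    # Resource policy: without it the private API answers 403 to everything
    cmds.append(update(f"op=replace,path=/policy,value={json.dumps(resource_policy(vpc_endpoint_id))}"))
    # Associating the endpoint makes API Gateway publish the Route 53 alias records
    cmds.append(update(f"op=add,path=/endpointConfiguration/vpcEndpointIds,value={vpc_endpoint_id}"))
    # Changes reach callers only after a new deployment
    cmds.append(f"aws apigateway create-deployment --rest-api-id {api_id} --stage-name {stage_name}")
    return cmds


if __name__ == "__main__":
    for api_id, name, reason in audit(SAMPLE_GET_REST_APIS):
        print(f"FAIL {api_id} ({name}): {reason}")
    print("\n".join(remediation_commands("f6g7h8i9j0", "EDGE", "prod", "vpce-0123456789abcdef0")))
```

In practice, feed the real output of `aws apigateway get-rest-apis --output json` to `audit()` for each region in scope, and review the printed commands before running them: the deployment step is what actually cuts off public callers, so it should be the last thing executed once the caller inventory from the Impact section is settled.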


Backout plan:

To revert the change, that is, to set the endpoint type back to Regional or Edge, follow the same implementation steps, choose that type in step 6, click Save Changes, and deploy the API again so the change takes effect.


Reference:

Creating a private API in Amazon API Gateway - Amazon API Gateway