Profile Applicability:
Level 1
Description:
This control ensures that each Amazon API Gateway REST API uses the endpoint type that matches its intended audience: Private for APIs that should be reachable only from your VPCs, or Public (Edge-Optimized or Regional) for APIs that must be reachable from the internet. Matching the endpoint type to the use case keeps internal APIs off the public internet entirely, rather than relying on authorization alone, and keeps public APIs reachable by their legitimate clients.
Rationale:
Selecting the appropriate API Gateway endpoint type is critical for security and compliance:
Private Endpoints should be used for internal services. A private API is reachable only through an interface VPC endpoint (AWS PrivateLink) for the execute-api service, from the VPCs (or on-premises networks connected to them) that its resource policy allows; it cannot be invoked from the internet.
Public Endpoints (Edge-Optimized or Regional) are reachable by anyone on the internet and should be protected with IAM authorization, Amazon Cognito or Lambda authorizers, AWS WAF, and a resource policy. API keys belong to usage plans for throttling and metering; they are not an authentication control and must not be the only thing between the internet and a sensitive method.
Improper configuration can expose a sensitive API publicly or, in the other direction, cut legitimate traffic off from an API that should be public. Reviewing and correcting endpoint types reduces the risk of data breaches, supports least-privilege access, and helps satisfy CIS, SOC 2 and ISO 27001 controls.
Impact:
Positive Impact:
Ensures APIs are reachable only by intended users and networks.
Reduces the attack surface of sensitive internal APIs by removing them from the public internet.
Helps meet compliance and governance requirements.
Negative Impact:
Switching an API to Private requires an interface VPC endpoint and a resource policy, a redeployment of every stage, and updates to clients that previously called the public hostname. Private APIs are reachable only from networks connected to the VPC, which may limit cross-region availability.
Default Value:
A REST API created in the console defaults to Regional; one created through the API, CLI or CloudFormation without an explicit endpoint configuration defaults to Edge-Optimized. Both are public: the API is reachable over the internet unless restricted by authorization or a resource policy.
Pre-Requisite:
IAM permissions required: API Gateway IAM actions are the HTTP verbs of its control-plane API, so auditing needs apigateway:GET on the APIs and their stages, and remediation needs apigateway:PATCH (update-rest-api) and apigateway:POST (create-deployment). There are no actions named UpdateRestApi or GETStages. Making an API private additionally requires permission to create or inspect the execute-api VPC endpoint (ec2:CreateVpcEndpoint, ec2:DescribeVpcEndpoints).
Knowledge of API use cases (internal-only vs public-facing).
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway → APIs.
Select your API from the list.
Open API settings and locate the Endpoint configuration field. Endpoint type is a REST API setting only: HTTP APIs and WebSocket APIs are always Regional and offer no Private or Edge-Optimized option, so they cannot be made private this way.
Verify that the endpoint type is correctly configured for the use case:
Private: reachable only through an interface VPC endpoint (AWS PrivateLink) that the API's resource policy allows; not invokable from the internet.
Regional: Accessible over the internet within a specific AWS Region.
Edge-Optimized: Accessible globally via Amazon CloudFront.
If a sensitive API is publicly accessible, or if a public-facing API is incorrectly restricted, the configuration is non-compliant. Also confirm that every Private API has a resource policy whose conditions name the allowed VPC endpoint (aws:SourceVpce) or VPC (aws:SourceVpc); a private endpoint type without such a policy is not a finished configuration.
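The console walk-through above does not scale past a handful of APIs. The script below is an added example (not code from the page or from AWS) that performs the same check against the output of `aws apigateway get-rest-apis`. It assumes a tagging convention the page does not define: every REST API carries a tag named `exposure` set to `internal` or `public`, and untagged APIs are reported so a reviewer classifies them. The sample input is constructed; the VPC endpoint id in it is invented.

```python
"""Audit REST API endpoint types against each API's intended exposure.

Added example for the test plan above; it is not code from the page or from
AWS. Assumed convention (not from the page): every REST API carries a tag
``exposure`` set to ``internal`` or ``public``.
"""
import json

EXPOSURE_TAG = "exposure"  # assumed tag name
SOURCE_KEYS = ("aws:SourceVpce", "aws:SourceVpc")


def load_policy(raw):
    """Parse the ``policy`` field of a RestApi object.

    API Gateway returns the resource policy with escaped quotes and slashes
    (``{\\"Version\\":...}``), which plain json.loads rejects; unescape and
    retry instead of treating the API as unprotected.
    """
    if not raw:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('\\"', '"').replace("\\/", "/"))


def policy_pins_vpc(policy):
    """True when some statement conditions on aws:SourceVpce or aws:SourceVpc."""
    for stmt in (policy or {}).get("Statement", []):
        for operand in stmt.get("Condition", {}).values():
            if any(key in SOURCE_KEYS for key in operand):
                return True
    return False


def audit(items):
    """Return (api_id, name, finding) tuples; an empty list means compliant."""
    findings = []
    for api in items:
        ident = (api["id"], api.get("name", ""))
        types = set(api.get("endpointConfiguration", {}).get("types", []))
        exposure = api.get("tags", {}).get(EXPOSURE_TAG)
        if exposure is None:
            findings.append(ident + (f"missing '{EXPOSURE_TAG}' tag; classify before review",))
        elif exposure == "internal" and types != {"PRIVATE"}:
            findings.append(ident + (f"internal API uses endpoint type {sorted(types)}",))
        elif exposure == "public" and "PRIVATE" in types:
            findings.append(ident + ("public API is PRIVATE; external clients are blocked",))
        if "PRIVATE" in types and not policy_pins_vpc(load_policy(api.get("policy"))):
            findings.append(ident + ("PRIVATE API has no resource policy pinned to a VPC endpoint",))
    return findings


# Constructed sample shaped like `aws apigateway get-rest-apis` output.
# The policy string is escaped the way the service returns it.
VPCE_ID = "vpce-0123456789abcdef0"  # invented endpoint id
ESCAPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": "execute-api:/*"},
    ],
}).replace('"', '\\"').replace("/", "\\/")

SAMPLE_ITEMS = [
    {"id": "a1b2c3d4e5", "name": "orders-internal",
     "endpointConfiguration": {"types": ["REGIONAL"]}, "tags": {"exposure": "internal"}},
    {"id": "b2c3d4e5f6", "name": "billing-internal",
     "endpointConfiguration": {"types": ["PRIVATE"]}, "tags": {"exposure": "internal"},
     "policy": ESCAPED_POLICY},
    {"id": "c3d4e5f6a7", "name": "catalog-public",
     "endpointConfiguration": {"types": ["EDGE"]}, "tags": {"exposure": "public"}},
    {"id": "d4e5f6a7b8", "name": "partner-feed",
     "endpointConfiguration": {"types": ["PRIVATE"]}, "tags": {"exposure": "public"}},
    {"id": "e5f6a7b8c9", "name": "legacy-untagged",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
]


def live_items(region):
    """Fetch every REST API in the region (needs apigateway:GET)."""
    import boto3  # imported here so the offline sample runs without it
    paginator = boto3.client("apigateway", region_name=region).get_paginator("get_rest_apis")
    return [api for page in paginator.paginate() for api in page["items"]]


if __name__ == "__main__":
    for api_id, name, finding in audit(SAMPLE_ITEMS):
        print(f"{api_id} {name}: {finding}")
```

Replace `SAMPLE_ITEMS` with `live_items("us-east-1")` to run it against an account; anything the script reports as `missing 'exposure' tag` is an inventory gap rather than a misconfiguration, and is the first thing to close.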
Implementation Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway → APIs.
Select the API you want to modify.
Choose API settings and edit the Endpoint configuration (REST APIs only; HTTP and WebSocket APIs have no endpoint type to change).
Under Endpoint type, select the appropriate option:
Private for internal APIs (requires VPC endpoint configuration).
Regional for APIs accessed via direct internet connections (secured with WAF, IAM, or custom authorizers).
Edge-Optimized for globally distributed public APIs using CloudFront.
Save the changes, then deploy the API to each stage; the new endpoint type takes effect only after deployment.
If you selected Private, ensure the following:
An interface VPC endpoint (AWS PrivateLink) for API Gateway (com.amazonaws.<region>.execute-api) exists in each VPC that needs access, with a security group that allows HTTPS from the callers.
The API has a resource policy that allows execute-api:Invoke only from that VPC endpoint (aws:SourceVpce) or VPC (aws:SourceVpc). A private API needs a resource policy before it can be invoked; the usual pattern is an explicit Deny for every source that is not the endpoint plus an Allow for the rest.
Test the API from an allowed source (for example an instance in the VPC) and from a disallowed one, and confirm that the first succeeds and the second is rejected.
Backout Plan:
Using AWS Console:
If API access becomes unavailable after changing the endpoint type:
Revert the endpoint type to its previous value and redeploy each stage; the revert, like the change, is not visible to callers until deployed.
Restore the previous resource policy as well: a policy that denies everything except one VPC endpoint keeps rejecting public clients even after the API is Regional or Edge-Optimized again.
For private APIs, validate DNS and the VPC endpoint: with private DNS enabled on the endpoint, the API's normal execute-api hostname resolves to the endpoint from inside the VPC; without it, clients must call the endpoint's DNS name with the Host header set to the API hostname, or use the {rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com form.
Re-test application connectivity and reapply the updated configuration after resolving any network or permission issues.
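The implementation and backout plans above are the same update-rest-api call run in two directions, with a deployment after each. The script below is an added example (not code from the page or from AWS) that builds both: the resource policy pinned to one VPC endpoint, the endpoint-type patch, and the backout that restores the previous type and policy together. It assumes the interface VPC endpoint for com.amazonaws.<region>.execute-api already exists, that the API has a single current endpoint type, and that rest_api_id, stage and vpce_id come from the operator; the detach-by-empty-value behaviour for the policy path is an assumption to verify in your account.

```python
"""Move a REST API to a Private endpoint pinned to one VPC endpoint, and
build the matching backout.

Added example for the implementation and backout plans; not code from the
page or from AWS. Assumptions: the execute-api VPC endpoint exists, the API
has one current endpoint type, and ids are supplied by the operator.
"""
import json

ENDPOINT_TYPES = {"EDGE", "REGIONAL", "PRIVATE"}


def private_resource_policy(vpce_id):
    """Deny every invoke that does not arrive through vpce_id, allow the rest.

    Swap the aws:SourceVpce condition for aws:SourceVpc to admit a whole VPC.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api:/*",
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": "execute-api:/*"},
        ],
    }


def endpoint_type_patch(current_type, target_type):
    """update-rest-api patch op; the path names the type being replaced."""
    if {current_type, target_type} - ENDPOINT_TYPES:
        raise ValueError("endpoint types are EDGE, REGIONAL or PRIVATE")
    if current_type == target_type:
        raise ValueError("API is already " + target_type)
    return {"op": "replace",
            "path": f"/endpointConfiguration/types/{current_type}",
            "value": target_type}


def policy_patch(policy):
    """Attach a policy given as a dict or as the escaped string get-rest-api
    returns; None yields an empty value, assumed to detach the policy."""
    if isinstance(policy, dict):
        value = json.dumps(policy)
    elif policy:
        value = policy.replace('\\"', '"').replace("\\/", "/")
    else:
        value = ""  # assumption: empty value detaches the resource policy
    return {"op": "replace", "path": "/policy", "value": value}


def make_private_ops(current_type, vpce_id):
    """Policy first, so the API is never PRIVATE without one."""
    return [policy_patch(private_resource_policy(vpce_id)),
            endpoint_type_patch(current_type, "PRIVATE")]


def backout_ops(previous_type, previous_policy):
    """Restore the old policy too: a VPCE-pinned Deny left on a REGIONAL or
    EDGE API would keep rejecting the public clients being restored."""
    return [policy_patch(previous_policy),
            endpoint_type_patch("PRIVATE", previous_type)]


def apply_ops(client, rest_api_id, stage, ops, note):
    """Patch the API, then redeploy: type and policy changes reach callers
    only after a deployment to the stage."""
    client.update_rest_api(restApiId=rest_api_id, patchOperations=ops)
    client.create_deployment(restApiId=rest_api_id, stageName=stage, description=note)


def make_private(region, rest_api_id, stage, vpce_id):
    """Snapshot the current type and policy, switch to PRIVATE, and return
    the backout ops so the caller can revert with apply_ops."""
    import boto3  # imported here so the pure functions run without it
    client = boto3.client("apigateway", region_name=region)
    before = client.get_rest_api(restApiId=rest_api_id)
    current_type = before["endpointConfiguration"]["types"][0]
    apply_ops(client, rest_api_id, stage, make_private_ops(current_type, vpce_id),
              "switch to PRIVATE behind " + vpce_id)
    return backout_ops(current_type, before.get("policy"))


if __name__ == "__main__":
    for op in make_private_ops("REGIONAL", "vpce-0123456789abcdef0"):  # invented id
        print(json.dumps(op))
```

The returned backout list is worth persisting (for example in the change ticket) before the deployment goes out; applying it with `apply_ops` is the whole backout plan, including the redeploy that the console steps require.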
References:
Amazon API Gateway Endpoint Types Documentation
AWS PrivateLink for API Gateway
AWS Security Best Practices Whitepaper