Default Execution Endpoint Should Not Be Enabled

More Info:

Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
In the navigation pane, choose ‘APIs’.
In the APIs pane, select the API you want to check.
In the API details pane, choose ‘Stages’.
In the Stages pane, select the stage you want to check. If the ‘Invoke URL’ ends with /{proxy}, the Default Execution Endpoint is enabled.

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands: Installation:
```
pip install awscli
```
Configuration:
```
aws configure
```
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
List all the APIs: Once the AWS CLI is configured, you can list all the APIs in your account by running the following command:
```
aws apigateway get-rest-apis
```
This command will return a list of all the REST APIs in your account.
Check the default execution endpoint: For each API in the list, you can check the default execution endpoint by running the following command:
```
aws apigateway get-stages --rest-api-id <rest-api-id>
```
Replace <rest-api-id> with the ID of the API you want to check. This command will return a list of all the stages for the specified API.
Check if the default execution endpoint is enabled: In the output of the previous command, look for the defaultRouteSettings field. If the dataTraceEnabled field is set to true, then the default execution endpoint is enabled. If it’s set to false, then it’s not enabled.

Using Python

Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc.

pip install boto3

Set up AWS credentials: You need to configure your AWS credentials. You can do this by setting the following environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. The AWS SDK for Python uses these variables to authenticate your applications.
Write a Python script to list all the APIs and check if the default execution endpoint is enabled:

import boto3

def check_default_execution_endpoint():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()

    for item in response['items']:
        if 'disableExecuteApiEndpoint' in item and item['disableExecuteApiEndpoint'] == False:
            print(f"API Gateway {item['name']} has default execution endpoint enabled")

check_default_execution_endpoint()

This script will print the names of all API Gateways that have the default execution endpoint enabled.

Run the Python script: Save the script in a file, for example, check_api_gateway.py, and then run it using Python.

python check_api_gateway.py

This will print out the names of all API Gateways where the default execution endpoint is enabled. If no such API Gateways are found, it will not print anything.

Remediation

Using Console

Sure, here are the steps to remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using the AWS console:

Log in to your AWS console and navigate to the AWS Lambda service.
From the list of functions, select the function that has the default execution endpoint enabled.
Click on the “Configuration” tab for the selected function.
In the “General configuration” section, scroll down to the “Network” section.
Under the “Network” section, you will see an option called “VPC”. Click on the “Edit” button next to it.
In the “VPC configuration” section, you will see an option called “Default execution endpoint”. Ensure that this option is set to “Disabled”.
If the “Default execution endpoint” option is enabled, click on the “Disable” button to disable it.
Once you have disabled the “Default execution endpoint” option, click on the “Save” button to save the changes.
Verify that the changes have been applied by testing the function.

By following these steps, you should be able to remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using the AWS console.

Using CLI

To remediate the misconfiguration “Default Execution Endpoint Should Not Be Enabled” in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine or on the EC2 instance.
Run the following command to disable the default execution endpoint:
```
aws sagemaker update-notebook-instance --notebook-instance-name <instance-name> --default-code-repository none
```
Replace <instance-name> with the name of the notebook instance that you want to update.
After running the above command, verify that the default execution endpoint is disabled by running the following command:
```
aws sagemaker describe-notebook-instance --notebook-instance-name <instance-name> --query 'DefaultCodeRepository'
```
If the output of the above command is null, then the default execution endpoint has been successfully disabled.
Repeat the above steps for all the notebook instances in your AWS account to remediate the misconfiguration “Default Execution Endpoint Should Not Be Enabled” in AWS.

Using Python

To remediate the “Default Execution Endpoint Should Not Be Enabled” misconfiguration in AWS using Python, you can follow these steps:

Install the AWS SDK for Python (Boto3) using the following command:

pip install boto3

Create a Boto3 client for AWS Lambda:

import boto3

client = boto3.client('lambda')

Use the update_function_configuration() method to disable the default execution endpoint:

response = client.update_function_configuration(
    FunctionName='your-function-name',
    CodeSigningConfigArn='arn:aws:lambda:us-west-2:123456789012:code-signing-config:MyCodeSigningConfig',
    Description='Sample function',
    Environment={
        'Variables': {
            'KEY1': 'VALUE1',
            'KEY2': 'VALUE2',
        }
    },
    Handler='index.handler',
    Layers=[
        'arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1',
    ],
    MemorySize=128,
    Role='arn:aws:iam::123456789012:role/service-role/lambda-role',
    Runtime='python3.8',
    Timeout=123,
    TracingConfig={
        'Mode': 'Active',
    },
    VpcConfig={
        'SubnetIds': [
            'subnet-1234abcd',
            'subnet-5678efgh',
        ],
        'SecurityGroupIds': [
            'sg-1234abcd',
        ]
    },
    **{'DefaultExecutionEndpoint': False}**
)

Replace the FunctionName parameter with the name of your Lambda function.
The DefaultExecutionEndpoint parameter is set to False to disable the default execution endpoint.
Once you have updated the function configuration, you can verify that the default execution endpoint has been disabled by checking the function configuration using the get_function_configuration() method:

response = client.get_function_configuration(
    FunctionName='your-function-name'
)

print(response['DefaultExecutionEndpoint'])

This will return False if the default execution endpoint has been disabled.

Additional Reading:

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

​Additional Reading: