> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Default Execution Endpoint Should Not Be Enabled

### More Info:

Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.

### Risk Level

Low

### Address

Reliability, Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console and open the Amazon API Gateway console at [https://console.aws.amazon.com/apigateway/](https://console.aws.amazon.com/apigateway/).

        2. In the navigation pane, choose 'APIs'.

        3. In the APIs pane, select the API you want to check.

        4. In the API details pane, choose 'Stages'.

        5. In the Stages pane, select the stage you want to check. If the 'Invoke URL' ends with `/{proxy}`, the Default Execution Endpoint is enabled.
      </Accordion>

      <Accordion title="Using CLI">
        1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands:

           Installation:

           ```
           pip install awscli
           ```

           Configuration:

           ```
           aws configure
           ```

           You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.

        2. List all the APIs: Once the AWS CLI is configured, you can list all the APIs in your account by running the following command:
           ```
           aws apigateway get-rest-apis
           ```
           This command will return a list of all the REST APIs in your account.

        3. Check the default execution endpoint: For each API in the list, you can check the default execution endpoint by running the following command:
           ```
           aws apigateway get-stages --rest-api-id <rest-api-id>
           ```
           Replace `<rest-api-id>` with the ID of the API you want to check. This command will return a list of all the stages for the specified API.

        4. Check if the default execution endpoint is enabled: In the output of the previous command, look for the `defaultRouteSettings` field. If the `dataTraceEnabled` field is set to `true`, then the default execution endpoint is enabled. If it's set to `false`, then it's not enabled.
      </Accordion>

      <Accordion title="Using Python">
        1. Install the necessary Python libraries: Before you start, make sure you have the AWS SDK for Python (Boto3) installed, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, etc.

        ```python theme={null}
        pip install boto3
        ```

        2. Set up AWS credentials: You need to configure your AWS credentials. You can do this by setting the following environment variables: AWS\_ACCESS\_KEY\_ID, AWS\_SECRET\_ACCESS\_KEY, and AWS\_SESSION\_TOKEN. The AWS SDK for Python uses these variables to authenticate your applications.

        3. Write a Python script to list all the APIs and check if the default execution endpoint is enabled:

        ```python theme={null}
        import boto3

        def check_default_execution_endpoint():
            client = boto3.client('apigateway')
            response = client.get_rest_apis()

            for item in response['items']:
                if 'disableExecuteApiEndpoint' in item and item['disableExecuteApiEndpoint'] == False:
                    print(f"API Gateway {item['name']} has default execution endpoint enabled")

        check_default_execution_endpoint()
        ```

        This script will print the names of all API Gateways that have the default execution endpoint enabled.

        4. Run the Python script: Save the script in a file, for example, check\_api\_gateway.py, and then run it using Python.

        ```bash theme={null}
        python check_api_gateway.py
        ```

        This will print out the names of all API Gateways where the default execution endpoint is enabled. If no such API Gateways are found, it will not print anything.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the steps to remediate the "Default Execution Endpoint Should Not Be Enabled" misconfiguration in AWS using the AWS console:

        1. Log in to your AWS console and navigate to the AWS Lambda service.

        2. From the list of functions, select the function that has the default execution endpoint enabled.

        3. Click on the "Configuration" tab for the selected function.

        4. In the "General configuration" section, scroll down to the "Network" section.

        5. Under the "Network" section, you will see an option called "VPC". Click on the "Edit" button next to it.

        6. In the "VPC configuration" section, you will see an option called "Default execution endpoint". Ensure that this option is set to "Disabled".

        7. If the "Default execution endpoint" option is enabled, click on the "Disable" button to disable it.

        8. Once you have disabled the "Default execution endpoint" option, click on the "Save" button to save the changes.

        9. Verify that the changes have been applied by testing the function.

        By following these steps, you should be able to remediate the "Default Execution Endpoint Should Not Be Enabled" misconfiguration in AWS using the AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Default Execution Endpoint Should Not Be Enabled" in AWS using AWS CLI, you can follow the below steps:

        1. Open the AWS CLI on your local machine or on the EC2 instance.

        2. Run the following command to disable the default execution endpoint:

           ```
           aws sagemaker update-notebook-instance --notebook-instance-name <instance-name> --default-code-repository none
           ```

           Replace `<instance-name>` with the name of the notebook instance that you want to update.

        3. After running the above command, verify that the default execution endpoint is disabled by running the following command:

           ```
           aws sagemaker describe-notebook-instance --notebook-instance-name <instance-name> --query 'DefaultCodeRepository'
           ```

           If the output of the above command is `null`, then the default execution endpoint has been successfully disabled.

        4. Repeat the above steps for all the notebook instances in your AWS account to remediate the misconfiguration "Default Execution Endpoint Should Not Be Enabled" in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the "Default Execution Endpoint Should Not Be Enabled" misconfiguration in AWS using Python, you can follow these steps:

        1. Install the AWS SDK for Python (Boto3) using the following command:

        ```
        pip install boto3
        ```

        2. Create a Boto3 client for AWS Lambda:

        ```
        import boto3

        client = boto3.client('lambda')
        ```

        3. Use the `update_function_configuration()` method to disable the default execution endpoint:

        ```
        response = client.update_function_configuration(
            FunctionName='your-function-name',
            CodeSigningConfigArn='arn:aws:lambda:us-west-2:123456789012:code-signing-config:MyCodeSigningConfig',
            Description='Sample function',
            Environment={
                'Variables': {
                    'KEY1': 'VALUE1',
                    'KEY2': 'VALUE2',
                }
            },
            Handler='index.handler',
            Layers=[
                'arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1',
            ],
            MemorySize=128,
            Role='arn:aws:iam::123456789012:role/service-role/lambda-role',
            Runtime='python3.8',
            Timeout=123,
            TracingConfig={
                'Mode': 'Active',
            },
            VpcConfig={
                'SubnetIds': [
                    'subnet-1234abcd',
                    'subnet-5678efgh',
                ],
                'SecurityGroupIds': [
                    'sg-1234abcd',
                ]
            },
            **{'DefaultExecutionEndpoint': False}**
        )
        ```

        4. Replace the `FunctionName` parameter with the name of your Lambda function.

        5. The `DefaultExecutionEndpoint` parameter is set to `False` to disable the default execution endpoint.

        6. Once you have updated the function configuration, you can verify that the default execution endpoint has been disabled by checking the function configuration using the `get_function_configuration()` method:

        ```
        response = client.get_function_configuration(
            FunctionName='your-function-name'
        )

        print(response['DefaultExecutionEndpoint'])
        ```

        This will return `False` if the default execution endpoint has been disabled.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html)
