> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Only Private End-Points Should Access APIs

### More Info:

Amazon API Gateway APIs should be accessible only through private API endpoints and must not be visible to the public Internet.

### Risk Level

Medium

### Address

Security

### Compliance Standards

SOC2, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Log in to the AWS Management Console and navigate to the API Gateway service.

        2. In the API Gateway dashboard, select the API you want to inspect.

        3. In the API details page, select the "Resources" option from the left-hand side menu. This will display all the resources and methods associated with the selected API.

        4. For each method, click on the method request to view its settings. Under the "Settings" tab, check the "Endpoint Type" field. If it is set to "Edge Optimized" or "Regional", it means the API is publicly accessible. If it is set to "Private", it means the API can only be accessed from within your VPC or via a VPC endpoint.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.

        2. Once the AWS CLI is set up, you can list all the APIs in the API Gateway by using the following command:

           ```
           aws apigateway get-rest-apis
           ```

           This command will return a list of all the APIs in the API Gateway.

        3. To check the endpoint configuration of each API, you can use the following command:

           ```
           aws apigateway get-rest-api --rest-api-id {rest-api-id}
           ```

           Replace `{rest-api-id}` with the ID of the API you want to check. This command will return the details of the API, including its endpoint configuration.

        4. To check if only private endpoints can access the API, look at the `endpointConfiguration` field in the output. If the `types` field under `endpointConfiguration` contains "PRIVATE", then only private endpoints can access the API. If it contains "EDGE" or "REGIONAL", then the API can be accessed from public endpoints.
      </Accordion>

      <Accordion title="Using Python">
        1. Import the necessary AWS SDK for Python (Boto3) modules and initialize a new client for the API Gateway service.

        ```python theme={null}
        import boto3
        client = boto3.client('apigateway')
        ```

        2. Fetch all the APIs in the API Gateway service.

        ```python theme={null}
        response = client.get_rest_apis()
        apis = response['items']
        ```

        3. For each API, get the endpoint configuration and check if it's a private endpoint.

        ```python theme={null}
        for api in apis:
            endpoint_type = api['endpointConfiguration']['types'][0]
            if endpoint_type != 'PRIVATE':
                print(f"API {api['name']} is not a private endpoint.")
        ```

        4. The above script will print out the names of all APIs that are not private endpoints. If no APIs are printed, then all APIs are private endpoints. If some APIs are printed, then those APIs are not private endpoints and are misconfigured.

        Note: This script assumes that you have configured your AWS credentials correctly, either by setting the AWS\_ACCESS\_KEY\_ID, AWS\_SECRET\_ACCESS\_KEY, and AWS\_SESSION\_TOKEN environment variables, or by using the AWS CLI or AWS SDKs to configure your credentials.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "Only Private End-Points Should Access APIs" in AWS, you can follow the steps below:

        1. Login to your AWS Console.

        2. Navigate to the Amazon API Gateway service.

        3. Select the API that you want to remediate.

        4. Click on the "Settings" tab.

        5. Under the "Endpoint Type" section, select the "Private" option.

        6. If you have not already created a VPC endpoint for the API Gateway, create one by clicking on the "Create VPC Link" button.

        7. In the "Create VPC Link" dialog box, select the VPC that you want to use for the endpoint.

        8. Choose the security groups that will be associated with the VPC endpoint.

        9. Click on the "Create" button.

        10. Once the VPC endpoint is created, go back to the API Gateway "Settings" tab.

        11. Under the "Endpoint Configuration" section, select the VPC endpoint that you just created.

        12. Click on the "Save Changes" button.

        13. Test the API to ensure that it is only accessible through the private endpoint.

        By following these steps, you have remediated the misconfiguration "Only Private End-Points Should Access APIs" in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Only Private Endpoints Should Access APIs" for AWS using AWS CLI, follow the below steps:

        1. Identify the APIs that are publicly accessible by running the following command:

        ```
        aws apigateway get-rest-apis --query "items[?endpointConfiguration.types[0]=='EDGE'].name"
        ```

        This command will list all the APIs that are publicly accessible via the internet.

        2. For each of the APIs identified in step 1, update the endpoint configuration to make it private by running the following command:

        ```
        aws apigateway update-rest-api --rest-api-id <rest-api-id> --patch-operations op=replace,path=/endpointConfiguration/types/0,value=PRIVATE
        ```

        Replace `<rest-api-id>` with the ID of the API that you want to update.

        3. Verify that the endpoint configuration has been updated by running the following command:

        ```
        aws apigateway get-rest-api --rest-api-id <rest-api-id> --query "endpointConfiguration.types"
        ```

        This command will return the endpoint configuration of the API. Verify that the first element in the array is "PRIVATE".

        4. Repeat steps 2 and 3 for all the APIs that were identified in step 1.

        5. Once you have updated all the APIs, verify that they are no longer publicly accessible by running the following command:

        ```
        aws apigateway get-rest-apis --query "items[?endpointConfiguration.types[0]=='EDGE'].name"
        ```

        This command should not return any APIs.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration "Only Private End-Points Should Access APIs" in AWS using Python, you can follow the below steps:

        Step 1: Identify the APIs which are not restricted to private endpoints only.

        Step 2: For each API, check if it is currently accessible from a public endpoint.

        Step 3: If the API is accessible from a public endpoint, restrict its access to private endpoints only.

        Step 4: To restrict the access of an API to private endpoints only, you can use the following Python code:

        ```python theme={null}
        import boto3

        # Create a boto3 client for the API Gateway service
        apigateway = boto3.client('apigateway')

        # Get the ID of the API which you want to restrict to private endpoints only
        api_id = 'your_api_id'

        # Get the current settings of the API
        response = apigateway.get_rest_api(restApiId=api_id)

        # Check if the API is currently accessible from a public endpoint
        if response['endpointConfiguration']['types'][0] == 'EDGE':
            # If the API is accessible from a public endpoint, restrict its access to private endpoints only
            apigateway.update_rest_api(
                restApiId=api_id,
                patchOperations=[
                    {
                        'op': 'replace',
                        'path': '/endpointConfiguration/types/0',
                        'value': 'PRIVATE'
                    }
                ]
            )
        ```

        Step 5: Run this code for all the APIs which are not restricted to private endpoints only.

        By following these steps, you can remediate the misconfiguration "Only Private End-Points Should Access APIs" in AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/](https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/)
