Severity: High
Description: This control ensures that API gateway apis are only accessible through private api endpoints. Using Amazon API Gateway, you can create private REST APIs that can only be accessed from your virtual private cloud in Amazon VPC by using an interface VPC endpoint. To restrict access to your private API to specific VPCs and VPC endpoints, you must add aws:SourceVpc and aws:SourceVpce conditions to your API's resource policy.
Remediation Steps:
Perform following to create an interface VPC endpoint for API Gateway execute-api:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to VPC console.
Step 1: Create Private VPC endpoint
In the navigation pane, choose Endpoints ,Create Endpoint
For Service category, ensure that AWS services is selected
For Service Name, choose the API Gateway service endpoint, including the AWS Region that you want to connect to. This is in the form com.amazonaws.region.execute-api
Complete the following information:
For VPC, choose the VPC that you want to create the endpoint in
For Subnets, choose the subnets (Availability Zones) in which to create the endpoint network interfaces
For Enable Private DNS Name, leave the check box selected. Private DNS is enabled by default
For Security group, select the security group to associate with the VPC endpoint network interfaces.
Choose Create endpoint.
Step 2: Create Private API
Navigate to API Gateway console.
Under Create new API, choose the New API option
Type a name for API name
For Endpoint Type, choose Private
Choose Create API
Important:
Reference: