AWS-APIGateway-API-Gateway-Private-Endpoints

Severity: High

Description: This control ensures that API Gateway APIs are accessible only through private API endpoints. Using Amazon API Gateway, you can create private REST APIs that can be reached only from your virtual private cloud in Amazon VPC through an interface VPC endpoint. To restrict access to your private API to specific VPCs and VPC endpoints, you must add aws:SourceVpc and aws:SourceVpce conditions to your API's resource policy; a private endpoint type alone does not limit which VPCs or endpoints may invoke the API.

Remediation Steps:

Perform the following to create an interface VPC endpoint for API Gateway execute-api:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the VPC console.

  3. Step 1: Create Private VPC endpoint

    1. In the navigation pane, choose Endpoints, then Create Endpoint.

    2. For Service category, ensure that AWS services is selected.

    3. For Service Name, choose the API Gateway service endpoint for the AWS Region that you want to connect to. This is in the form com.amazonaws.region.execute-api, where region is the Region code.

    4. Complete the following information:

      • For VPC, choose the VPC that you want to create the endpoint in.

      • For Subnets, choose the subnets (Availability Zones) in which to create the endpoint network interfaces.

      • For Enable Private DNS Name, leave the check box selected. Private DNS is enabled by default.

      • For Security group, select the security group to associate with the VPC endpoint network interfaces.

    5. Choose Create endpoint.

  4. Step 2: Create Private API

    1. Navigate to the API Gateway console.

    2. Under Create new API, choose the New API option.

    3. For API name, type a name for the API.

    4. For Endpoint Type, choose Private.

    5. Choose Create API.
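The steps above leave two things to verify for each REST API: that its endpoint type is PRIVATE, and that its resource policy actually carries the aws:SourceVpc or aws:SourceVpce condition the Description calls for. The following Python is an added example written for this page, not code from AWS or from the control's author. It builds the kind of resource policy the Description describes (an Allow for execute-api:Invoke scoped to named interface VPC endpoints, paired with a Deny for every other source) and then assesses API records in the shape returned by `aws apigateway get-rest-api` (the `endpointConfiguration.types` list and the `policy` field as a JSON string). The region, account ID, API IDs and VPC endpoint IDs in the sample records are constructed placeholders.

```python
import json

# Condition keys that bind an API Gateway resource policy to a VPC or VPC endpoint.
SOURCE_KEYS = ("aws:SourceVpc", "aws:SourceVpce")


def build_private_api_policy(region, account_id, api_id, vpce_ids):
    """Resource policy that allows execute-api:Invoke only from the listed
    interface VPC endpoints and explicitly denies every other source."""
    arn = f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"
    vpce_ids = list(vpce_ids)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": arn,
                "Condition": {"StringEquals": {"aws:SourceVpce": vpce_ids}},
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}},
            },
        ],
    }


def _parse_policy(raw):
    """API Gateway returns the policy as a JSON string, and the CLI output is
    often escaped once more; unescape and decode until a dict appears."""
    doc = raw
    for _ in range(3):
        if isinstance(doc, dict):
            return doc
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            doc = doc.replace('\\"', '"')
    return doc if isinstance(doc, dict) else {}


def _condition_keys(statement):
    """All condition keys used anywhere in one policy statement."""
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(operator_values.keys())
    return keys


def assess_rest_api(api):
    """Return a list of findings for one API record; an empty list is compliant."""
    findings = []
    types = api.get("endpointConfiguration", {}).get("types", [])
    if "PRIVATE" not in types:
        findings.append(f"endpoint type is {types or ['unknown']}, not PRIVATE")
    raw = api.get("policy")
    if not raw:
        findings.append("no resource policy attached")
        return findings
    statements = _parse_policy(raw).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given un-listed
        statements = [statements]
    if not any(_condition_keys(s) & set(SOURCE_KEYS) for s in statements):
        findings.append("resource policy has no aws:SourceVpc/aws:SourceVpce condition")
    return findings


def assess_all(apis):
    """Map each API id to its findings, e.g. over the 'items' of get-rest-apis."""
    return {api["id"]: assess_rest_api(api) for api in apis}


# Constructed sample records (placeholder ids) in the get-rest-api response shape.
SAMPLE_APIS = [
    {
        "id": "a1b2c3",
        "name": "orders-private",
        "endpointConfiguration": {"types": ["PRIVATE"]},
        "policy": json.dumps(build_private_api_policy(
            "us-east-1", "123456789012", "a1b2c3", ["vpce-0123456789abcdef0"])),
    },
    {
        "id": "d4e5f6",
        "name": "orders-regional",
        "endpointConfiguration": {"types": ["REGIONAL"]},
        "policy": None,
    },
    {
        "id": "g7h8i9",
        "name": "private-but-open",
        "endpointConfiguration": {"types": ["PRIVATE"]},
        "policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                  '"Principal":"*","Action":"execute-api:Invoke","Resource":"*"}]}',
    },
]

if __name__ == "__main__":
    for api_id, findings in assess_all(SAMPLE_APIS).items():
        print(api_id, "OK" if not findings else "; ".join(findings))
```

The third sample record is the case the Description warns about: the endpoint type is Private, but the policy allows any principal from anywhere, so the VPC-endpoint restriction is missing and the check reports it. In practice, feed the `items` list from `aws apigateway get-rest-apis` into `assess_all`, fetching each API's `policy` with `get-rest-api` where it is not included.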

Important:

Reference:

Blue Hexagon Proprietary