API Gateway Endpoint Config is Not Private

  • Query id: 4a8daf95-709d-4a36-9132-d3e19878fa34
  • Query name: API Gateway Endpoint Config is Not Private
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • CWE: 668
  • URL: Github

Description

The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyRestApi:
        Type: AWS::ApiGateway::RestApi
        Properties:
          Name: myRestApi
    MyRestApi2:
        Type: AWS::ApiGateway::RestApi
        Properties:
          EndpointConfiguration:
            Types:
              - EDGE
          Name: myRestApi2
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRestApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Name": "myRestApi"
      }
    },
    "MyRestApi2": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "EndpointConfiguration": {
          "Types": [
            "EDGE"
          ]
        },
        "Name": "myRestApi2"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
    MyRestApi:
        Type: AWS::ApiGateway::RestApi
        Properties:
          EndpointConfiguration:
            Types:
              - PRIVATE
          Name: myRestApi
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "MyRestApi": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "EndpointConfiguration": {
          "Types": [
            "PRIVATE"
          ]
        },
        "Name": "myRestApi"
      }
    }
  }
}