Severity: medium
Service: apigateway
Amazon API Gateway REST APIs are evaluated for endpoint exposure: internet-accessible endpoints versus private VPC-only access via interface VPC endpoints (AWS PrivateLink).
Risk
Internet exposure increases the attack surface:
- Confidentiality: misconfigured or anonymous methods can leak data
- Integrity: unauthorized calls can change backend state
- Availability/cost: bots or DDoS can exhaust capacity and spike spend
Run this check with Prowler CLI
prowler aws --checks apigateway_restapi_public
Recommendation
Prefer private REST APIs reachable via interface VPC endpoints (PRIVATE).
If public access is required, apply least privilege and defense in depth:
- Restrict with resource policies (aws:SourceVpc/aws:SourceVpce)
- Enforce strong auth (IAM, Cognito, or authorizers)
- Add AWS WAF, throttling, usage plans, and comprehensive logging
Remediation
CLI
aws apigateway update-rest-api --rest-api-id <REST_API_ID> --patch-operations op=replace,path=/endpointConfiguration/types/0,value=PRIVATE
Then attach a resource policy that allows execute-api:Invoke from the interface VPC endpoint (a private REST API cannot be invoked without one) and create a new deployment for each stage, because the endpoint type change does not reach callers until the API is redeployed.
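The following Python is an added example, not Prowler's own check code and not AWS documentation. It puts together the three pieces the recommendation and the CLI remediation describe: how the exposure evaluation reads endpointConfiguration.types, a resource policy scoped to interface VPC endpoints with aws:SourceVpce, and the boto3 equivalent of the remediation (convert to PRIVATE, attach the policy, redeploy). The API, account, VPC endpoint and stage identifiers are placeholders, and the API listing is constructed sample data shaped like get-rest-apis output.

```python
"""Added example (not Prowler's or AWS's code): evaluate REST API exposure,
build a VPC-endpoint-scoped resource policy and apply the remediation."""
import json

# Endpoint types that API Gateway serves from a public hostname.
PUBLIC_TYPES = {"EDGE", "REGIONAL"}

# Constructed sample of what `aws apigateway get-rest-apis` returns (trimmed).
SAMPLE_APIS = [
    {"id": "a1b2c3d4e5", "name": "orders",
     "endpointConfiguration": {"types": ["REGIONAL"]}},
    {"id": "f6g7h8i9j0", "name": "internal",
     "endpointConfiguration": {"types": ["PRIVATE"]}},
]


def is_public(rest_api: dict) -> bool:
    """True when the API has an internet-facing endpoint type (EDGE or REGIONAL)."""
    types = rest_api.get("endpointConfiguration", {}).get("types", [])
    return any(t in PUBLIC_TYPES for t in types)


def public_api_ids(apis: list) -> list:
    """IDs that this check would report as findings."""
    return [api["id"] for api in apis if is_public(api)]


def vpce_resource_policy(region: str, account_id: str, rest_api_id: str,
                         vpce_ids: list) -> dict:
    """Resource policy allowing execute-api:Invoke only via the listed interface
    VPC endpoints. The explicit Deny on aws:SourceVpce overrides the Allow for
    any request that did not arrive through one of those endpoints."""
    arn = f"arn:aws:execute-api:{region}:{account_id}:{rest_api_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}}},
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn},
        ],
    }


def private_endpoint_patch() -> list:
    """Same patch operation as the CLI remediation above, in boto3 form."""
    return [{"op": "replace", "path": "/endpointConfiguration/types/0",
             "value": "PRIVATE"}]


def policy_patch(policy: dict) -> list:
    """The resource policy is attached through the /policy patch path as a JSON string."""
    return [{"op": "replace", "path": "/policy", "value": json.dumps(policy)}]


def remediate(rest_api_id, region, account_id, vpce_ids, stage_name):
    """Convert the API to PRIVATE, attach the policy, then redeploy the stage:
    endpoint-type and policy changes only reach callers after a new deployment."""
    import boto3  # imported here so the pure helpers above run without boto3
    apigw = boto3.client("apigateway", region_name=region)
    apigw.update_rest_api(restApiId=rest_api_id,
                          patchOperations=private_endpoint_patch())
    policy = vpce_resource_policy(region, account_id, rest_api_id, vpce_ids)
    apigw.update_rest_api(restApiId=rest_api_id,
                          patchOperations=policy_patch(policy))
    apigw.create_deployment(restApiId=rest_api_id, stageName=stage_name)


if __name__ == "__main__":
    print("public APIs:", public_api_ids(SAMPLE_APIS))  # constructed data
    # Placeholder identifiers; replace them before running against a real account:
    # remediate("a1b2c3d4e5", "us-east-1", "123456789012",
    #           ["vpce-0123456789abcdef0"], "prod")
```

The Deny-with-StringNotEquals pattern is the one to reach for when the Allow must stay broad (for example, because a Cognito authorizer handles identity): whatever the Allow grants, any request that did not come through one of the named endpoints is rejected. Run the remediate step once per REST API, and once per stage if more than one stage is deployed.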
Native IaC
Terraform
Other
- Open the AWS console and go to API Gateway
- Under REST APIs, select your API
- In the left menu, click Settings
- Set Endpoint Type to Private
- Click Save changes, then deploy the API to its stages so the new endpoint type takes effect
Source Code
Resource Type
AwsApiGatewayRestApi
References
- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example
- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html
- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html