API Gateway endpoint config is not private

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > API Gateway endpoint config is not private

Metadata

Id: 6b2739db-9c49-4db7-b980-7816e0c248c1

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Networking and Firewall

Learn More

Provider Reference

Description

This check ensures that the endpoint_configuration.types attribute for aws_api_gateway_rest_api resources is set to "PRIVATE", rather than "REGIONAL" or "EDGE". By exposing API Gateway endpoints to the public internet (for example, with "REGIONAL"), sensitive services can be accessed or exploited by unauthorized parties. Setting the endpoint type to "PRIVATE" restricts access to only sources within your VPC, mitigating the risk of data exposure or malicious traffic.

resource "aws_api_gateway_rest_api" "secure_example" {
  name = "private-endpoint"

  endpoint_configuration {
    types = ["PRIVATE"]
  }
}

Compliant Code Examples

resource "aws_api_gateway_rest_api" "negative1" {
  name = "regional-example"

  endpoint_configuration {
    types = ["PRIVATE"]
  }
}

Non-Compliant Code Examples

resource "aws_api_gateway_rest_api" "positive1" {
  name = "regional-example"

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}