Ensure that the API Endpoint type in API Gateway is set to Private and is not exposed to the public internet

API Gateway private endpoints are made possible by AWS PrivateLink interface VPC endpoints. Interface endpoints work by creating elastic network interfaces in subnets that you define inside your VPC. Those network interfaces then provide access to services running in other VPCs, or to AWS services such as API Gateway. When configuring your interface endpoints, you specify which service traffic should go through them. API Gateway, as a fully managed service, runs its infrastructure in its own VPCs. When you call a publicly accessible API Gateway endpoint, the traffic goes over public networks. When an endpoint is configured as private, no public network route to your API is available. Instead, your API can only be accessed through the interface endpoints that you have configured.

Risk Level: Critical
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.NET.52
Covered by Spectral: Yes
Category: Networking & Content Delivery


ApiGateway should have endpointConfiguration.types contain-all ['Private']


From Portal:
To change the API endpoint type of your API, perform one of the following sets of steps:

  1. To convert a public endpoint from regional to edge-optimized or vice versa
    a. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
    b. Choose a REST API.
    c. Choose Settings.
    d. Change the Endpoint Type option under Endpoint Configuration from Edge Optimized to Regional or from Regional to Edge Optimized.
    e. Choose Save Changes to start the update.

  2. To convert a private endpoint to a regional endpoint
    a. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
    b. Choose a REST API.
    c. Edit the resource policy for your API to remove any mention of VPCs or VPC endpoints so that API calls from outside your VPC as well as inside your VPC will succeed.
    d. Choose Settings.
    e. Change the Endpoint Type to Regional.
    f. Choose Save Changes to start the update.
    g. Remove the resource policy from your API.
    h. Redeploy your API so that the changes will take effect.

From TF:

resource "aws_api_gateway_rest_api" "example1" {
	name = "private-api-name"
	endpoint_configuration {
		# PRIVATE: the API is reachable only through interface VPC endpoints
		types = ["PRIVATE"]
	}
}

From Command Line:

  1. To use the AWS CLI to update an edge-optimized API whose API ID is {api-id}, call update-rest-api as follows:
aws apigateway update-rest-api --rest-api-id {api-id} --patch-operations op=replace,path=/endpointConfiguration/types/EDGE,value=REGIONAL
  2. Update a regional API to an edge-optimized API as follows:
aws apigateway update-rest-api --rest-api-id {api-id} --patch-operations op=replace,path=/endpointConfiguration/types/REGIONAL,value=EDGE
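
The rule above can be checked offline against the JSON that `aws apigateway get-rest-apis` returns. The following is an added example, not CloudGuard's or AWS's own code: it flags every REST API whose endpoint types do not include PRIVATE and builds a patch operation in the same format as the commands above. The sample data, the function names and the `value=PRIVATE` target are assumptions of this example.

```python
import json

# Constructed sample in the shape returned by `aws apigateway get-rest-apis`
# (IDs and names are made up for this example).
SAMPLE_GET_REST_APIS = json.loads("""
{"items": [
  {"id": "a1b2c3d4e5", "name": "orders-internal",
   "endpointConfiguration": {"types": ["PRIVATE"]}},
  {"id": "f6g7h8i9j0", "name": "orders-public",
   "endpointConfiguration": {"types": ["EDGE"]}},
  {"id": "k1l2m3n4o5", "name": "billing",
   "endpointConfiguration": {"types": ["REGIONAL"]}},
  {"id": "p6q7r8s9t0", "name": "legacy-no-config"}
]}
""")


def endpoint_types(api):
    """Return the API's endpoint types, upper-cased; empty list if absent."""
    types = (api.get("endpointConfiguration") or {}).get("types") or []
    return [t.upper() for t in types]


def is_private(api):
    """The rule: endpointConfiguration.types must contain 'PRIVATE'."""
    return "PRIVATE" in endpoint_types(api)


def findings(get_rest_apis_output):
    """List non-compliant APIs with a patch operation for each."""
    result = []
    for api in get_rest_apis_output.get("items", []):
        if is_private(api):
            continue
        current = endpoint_types(api)
        # Same replace format as the CLI commands above; value=PRIVATE is
        # this example's assumption. No reported type means no patch path.
        patch = (f"op=replace,path=/endpointConfiguration/types/{current[0]},"
                 "value=PRIVATE") if current else None
        result.append({"id": api["id"], "name": api.get("name"),
                       "types": current, "patch": patch})
    return result


if __name__ == "__main__":
    for f in findings(SAMPLE_GET_REST_APIS):
        print(f["id"], f["name"], f["types"], f["patch"] or "review manually")
```

Because a private API is reachable only through interface VPC endpoints, the endpoint has to exist in the VPC before such a patch is applied.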


  1. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-api-migration.html
  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
  3. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-create-using-console
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/apigateway/update-rest-api.html

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset