feat(apigateway): Add exposed_internet property based on endpoint type #2341
+42
−8
Type of change
Summary
This PR clarifies the distinction between two security concepts for API Gateway REST APIs:

- `anonymous_access` (existing): Policy-level access determined by PolicyUniverse analysis of the resource policy. Indicates whether the policy allows anonymous/public access.
- `exposed_internet` (new): Network-level exposure based on endpoint configuration type:
  - `EDGE` → Internet exposed (default, via CloudFront)
  - `REGIONAL` → Internet exposed (direct regional access)
  - `PRIVATE` → NOT internet exposed (VPC-only via VPC Endpoints)

Problem solved: Previously, a PRIVATE API Gateway with an open resource policy would show `anonymous_access=true`, which is misleading because the API is not actually reachable from the internet. Now users can use `exposed_internet` to determine network reachability and combine both properties for accurate security assessment.

New properties on `APIGatewayRestAPI`:

- `endpoint_type` (`EDGE`, `REGIONAL`, or `PRIVATE`)
- `exposed_internet` (`true` for EDGE/REGIONAL endpoints, `false` for PRIVATE endpoints)

Related issues or links
How was this tested?
- `test-001` (REGIONAL): `endpoint_type='REGIONAL'`, `exposed_internet=true`
- `test-002` (PRIVATE): `endpoint_type='PRIVATE'`, `exposed_internet=false`

Checklist
General
make lint).

Proof of functionality
If you are changing a node or relationship
Notes for reviewers
- The `endpointConfiguration.types` field is already returned by the AWS `get_rest_apis` API and was present in our test data, so no additional API calls are needed.
- The `types` field is a list for historical AWS API reasons but in practice contains only one element.
- `anonymous_access` will continue to work.
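The mapping described in this PR, from `endpointConfiguration.types` to `endpoint_type` and `exposed_internet`, and the way the new property combines with `anonymous_access`, written out as an added Python example. This is illustration code, not the project's own transform from the PR: the function names (`get_endpoint_type`, `is_exposed_internet`, `transform_rest_apis`, `classify_exposure`) and the sample `get_rest_apis` records are constructed here. It goes slightly beyond the PR in two places, both labelled as assumptions: an API with a missing or empty `types` list yields `None` rather than being silently treated as private, and if the list ever carried more than one element the widest exposure wins so the assessment errs toward "exposed".

```python
"""Derive endpoint_type / exposed_internet for API Gateway REST APIs.

Added example (not the project's own code): shows how the two properties
from the PR description can be computed from get_rest_apis() output and
how they combine with anonymous_access. Function names and the sample
records below are constructed for illustration.
"""
from typing import Any, Dict, List, Optional

# EDGE is fronted by CloudFront and REGIONAL is reached directly, so both are
# internet-reachable; PRIVATE is only reachable through VPC endpoints.
INTERNET_EXPOSED_ENDPOINT_TYPES = frozenset({"EDGE", "REGIONAL"})
# Ordered widest-to-narrowest exposure; used only if several types appear.
ENDPOINT_TYPES_BY_EXPOSURE = ("EDGE", "REGIONAL", "PRIVATE")


def get_endpoint_type(api: Dict[str, Any]) -> Optional[str]:
    """Return the endpoint type of one get_rest_apis() item, or None if absent.

    endpointConfiguration.types is a list for historical API reasons but
    carries a single element in practice. Assumption (not from the PR):
    a missing/empty list returns None instead of guessing, and if several
    types were ever present the widest exposure is reported.
    """
    config = api.get("endpointConfiguration") or {}
    types = set(config.get("types") or [])
    for candidate in ENDPOINT_TYPES_BY_EXPOSURE:
        if candidate in types:
            return candidate
    return None


def is_exposed_internet(endpoint_type: Optional[str]) -> Optional[bool]:
    """True for EDGE/REGIONAL, False for PRIVATE, None when the type is unknown."""
    if endpoint_type is None:
        return None
    return endpoint_type in INTERNET_EXPOSED_ENDPOINT_TYPES


def transform_rest_apis(apis: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Shape raw get_rest_apis() items into the node properties named in the PR.

    anonymous_access is read from the item if an upstream policy analysis
    already attached it (that analysis is out of scope here) and defaults
    to False.
    """
    nodes = []
    for api in apis:
        endpoint_type = get_endpoint_type(api)
        nodes.append({
            "id": api["id"],
            "name": api.get("name"),
            "endpoint_type": endpoint_type,
            "exposed_internet": is_exposed_internet(endpoint_type),
            "anonymous_access": bool(api.get("anonymous_access", False)),
        })
    return nodes


def classify_exposure(node: Dict[str, Any]) -> str:
    """Combine the policy-level and network-level signals into one verdict."""
    exposed = node["exposed_internet"]
    anonymous = node["anonymous_access"]
    if exposed is None:
        return "unknown_endpoint_type"   # do not assume private on missing data
    if exposed and anonymous:
        return "public_and_anonymous"     # internet-reachable with an open policy
    if exposed:
        return "public_authenticated"     # internet-reachable, policy restricts callers
    if anonymous:
        return "private_open_policy"      # open policy, but only reachable via VPC endpoints
    return "private_restricted"


# Constructed sample records mirroring the shape of get_rest_apis() output.
SAMPLE_REST_APIS = [
    {"id": "test-001", "name": "orders", "endpointConfiguration": {"types": ["REGIONAL"]},
     "anonymous_access": True},
    {"id": "test-002", "name": "internal", "endpointConfiguration": {"types": ["PRIVATE"]},
     "anonymous_access": True},
    {"id": "test-003", "name": "legacy", "endpointConfiguration": {"types": ["EDGE"]}},
    {"id": "test-004", "name": "malformed"},  # no endpointConfiguration at all
]


if __name__ == "__main__":
    for node in transform_rest_apis(SAMPLE_REST_APIS):
        print(node["id"], node["endpoint_type"], node["exposed_internet"],
              classify_exposure(node))
```

`test-002` is the case the PR is about: `anonymous_access` stays `true` because the resource policy is open, but `exposed_internet` is `false`, so the combined verdict is `private_open_policy` rather than a public finding.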