Table: aws_api_gateway_rest_api - Query AWS API Gateway Rest APIs using SQL
The AWS API Gateway Rest API is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. These APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services. They can be used to enable real-time two-way communication (WebSocket APIs), or create, deploy, and manage HTTP and REST APIs (RESTful APIs).
Table Usage Guide
The aws_api_gateway_rest_api table in Steampipe provides you with information about API Gateway REST APIs within AWS API Gateway. This table allows you, as a DevOps engineer, to query REST API-specific details, including the API's name, description, id, and created date. You can utilize this table to gather insights on APIs, such as their deployment status, endpoint configurations, and more. The schema outlines the various attributes of the API Gateway REST API for you, including the API's ARN, created date, endpoint configuration, and associated tags.
Examples
API gateway rest API basic info
Explore the basic configuration details of your API Gateway's REST APIs to understand aspects like the source of API keys and compression settings. This can be particularly useful in managing and optimizing your APIs for better performance and security.
select
  name,
  api_id,
  api_key_source,
  minimum_compression_size,
  binary_media_types
from
  aws_api_gateway_rest_api;
List all the rest APIs that have content encoding disabled
Determine the areas in which REST APIs do not have content encoding enabled, to identify potential performance improvements.
select
  name,
  api_id,
  api_key_source,
  minimum_compression_size
from
  aws_api_gateway_rest_api
where
  minimum_compression_size is null;
List all the APIs which are not configured to private endpoint
Determine the areas in which the APIs are publicly accessible, allowing you to assess potential security risks and implement necessary changes to enhance data protection.
-- Postgres
select
  name,
  api_id,
  api_key_source,
  endpoint_configuration_types,
  endpoint_configuration_vpc_endpoint_ids
from
  aws_api_gateway_rest_api
where
  not endpoint_configuration_types ? 'PRIVATE';

-- SQLite
select
  name,
  api_id,
  api_key_source,
  endpoint_configuration_types,
  endpoint_configuration_vpc_endpoint_ids
from
  aws_api_gateway_rest_api
where
  json_extract(endpoint_configuration_types, '$[0]') != 'PRIVATE';
List of APIs policy statements that grant external access
Determine the areas in which your API's policy statements are granting access to external entities. This is useful to identify potential security risks and ensure that your API's access control is as intended.
-- Postgres
select
  name,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_api_gateway_rest_api,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  string_to_array(p, ':') as pa,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    pa[5] != account_id
    or p = '*'
  );

Error: SQLite does not support the split or string_to_array functions.
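One way to express the same check on SQLite without string_to_array, as an added example that is not part of the Steampipe documentation: each principal is compared with LIKE against an ARN pattern built from account_id. It assumes, as the Postgres query above does, that policy_std lists AWS principals as ARNs whose account field is followed by a colon.

```sql
-- Added example (SQLite), not from the Steampipe docs.
-- A principal is treated as external when it is '*' or when it does not
-- look like an ARN that belongs to the API's own account.
select
  name,
  principal.value as principal,
  action.value as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions
from
  aws_api_gateway_rest_api,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as principal,
  json_each(json_extract(s.value, '$.Action')) as action
where
  json_extract(s.value, '$.Effect') = 'Allow'
  and (
    principal.value = '*'
    -- || binds tighter than LIKE, so the pattern is assembled first,
    -- e.g. 'arn:%::<account_id>:%'
    or principal.value not like 'arn:%::' || account_id || ':%'
  );
```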
API policy statements that grant anonymous access
Identify instances where API policy statements are granting access to anonymous users. This is crucial for maintaining the security of your API by preventing unauthorized access.
-- Postgres
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_api_gateway_rest_api,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a
where
  p = '*'
  and s ->> 'Effect' = 'Allow';

-- SQLite
select
  title,
  json_extract(principal.value, '$') as p,
  json_extract(action.value, '$') as a,
  json_extract(effect.value, '$') as effect,
  conditions.value as conditions
from
  aws_api_gateway_rest_api,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as principal,
  json_each(json_extract(s.value, '$.Action')) as action,
  json_tree(s.value, '$.Effect') as effect,
  json_tree(s.value, '$.Condition') as conditions
where
  json_extract(principal.value, '$') = '*'
  and json_extract(effect.value, '$') = 'Allow';
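Added example, not part of the Steampipe documentation: a Postgres query that combines the endpoint-type check with the anonymous-access check, so each REST API without a PRIVATE endpoint type is listed with how its resource policy treats anonymous callers. It uses only columns from this table's schema; the anon_allow name and the policy_exposure labels are made up for the example, and it assumes policy_std is null when an API has no resource policy.

```sql
-- Added example (Postgres), not from the Steampipe docs.
with anon_allow as (
  select
    r.api_id,
    r.region,
    r.account_id,
    -- true when at least one anonymous Allow carries no Condition block
    bool_or(
      (s -> 'Condition') is null
      or (s -> 'Condition') = '{}'::jsonb
    ) as unconditioned
  from
    aws_api_gateway_rest_api as r,
    jsonb_array_elements(r.policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p
  where
    s ->> 'Effect' = 'Allow'
    and p = '*'
  group by
    r.api_id,
    r.region,
    r.account_id
)
select
  r.name,
  r.api_id,
  r.region,
  r.endpoint_configuration_types,
  case
    when r.policy_std is null then 'no resource policy'
    when a.unconditioned then 'anonymous Allow without Condition'
    when a.api_id is not null then 'anonymous Allow with Condition'
    else 'no anonymous Allow'
  end as policy_exposure
from
  aws_api_gateway_rest_api as r
  -- api_id is only unique per account and region, so join on all three
  left join anon_allow as a
    on a.api_id = r.api_id
    and a.region = r.region
    and a.account_id = r.account_id
where
  not r.endpoint_configuration_types ? 'PRIVATE'
order by
  r.name;
```

Rows labelled "anonymous Allow with Condition" still need the Condition block read by hand, since the query does not evaluate which condition keys are used.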
Schema for aws_api_gateway_rest_api
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
api_id | text | = | The API's identifier. This identifier is unique across all of APIs in API Gateway |
api_key_source | text | | The source of the API key for metering requests according to a usage plan |
binary_media_types | jsonb | | The list of binary media types supported by the RestApi. By default, the RestApi supports only UTF-8-encoded text payloads |
created_date | timestamp with time zone | | The timestamp when the API was created |
description | text | | The API's description |
endpoint_configuration_types | jsonb | | The endpoint configuration of this RestApi showing the endpoint types of the API |
endpoint_configuration_vpc_endpoint_ids | jsonb | | The endpoint configuration of this RestApi showing the endpoint types of the API |
minimum_compression_size | bigint | | A nullable integer that is used to enable compression (with non-negative between 0 and 10485760 (10M) bytes, inclusive) or disable compression (with a null value) on an API. When compression is enabled, compression or decompression is not applied on the payload if the payload size is smaller than this value |
name | text | | The API's name |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
policy | jsonb | | A stringified JSON policy document that applies to this RestApi regardless of the caller and Method configuration |
policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
region | text | | The AWS Region in which the resource is located. |
root_resource_id | text | | The API's root resource ID. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
version | text | | A version identifier for the API |
warnings | jsonb | | The warning messages reported when failonwarnings is turned on during API import |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_api_gateway_rest_api