New rule: warn on duplicate execute-api Interface VPC Endpoints with Private DNS enabled in same VPC #4352

@armandofcom

Description

Is this feature request related to a new rule or cfn-lint capabilities?

rules

Describe the feature you'd like to request

We would like a new best-practice warning rule in cfn-lint to detect duplicate Interface VPC Endpoints for the execute-api service in the same VPC when Private DNS is enabled, as this can cause DNS ambiguity and production outages for API Gateway Private APIs.

Problem: If a CloudFormation/CDK template defines multiple AWS::EC2::VPCEndpoint resources with:
• VpcEndpointType: Interface
• ServiceName: com.amazonaws.${AWS::Region}.execute-api (or hard-coded region equivalent)
• PrivateDnsEnabled: true
• the same VpcId

then DNS resolution for *.execute-api..amazonaws.com inside the VPC may become non-deterministic (resolve to either VPCE). If API Gateway Private API resource policies restrict access to a specific VPCE via aws:SourceVpce, requests routed via the “other” endpoint can fail (403/authorizer failures).

This happened in production: a deployment created a second execute-api VPCE in the same VPC (same subnets/AZs), and traffic intermittently failed until we removed the duplicate endpoint.

Ask: Add a warning to surface this risk at lint time.

Describe the solution you'd like

Implement a new rule (Warning severity) that:
1. Parses all AWS::EC2::VPCEndpoint resources in the template
2. Filters to interface endpoints where PrivateDnsEnabled is true and ServiceName matches execute-api:
• com.amazonaws.${AWS::Region}.execute-api
• com.amazonaws..execute-api (hard-coded)
3. Groups by VpcId
4. If count > 1 per VPC, emit a warning similar to:

Message example:
“Multiple execute-api Interface VPC Endpoints with Private DNS enabled detected in the same VPC. This may cause DNS ambiguity for *.execute-api..amazonaws.com and break API Gateway Private API policies that restrict by aws:SourceVpce. Consider using a single endpoint or disabling Private DNS on duplicates.”
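A self-contained sketch of the check in steps 1 to 4, added here as an illustration and not the proposed cfn-lint rule itself. It assumes the template has already been loaded into a Python dict (as from `json.load` or a YAML loader), resolves `ServiceName` only when it is a plain string or a single-string `Fn::Sub`, and groups endpoints by the serialised `VpcId` value so `{"Ref": ...}` intrinsics compare by identity; the sample template is constructed.

```python
import json
import re
# Matches both "com.amazonaws.${AWS::Region}.execute-api" and a hard-coded region.
EXECUTE_API_RE = re.compile(r"^com\.amazonaws\.(\$\{AWS::Region\}|[a-z0-9-]+)\.execute-api$")
WARNING = ("Multiple execute-api Interface VPC Endpoints with Private DNS enabled in the "
           "same VPC {vpc}: {names}. Use a single endpoint or disable Private DNS on duplicates.")

def _service_name(value):
    # Accept a plain string or a single-string Fn::Sub; other intrinsics stay unresolved.
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        return value["Fn::Sub"]
    return value if isinstance(value, str) else None

def find_duplicate_execute_api_endpoints(template):
    """Return {vpc_key: [logical ids]} for every VPC with more than one matching endpoint."""
    groups = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::VPCEndpoint":
            continue
        props = res.get("Properties", {})
        dns = props.get("PrivateDnsEnabled")
        service = _service_name(props.get("ServiceName"))
        if props.get("VpcEndpointType") != "Interface":  # omitted means Gateway
            continue
        if dns is not True and str(dns).lower() != "true":
            continue
        if not service or not EXECUTE_API_RE.match(service):
            continue
        # VpcId is usually {"Ref": ...}; serialise it so intrinsics group by identity.
        vpc_key = json.dumps(props.get("VpcId"), sort_keys=True)
        groups.setdefault(vpc_key, []).append(name)
    return {vpc: sorted(ids) for vpc, ids in groups.items() if len(ids) > 1}

def warnings_for(template):
    return [WARNING.format(vpc=vpc, names=", ".join(ids))
            for vpc, ids in find_duplicate_execute_api_endpoints(template).items()]

def _vpce(vpc, service, dns=True):
    return {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcEndpointType": "Interface", "PrivateDnsEnabled": dns,
        "ServiceName": service, "VpcId": {"Ref": vpc}}}

# Constructed sample: VpcA has two live execute-api endpoints, one with Private DNS off
# and an unrelated s3 endpoint; VpcB has a single execute-api endpoint (no warning).
SAMPLE = {"Resources": {
    "ApiA1": _vpce("VpcA", {"Fn::Sub": "com.amazonaws.${AWS::Region}.execute-api"}),
    "ApiA2": _vpce("VpcA", "com.amazonaws.us-east-1.execute-api", dns="true"),
    "ApiA3": _vpce("VpcA", "com.amazonaws.us-east-1.execute-api", dns=False),
    "ApiB": _vpce("VpcB", "com.amazonaws.us-east-1.execute-api"),
    "S3A": _vpce("VpcA", "com.amazonaws.us-east-1.s3"),
}}
```

Running `warnings_for(SAMPLE)` yields exactly one warning, naming ApiA1 and ApiA2 in VpcA; ApiA3 is ignored because Private DNS is off, matching the acceptance criteria below.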

Additional context

Why this matters: This is an easy mistake to introduce via CDK/CloudFormation (e.g., multiple stacks creating the same execute-api VPCE). It can cause production outages that are hard to diagnose because failures may be intermittent.

Workarounds used:
• Keep only one execute-api interface endpoint with Private DNS enabled per VPC
• Or disable Private DNS on duplicates and use VPCE-specific DNS
• Or update API Gateway resource policies to allow multiple aws:SourceVpce values

Acceptance criteria:
• cfn-lint warns when >1 execute-api interface endpoint with Private DNS enabled exists in the same VPC in a template
• No warning when:
  • only one exists, or
  • PrivateDnsEnabled is false on duplicates, or
  • the service is not execute-api

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • ⚠️ This feature might incur a breaking change
