🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢

• Contextual name: 🛡️ REST API Stage is not configured to use an SSL certificate for authentication🟢
• ID: /ce/ca/aws/apigateway/rest-api-stage-ssl-certificate
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS API Gateway Stage
  • 🔌 AWS API Gateway API - object.extracts.yaml
  • 🔌 AWS API Gateway Method - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Internal: dec-x-d9d39f21

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-d9d39f21	1

Description

Open File

Description

API Gateway REST API stages should be configured with SSL certificates to ensure secure communication between API Gateway and backend systems. This configuration ensures that requests originating from API Gateway are authenticated, allowing backend systems to trust that the requests come from API Gateway and not unauthorized sources. SSL certificates encrypt communication between these components, adding a layer of security and ensuring integrity.

Rationale

Configuring SSL certificates for API Gateway REST API stages addresses several important security concerns. It allows backend systems to authenticate the source of incoming requests, ensuring that only trusted entities are interacting with the system. This prevents potential man-in-the-middle attacks and unauthorized access, which could otherwise compromise the confidentiality and integrity of the data being transmitted.

Audit

This policy marks an API Gateway Stage as INCOMPLIANT if an SSL Certificate is not configured. This is identified when the Client Certificate field is empty or the associated certificate has been deleted from the CMDB.

... see more

Remediation

Open File

Remediation

Note: Some backend servers may not support SSL client authentication as API Gateway does, which can result in an SSL certificate error.

From Command Line

Generate a client certificate

aws apigateway generate-client-certificate --description "Client certificate for secure API communication"

This command returns Client Certificate Id and the PEM-encoded public key of the newly generated client certificate. Save the PEM for configuring a backend HTTPS server.

The client certificate generated by API Gateway is valid for 365 days. To prevent API downtime, rotate the certificate before it expires on an API Gateway Stage.

Configure an API to Use SSL Certificates

To associate the generated client certificate with a specific API stage, update the stage settings:

aws apigateway update-stage \
--rest-api-id {{rest-api-id}} \
--stage-name {{stage-name}} \
--patch-operations op=replace,path=/clientCertificateId,value={{client-certificate-id}}

Replace {{rest-api-id}}, {{stage-name}}, and {{client-certificate-id}} with the appropriate values.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication"		1	1		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	13		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21		no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys			10		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		15		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data
💼 UK Cyber Essentials → 💼 1.3 Block unauthenticated inbound connections by default		2	3		no data