Rule: API Gateway Stage Should Use SSL Certificate

This rule ensures that API Gateway stages are secured using SSL certificates to protect data in transit.

Rule: API Gateway stage should use an SSL certificate
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description:

This rule requires that the API Gateway stage use an SSL certificate so that client-server communication is secured as expected by CISA Cyber Essentials. SSL (Secure Sockets Layer) is a protocol that provides secure communication over the internet by encrypting the data exchanged between the client (user) and the server.

Troubleshooting Steps:

If the API Gateway stage is not using an SSL certificate, you may encounter the following issues:

  1. Insecure communication: Without an SSL certificate, the data transmitted between the client and the server is not encrypted, making it vulnerable to interception and unauthorized access.
  2. Compliance violations: Not using SSL for CISA Cyber Essentials can violate compliance requirements related to data privacy and security.

To troubleshoot these issues and ensure compliance, follow the steps below:

Step 1: Obtain an SSL Certificate

  1. Purchase or obtain an SSL certificate from a trusted Certificate Authority (CA), or use your organization's internal CA.
  2. Generate a certificate signing request (CSR) for the desired domain or subdomain.

Step 2: Configure API Gateway

  1. Open the AWS Management Console and navigate to the API Gateway service.
  2. Choose the desired API or create a new one.
  3. Select the appropriate stage that needs SSL configuration.
  4. In the Stage Editor, select the "Settings" tab.
  5. Under the "Security" section, select the "Edit" button next to the "TLS/SSL Certificate" option.
  6. Choose "Custom SSL Certificate" and provide the following details:
     • SSL certificate name: Enter the name for the certificate.
     • Certificate body: Paste the contents of the SSL certificate.
     • Private key: Enter the private key associated with the certificate.
     • Certificate chain (optional): If applicable, provide the intermediate certificate chain.
  7. Choose "Save" to apply the SSL certificate to the stage.

Step 3: Verify SSL Configuration

  1. After saving the SSL certificate configuration, it may take some time for the changes to propagate.
  2. Once the changes are applied, you can confirm that SSL is correctly configured by performing the following actions:
     • Access the API Gateway stage using the HTTPS protocol (e.g., https://api.example.com).
     • Verify that the browser shows a secure padlock icon and the connection is encrypted (HTTPS).
     • Confirm that no warning or error messages related to SSL are displayed.
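The browser check above is manual and easy to skip after the next certificate rotation. The script below is an added example, not code from the original page or from Cloud Defense: it performs the same verification from a script so it can run on a schedule, using only the Python standard library. It opens a TLS connection with full chain and hostname verification (what the padlock represents), and reports the negotiated protocol, the certificate subject and issuer, and the days left before expiry; a verification failure (the "SSL-related warning" in a browser) is returned as a finding instead of crashing the run. The hostname api.example.com, the expiry threshold of 30 days and the sample certificate dictionary are assumptions constructed for illustration.

```python
"""Verify that an API Gateway stage endpoint serves a valid TLS certificate.

Added example (not part of the original page). Runs the "Verify SSL
Configuration" step from a script: connect over HTTPS with full chain and
hostname verification and summarize what the endpoint presented.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Hostnames and dates are made up for illustration.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Intermediate CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun 30 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.api.example.com")),
}
# Constructed "current time" so the sample evaluates the same way on every run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _name_to_str(rdn_seq):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (type, value) pairs.
    return ", ".join(f"{k}={v}" for rdn in rdn_seq for k, v in rdn)


def _san_matches(hostname, san):
    """Exact match, or a single-label wildcard match (*.example.com covers api.example.com only)."""
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1].lower() == san[2:].lower()
    return hostname.lower() == san.lower()


def days_until_expiry(not_after, now=None):
    """Whole days remaining before the certificate's notAfter (negative once expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def summarize_cert(cert, hostname, now=None, warn_days=30):
    """Turn a getpeercert() dict into a summary with findings for one endpoint."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    remaining = days_until_expiry(cert["notAfter"], now)
    findings = []
    if remaining < 0:
        findings.append("certificate expired")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining} days")
    if not any(_san_matches(hostname, san) for san in sans):
        findings.append("hostname not covered by subjectAltName")
    return {
        "hostname": hostname,
        "subject": _name_to_str(cert["subject"]),
        "issuer": _name_to_str(cert["issuer"]),
        "not_after": cert["notAfter"],
        "days_remaining": remaining,
        "ok": not findings,
        "findings": findings,
    }


def check_endpoint(hostname, port=443, timeout=5.0):
    """Connect over TLS, verifying chain and hostname against the system CA store.

    Verification and connection errors become findings so a batch of stages can
    be checked in one run and reported together.
    """
    context = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                summary = summarize_cert(tls.getpeercert(), hostname)
                summary["protocol"] = tls.version()
                return summary
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: catch it first
        return {"hostname": hostname, "ok": False,
                "findings": [f"certificate verification failed: {exc.verify_message}"]}
    except (OSError, ssl.SSLError) as exc:
        return {"hostname": hostname, "ok": False, "findings": [f"connection failed: {exc}"]}


def run_sample():
    """Evaluate the constructed sample certificate as of SAMPLE_NOW (no network needed)."""
    return summarize_cert(SAMPLE_PEER_CERT, "api.example.com", SAMPLE_NOW)


if __name__ == "__main__":
    # Usage: python check_stage_tls.py api.example.com [another.host ...]
    for host in sys.argv[1:] or ["api.example.com"]:
        result = check_endpoint(host)
        status = "OK " if result["ok"] else "FAIL"
        print(f"{status} {host}: {result.get('protocol', '-')} {result['findings'] or result['subject']}")
```

Run it against each stage's hostname after the configuration has propagated; a non-empty findings list is the scripted equivalent of a browser warning, and the days_remaining value gives early notice of the expiry that the padlock check cannot.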

Necessary Codes:

There are no specific codes required for this rule. The steps mentioned above explain the configuration process through the AWS Management Console.

Remediation:

To remediate this issue, follow the troubleshooting steps mentioned above to configure SSL for the API Gateway stage. Ensure that a valid SSL certificate is obtained and properly configured for secure communication. Verify the SSL configuration by accessing the API Gateway stage using HTTPS and confirming the absence of any SSL-related warnings or errors.
