This rule ensures API Gateway stage cache encryption at rest is enabled.
| Rule | API Gateway stage cache encryption at rest should be enabled |
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
Rule Description:
The API Gateway stage cache encryption at rest rule states that the data stored in the cache of the API Gateway stage should be encrypted at rest. This ensures that sensitive information stored in the cache remains secure and unreadable to unauthorized users.
Policy Explanation:
Enabling encryption at rest for the API Gateway stage cache adds an additional layer of security to protect sensitive data. Encrypting the cache ensures that even if someone gains unauthorized access to the underlying storage medium, they will not be able to read the stored information without the encryption key.
Troubleshooting Steps:
If you encounter any issues related to API Gateway stage cache encryption at rest, consider following these steps for troubleshooting:
Double-check the encryption settings: Verify that the encryption at rest configuration is correctly set up for the API Gateway stage cache. Ensure you have selected a strong encryption algorithm and have provided the necessary encryption key.
Check IAM permissions: Ensure that the AWS Identity and Access Management (IAM) policies associated with the API Gateway stage cache allow the necessary permissions for encryption. Make sure that the IAM role or user has the required encryption-related permissions.
Review CloudTrail logs: If you suspect any issues with the encryption at rest configuration, examine the AWS CloudTrail logs related to the API Gateway stage cache. Look for any error messages or irregularities that might indicate the cause of the problem.
Test with a known cache item: Create a test item and store it in the API Gateway stage cache. Retrieve the item and verify if it is properly encrypted. If not, there might be an issue with the configuration or encryption settings.
Remediation:
Follow the steps below to remediate the API Gateway stage cache encryption at rest issue:
Identify the API Gateway stage: Identify the specific API Gateway stage for which you need to enable encryption at rest for the cache.
Open API Gateway console: Go to the AWS Management Console and navigate to the API Gateway service.
Select the API Gateway stage: Choose the relevant API Gateway API and select the desired stage.
Configure cache encryption at rest: In the stage settings, locate the cache configuration section and enable encryption at rest for the cache. Specify the encryption algorithm and provide the encryption key. Ensure the encryption key is stored securely and follow AWS best practices for managing encryption keys.
Test cache encryption: Perform tests to ensure that the data stored in the cache is now encrypted at rest. Store a test item in the cache and confirm that it is properly encrypted and unreadable without the encryption key.
CLI Command:
The API Gateway stage cache encryption at rest configuration can also be done using the AWS Command Line Interface (CLI). Follow the steps below:
$ aws apigateway update-stage \
    --rest-api-id <rest-api-id> \
    --stage-name <stage-name> \
    --patch-operations \
        'op=replace,path=/cacheClusterEnabled,value=true' \
        'op=replace,path=/cacheClusterSize,value=1.6' \
        'op=replace,path=/*/*/caching/enabled,value=true' \
        'op=replace,path=/*/*/caching/dataEncrypted,value=true'
Replace <rest-api-id> with the ID of the API Gateway REST API you want to configure, and <stage-name> with the name of the API Gateway stage you want to update. The first two patch operations provision the stage cache (1.6 GB in this example), the /*/*/caching/enabled operation turns caching on for every resource and method in the stage, and /*/*/caching/dataEncrypted is the setting this rule checks: it encrypts the cached responses at rest. All operations belong to a single --patch-operations argument; repeating the option would discard the earlier entries. Adjust other options as per your requirements.
Note: The above CLI command assumes the AWS CLI is installed and properly configured on your machine.
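The "double-check the encryption settings" troubleshooting step and the post-remediation test both come down to reading the stage's method settings. The check below is an added example written for this page, not code from the rule's vendor or from AWS. It evaluates stage descriptions in the shape returned by aws apigateway get-stage (or boto3's get_stage) and flags any method setting that caches responses without cacheDataEncrypted set. The sample stage documents embedded in it are constructed, and treating a cache cluster that has no caching method settings as a finding to verify is this example's own conservative choice rather than something the rule text specifies.

```python
"""Evaluate API Gateway stage descriptions for cache encryption at rest.

Added example for this page (not vendor or AWS code). It works on the JSON
that `aws apigateway get-stage` returns, so it runs offline against the
constructed sample documents below.
"""
import json

# Constructed sample stage descriptions shaped like `get-stage` output.
# methodSettings keys are "{resourcePath}/{httpMethod}", with "/" inside the
# resource path escaped as "~1"; "*/*" is the stage-wide wildcard entry.
SAMPLE_STAGES = {
    "prod-compliant": {
        "stageName": "prod",
        "cacheClusterEnabled": True,
        "cacheClusterSize": "1.6",
        "methodSettings": {
            "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True,
                    "cacheTtlInSeconds": 300},
        },
    },
    "prod-unencrypted": {
        "stageName": "prod",
        "cacheClusterEnabled": True,
        "cacheClusterSize": "1.6",
        "methodSettings": {
            "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True,
                    "cacheTtlInSeconds": 300},
            # A per-method override that turns encryption back off for one route.
            "~1orders/GET": {"cachingEnabled": True, "cacheDataEncrypted": False,
                             "cacheTtlInSeconds": 60},
        },
    },
    "dev-no-cache": {
        "stageName": "dev",
        "cacheClusterEnabled": False,
        "methodSettings": {},
    },
    "prod-cluster-only": {
        "stageName": "prod",
        "cacheClusterEnabled": True,
        "cacheClusterSize": "0.5",
        "methodSettings": {},
    },
}


def evaluate_stage(stage: dict) -> list:
    """Return a list of finding strings; an empty list means compliant.

    A stage only holds cached data when its cache cluster is enabled, so stages
    without a cluster pass. For stages with a cluster, every method setting that
    has caching on must also have cacheDataEncrypted set to true.
    """
    findings = []
    if not stage.get("cacheClusterEnabled", False):
        return findings  # nothing is cached, so there is nothing to encrypt
    method_settings = stage.get("methodSettings") or {}
    caching_methods = 0
    for key, settings in method_settings.items():
        if not settings.get("cachingEnabled", False):
            continue
        caching_methods += 1
        if settings.get("cacheDataEncrypted") is not True:
            findings.append(f"{key}: caching enabled but cacheDataEncrypted is not true")
    if caching_methods == 0:
        # Conservative choice of this example: a provisioned cluster with no
        # caching method settings is reported so an operator verifies the */* entry.
        findings.append("cache cluster enabled but no method setting has caching "
                        "configured; verify the */* settings")
    return findings


def evaluate_all(stages: dict) -> dict:
    """Evaluate a mapping of label -> stage description."""
    return {name: evaluate_stage(stage) for name, stage in stages.items()}


def evaluate_json(text: str) -> list:
    """Evaluate a raw `aws apigateway get-stage` JSON document."""
    return evaluate_stage(json.loads(text))


if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_STAGES).items():
        print(("FAIL" if findings else "PASS"), name)
        for finding in findings:
            print("   -", finding)
```

To run it against a real stage, save the output of aws apigateway get-stage --rest-api-id <rest-api-id> --stage-name <stage-name> to a file and pass its contents to evaluate_json. The check walks every methodSettings entry rather than only the */* wildcard because a per-method entry such as ~1orders/GET can override the stage-wide setting and silently re-disable encryption for one route.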
By following these steps to enable API Gateway stage cache encryption at rest, you can ensure that sensitive data stored in the cache remains protected from unauthorized access.