
Rule: API Gateway stage should use SSL certificate

This rule ensures that API Gateway stages use SSL certificates to secure communication.

Rule: API Gateway stage should use SSL certificate
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule Description

The API Gateway stage should use an SSL certificate that is compliant with the FedRAMP Moderate Revision 4 security standards. This ensures that communications between the client and the API are encrypted and secure.

Troubleshooting Steps

If the API Gateway stage is not using an SSL certificate that complies with FedRAMP Moderate Revision 4, follow these troubleshooting steps:

  1. Check the current SSL certificate configuration for the API Gateway stage.
  2. Verify that the SSL certificate is valid and up-to-date.
  3. Ensure that the SSL certificate meets the FedRAMP Moderate Revision 4 requirements.
  4. If the SSL certificate is not compliant, proceed to the remediation steps.
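
One way to run the first two checks across every stage of an API, as an added example that is not part of the original page: the Python below audits saved output of aws apigateway get-stages and aws apigateway get-client-certificates, assuming the rule is evaluated on each stage's clientCertificateId field. The sample JSON, the certificate IDs and the 30-day warning window are constructed for illustration, and timestamps are assumed to be ISO 8601 with a UTC offset.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: output of `aws apigateway get-stages --rest-api-id <rest-api-id>`
STAGES_JSON = """{"item": [
  {"stageName": "prod", "clientCertificateId": "a1b2c3"},
  {"stageName": "staging", "clientCertificateId": "d4e5f6"},
  {"stageName": "dev"},
  {"stageName": "qa", "clientCertificateId": "zzz999"}
]}"""

# Constructed sample: output of `aws apigateway get-client-certificates`
CERTS_JSON = """{"items": [
  {"clientCertificateId": "a1b2c3", "expirationDate": "2026-03-01T00:00:00+00:00"},
  {"clientCertificateId": "d4e5f6", "expirationDate": "2025-01-20T00:00:00+00:00"}
]}"""

def audit_stages(stages_json, certs_json, now, warn_days=30):
    """Map each stage name to a PASS / WARN / FAIL finding for its certificate."""
    # Index certificate expiry by ID so each stage lookup is a dict access.
    expiry = {c["clientCertificateId"]: datetime.fromisoformat(c["expirationDate"])
              for c in json.loads(certs_json).get("items", [])}
    findings = {}
    for stage in json.loads(stages_json).get("item", []):
        name, cert_id = stage["stageName"], stage.get("clientCertificateId")
        if not cert_id:
            # The field is simply absent when no certificate is attached.
            findings[name] = "FAIL: no SSL certificate on stage"
        elif cert_id not in expiry:
            # Stage points at a certificate that is not in the account's list.
            findings[name] = "FAIL: certificate %s not found" % cert_id
        elif expiry[cert_id] <= now:
            findings[name] = "FAIL: certificate %s expired" % cert_id
        elif expiry[cert_id] - now <= timedelta(days=warn_days):
            findings[name] = "WARN: certificate %s expires soon" % cert_id
        else:
            findings[name] = "PASS"
    return findings

if __name__ == "__main__":
    # Fixed clock so the constructed sample gives the same result on every run.
    sample_now = datetime(2025, 1, 10, tzinfo=timezone.utc)
    for stage_name, finding in audit_stages(STAGES_JSON, CERTS_JSON, sample_now).items():
        print(stage_name, "->", finding)
```

In real use, pass datetime.now(timezone.utc) as now and feed the function the JSON captured from the two CLI calls.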

Remediation Steps

To remediate the issue and ensure that the API Gateway stage uses an SSL certificate compliant with FedRAMP Moderate Revision 4, follow these steps:

Step 1: Generate or Obtain a FedRAMP-compliant SSL Certificate

  1. Determine if you need to generate a new SSL certificate or obtain one from a trusted Certificate Authority (CA). If you already have an SSL certificate that meets the requirements, skip to Step 2.
  2. If generating a new SSL certificate, consider using a CA that is recognized by the Federal PKI (Public Key Infrastructure) or FedRAMP-approved CAs.
  3. Generate a certificate signing request (CSR) with the necessary details (e.g., Common Name, Subject Alternative Names).
  4. Submit the CSR to the chosen CA and follow their instructions to obtain a FedRAMP-compliant SSL certificate.

Step 2: Upload the SSL Certificate to the API Gateway Stage

  1. Log in to the API Gateway console or use the AWS CLI.
  2. Navigate to the specific API Gateway stage that needs the SSL certificate update.
  3. From the stage settings or configuration options, locate the SSL certificate section.
  4. Upload the newly obtained FedRAMP-compliant SSL certificate to the API Gateway stage.
  5. Validate the SSL certificate to ensure it is correctly installed and configured.

Step 3: Test SSL Certificate Integration

  1. Make a test request to the API Gateway stage using the HTTPS protocol.
  2. Ensure that the request is successfully processed and that communication is established over SSL.
  3. Check the SSL certificate details in the response to verify that it meets the FedRAMP Moderate Revision 4 requirements.
  4. If the test fails or the SSL certificate does not comply, revisit the previous steps to ensure proper configuration and installation.

Code Example

If you are using the AWS CLI, you can use the following command to update the SSL certificate for a specific stage:

aws apigateway update-stage \
  --rest-api-id <rest-api-id> \
  --stage-name <stage-name> \
  --patch-operations op="replace",path="/clientCertificateId",value="<client-certificate-id>"

Replace <rest-api-id> with the ID of your API Gateway, <stage-name> with the name of the stage, and <client-certificate-id> with the ID of the SSL certificate to attach to the stage. The stage-level certificate setting is clientCertificateId; the certificate ARN of a custom domain name is not a stage property and cannot be changed through update-stage.

Note: Ensure you have the necessary permissions to execute this command.

Conclusion

By following the above troubleshooting and remediation steps, you can ensure that your API Gateway stage uses an SSL certificate compliant with the FedRAMP Moderate Revision 4 security standards. This enhances the security of the communication between the client and the API, protecting sensitive data and meeting regulatory requirements.
