This rule ensures encryption at rest is enabled for API Gateway stage cache to enhance security.
Rule | API Gateway stage cache encryption at rest should be enabled |
Framework | GxP 21 CFR Part 11 |
Severity | ✔ Medium |
Rule Description:
The rule/policy requires enabling encryption at rest for the cache in the API Gateway stage. This applies specifically to environments that need to comply with GxP (Good x Practice) regulations and the requirements outlined in 21 CFR Part 11.
Enabling encryption at rest for the cache ensures that data stored in the cache is protected and encrypted when it is not actively being used. This is essential for maintaining data integrity, confidentiality, and compliance with GxP regulations.
Troubleshooting Steps:
If encryption at rest for the cache in the API Gateway stage is not enabled, the following troubleshooting steps can help resolve the issue:
Verify GxP Compliance Requirements: First, confirm whether your organization needs to comply with GxP regulations, specifically 21 CFR Part 11, for the API Gateway cache.
Check Encryption Configuration: Review the existing configuration of the API Gateway stage cache to determine whether encryption at rest is already enabled.
Evaluate Cache Encryption Options: Assess the available encryption options for the cache in the API Gateway stage. Look for supported encryption mechanisms that comply with GxP regulations and the required encryption standards.
Enable Encryption at Rest: If encryption at rest is not already enabled, apply the necessary configuration changes to enable encryption for the API Gateway stage cache. This may involve modifying the cache settings, encryption algorithms, or integration with appropriate key management systems.
Necessary Code:
If specific code is required to enable encryption at rest for the API Gateway stage cache, follow the recommended steps below:
Identify the Cache Encryption Settings: Check the existing configuration settings for the API Gateway stage cache to determine the encryption-related parameters.
Update the Cache Settings: Modify the cache settings to enable encryption at rest by adding the necessary configuration elements specifying the encryption algorithm and related options. Example code in AWS API Gateway using CloudFormation:
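    Resources:
      MyApiGateway:
        Type: "AWS::ApiGateway::RestApi"
        Properties:
          Name: "MyAPI"
      # Cache settings are properties of the stage, not of the RestApi resource.
      MyApiStage:                       # hypothetical logical ID
        Type: "AWS::ApiGateway::Stage"
        Properties:
          RestApiId: !Ref MyApiGateway
          StageName: "prod"             # placeholder stage name
          CacheClusterEnabled: true
          CacheClusterSize: "0.5"
          MethodSettings:
            - ResourcePath: "/*"        # apply to every method in the stage
              HttpMethod: "*"
              CachingEnabled: true
              CacheDataEncrypted: true  # encryption at rest for cached responses
          ...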
Step-by-Step Remediation Guide:
Follow the step-by-step guide below to enable encryption at rest for the API Gateway stage cache:
Identify GxP Compliance Requirements: Determine whether your organization needs to comply with GxP regulations, specifically 21 CFR Part 11, for the API Gateway cache.
Verify Encryption Status: Check the current cache configuration in the API Gateway stage to see if encryption at rest is already enabled. Ensure that it meets the GxP compliance requirements.
Evaluate Encryption Options: Review the available encryption mechanisms supported by the API Gateway and identify the one that complies with GxP regulations and the required encryption standards.
Update Cache Encryption Configuration: Modify the cache settings for the API Gateway stage to enable encryption at rest. Depending on the cloud provider or API Gateway solution being used, access the appropriate menu or configuration file for the stage cache encryption settings.
Enable Encryption: Enable encryption at rest for the API Gateway stage cache by adding the necessary configuration elements specifying the chosen encryption algorithm and related options.
Save Changes: Save the updated cache configuration settings.
Verify Configuration Changes: Validate the configuration changes to ensure encryption at rest is now enabled for the API Gateway stage cache. This may involve redeploying the API Gateway or restarting the cache cluster.
Test Encryption Functionality: Perform tests to verify that the cache encryption at rest is functioning correctly. Store some data in the cache and confirm that it is encrypted when not actively used.
Note: The steps provided are general guidelines and may vary depending on the specific API Gateway service or solution being used. Please refer to the official documentation or consult the documentation provided by your cloud provider for detailed instructions tailored to your environment.
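The "Check Encryption Configuration" and "Verify Encryption Status" steps can be automated. The following is an added example, not part of the original rule text: it audits stage descriptions shaped like the items returned by the API Gateway GetStages call (for example boto3 `get_stages()["item"]`) and reports every method setting that caches responses without encryption, including per-method overrides that undo an encrypted `*/*` default. The function names and the sample stages are assumptions constructed for illustration.

```python
"""Audit API Gateway stage descriptions for cached data that is not encrypted."""


def unencrypted_cache_methods(stage):
    """Return the method-setting keys that cache responses without encryption."""
    # Design choice in this example: with no cache cluster provisioned,
    # nothing is stored at rest, so the stage is not reported.
    if not stage.get("cacheClusterEnabled", False):
        return []
    return sorted(
        key
        for key, settings in stage.get("methodSettings", {}).items()
        if settings.get("cachingEnabled") and not settings.get("cacheDataEncrypted")
    )


def audit(stages):
    """Map each non-compliant stage name to its offending method-setting keys."""
    findings = {}
    for stage in stages:
        offending = unencrypted_cache_methods(stage)
        if offending:
            findings[stage["stageName"]] = offending
    return findings


# Constructed sample data (not real output); keys and values are illustrative.
SAMPLE_STAGES = [
    {"stageName": "prod", "cacheClusterEnabled": True, "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
        # Per-method override that silently drops encryption.
        "~1reports/GET": {"cachingEnabled": True, "cacheDataEncrypted": False},
    }},
    {"stageName": "staging", "cacheClusterEnabled": True, "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False},
    }},
    {"stageName": "qa", "cacheClusterEnabled": True, "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
    }},
    {"stageName": "dev", "cacheClusterEnabled": False, "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False},
    }},
]

if __name__ == "__main__":
    for name, keys in audit(SAMPLE_STAGES).items():
        print(f"FAIL {name}: unencrypted cache for {', '.join(keys)}")
```

An empty result from `audit()` means every stage with an active cache encrypts what it stores.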