Rule: API Gateway Stage Cache Encryption at Rest Should be Enabled

This rule ensures encryption at rest is enabled for API Gateway stage cache to enhance security measures.

Rule: API Gateway stage cache encryption at rest should be enabled
Framework: GxP EU Annex 11
Severity: Medium

API Gateway Stage Cache Encryption at Rest for GxP EU Annex 11 Compliance

Overview

Ensuring that the API Gateway stage cache is encrypted at rest is essential for meeting GxP EU Annex 11 compliance. This regulation governs the security and integrity of electronic records and requires that data be protected against unauthorized access. Enabling encryption at rest protects sensitive information by encrypting it so that it is unreadable to anyone without the key. In AWS API Gateway, this entails utilizing encryption features to secure the cache data.

Detailed Rule Description

For GxP EU Annex 11 compliance, every stage in an API Gateway deployment must have cache encryption at rest enabled. This means that any temporary data stored in the API Gateway cache must be encrypted using industry-standard encryption methods.

AWS uses AWS Key Management Service (AWS KMS) for this purpose, which provides managed keys for encryption. You need to ensure that the cache encryption at rest feature is enabled for each stage of your API Gateway with an appropriate AWS KMS key.

Troubleshooting Steps

If your API Gateway stage cache is not currently encrypted, you should check the following:

  1. Determine if cache encryption is enabled for your API Gateway stages.
  2. Verify that an appropriate KMS key is being used for the encryption.
  3. Ensure that IAM roles and policies grant the necessary permissions to use the KMS key.

Step by Step Guide for Remediation

Enable Cache Encryption Using AWS Management Console

  1. Sign in to the AWS Management Console.
  2. Navigate to the API Gateway Console.
  3. Select the API from the list of APIs.
  4. Choose the Stages section on the left panel.
  5. Click on the name of the stage you want to configure.
  6. Under the Cache Settings section, find Cache Encryption.
  7. Select Enable Encryption.
  8. Choose an existing AWS KMS key from the dropdown menu or create a new one.
  9. Save your changes.

Enable Cache Encryption Using AWS CLI

For enabling cache encryption at rest through the AWS Command Line Interface (CLI), use the following command:

# All patch operations belong in a single --patch-operations list (repeating the
# option keeps only the last value). Cached data is encrypted per method, so the
# stage-wide path is /*/*/caching/dataEncrypted.
aws apigateway update-stage \
    --rest-api-id <api-id> \
    --stage-name <stage-name> \
    --patch-operations \
        op='replace',path='/cacheClusterEnabled',value='true' \
        op='replace',path='/cacheClusterSize',value='<size-in-gb>' \
        op='replace',path='/*/*/caching/dataEncrypted',value='true' \
    --region <aws-region>

Replace <api-id>, <stage-name>, <size-in-gb>, and <aws-region> with your specific API ID, stage name, desired cache size, and AWS region respectively.
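The following Python is an added example (not Cloud Defense's or AWS's own code) that performs the first troubleshooting step above, checking whether each stage's cache data is encrypted, and builds the patch operation the CLI remediation uses. It runs against a constructed sample shaped like the API Gateway get_stages response; as an assumption of this example, a stage whose cache cluster is on but which has no method settings is reported as unencrypted, since nothing in it asserts encryption.

```python
"""Audit API Gateway REST stages for cache data stored unencrypted (added example)."""

# Constructed sample shaped like the API Gateway `get_stages` response; not real account data.
# Method-setting keys are "{resource_path}/{http_method}" with "/" escaped as "~1".
SAMPLE_STAGES = {"item": [
    {"stageName": "prod", "cacheClusterEnabled": True, "cacheClusterSize": "0.5",
     "methodSettings": {"*/*": {"cachingEnabled": True, "cacheDataEncrypted": True}}},
    {"stageName": "staging", "cacheClusterEnabled": True, "cacheClusterSize": "0.5",
     "methodSettings": {"*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
                        "~1pets/GET": {"cachingEnabled": True, "cacheDataEncrypted": False}}},
    {"stageName": "dev", "cacheClusterEnabled": True, "cacheClusterSize": "0.5",
     "methodSettings": {}},
    {"stageName": "test", "cacheClusterEnabled": False, "methodSettings": {}},
]}


def unencrypted_cache_paths(stage):
    """Return the method-setting keys of a stage that cache responses without encryption.

    Assumption (conservative): a stage with the cache cluster on but no method
    settings is reported under '*/*', because no setting guarantees encryption.
    """
    if not stage.get("cacheClusterEnabled"):
        return []  # no stage cache, so nothing is stored at rest
    settings = stage.get("methodSettings") or {}
    if not settings:
        return ["*/*"]
    return sorted(key for key, s in settings.items()
                  if s.get("cachingEnabled") and not s.get("cacheDataEncrypted"))


def find_noncompliant_stages(get_stages_response):
    """Map stage name -> offending method-setting keys; compliant stages are omitted."""
    findings = {}
    for stage in get_stages_response.get("item", []):
        paths = unencrypted_cache_paths(stage)
        if paths:
            findings[stage["stageName"]] = paths
    return findings


def encryption_patch_operations():
    """Patch operations for update_stage that encrypt cached data for every method."""
    return [{"op": "replace", "path": "/*/*/caching/dataEncrypted", "value": "true"}]


if __name__ == "__main__":
    print(find_noncompliant_stages(SAMPLE_STAGES))  # {'staging': ['~1pets/GET'], 'dev': ['*/*']}
```

To audit a real API, feed the output of boto3's apigateway get_stages(restApiId=...) in place of SAMPLE_STAGES and pass encryption_patch_operations() as patchOperations to update_stage for each flagged stage.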

Necessary AWS IAM Permissions

Ensure that IAM policies for API Gateway include the following permissions to manage cache encryption:

  • apigateway:GET
  • apigateway:PATCH
  • kms:ListKeys
  • kms:CreateKey
  • kms:DescribeKey

Additionally, the role performing the updates will need access to KMS actions such as kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.

By following these guidelines and ensuring that the stage cache for API Gateway is properly encrypted, you will be able to comply with the GxP EU Annex 11 requirements for data security. Remember, maintaining compliance is an ongoing process and requires regular reviews and updates to your security practices.
