This rule checks that each API Gateway REST API stage has an SSL client certificate configured, so that the backend behind the stage can verify that requests really originate from API Gateway.
Rule | API Gateway stage should use SSL certificate
Framework | NIST 800-53 Revision 5
Severity | Medium
Rule Description
The API Gateway stage must have an SSL client certificate configured to satisfy the NIST 800-53 Revision 5 control this rule maps to. The public HTTPS endpoint of a stage is always encrypted by API Gateway; the certificate this rule looks for is the stage's client certificate, which API Gateway presents to the backend integration on every call. A backend that requires and verifies that certificate can reject traffic from anyone who discovers its URL and tries to bypass the gateway, so the authentication, throttling and logging applied at the stage cannot simply be skipped. The rule reports a stage as non-compliant when its clientCertificateId is empty.
Troubleshooting Steps
If the API Gateway stage does not currently have a client certificate configured, or the backend is not honouring it, work through the steps below:
Ensure a client certificate exists. API Gateway issues these itself; no external certificate authority or vendor is involved. Generate one with `aws apigateway generate-client-certificate --description "Prod backend auth"` (the description is just a label) and note the clientCertificateId in the response.
Verify that the certificate is attached to the stage: `aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage>` must return a non-empty clientCertificateId. A stage with no value here is exactly what this rule flags.
Make sure the certificate has not expired. `aws apigateway get-client-certificate --client-certificate-id <id>` shows its expirationDate. API Gateway client certificates are valid for 365 days, so plan a rotation: generate a new certificate, add its PEM to the backend's trust configuration, then point the stage at the new ID.
Do not expect the certificate's common name (CN) to match your API hostname. This certificate authenticates API Gateway to the backend, not the API endpoint to its callers; hostname or trust warnings seen by callers concern the stage's HTTPS endpoint or custom domain and are outside this rule.
The certificate is self-signed by API Gateway, so there is no chain to complete; the backend must trust it explicitly. Retrieve the PEM from get-client-certificate and configure the backend (load balancer, reverse proxy or application) to require a client certificate on incoming TLS connections and to accept only that certificate.
There is no private key for you to store or install: API Gateway holds it and never exports it. If the backend configuration asks for a key, it is being set up as a TLS client rather than as a server verifying API Gateway's client certificate.
Confirm the integration type supports it. The client certificate is presented only on HTTP and HTTP proxy integrations that call the backend over HTTPS; Lambda and AWS service integrations do not use it, so attaching one to such a stage satisfies the check without changing anything.
Necessary Codes
To attach a client certificate to the stage from infrastructure code, set ClientCertificateId on the stage resource. The following CloudFormation snippet shows where the property goes:
Resources:
  MyApiGatewayStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      # ... other stage properties (RestApiId, DeploymentId) ...
      ClientCertificateId: a1b2c3   # placeholder: the ID of an API Gateway client certificate, not an ACM ARN
Replace the ClientCertificateId value with the ID of the client certificate you want to associate with the stage. This is the short identifier returned by `aws apigateway generate-client-certificate` (or the Ref of an AWS::ApiGateway::ClientCertificate resource in the same template), not an ARN: the property does not accept AWS Certificate Manager (ACM) certificates, which are used for custom domain names rather than for backend authentication.
Step-by-Step Guide for Remediation
Follow these steps to attach a client certificate to the API Gateway stage:
Identify the client certificate to use. If none exists yet, create one from the API Gateway console (Client certificates, then Generate client certificate) or with `aws apigateway generate-client-certificate`, and record its ID.
Access the AWS Management Console and navigate to the Amazon API Gateway service.
Open the REST API containing the stage that needs the certificate.
Under Stages, select the specific stage.
In the stage settings, locate the Client certificate option.
Select the client certificate by its ID. Only certificates generated by API Gateway appear here; certificates held in AWS Certificate Manager (ACM) cannot be used for this setting. The equivalent CLI call is `aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage> --patch-operations op=replace,path=/clientCertificateId,value=<id>`.
Save the stage configuration to apply the changes.
Configure the backend to require a client certificate on incoming connections and to accept only the PEM returned by `aws apigateway get-client-certificate --client-certificate-id <id>`. Without this step the certificate is presented but never checked.
Test in both directions: invoke the stage endpoint over HTTPS and confirm the backend accepts the call, then call the backend directly, bypassing API Gateway, and confirm it is rejected. If the direct call still succeeds, the backend is not verifying the certificate and the control is not actually enforced.
Following these steps attaches and enforces the client certificate for the API Gateway stage, satisfying this rule under the NIST 800-53 Revision 5 framework.
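The check and remediation above, scripted for a whole account, as an added example that is not part of the original rule page. The audit takes any object exposing the boto3 `apigateway` client methods it calls (get_rest_apis, get_stages, get_client_certificate, update_stage), so it runs here against a constructed in-memory fake; the REST API IDs, stage names and certificate IDs in the fake are made up. It goes one step beyond the rule by also flagging stages whose attached certificate has already expired, since API Gateway stops presenting an expired certificate and a verifying backend then starts rejecting calls.

```python
"""Audit and remediate API Gateway REST API stages that lack a client certificate.

Added example, not code from the original page. Pass a real boto3 'apigateway'
client to audit_stages() to run it against an account; FakeApiGateway below is a
constructed stand-in so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class StageFinding:
    rest_api_id: str
    stage_name: str
    client_certificate_id: str | None
    status: str  # "ok", "missing" (nothing attached) or "expired"


def _iter_rest_apis(apigw):
    """Walk get_rest_apis, which pages with a 'position' token rather than NextToken."""
    kwargs = {}
    while True:
        page = apigw.get_rest_apis(**kwargs)
        yield from page.get("items", [])
        position = page.get("position")
        if not position:
            return
        kwargs = {"position": position}


def audit_stages(apigw, now: datetime | None = None) -> list[StageFinding]:
    """One finding per stage: 'missing' is what the rule flags; 'expired' is the
    extra check for a certificate that API Gateway will no longer present."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for api in _iter_rest_apis(apigw):
        # get_stages returns its list under the singular key 'item'
        for stage in apigw.get_stages(restApiId=api["id"]).get("item", []):
            cert_id = stage.get("clientCertificateId")
            if not cert_id:
                status = "missing"
            else:
                cert = apigw.get_client_certificate(clientCertificateId=cert_id)
                status = "expired" if cert["expirationDate"] <= now else "ok"
            findings.append(StageFinding(api["id"], stage["stageName"], cert_id, status))
    return findings


def attach_client_certificate(apigw, finding: StageFinding, cert_id: str) -> None:
    """Same patch operation the CLI sends for
    `aws apigateway update-stage ... --patch-operations op=replace,path=/clientCertificateId,value=<id>`."""
    apigw.update_stage(
        restApiId=finding.rest_api_id,
        stageName=finding.stage_name,
        patchOperations=[{"op": "replace", "path": "/clientCertificateId", "value": cert_id}],
    )


class FakeApiGateway:
    """Constructed stand-in for the boto3 client (IDs below are invented)."""

    def __init__(self):
        now = datetime.now(timezone.utc)
        self.certs = {
            "a1b2c3": now + timedelta(days=200),  # still valid
            "d4e5f6": now - timedelta(days=1),    # expired yesterday
        }
        self.apis = {
            "abc123": [{"stageName": "Prod", "clientCertificateId": "a1b2c3"},
                       {"stageName": "Test"}],                 # nothing attached
            "def456": [{"stageName": "Prod", "clientCertificateId": "d4e5f6"}],
        }

    def get_rest_apis(self, position=None, limit=25):
        return {"items": [{"id": api_id} for api_id in self.apis]}

    def get_stages(self, restApiId):
        return {"item": self.apis[restApiId]}

    def get_client_certificate(self, clientCertificateId):
        return {"clientCertificateId": clientCertificateId,
                "expirationDate": self.certs[clientCertificateId]}

    def update_stage(self, restApiId, stageName, patchOperations):
        for stage in self.apis[restApiId]:
            if stage["stageName"] == stageName:
                for op in patchOperations:
                    if op["op"] == "replace" and op["path"] == "/clientCertificateId":
                        stage["clientCertificateId"] = op["value"]
        return {}


def demo() -> dict[str, dict[str, str]]:
    """Audit the fake account, attach a certificate to each 'missing' stage, re-audit."""
    apigw = FakeApiGateway()
    before = {f"{f.rest_api_id}/{f.stage_name}": f.status for f in audit_stages(apigw)}
    for f in audit_stages(apigw):
        if f.status == "missing":
            attach_client_certificate(apigw, f, "a1b2c3")
    after = {f"{f.rest_api_id}/{f.stage_name}": f.status for f in audit_stages(apigw)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
    # Against a real account: `import boto3` and call audit_stages(boto3.client("apigateway")).
```

Attaching a certificate is the easy half; the script deliberately does nothing about the backend, because that side (requiring the certificate on the load balancer or proxy) lives outside API Gateway and differs per deployment. Run the direct-to-backend test from the remediation steps after any automated fix.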