
Rule: API Gateway Stage Should Use SSL Certificate

This rule ensures that API Gateway stages are secured by using SSL certificates.

Rule: API Gateway stage should use SSL certificate
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

The API Gateway stage should be configured to use an SSL (Secure Sockets Layer) certificate that complies with the requirements specified in NIST (National Institute of Standards and Technology) 800-53 Revision 5. SSL certificates provide secure communication between clients and servers by encrypting the data transmitted over the network. Adhering to NIST 800-53 Revision 5 ensures that the SSL certificate meets the necessary security standards.

Troubleshooting Steps:

If SSL certificate configuration issues arise, follow these troubleshooting steps:

  1. Invalid or Expired Certificate:
     • Check the validity of the SSL certificate associated with the API Gateway stage.
     • Ensure the SSL certificate has not expired.
     • Obtain a valid SSL certificate if the existing one is invalid or expired.
  2. Incorrect Certificate Configuration:
     • Verify the correct SSL certificate is configured for the API Gateway stage.
     • Check that the certificate's common name matches the domain name configured for the stage.
  3. Certificate Chain Issues:
     • Ensure the SSL certificate chain is properly configured.
     • Validate that the SSL certificate chain includes all necessary intermediate and root certificates.
  4. Revoked Certificate:
     • Verify that the SSL certificate has not been revoked by the issuing authority.
  5. Inadequate Key Length:
     • Verify that the SSL certificate's key length meets the security requirements specified in NIST 800-53 Revision 5.
     • Generate a new SSL certificate with a suitable key length if it does not meet the requirements.

Code/Configurations:

  1. Provisioning an SSL Certificate:
     • Use a trusted certificate authority or internal PKI infrastructure to issue an SSL certificate.
     • Follow the certificate issuing process provided by the certificate authority or internal PKI infrastructure.
     • Ensure that the certificate's key length and encryption algorithm comply with NIST 800-53 Revision 5.
  2. Configuring SSL Certificate in API Gateway:
     • Access the API Gateway management console or use the API Gateway command-line interface (CLI).
     • Locate the specific stage configuration for which SSL certificate settings need to be updated.
     • Use the appropriate API Gateway configuration commands to specify the SSL certificate.
     • Provide the necessary SSL certificate details such as the certificate's ARN (Amazon Resource Name) or its identifier.
     • Verify that the SSL certificate you are configuring adheres to the requirements stated in NIST 800-53 Revision 5.

Remediation Steps:

Follow these steps to remediate the API Gateway stage SSL certificate configuration:

  1. Identify the current SSL certificate:
     • Determine which SSL certificate is currently associated with the API Gateway stage.
     • Verify if it meets the SSL certificate requirements specified in NIST 800-53 Revision 5.
  2. Update or obtain a compliant SSL certificate:
     • If the current SSL certificate does not comply with the specified requirements, obtain a new SSL certificate from a trusted certificate authority or your organization's internal PKI infrastructure.
     • Ensure that the new SSL certificate meets the required key length and encryption algorithm as per NIST 800-53 Revision 5.
  3. Update the SSL certificate configuration in API Gateway:
     • Access the API Gateway management console or use the API Gateway CLI.
     • Locate the configuration settings for the relevant API Gateway stage.
     • Use the appropriate commands or UI options to update the SSL certificate settings.
     • Specify the SSL certificate's ARN or identifier.
     • Validate that the SSL certificate chosen meets the requirements outlined in NIST 800-53 Revision 5.
  4. Test the SSL configuration:
     • Perform tests to ensure the SSL certificate is properly installed and configured.
     • Verify that the SSL certificate provides secure communication between clients and the API Gateway stage.
     • Conduct checks for any potential errors or warnings related to the SSL certificate configuration.
  5. Monitor SSL certificate validity:
     • Regularly monitor the SSL certificate's expiration date to avoid potential disruptions.
     • Implement processes to track and renew SSL certificates before they expire.
     • Maintain a record of SSL certificate renewals and ensure compliance with NIST 800-53 Revision 5 for future updates.
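The "identify the current SSL certificate" and "monitor SSL certificate validity" steps above, together with the expiry check in the troubleshooting section, can be scripted against CLI output. The following is an added example, not code from this page or from Cloud Defense's tooling; it assumes the response shapes of the AWS REST API Gateway commands `aws apigateway get-stages` and `aws apigateway get-client-certificate` (where a stage's certificate appears as `clientCertificateId`), and all sample data in it is constructed.

```python
# Added example (not Cloud Defense's code): evaluate API Gateway REST stages
# against the stage-certificate check. Assumes the response shapes of
# `aws apigateway get-stages` and `aws apigateway get-client-certificate`;
# all sample data below is constructed, not captured from a real account.
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws apigateway get-stages --rest-api-id <id>` output.
STAGES = {"item": [
    {"stageName": "prod", "clientCertificateId": "cert-ok"},
    {"stageName": "staging", "clientCertificateId": "cert-soon"},
    {"stageName": "dev"},                       # no certificate configured
    {"stageName": "legacy", "clientCertificateId": "cert-old"},
]}
# Constructed `get-client-certificate` results, keyed by clientCertificateId.
CERTS = {
    "cert-ok":   {"expirationDate": "2025-06-01T00:00:00+00:00"},
    "cert-soon": {"expirationDate": "2024-06-15T00:00:00+00:00"},
    "cert-old":  {"expirationDate": "2024-01-01T00:00:00+00:00"},
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample

def evaluate_stage(stage, certs, now, warn_days=30):
    """Classify one stage: no_certificate, unknown_certificate, expired,
    expiring_soon or ok. Returns (stageName, status, clientCertificateId)."""
    name, cert_id = stage["stageName"], stage.get("clientCertificateId")
    if not cert_id:                      # rule fails outright: nothing attached
        return name, "no_certificate", None
    cert = certs.get(cert_id)
    if cert is None:                     # id references a certificate we cannot see
        return name, "unknown_certificate", cert_id
    remaining = datetime.fromisoformat(cert["expirationDate"]) - now
    if remaining <= timedelta(0):
        return name, "expired", cert_id
    if remaining <= timedelta(days=warn_days):   # renew before it lapses
        return name, "expiring_soon", cert_id
    return name, "ok", cert_id

def evaluate_stages(stages_response, certs, now, warn_days=30):
    """Run evaluate_stage over every stage in a get-stages response."""
    return [evaluate_stage(s, certs, now, warn_days) for s in stages_response["item"]]

def noncompliant(results):
    """Stage names that fail the rule: missing, unresolvable or expired certificate."""
    bad = {"no_certificate", "unknown_certificate", "expired"}
    return [name for name, status, _ in results if status in bad]

if __name__ == "__main__":
    for name, status, cert_id in evaluate_stages(STAGES, CERTS, NOW):
        print(f"{name:8} {status:20} {cert_id or '-'}")
```

Feeding the real command output in place of the constructed dictionaries (and `datetime.now(timezone.utc)` in place of `NOW`) turns this into a periodic check that flags stages before their certificate lapses.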

Note: The specific commands and steps for SSL certificate configuration may vary depending on the API Gateway service provider or platform being used.
