Rule: API Gateway Stage Cache Encryption at Rest Enabled

This rule ensures encryption at rest is enabled for API Gateway stage cache.

Rule: API Gateway stage cache encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

API Gateway Stage Cache Encryption at Rest for NIST 800-53 Revision 5

Description

Enabling the API Gateway stage cache encryption at rest feature ensures that the data stored in the cache is encrypted, providing an additional layer of security as per the NIST 800-53 Revision 5 guidelines.

When the stage cache encryption at rest is enabled, the cache data is stored in an encrypted format on the underlying storage medium. This prevents unauthorized access to the cache data and helps in maintaining the confidentiality and integrity of the cached information.

Troubleshooting Steps

If you face any issues while enabling the API Gateway stage cache encryption at rest, perform the following troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the user or role attempting to enable the cache encryption has the necessary permissions to modify the API Gateway stage settings. Check the AWS Identity and Access Management (IAM) policies associated with the user or role.

  2. Clear Cache and Retry: If you encounter any errors during the encryption process, clear the existing cache held by the API Gateway stage and try enabling cache encryption again. This will ensure that there are no conflicts or corruption in the cache data.

  3. Check KMS Key Configuration: Ensure that the Key Management Service (KMS) key used for encrypting the cache data is correctly configured and has the appropriate access policies. Verify that the KMS key has the necessary permissions to encrypt and decrypt data.

  4. Review API Gateway Logs: If the issue persists, review the API Gateway logs for any error messages related to the cache encryption feature. These logs can provide insights into specific issues that may be causing the problem.

Necessary Code

No specific code is required to enable API Gateway stage cache encryption at rest. The feature can be enabled through the AWS Management Console or with AWS Command Line Interface (CLI) commands.

Step-by-Step Guide

Enabling API Gateway Stage Cache Encryption at Rest

  1. Open the AWS Management Console and navigate to the API Gateway service.

  2. Select the desired API Gateway that contains the stage for which you want to enable cache encryption.

  3. In the left navigation pane, click on "Stages."

  4. Select the stage for which you want to enable cache encryption.

  5. Under the "Settings" tab, locate the "Cache" section.

  6. Enable the "Cache Encryption at Rest" option.

  7. Choose a Key Management Service (KMS) key from the drop-down menu. This key will be used to encrypt the cache data. If you don't have a KMS key already, you can create one within the AWS Management Console.

  8. Click "Save" to enable stage cache encryption at rest.

Verification

To verify that the API Gateway stage cache encryption at rest is enabled successfully, follow these steps:

  1. Open the AWS Management Console and navigate to the API Gateway service.

  2. Select the relevant API Gateway containing the stage for which you enabled the cache encryption.

  3. In the left navigation pane, click on "Stages."

  4. Select the desired stage for which you enabled cache encryption.

  5. Under the "Settings" tab, verify that the "Cache Encryption at Rest" option is enabled.

If the option is enabled, the cache data for the selected stage is encrypted at rest.
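The same verification can be run against a stage's JSON description rather than the console. The following is an added example, not code from this page or from AWS: it assumes the stage was exported with `aws apigateway get-stage`, uses a constructed sample, and treats a method as a finding when `cachingEnabled` is true and `cacheDataEncrypted` is false. The function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws apigateway get-stage` output (not real data).
SAMPLE_STAGE = json.loads("""
{
  "stageName": "prod",
  "cacheClusterEnabled": true,
  "methodSettings": {
    "*/*": {"cachingEnabled": true, "cacheDataEncrypted": true},
    "~1orders/GET": {"cachingEnabled": true, "cacheDataEncrypted": false},
    "~1health/GET": {"cachingEnabled": false, "cacheDataEncrypted": false}
  }
}
""")


def unencrypted_cached_methods(stage):
    """Return method-setting keys that cache responses without encryption."""
    if not stage.get("cacheClusterEnabled", False):
        return []  # no cache cluster, so nothing is stored at rest
    return sorted(
        key for key, s in stage.get("methodSettings", {}).items()
        if s.get("cachingEnabled") and not s.get("cacheDataEncrypted")
    )


def remediation_patch(keys):
    """Build update-stage patch operations that turn encryption on."""
    return [
        {"op": "replace", "path": f"/{k}/caching/dataEncrypted", "value": "true"}
        for k in keys
    ]


def evaluate(stage):
    """Summarise compliance and the patch needed to fix each finding."""
    findings = unencrypted_cached_methods(stage)
    return {
        "stage": stage.get("stageName"),
        "compliant": not findings,
        "findings": findings,
        "patch": remediation_patch(findings),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_STAGE), indent=2))
```

The `patch` list matches the shape accepted by `aws apigateway update-stage --patch-operations`, so each finding maps directly to its fix.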

Note: Enabling cache encryption at rest may incur additional costs for using the Key Management Service (KMS). Ensure that you are aware of any potential cost implications before enabling this feature.
