This rule ensures that the API Gateway stage uses SSL certificates for secure communication.
| Rule | API Gateway stage should use SSL certificate |
| --- | --- |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description
The rule states that the API Gateway stage should use an SSL certificate that complies with the NIST 800-53 Revision 5 standard. This ensures that all data transmitted between the API Gateway and client applications is securely encrypted, maintaining the confidentiality and integrity of the information.
Troubleshooting Steps
If the API Gateway stage does not use an SSL certificate that meets the NIST 800-53 Revision 5 standard, follow these troubleshooting steps:
Verify SSL Certificate: Check if the SSL certificate used by the API Gateway stage aligns with the NIST 800-53 Revision 5 standard. Ensure that the certificate meets the required encryption level and has not expired.
Determine Compliance Status: Review the API Gateway stage configuration to identify if an SSL certificate is being used. Confirm whether it complies with the NIST 800-53 Revision 5 standard.
Check SSL/TLS Settings: Validate the SSL/TLS settings of the API Gateway stage. Ensure that the appropriate protocols and security ciphers are enabled to meet the NIST 800-53 Revision 5 requirements.
Verify Certificate Chain: Ensure that the SSL certificate used by the API Gateway includes a valid certificate chain. If the certificate chain is incomplete or contains expired certificates, it can cause compliance issues.
Test Connectivity: Perform a connectivity test to verify if client applications can establish a secure connection with the API Gateway stage. Validate that the SSL certificate is correctly configured and functional.
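The "Verify SSL Certificate" and "Determine Compliance Status" checks above can be run offline against the JSON that the AWS CLI returns. This is an added example, not code from the original rule page: it assumes the output shapes of `aws apigateway get-stages` and `aws apigateway get-client-certificate`, flags stages with no client certificate attached as well as stages whose certificate has already expired, and uses constructed sample data in place of real account output.

```python
"""Evaluate API Gateway stages for an attached, unexpired client certificate."""
import json
from datetime import datetime, timezone

# Constructed sample: shape of `aws apigateway get-stages --rest-api-id <id>` output.
GET_STAGES_OUTPUT = json.loads("""
{"item": [
  {"stageName": "prod", "deploymentId": "d1", "clientCertificateId": "cert-prod"},
  {"stageName": "dev",  "deploymentId": "d2"},
  {"stageName": "old",  "deploymentId": "d3", "clientCertificateId": "cert-expired"}
]}
""")

# Constructed sample: shape of `aws apigateway get-client-certificate` output,
# keyed by clientCertificateId (only the fields this check needs are included).
CLIENT_CERTIFICATES = {
    "cert-prod": {"clientCertificateId": "cert-prod",
                  "expirationDate": "2099-01-01T00:00:00+00:00"},
    "cert-expired": {"clientCertificateId": "cert-expired",
                     "expirationDate": "2020-01-01T00:00:00+00:00"},
}


def evaluate_stage(stage, certificates, now=None):
    """Return (status, reason) for one stage; status is 'ok' or 'alarm'."""
    now = now or datetime.now(timezone.utc)
    cert_id = stage.get("clientCertificateId")
    if not cert_id:
        return "alarm", "no client certificate attached"
    cert = certificates.get(cert_id)
    if cert is None:
        return "alarm", f"certificate {cert_id} not found"
    expires = datetime.fromisoformat(cert["expirationDate"])
    if expires <= now:
        return "alarm", f"certificate {cert_id} expired on {expires.date()}"
    return "ok", f"certificate {cert_id} valid until {expires.date()}"


def evaluate_stages(get_stages_output, certificates, now=None):
    """Evaluate every stage in a get-stages result; returns {stageName: (status, reason)}."""
    return {s["stageName"]: evaluate_stage(s, certificates, now)
            for s in get_stages_output["item"]}


if __name__ == "__main__":
    for name, (status, reason) in evaluate_stages(GET_STAGES_OUTPUT, CLIENT_CERTIFICATES).items():
        print(f"{status.upper():5} stage={name}: {reason}")
```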
Necessary Codes
If the API Gateway stage does not have an SSL certificate meeting the NIST 800-53 Revision 5 standard, you may need to update the configuration using the following code:
```yaml
# Example CloudFormation Template
Resources:
  MyApiGatewayStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: <API Gateway RestApiId>
      StageName: <Stage Name>
      DeploymentId: <Deployment ID>
      # ClientCertificateId is a Stage property, not a MethodSettings entry
      ClientCertificateId: <Client Certificate Id>
      MethodSettings:
        - HttpMethod: '*'
          ResourcePath: '/*'
          ThrottlingBurstLimit: 5000
          ThrottlingRateLimit: 10000
```
When creating or updating the API Gateway stage, ensure that you include the `ClientCertificateId` property with the appropriate Client Certificate Id compliant with NIST 800-53 Revision 5 standards.
Step-by-Step Guide for Remediation
To remediate the API Gateway stage to use an SSL certificate compliant with NIST 800-53 Revision 5, follow these steps:
Determine SSL Certificate Requirements: Refer to the NIST 800-53 Revision 5 guidelines to understand the specific SSL certificate requirements such as encryption algorithms, key sizes, and certificate authority restrictions.
Generate or Obtain SSL Certificate: Generate or obtain an SSL certificate that adheres to the NIST 800-53 Revision 5 standard. You can either generate a self-signed certificate or obtain one from a trusted certificate authority.
Update API Gateway Stage Configuration: Access the AWS Management Console or use the AWS CLI/APIs to navigate to the API Gateway service. Locate the specific stage that requires SSL certificate configuration.
Configure SSL Certificate: In the API Gateway stage settings, find the SSL certificate configuration section. Upload or specify the newly generated or obtained SSL certificate. Ensure it meets the NIST 800-53 Revision 5 compliance requirements.
Test Connectivity: Once the SSL certificate is configured, perform connectivity tests to verify that client applications can successfully establish secure connections with the API Gateway stage. Validate that the SSL certificate meets the compliance standards.
By following these steps, the API Gateway stage will utilize an SSL certificate compliant with NIST 800-53 Revision 5, ensuring secure encrypted communication with client applications.