
Rule: API Gateway Stage Cache Encryption at Rest Enabled

This rule ensures API Gateway stage cache encryption at rest is enabled for security compliance.

Rule: API Gateway stage cache encryption at rest should be enabled
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

API Gateway stage cache encryption at rest should be enabled for NIST 800-53 Revision 5 to ensure data security and compliance with government regulations. This rule ensures that all data stored in the cache at rest is encrypted, providing an additional layer of protection against unauthorized access or data leakage.

Troubleshooting Steps

If the API Gateway stage cache encryption at rest is not enabled or working properly, you can follow these troubleshooting steps:

  1. Verify Encryption Settings: Check the encryption settings for the API Gateway stage cache and ensure that it is configured to use an encryption algorithm that complies with NIST 800-53 Revision 5, such as AES-256.

  2. Check Cache Configuration: Ensure that the cache configuration is correctly set up to enable encryption at rest. Check the cache settings, such as cache size, cache behavior, and cache encryption configuration.

  3. Check IAM Policies: Verify that the relevant IAM (Identity and Access Management) policies are properly configured to allow API Gateway access to the necessary encryption resources.

  4. Check CloudTrail Logs: Review CloudTrail logs to investigate any potential errors or issues related to API Gateway stage cache encryption at rest. Look for any error codes or messages that indicate a problem with the encryption configuration.

  5. Test Data Encryption: Perform a test request to the API Gateway with cache enabled and verify that the data stored in the cache is encrypted. You can use tools like cURL or Postman to send requests to the API Gateway and examine the cache contents.
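Step 4 above says to review CloudTrail, but a manual read rarely catches the one change that matters: an UpdateStage call that switches cache encryption off. The scanner below is an added example for this page (it is not Cloud Defense's or AWS's code). The records in SAMPLE_EVENTS are constructed, and their layout (eventSource, eventName, requestParameters.patchOperations with op/path/value) is an assumption about how CloudTrail records API Gateway control-plane calls; check it against a real record from your trail before relying on the field names.

```python
"""Flag CloudTrail records in which an UpdateStage call disables API Gateway
stage cache encryption at rest.

Added example, not part of the original page. The sample records are
constructed; the field layout is an assumption about CloudTrail's format.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample records: only the fields the scanner reads are filled in.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {  # stage-wide cache encryption turned off: must be flagged
        "eventTime": "2024-01-10T09:12:44Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "UpdateStage",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "requestParameters": {
            "restApiId": "a1b2c3d4e5",
            "stageName": "prod",
            "patchOperations": [
                {"op": "replace", "path": "/~1*~1*/caching/dataEncrypted", "value": "false"}
            ],
        },
    },
    {  # the same setting turned on: benign
        "eventTime": "2024-01-10T09:20:01Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "UpdateStage",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "requestParameters": {
            "restApiId": "a1b2c3d4e5",
            "stageName": "prod",
            "patchOperations": [
                {"op": "replace", "path": "/~1*~1*/caching/dataEncrypted", "value": "true"}
            ],
        },
    },
    {  # unrelated stage change (logging level): benign
        "eventTime": "2024-01-10T10:02:17Z",
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "UpdateStage",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
        "requestParameters": {
            "restApiId": "a1b2c3d4e5",
            "stageName": "dev",
            "patchOperations": [{"op": "replace", "path": "/~1*~1*/logging/loglevel", "value": "ERROR"}],
        },
    },
    {  # a different service entirely: ignored
        "eventTime": "2024-01-10T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketEncryption",
        "requestParameters": {"bucketName": "example-bucket"},
    },
]

ENCRYPTION_PATH_SUFFIX = "/caching/dataEncrypted"


def is_weakening(op: dict[str, Any]) -> bool:
    """True when a patch operation turns cache encryption off or removes the setting."""
    if not str(op.get("path", "")).endswith(ENCRYPTION_PATH_SUFFIX):
        return False
    if op.get("op") == "remove":
        return True
    # CloudTrail serialises patch values as strings; a raw bool is accepted as well.
    return op.get("op") in ("replace", "add") and str(op.get("value", "")).lower() == "false"


def scan_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per UpdateStage call that weakens cache encryption."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "apigateway.amazonaws.com" or ev.get("eventName") != "UpdateStage":
            continue
        params = ev.get("requestParameters") or {}
        bad = [op for op in params.get("patchOperations", []) if is_weakening(op)]
        if bad:
            findings.append({
                "time": ev.get("eventTime"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "restApiId": params.get("restApiId"),
                "stageName": params.get("stageName"),
                "paths": [op["path"] for op in bad],
            })
    return findings


def load_records(path: str) -> list[dict[str, Any]]:
    """Read a CloudTrail log file (a JSON object with a top-level 'Records' list)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run it over a downloaded trail file with `scan_events(load_records("trail.json"))`. The scanner keys on the path suffix rather than the full path so that both the stage-wide override and per-method overrides are caught, and it treats an `op=remove` on that path as a weakening because the setting defaults to unencrypted when absent.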

Necessary Codes

In API Gateway, you can use the following code to enable cache encryption at rest:

Stage:
  Type: 'AWS::ApiGateway::Stage'
  Properties:
    RestApiId: !Ref YourRestApi
    StageName: YourStage
    DeploymentId: !Ref YourDeployment
    # A cache cluster must exist on the stage for any caching setting to take effect
    CacheClusterEnabled: true
    CacheClusterSize: '0.5'
    MethodSettings:
      # '/*' and '*' apply these settings to every resource and method on the stage
      - HttpMethod: '*'
        ResourcePath: '/*'
        # Unrelated to cache encryption: data tracing writes full request and
        # response payloads to CloudWatch Logs, so keep it in mind when enabling it
        DataTraceEnabled: true
        LoggingLevel: INFO
        CachingEnabled: true
        # Encrypts cached responses at rest
        CacheDataEncrypted: true

This code snippet sets the CacheDataEncrypted method setting (here applied to every resource and method through the '/*' resource path and '*' HTTP method) to enable cache encryption at rest for the specified stage.

Remediation Steps

To remediate the failure of API Gateway stage cache encryption at rest, follow these step-by-step instructions:

  1. Login to the AWS Management Console.

  2. Open the Amazon API Gateway service.

  3. Navigate to the API Gateway that needs remediation.

  4. Click on the desired Stage.

  5. Under the "Stage Settings" tab, find the "Cache" section.

  6. Enable the "Enable cache encryption at rest" option.

  7. Save the configuration changes.

  8. Test the API Gateway stage with cache enabled to verify that the data stored in the cache is now encrypted at rest.

CLI Command for Remediation

If you prefer to use the AWS Command Line Interface (CLI) to enable cache encryption at rest, you can follow these steps:

  1. Open a terminal or command prompt.

  2. Install and configure the AWS CLI if you haven't done so already.

  3. Run the following command, replacing <your-rest-api-id> and <your-stage-name> with the ID of your REST API and the name of your API Gateway stage:

# The cache data encryption flag lives under the stage-wide method override
# ("/*/*"); in the patch path each "/" of that key is escaped as "~1".
aws apigateway update-stage \
  --rest-api-id <your-rest-api-id> \
  --stage-name <your-stage-name> \
  --patch-operations op=replace,path=/~1*~1*/caching/dataEncrypted,value=true

This command updates the stage-wide method settings of the specified API Gateway stage to enable cache encryption at rest. It only has an effect on a stage whose cache cluster is enabled (the cacheClusterEnabled stage setting); a stage without a cache stores nothing at rest.

  4. Test the API Gateway stage with cache enabled to verify that the data stored in the cache is now encrypted at rest.
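The rule check and the CLI remediation above can be expressed as one small audit routine: read a stage's settings, decide PASS or FAIL, and emit the exact patch operations that would fix it. The code below is an added example for this page, not Cloud Defense's check and not AWS code. SAMPLE_STAGES is constructed and shaped after `aws apigateway get-stage` (and boto3 `get_stage`) output; the key names it relies on (cacheClusterEnabled, methodSettings, cachingEnabled, cacheDataEncrypted) and the patch-path escaping (the stage-wide key addressed as `~1*~1*`, per-method keys used as they appear) are assumptions to confirm against the API Gateway documentation.

```python
"""Evaluate API Gateway REST stages for cache encryption at rest and build the
update-stage patch operations that remediate a failing stage.

Added example, not part of the original page. Sample stages are constructed;
key names and patch-path escaping are assumptions about the API Gateway API.
"""
from __future__ import annotations

from typing import Any

ALL_METHODS = "*/*"  # stage-wide override key as it appears in get-stage output

# Constructed sample stages shaped after `aws apigateway get-stage` output.
SAMPLE_STAGES: dict[str, dict[str, Any]] = {
    "prod": {  # stage-wide override encrypted, but one per-method override is not
        "cacheClusterEnabled": True,
        "methodSettings": {
            ALL_METHODS: {"cachingEnabled": True, "cacheDataEncrypted": True},
            "~1pets/GET": {"cachingEnabled": True, "cacheDataEncrypted": False},
        },
    },
    "dev": {  # cache on, encryption never set: the setting defaults to off
        "cacheClusterEnabled": True,
        "methodSettings": {ALL_METHODS: {"cachingEnabled": True}},
    },
    "nocache": {  # no cache cluster: nothing is stored at rest, so it passes here
        "cacheClusterEnabled": False,
        "methodSettings": {ALL_METHODS: {"cachingEnabled": True}},
    },
}


def unencrypted_cache_keys(stage: dict[str, Any]) -> list[str]:
    """Method-setting keys that cache responses without encryption at rest."""
    if not stage.get("cacheClusterEnabled", False):
        return []  # design choice: no cache cluster means no data at rest
    return [
        key
        for key, settings in stage.get("methodSettings", {}).items()
        if settings.get("cachingEnabled") and not settings.get("cacheDataEncrypted", False)
    ]


def evaluate(stage: dict[str, Any]) -> str:
    """Rule verdict for one stage: PASS when every cached path is encrypted."""
    return "FAIL" if unencrypted_cache_keys(stage) else "PASS"


def patch_path(method_key: str) -> str:
    """Patch path for the dataEncrypted setting of one method-settings key.

    Assumption: "*/*" is addressed as /~1*~1*/...; per-method keys such as
    "~1pets/GET" already carry the ~1 escaping and are used as-is.
    """
    segment = "~1*~1*" if method_key == ALL_METHODS else method_key
    return f"/{segment}/caching/dataEncrypted"


def remediation_ops(stage: dict[str, Any]) -> list[dict[str, str]]:
    """update-stage patch operations that turn encryption on for each failing key."""
    return [
        {"op": "replace", "path": patch_path(key), "value": "true"}
        for key in unencrypted_cache_keys(stage)
    ]


def cli_command(rest_api_id: str, stage_name: str, stage: dict[str, Any]) -> str:
    """Render the remediation as an AWS CLI invocation (empty string if compliant)."""
    ops = remediation_ops(stage)
    if not ops:
        return ""
    rendered = " ".join(f"op={o['op']},path={o['path']},value={o['value']}" for o in ops)
    return (
        f"aws apigateway update-stage --rest-api-id {rest_api_id} "
        f"--stage-name {stage_name} --patch-operations {rendered}"
    )


if __name__ == "__main__":
    # With boto3 the same functions take the dict returned by
    # boto3.client("apigateway").get_stage(restApiId=..., stageName=...).
    for name, stage in SAMPLE_STAGES.items():
        print(f"{name}: {evaluate(stage)}")
        if cmd := cli_command("<your-rest-api-id>", name, stage):
            print("  " + cmd)
```

The evaluation walks every entry in methodSettings rather than only the stage-wide `*/*` override, because a per-method override can re-enable caching without encryption even when the stage-wide setting is encrypted. Treating a stage with no cache cluster as compliant is a policy choice made here; a stricter check would drop that early return.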

By following these steps and using the provided code or CLI command, you can ensure that API Gateway stage cache encryption at rest is enabled for NIST 800-53 Revision 5 compliance.
