Rule: API Gateway Stage Should Use SSL Certificate

Rule Description

Troubleshooting Steps

2. 1.

   Verify SSL Certificate Compliance: Check if the SSL certificate being used by the API Gateway stage is compliant with NIST 800-53 Revision 5. You can consult the certificate documentation or contact the certificate issuer for confirmation.

4. 2.

   Verify Certificate Validity: Ensure that the SSL certificate is not expired or revoked. Expired or revoked certificates should be replaced with valid ones to maintain compliance.

6. 3.

   Check SSL Configuration: Review the API Gateway stage's SSL configuration settings to ensure they align with the requirements specified in NIST 800-53 Revision 5. Compare the settings against the recommended SSL configuration guidelines provided by NIST.

8. 4.

   Test SSL Connectivity: Use SSL testing tools or services to validate the SSL connectivity of the API Gateway stage. This will help identify any potential security vulnerabilities or weaknesses in the SSL implementation.

10. 5.

    Monitor Certificate Updates: Regularly monitor for updates and patches provided by the SSL certificate issuer. Stay informed about any vulnerabilities or vulnerabilities related to SSL certificates and apply necessary updates to ensure compliance.

Necessary Codes

2. 1.

   AWS CLI Command to Update SSL Certificate:

   aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations '[{"op" : "replace", "path" : "/canarySettings/stageVariableOverrides/TLSSettings.serverCertificateArn", "value" : "<new-certificate-arn>"}]'  
   

   Replace

   <rest-api-id>

   with the ID of your API Gateway,

   <stage-name>

   with the name of the stage, and

   <new-certificate-arn>

   with the new SSL certificate's ARN (Amazon Resource Name).

4. 2.

   AWS CLI Command to Create a New SSL Certificate:

   aws acm request-certificate --domain-name <domain-name> --validation-method DNS --subject-alternative-names <domain-aliases> --tags <tags>
   

   Replace

   <domain-name>

   with the primary domain name,

   <domain-aliases>

   with any additional domain name aliases, and

   <tags>

   with any relevant tags to associate with the certificate.

Remediation Steps

2. 1.

   Identify the SSL Certificate: Determine the SSL certificate currently in use by the API Gateway stage. Check the certificate documentation or contact the certificate issuer for details.

4. 2.

   Verify Compliance: Confirm if the SSL certificate is compliant with NIST 800-53 Revision 5. Ensure it meets the security controls and requirements specified in the standard.

6. 3.

   Replace Non-Compliant Certificates: If the current SSL certificate is found to be non-compliant, obtain a compliant SSL certificate from a trusted certificate authority. Follow the certificate issuer's instructions to replace the non-compliant certificate with the new one.

8. 4.

   Configure SSL Certificate: Update the API Gateway stage's SSL configuration to use the new compliant certificate. This can be done through the AWS Management Console, AWS CLI, or API Gateway SDKs. Use the necessary configuration options to specify the compliant SSL certificate and ensure it aligns with NIST 800-53 Revision 5 requirements.

10. 5.

    Test SSL Connectivity: After configuring the new SSL certificate, conduct thorough testing to ensure proper SSL connectivity is established. Verify that the API Gateway stage is functioning correctly and securely with the compliant SSL certificate.

12. 6.

    Monitor and Update: Regularly monitor the SSL certificate's validity and expiration dates. Stay up to date with any new compliance requirements or patches related to SSL certificates. Apply necessary updates and changes to maintain compliance with NIST 800-53 Revision 5.