
Rule: API Gateway Stage Should Use SSL Certificate

This rule ensures that API Gateway stages utilize SSL certificates to enhance security measures.

Rule: API Gateway stage should use SSL certificate
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

The API Gateway stage should use an SSL certificate that is compliant with NIST 800-53 Revision 5 security standard. NIST 800-53 is a set of security controls and guidelines developed by the National Institute of Standards and Technology (NIST) for federal information systems in the United States. Revision 5 of NIST 800-53 provides updated security controls to protect sensitive and critical information.

Troubleshooting Steps

If the API Gateway stage is not using an SSL certificate that complies with NIST 800-53 Revision 5, you may encounter various issues related to security vulnerabilities and non-compliance. To troubleshoot potential problems, follow these steps:

  1. Verify SSL Certificate Compliance: Check whether the SSL certificate used by the API Gateway stage complies with NIST 800-53 Revision 5. Consult the certificate documentation or contact the certificate issuer for confirmation.

  2. Verify Certificate Validity: Ensure that the SSL certificate is neither expired nor revoked. Expired or revoked certificates should be replaced with valid ones to maintain compliance.

  3. Check SSL Configuration: Review the API Gateway stage's SSL configuration settings to ensure they align with the requirements specified in NIST 800-53 Revision 5. Compare the settings against the SSL configuration guidelines recommended by NIST.

  4. Test SSL Connectivity: Use SSL testing tools or services to validate the SSL connectivity of the API Gateway stage. This helps identify potential security vulnerabilities or weaknesses in the SSL implementation.

  5. Monitor Certificate Updates: Regularly monitor for updates and patches provided by the SSL certificate issuer. Stay informed about any vulnerabilities or weaknesses related to SSL certificates and apply the necessary updates to ensure compliance.

Necessary Codes

If you need to configure or update the SSL certificate for the API Gateway stage, the relevant AWS CLI commands are:

  1. AWS CLI command to attach an SSL (client) certificate to the stage:

    aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name <stage-name> --patch-operations '[{"op": "replace", "path": "/clientCertificateId", "value": "<client-certificate-id>"}]'

    Replace <rest-api-id> with the ID of your API Gateway REST API, <stage-name> with the name of the stage, and <client-certificate-id> with the ID of the API Gateway client certificate the stage should use. The patch path /clientCertificateId is the stage property API Gateway exposes for this certificate.

  2. AWS CLI command to request a new SSL certificate from ACM:

    aws acm request-certificate --domain-name <domain-name> --validation-method DNS --subject-alternative-names <domain-aliases> --tags <tags>

    Replace <domain-name> with the primary domain name, <domain-aliases> with any additional domain name aliases, and <tags> with any relevant tags to associate with the certificate.

Remediation Steps

To remediate the API Gateway stage and ensure it uses an SSL certificate compliant with NIST 800-53 Revision 5, follow these step-by-step instructions:

  1. Identify the SSL Certificate: Determine the SSL certificate currently in use by the API Gateway stage. Check the certificate documentation or contact the certificate issuer for details.

  2. Verify Compliance: Confirm whether the SSL certificate is compliant with NIST 800-53 Revision 5. Ensure it meets the security controls and requirements specified in the standard.

  3. Replace Non-Compliant Certificates: If the current SSL certificate is found to be non-compliant, obtain a compliant SSL certificate from a trusted certificate authority. Follow the certificate issuer's instructions to replace the non-compliant certificate with the new one.

  4. Configure SSL Certificate: Update the API Gateway stage's SSL configuration to use the new compliant certificate. This can be done through the AWS Management Console, AWS CLI, or API Gateway SDKs. Use the necessary configuration options to specify the compliant SSL certificate and ensure it aligns with NIST 800-53 Revision 5 requirements.

  5. Test SSL Connectivity: After configuring the new SSL certificate, conduct thorough testing to ensure proper SSL connectivity is established. Verify that the API Gateway stage is functioning correctly and securely with the compliant SSL certificate.

  6. Monitor and Update: Regularly monitor the SSL certificate's validity and expiration dates. Stay up to date with any new compliance requirements or patches related to SSL certificates. Apply necessary updates and changes to maintain compliance with NIST 800-53 Revision 5.

By following these remediation steps, you can ensure that the API Gateway stage utilizes an SSL certificate that adheres to NIST 800-53 Revision 5 requirements, thereby promoting secure communication and compliance with relevant security standards.
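The troubleshooting and remediation steps above both come down to two checks per stage: is a client certificate attached, and is it still valid. The following script is an added example (not Cloud Defense's rule implementation) that runs those checks over constructed sample JSON in the shape returned by `aws apigateway get-stages` and `aws apigateway get-client-certificate`, then builds the `update-stage` patch document for each failing stage; the stage, certificate IDs and dates are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: shape of `aws apigateway get-stages --rest-api-id <id>` output.
SAMPLE_STAGES = json.loads("""
{"item": [
  {"stageName": "prod", "deploymentId": "dep001", "clientCertificateId": "a1b2c3"},
  {"stageName": "dev",  "deploymentId": "dep001"},
  {"stageName": "test", "deploymentId": "dep001", "clientCertificateId": "zz9999"}
]}
""")

# Constructed sample: `aws apigateway get-client-certificate` results keyed by ID.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "a1b2c3": {"expirationDate": (NOW + timedelta(days=200)).isoformat()},
    "zz9999": {"expirationDate": (NOW - timedelta(days=3)).isoformat()},
}


def find_noncompliant_stages(stages, certs, now, min_days_left=30):
    """Return {stageName: reason} for every stage that fails the rule.

    A stage fails when no clientCertificateId is set (the condition this rule
    flags) or when the attached certificate is expired or close to expiry.
    """
    findings = {}
    for stage in stages["item"]:
        name, cert_id = stage["stageName"], stage.get("clientCertificateId")
        if not cert_id:
            findings[name] = "no client certificate attached"
            continue
        cert = certs.get(cert_id)
        if cert is None:
            findings[name] = f"certificate {cert_id} not found"
            continue
        days_left = (datetime.fromisoformat(cert["expirationDate"]) - now).days
        if days_left < 0:
            findings[name] = f"certificate {cert_id} expired"
        elif days_left < min_days_left:
            findings[name] = f"certificate {cert_id} expires in {days_left} days"
    return findings


def remediation_patch(client_certificate_id):
    """Build the --patch-operations document for `aws apigateway update-stage`."""
    return json.dumps([{"op": "replace", "path": "/clientCertificateId",
                        "value": client_certificate_id}])


if __name__ == "__main__":
    for name, reason in find_noncompliant_stages(SAMPLE_STAGES, SAMPLE_CERTS, NOW).items():
        print(f"{name}: {reason}")
        print(f"  aws apigateway update-stage --rest-api-id <rest-api-id> --stage-name {name} "
              f"--patch-operations '{remediation_patch('<client-certificate-id>')}'")
```

Against live data, replace the two samples with the parsed output of the corresponding `aws apigateway` commands (or boto3's `get_stages` and `get_client_certificate`) and run the printed command only after generating a fresh client certificate.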
