
Rule: API Gateway Stage Cache Encryption at Rest Should Be Enabled

This rule ensures that encryption at rest is enabled for API Gateway stage cache.

Rule: API Gateway stage cache encryption at rest should be enabled
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description

This rule requires that encryption at rest be enabled for the cache attached to Amazon API Gateway stages. It maps to the NIST Cybersecurity Framework (CSF) version 1.1 control set.

Troubleshooting Steps

If you encounter any issues implementing this rule, consider the following troubleshooting steps:

  1. Verify the API Gateway stage configuration.
  2. Ensure the appropriate AWS Identity and Access Management (IAM) roles and policies are set up correctly.
  3. Check if the encryption at rest feature is enabled for the cache in API Gateway stages.
  4. Review the Amazon CloudWatch Logs for any error messages or indicators of misconfiguration.

Necessary Code

To enable encryption at rest for the cache in API Gateway stages, you can use either the AWS Management Console or the AWS Command Line Interface (CLI), as shown below.

AWS Management Console

  1. Go to the Amazon API Gateway service console.
  2. Select the desired API.
  3. Navigate to the Stages section and choose the specific stage.
  4. Scroll down to the Cache Settings section and click on Edit.
  5. Check the box next to Encrypt cache data at rest.
  6. Click Save Changes to apply the encryption at rest for the cache.

AWS CLI

$ aws apigateway update-stage \
    --rest-api-id <rest-api-id> \
    --stage-name <stage-name> \
    --patch-operations \
      op=replace,path=/cacheClusterEnabled,value=true \
      op=replace,path=/cacheClusterSize,value=<cache-cluster-size> \
      'op=replace,path=/*/*/caching/enabled,value=true' \
      'op=replace,path=/*/*/caching/dataEncrypted,value=true'

The first two operations provision the stage cache cluster; the last two are method settings, where the `/*/*/` prefix applies the setting to every resource path and HTTP method in the stage. Cache encryption is a per-method setting, so a method that has its own override (for example `/~1orders/GET/caching/dataEncrypted`) must be patched separately.

Replace the following placeholders with appropriate values:

  • <rest-api-id>: The identifier of your API in API Gateway.
  • <stage-name>: The name of the specific stage where you want to enable encryption at rest for the cache.
  • <cache-cluster-size>: The size of your cache cluster. Choose an appropriate value based on your requirements.

Remediation Steps

Follow the step-by-step guide below to remediate the rule violation by enabling cache encryption at rest for the API Gateway stage:

  1. Open the AWS Management Console.
  2. Go to the Amazon API Gateway service console.
  3. Select the relevant API from the list.
  4. Click the Stages link in the left-hand menu.
  5. Choose the specific stage you want to enable cache encryption at rest for.
  6. Scroll down to the Cache Settings section and click on Edit.
  7. Check the box next to Encrypt cache data at rest.
  8. Click Save Changes to apply the configuration.
  9. Validate the changes by reviewing the API Gateway stage's configuration and verifying that encryption at rest is enabled for the cache.

Ensure that you have proper documentation and communication processes in place to inform relevant stakeholders about the implementation of this rule.
