
Rule: Encrypt API Gateway REST API Cache Data at Rest

This rule requires that the response cache of every API Gateway REST API stage that has caching enabled is encrypted at rest.

Rule: API Gateway REST API cache data should be encrypted at rest
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

The rule "API Gateway REST API cache data should be encrypted at rest" is part of the AWS Foundational Security Best Practices standard (Security Hub control APIGateway.5). API Gateway can cache full backend responses per stage, and those cached responses may contain the same sensitive data as the live responses. The control evaluates every method setting of every REST API stage: if any method has caching enabled and cache data encryption turned off, the stage fails the check.

Remediation Steps:

Cache settings in API Gateway are configured per stage, with optional per-method overrides, so each deployed stage of the API has to be reviewed. To ensure that the cache data is encrypted at rest, follow the steps below:

Step 1: Locate the stage that caches responses:

  1. Open the AWS Management Console and navigate to the API Gateway service.
  2. Select the target REST API from the list, then choose "Stages" in the left navigation pane.
  3. Select the stage to review. Repeat the remaining steps for every stage of the API, since a finding can come from any stage with caching enabled.

Step 2: Enable encryption for the stage cache:

  1. Open the stage's settings (the "Settings" tab in the older console, or "Stage details" followed by "Edit" in the current one) and find the "Cache settings" section.
  2. Confirm that the API cache is enabled for the stage. The encryption setting only becomes editable once the cache itself is enabled.
  3. Check "Encrypt cache data" and save the changes.

Step 3: Review per-method cache overrides:

  1. In the same stage editor, look for methods that override the stage-level cache settings (the stage's resource tree in the older console, or the method overrides section in the current one).
  2. For every method that has caching enabled, make sure "Encrypt cache data" is also enabled in its override. The control fails if any single cached method is unencrypted, even when the stage default is encrypted, because an override replaces the stage setting for that method.
  3. If a method does not need caching at all, disable caching in its override rather than leaving an unencrypted override in place.

Step 4: Validation:

  1. Retrieve the stage configuration with the API Gateway GetStage API (console, CLI or SDK) and inspect the "methodSettings" map. For every entry with "cachingEnabled" set to true, "cacheDataEncrypted" must also be true. The "*/*" entry is the stage-wide default; any other entry, keyed by resource path and HTTP method with "/" in the path escaped as "~1" (for example "~1pets/GET"), is a method override.
  2. Encryption at rest is not observable from the client side: API Gateway sends no response header that indicates whether the cache is encrypted, so the stage configuration itself is the only thing to verify. After the change, confirm that the Security Hub finding for APIGateway.5 moves to PASSED on its next evaluation.
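The audit and remediation described in Steps 2 to 4, as an added example that is not part of the original page or of Cloud Defense's tooling. It applies the same test as the control (a method setting with "cachingEnabled" true and "cacheDataEncrypted" false is a finding) to a GetStage response, builds the UpdateStage patch operations that fix each finding, and can walk every REST API stage in a region through boto3. The SAMPLE_STAGE dictionary is a constructed stage, not real account data; the function names and the optional remediate flag are this example's own.

```python
"""Audit and remediate API Gateway REST API cache encryption (Security Hub APIGateway.5).

Added example: not from the original page. The stage shape mirrors the
GetStage API response; the sample data below is constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample of a GetStage response (not real account data). The "*/*"
# entry is the stage-wide default; "~1pets/GET" and "~1admin/POST" are method
# overrides ("/" in the resource path is escaped as "~1" in these keys).
SAMPLE_STAGE: Dict = {
    "stageName": "prod",
    "cacheClusterEnabled": True,
    "cacheClusterSize": "0.5",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False, "cacheTtlInSeconds": 300},
        "~1pets/GET": {"cachingEnabled": True, "cacheDataEncrypted": True, "cacheTtlInSeconds": 60},
        "~1admin/POST": {"cachingEnabled": False, "cacheDataEncrypted": False},
    },
}


def find_unencrypted_cache_methods(stage: Dict) -> List[str]:
    """Return the method-setting keys that cache responses without encryption.

    Mirrors the control's logic: methods with caching disabled are ignored,
    so an unencrypted setting on a non-caching method is not a finding.
    """
    findings = []
    for key, settings in stage.get("methodSettings", {}).items():
        if settings.get("cachingEnabled") and not settings.get("cacheDataEncrypted"):
            findings.append(key)
    return sorted(findings)


def remediation_patch_ops(keys: List[str]) -> List[Dict[str, str]]:
    """Build UpdateStage patch operations that enable cache encryption.

    The path form is /<method-setting key>/caching/dataEncrypted, e.g.
    /*/*/caching/dataEncrypted for the stage default or
    /~1pets/GET/caching/dataEncrypted for one method override.
    Patch operation values are strings in this API, hence "true".
    """
    return [
        {"op": "replace", "path": f"/{key}/caching/dataEncrypted", "value": "true"}
        for key in keys
    ]


def audit_account(client, remediate: bool = False) -> List[Tuple[str, str, List[str]]]:
    """Walk every REST API stage visible to the boto3 apigateway client.

    Returns (rest_api_id, stage_name, unencrypted_keys) for each failing
    stage. With remediate=True the patch operations are applied as well.
    The client is injected so the logic can run against a fake in tests.
    """
    report = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            for stage in client.get_stages(restApiId=api["id"])["item"]:
                bad = find_unencrypted_cache_methods(stage)
                if not bad:
                    continue
                report.append((api["id"], stage["stageName"], bad))
                if remediate:
                    client.update_stage(
                        restApiId=api["id"],
                        stageName=stage["stageName"],
                        patchOperations=remediation_patch_ops(bad),
                    )
    return report


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against an AWS account

    fix = "--remediate" in sys.argv
    for api_id, stage_name, keys in audit_account(boto3.client("apigateway"), remediate=fix):
        print(f"{api_id}/{stage_name}: unencrypted cache for {', '.join(keys)}"
              + (" (fixed)" if fix else ""))
```

Run it without arguments for a read-only report of failing stages in the configured region, or with --remediate to apply the patch operations. Patching "*/*" fixes every method that inherits the stage default; a method with its own override gets its own patch entry, since the stage-wide value does not reach it.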

Troubleshooting Steps:

If you encounter issues while enabling cache encryption or validating the stage configuration, check the following:

Issue: Cache encryption option is disabled

  • "Encrypt cache data" cannot be selected until the API cache itself is enabled for the stage. Enable the cache first; the encryption setting then becomes editable.
  • Ensure that the user or role making the change has permission to update the stage (the apigateway:PATCH action on the stage resource, which is what the UpdateStage API call requires).

Issue: Cache data is not being encrypted at rest

  • Check every stage of the API, not only the one you edited. Cache settings are stage-scoped, and a finding may come from a different stage.
  • Check method-level overrides. A method that overrides the stage cache settings carries its own "cacheDataEncrypted" flag, and the stage-wide setting does not apply to it; either enable encryption in the override or disable caching for that method.
  • Cache encryption is a property of the API Gateway stage and its method settings only. No IAM role and no separate service (CloudFront is not involved in API Gateway caching) has to be configured for it, so if the stage and method settings are correct there is nothing further to enable elsewhere.

If the issues persist, consider referring to the official AWS API Gateway documentation or contacting AWS support for further assistance.

Additional Notes:

Review this rule's compliance regularly, since a new stage, a new deployment with caching enabled, or a method override added later can reintroduce an unencrypted cache. Encryption at rest protects the stored responses and aligns with common data-protection baselines, but it does not change who can read a cached response at request time: if a cached method returns data that varies per caller, make sure the cache key covers the relevant parameters or leave caching disabled for that method.
