Rule: API Gateway Stage Should Use SSL Certificate
This rule ensures that the API Gateway stage is configured to use SSL certificate for secure communication.
Rule: API Gateway stage should use SSL certificate
Framework: CISA-cyber-essentials
Severity: Medium
Rule Description: API Gateway Stage SSL Certificate for CISA-Cyber Essentials
Overview:
The following rule mandates that all API Gateway stages should use an SSL (Secure Sockets Layer) certificate for CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials compliance. This is an important security measure to protect the data transmitted between clients and the API Gateway endpoint.
Importance/Purpose:
Using an SSL certificate ensures that the communication between the client and the API Gateway is encrypted and secure. By enabling SSL, sensitive information, such as user credentials and data, remains protected from unauthorized access or interception by malicious actors. Complying with CISA-Cyber Essentials guidelines ensures a higher level of security and minimizes potential vulnerabilities.
Steps to Implement SSL Certificate for API Gateway Stage:
1. Obtain an SSL Certificate:
Obtain a valid SSL certificate from a trusted certificate authority (CA) or from AWS Certificate Manager (ACM). Ensure that the certificate is compatible with the API Gateway stage.
2. Import the SSL Certificate to AWS Certificate Manager (ACM):
If you are using ACM, follow these steps to import the SSL certificate:
1. Log in to the AWS Management Console.
2. Navigate to the ACM service.
3. Click "Import a certificate."
4. Follow the on-screen instructions to import the SSL certificate.
3. Associate the SSL Certificate with the API Gateway Stage:
To associate the SSL certificate with the API Gateway stage, follow these steps:
1. Log in to the AWS Management Console.
2. Navigate to the API Gateway service.
3. Select the desired API Gateway stage.
4. Go to the "Settings" tab.
5. Under the "Custom domain name" section, choose the desired domain name.
6. Select the imported SSL certificate from either ACM or the CA.
7. Save the changes.
4. Verify SSL Certificate Configuration:
After associating the SSL certificate, perform the following steps to verify the SSL certificate configuration:
1. Open a web browser and enter the custom domain name linked to the API Gateway stage.
2. If the SSL certificate has been configured correctly, the browser should display a lock icon indicating a secure connection.
3. Perform thorough testing of the API Gateway endpoints to ensure SSL is functioning properly.
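The manual console steps above do not scale to an account with many APIs. The following added example (not part of the original rule page and not the scanner's own check) audits a snapshot of API Gateway configuration offline. It works on data shaped like the output of `aws apigateway get-stages`, `aws apigateway get-domain-names` and `aws apigateway get-base-path-mappings`, and applies the criterion the procedure above implies: a stage counts as covered when a custom domain that carries a certificate (`certificateArn` for edge-optimized domains, `regionalCertificateArn` for regional ones) maps to it. The field names are the real AWS API field names; the API ids, domain names and certificate ARN are constructed placeholders, and the "covered via custom domain" criterion is this example's assumption about how the rule should be evaluated.

```python
"""Offline audit: which API Gateway stages are reachable only without a
custom-domain SSL certificate?

Added example. The three dictionaries below are constructed sample data in
the shape the AWS CLI returns; replace them with real CLI output to run
against an account. Certificate ARN and ids are placeholders.
"""

from typing import Dict, List, Set, Tuple

StageKey = Tuple[str, str]  # (restApiId, stageName)

# Constructed sample: shape of `aws apigateway get-stages --rest-api-id <id>`
STAGES: Dict[str, List[dict]] = {
    "abc123": [{"stageName": "prod"}, {"stageName": "dev"}],
    "def456": [{"stageName": "prod"}],
}

# Constructed sample: shape of `aws apigateway get-domain-names`
DOMAIN_NAMES: List[dict] = [
    {
        "domainName": "api.example.com",
        "regionalCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
    },
    {"domainName": "legacy.example.com"},  # custom domain with no certificate attached
]

# Constructed sample: shape of `aws apigateway get-base-path-mappings --domain-name <d>`
BASE_PATH_MAPPINGS: Dict[str, List[dict]] = {
    "api.example.com": [{"basePath": "(none)", "restApiId": "abc123", "stage": "prod"}],
    "legacy.example.com": [{"basePath": "(none)", "restApiId": "def456", "stage": "prod"}],
}


def domains_with_certificate(domain_names: List[dict]) -> Set[str]:
    """Custom domains that carry an ACM/imported certificate (edge or regional)."""
    return {
        d["domainName"]
        for d in domain_names
        if d.get("certificateArn") or d.get("regionalCertificateArn")
    }


def stage_domains(mappings: Dict[str, List[dict]]) -> Dict[StageKey, Set[str]]:
    """Invert base path mappings: (api, stage) -> custom domains pointing at it."""
    out: Dict[StageKey, Set[str]] = {}
    for domain, items in mappings.items():
        for m in items:
            out.setdefault((m["restApiId"], m["stage"]), set()).add(domain)
    return out


def evaluate_stages(
    stages: Dict[str, List[dict]],
    domain_names: List[dict],
    mappings: Dict[str, List[dict]],
) -> Dict[StageKey, str]:
    """Return {(api, stage): "ok" | "alarm"}.

    "ok" means at least one certificate-bearing custom domain maps to the
    stage; "alarm" means the stage has no such domain (either no mapping at
    all, or only a domain without a certificate).
    """
    secured = domains_with_certificate(domain_names)
    by_stage = stage_domains(mappings)
    results: Dict[StageKey, str] = {}
    for api_id, items in stages.items():
        for st in items:
            key = (api_id, st["stageName"])
            covered = any(d in secured for d in by_stage.get(key, set()))
            results[key] = "ok" if covered else "alarm"
    return results


def report(results: Dict[StageKey, str]) -> List[str]:
    """Human-readable lines, alarms first, so the finding list is actionable."""
    ordered = sorted(results.items(), key=lambda kv: (kv[1] != "alarm", kv[0]))
    return [f"{status.upper():5} {api}/{stage}" for (api, stage), status in ordered]


if __name__ == "__main__":
    for line in report(evaluate_stages(STAGES, DOMAIN_NAMES, BASE_PATH_MAPPINGS)):
        print(line)
```

With the constructed data, `abc123/prod` passes because `api.example.com` carries a certificate, `abc123/dev` fails because nothing maps to it, and `def456/prod` fails because `legacy.example.com` has no certificate attached; the last case is the one a "does a custom domain exist?" check would miss.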