This rule ensures that API Gateway stage cache encryption at rest is enabled to maintain data security.
| Rule | API Gateway stage cache encryption at rest should be enabled |
| Framework | HIPAA |
| Severity | Medium |
Rule Description:
According to HIPAA (Health Insurance Portability and Accountability Act) compliance requirements, API Gateway stage cache encryption at rest should be enabled. This rule ensures that sensitive data stored in the cache is encrypted to protect the confidentiality and integrity of the data.
Enabling encryption at rest ensures that even if unauthorized access occurs, the data in the cache remains protected. API Gateway provides options to enable encryption at rest for the stage cache, and it is essential to follow these steps to meet HIPAA compliance.
Troubleshooting Steps:
If the encryption at rest for API Gateway stage cache is not enabled, follow these steps to troubleshoot:
Verify Encryption Setting: Check the API Gateway stage settings to confirm if encryption at rest is enabled for the stage cache. If not enabled, proceed to the remediation steps.
Confirm HIPAA Compliance Requirement: Ensure that your organization is required to comply with HIPAA regulations. If HIPAA compliance is not required, enabling API Gateway stage cache encryption at rest under this rule can be skipped.
Review IAM Permission Policies: Check if the IAM (Identity and Access Management) policies associated with the API Gateway are properly configured to allow encryption at rest for the stage cache. Ensure that the necessary encryption-related actions are permitted.
Check Encryption Key Management: Verify if the encryption key used for the stage cache is correctly managed. Improper key management can result in encryption issues. Ensure that the key is securely stored and accessible only to authorized individuals.
Code Sample:
To enable encryption at rest for API Gateway stage cache, you can use the AWS CLI (Command Line Interface) with the following commands:
# Look up the regional API ID by API name
aws apigateway get-rest-apis --query "items[?name=='your-api-name'].id" --region your-region --output text
# Enable the stage cache and encrypt cached data for every method ("*/*") in one update.
# Each patch operation is a separate shorthand item; cache data encryption is a
# method-level caching setting, so its path is /{resourcePath}/{httpMethod}/caching/dataEncrypted.
# cacheClusterSize must be one of the sizes API Gateway accepts (in GB): 0.5, 1.6, 6.1, 13.5, 28.4, 58.2, 118, 237.
aws apigateway update-stage --rest-api-id your-api-id --stage-name your-stage-name --region your-region --patch-operations "op=replace,path=/cacheClusterEnabled,value=true" "op=replace,path=/cacheClusterSize,value=your-cache-size" "op=replace,path=/*/*/caching/dataEncrypted,value=true"
Replace:
your-api-name: Name of your API
your-region: AWS region where the API is deployed
your-api-id: Regional API ID of your API
your-stage-name: Name of the stage you want to enable cache encryption for
your-cache-size: Size of the cache cluster (small, medium, or large)
Remediation Steps:
Follow these steps to enable encryption at rest for API Gateway stage cache:
Identify the API: Determine the API for which you need to enable encryption at rest for the stage cache.
Get Regional API ID: Use the AWS CLI command mentioned in the code sample above to get the regional API ID for the API.
Update Stage Cache Settings: Execute the AWS CLI command mentioned above, replacing the placeholder values, such as your-api-name, your-region, your-api-id, your-stage-name, and your-cache-size, with the actual values related to your API and desired cache configuration.
Verify Encryption: Once the command is executed successfully, verify that encryption at rest is enabled for the stage cache by checking the API Gateway stage settings.
Testing: Test the API and ensure that it is functioning as expected with encryption at rest enabled for the stage cache.
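The "Verify Encryption Setting" troubleshooting step and the remediation steps above can be scripted. The following is an added example, not code from the original rule page: it evaluates a stage description for the condition this rule checks and builds the patch operations the remediation command applies. The stage dictionaries are constructed to mirror the shape of a `get-stage` (boto3 `get_stage()`) response, with `cacheClusterEnabled`, `cacheClusterSize` and a `methodSettings` map keyed by "resourcePath/httpMethod" where `*/*` covers all methods; the second method key is a constructed placeholder, and no AWS call is made.

```python
"""Check an API Gateway stage for cache encryption at rest and build the
remediation patch operations (added example; no AWS API call is made)."""

# cacheClusterSize values (in GB) that API Gateway accepts.
VALID_CACHE_SIZES = {"0.5", "1.6", "6.1", "13.5", "28.4", "58.2", "118", "237"}


def cache_encryption_findings(stage: dict) -> list[str]:
    """Return a list of findings for the stage; an empty list means compliant.

    If the stage has no cache cluster nothing is cached, so nothing needs
    encrypting. Otherwise every method setting with caching enabled must also
    have cacheDataEncrypted set. A stage whose cluster is on but which has no
    '*/*' method setting is flagged, because cache data encryption is off
    unless it has been enabled explicitly.
    """
    findings: list[str] = []
    if not stage.get("cacheClusterEnabled", False):
        return findings
    settings = stage.get("methodSettings", {})
    if "*/*" not in settings:
        findings.append("cache cluster enabled but cache data encryption "
                        "not explicitly enabled for '*/*'")
    for key, method_setting in settings.items():
        caching = method_setting.get("cachingEnabled", False)
        encrypted = method_setting.get("cacheDataEncrypted", False)
        if caching and not encrypted:
            findings.append(f"{key}: caching enabled without cacheDataEncrypted")
    return findings


def remediation_patch_operations(cache_size: str) -> list[dict]:
    """Build the patchOperations list for boto3 update_stage(); this mirrors
    the CLI remediation command on the page."""
    if cache_size not in VALID_CACHE_SIZES:
        raise ValueError(f"unsupported cacheClusterSize {cache_size!r}; "
                         f"expected one of {sorted(VALID_CACHE_SIZES)}")
    return [
        {"op": "replace", "path": "/cacheClusterEnabled", "value": "true"},
        {"op": "replace", "path": "/cacheClusterSize", "value": cache_size},
        {"op": "replace", "path": "/*/*/caching/dataEncrypted", "value": "true"},
    ]


# Constructed sample stages in the shape of a get-stage response.
NONCOMPLIANT_STAGE = {
    "stageName": "prod",
    "cacheClusterEnabled": True,
    "cacheClusterSize": "0.5",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False},
        # Constructed per-method override with caching switched off.
        "~1health/GET": {"cachingEnabled": False},
    },
}

COMPLIANT_STAGE = {
    "stageName": "prod",
    "cacheClusterEnabled": True,
    "cacheClusterSize": "0.5",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
    },
}


if __name__ == "__main__":
    for stage in (NONCOMPLIANT_STAGE, COMPLIANT_STAGE):
        problems = cache_encryption_findings(stage)
        status = "COMPLIANT" if not problems else "NON-COMPLIANT"
        print(f"{stage['stageName']}: {status} {problems}")
        if problems:
            # With boto3 this list is passed as:
            # apigateway.update_stage(restApiId=..., stageName=...,
            #                         patchOperations=remediation_patch_operations("0.5"))
            print(remediation_patch_operations(stage["cacheClusterSize"]))
```

A stage with the cache cluster disabled is reported as compliant because no response data is cached at rest; the check only flags caching that is actually switched on without encryption.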
Following these steps will help you enable API Gateway stage cache encryption at rest, ensuring HIPAA compliance for sensitive data storage.