
Rule: API Gateway Stage Should Use SSL Certificate

This rule ensures that API Gateway stages are secured with an SSL/TLS certificate, protecting API data in transit.

Rule: API Gateway stage should use SSL certificate
Framework: NIST 800-53 Revision 5
Severity: Medium

AWS API Gateway Stage Compliance with NIST 800-53 Revision 5

NIST 800-53 Revision 5 is a set of security and privacy controls for federal information systems and organizations that aims to improve information security. For an API Gateway stage to comply with NIST 800-53 Rev. 5, it must use an SSL/TLS certificate.

Description of the Rule

An SSL/TLS certificate identifies the server and allows clients to establish an encrypted TLS connection with it, protecting the integrity and confidentiality of data in transit. For AWS API Gateway, binding an SSL certificate to the stage's custom domain name is mandatory to secure API data.

  • Rule Purpose: To comply with NIST 800-53 Rev. 5 - SC-13 (Cryptography), which requires secure communication.
  • Affected Resource: AWS API Gateway stages.
  • Remediation: Attach a valid SSL certificate to each API Gateway stage.

Troubleshooting Steps

If the API Gateway stage isn't using an SSL certificate or if there are issues with the certificate, the following troubleshooting steps should be taken:

  1. Check Certificate Binding: Verify that an SSL certificate is bound to the API Gateway custom domain name.
  2. Certificate Validity: Ensure that the SSL certificate is not expired.
  3. Domain Name Matching: Confirm that the SSL certificate matches the custom domain name of your API Gateway stage.
  4. AWS Certificate Manager (ACM): If using ACM, confirm that the status of the certificate is ISSUED.
  5. SSL Protocols and Ciphers: Check SSL protocols and ciphers to ensure that they are strong and up to date.
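The five checks above can be run as one offline audit. The script below is an added example, not Cloud Defense's or AWS's code: it implements the binding, expiry, domain-match, ACM-status and protocol-policy checks over constructed sample payloads whose field names mirror the shape of `aws apigateway get-domain-names` and `aws acm describe-certificate` output (domainName, certificateArn, regionalCertificateArn, securityPolicy; Status, DomainName, SubjectAlternativeNames, NotAfter). The ARNs, host names and the fixed "current time" are constructed; a live audit would fetch the real responses with the CLI or boto3 and pass them to audit_all() unchanged.

```python
"""Offline audit of API Gateway custom-domain certificate bindings (added example)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/"  # constructed account/prefix

# Constructed: shaped like the items[] of `aws apigateway get-domain-names`.
DOMAIN_NAMES = {"items": [
    {"domainName": "api.example.com", "certificateArn": ARN + "good",
     "securityPolicy": "TLS_1_2"},
    {"domainName": "legacy.example.com", "certificateArn": ARN + "expired",
     "securityPolicy": "TLS_1_0"},
    {"domainName": "staging.example.com", "regionalCertificateArn": ARN + "pending",
     "securityPolicy": "TLS_1_2"},
    {"domainName": "orphan.example.com", "securityPolicy": "TLS_1_2"},  # nothing bound
]}

# Constructed: shaped like the Certificate block of `aws acm describe-certificate`,
# keyed by certificate ARN.
CERTIFICATES = {
    ARN + "good": {"Status": "ISSUED", "DomainName": "*.example.com",
                   "SubjectAlternativeNames": ["*.example.com", "example.com"],
                   "NotAfter": NOW + timedelta(days=90)},
    ARN + "expired": {"Status": "ISSUED", "DomainName": "legacy.example.com",
                      "SubjectAlternativeNames": ["legacy.example.com"],
                      "NotAfter": NOW - timedelta(days=3)},
    ARN + "pending": {"Status": "PENDING_VALIDATION", "DomainName": "other.example.net",
                      "SubjectAlternativeNames": ["other.example.net"]},
}


def hostname_matches(host, pattern):
    """RFC 6125-style comparison: a leading '*' covers exactly one DNS label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    labels = host.split(".")
    return len(labels) == len(pattern.split(".")) and ".".join(labels[1:]) == pattern[2:]


def audit_domain(entry, certs, now=NOW):
    """Return the findings for one custom domain name; an empty list means compliant."""
    findings = []
    # Edge-optimized domains carry certificateArn, regional ones regionalCertificateArn.
    arn = entry.get("certificateArn") or entry.get("regionalCertificateArn")
    if not arn:
        return ["no certificate bound to the domain name"]
    cert = certs.get(arn)
    if cert is None:
        return [f"bound certificate {arn} not found in ACM"]
    if cert.get("Status") != "ISSUED":
        findings.append(f"ACM status is {cert.get('Status')}, expected ISSUED")
    not_after = cert.get("NotAfter")
    if not_after is not None and not_after <= now:
        findings.append(f"certificate expired on {not_after.date()}")
    names = [cert.get("DomainName", "")] + list(cert.get("SubjectAlternativeNames", []))
    if not any(hostname_matches(entry["domainName"], n) for n in names if n):
        findings.append("certificate does not cover " + entry["domainName"])
    # API Gateway's securityPolicy is TLS_1_0 or TLS_1_2; only TLS_1_2 refuses
    # the legacy protocol versions.
    if entry.get("securityPolicy") != "TLS_1_2":
        findings.append(f"security policy {entry.get('securityPolicy')} should be TLS_1_2")
    return findings


def audit_all(domain_names, certs, now=NOW):
    """Map every custom domain name to its list of findings."""
    return {e["domainName"]: audit_domain(e, certs, now) for e in domain_names["items"]}


if __name__ == "__main__":
    for name, findings in audit_all(DOMAIN_NAMES, CERTIFICATES).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The wildcard matcher deliberately refuses to let `*.example.com` cover `a.b.example.com` or the bare `example.com`, which is how TLS clients treat it; a looser glob would report a mismatched certificate as compliant.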

Necessary Codes and CLI Commands

To attach an SSL certificate to an API Gateway custom domain, first, request or import a certificate in AWS Certificate Manager, then use the AWS CLI to associate the certificate with the domain.

Step 1: Request or Import a Certificate

Request a certificate in ACM using the AWS CLI:

aws acm request-certificate --domain-name example.com --validation-method DNS

Or import a certificate:

aws acm import-certificate --certificate fileb://Certificate.pem \
  --certificate-chain fileb://CertificateChain.pem \
  --private-key fileb://PrivateKey.pem

Step 2: Attach the Certificate to API Gateway Domain Name

Create or update the custom domain name in API Gateway:

aws apigateway create-domain-name --domain-name 'api.example.com' \
  --certificate-arn 'arn:aws:acm:us-east-1:123456789012:certificate/123abcd-456efg-789hij'

Or update if it already exists:

aws apigateway update-domain-name --domain-name 'api.example.com' \
  --patch-operations op='replace',path='/certificateArn',value='arn:aws:acm:us-east-1:123456789012:certificate/123abcd-456efg-789hij'

Step by Step Guide for Remediation

  1. Obtain or Request an SSL Certificate:
     • Use the AWS CLI or AWS Management Console to request or import an SSL/TLS certificate via the AWS Certificate Manager.
  2. Validate the SSL Certificate:
     • Follow the instructions provided by AWS to validate the certificate using either DNS or email validation.
  3. Attach the SSL Certificate to the Custom Domain Name:
     • Use the create-domain-name or update-domain-name API or CLI commands to bind the SSL certificate to the API Gateway custom domain.
  4. Deploy the API to the Appropriate Stage:
     • Once the certificate is in place, deploy the API to the stage using the console or CLI command:

       aws apigateway create-deployment --rest-api-id 'restapi_id' --stage-name 'stage_name'

  5. Verify the Setup:
     • Visit the API's custom domain name via a secure HTTPS connection to verify that the SSL/TLS certificate is working correctly.

Following these steps helps ensure your API Gateway complies with the NIST 800-53 Rev. 5 requirements for secure communications.
