Triage and Remediation
Check Cause
Using Console
- Sign in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane, choose ‘APIs’.
- In the APIs pane, choose the API you want to check.
- In the API details pane, choose ‘Custom Domain Names’. This will display a list of custom domain names associated with the API.
- For each custom domain name, check the ‘ACM Certificate’ column. If the certificate is not valid, it will be indicated here.
Using CLI
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure the credentials you configure have the permissions needed to read the API Gateway and ACM resources.
- Once the AWS CLI is set up, you can list all the REST APIs in your account using the following command:
Replace ‘your-region-name’ with the name of your AWS region. This command will return a list of all the REST APIs in the specified region.
- For each REST API, you can get the details of its stages using the following command:
Replace ‘your-rest-api-id’ with the ID of your REST API and ‘your-region-name’ with the name of your AWS region. This command will return a list of all the stages of the specified REST API.
- For each stage, check the ‘clientCertificateId’ field. If this field is empty or the certificate ID is not valid, then the ACM Certificate is not valid in the API Gateway. You can check the validity of the certificate ID using the following command:
Replace ‘your-certificate-arn’ with the ARN of your certificate and ‘your-region-name’ with the name of your AWS region. This command will return the details of the specified certificate. If the ‘Status’ field is not ‘ISSUED’, then the certificate is not valid.
Using Python
- Install and configure AWS SDK for Python (Boto3) on your local system. This will allow you to interact with AWS services using Python.
- Import the necessary modules and create a session using your AWS credentials.
- Use the ‘get_rest_apis’ method from the ‘apigateway’ client to get a list of all the APIs in your account. Then, for each API, use the ‘get_domain_names’ method to get a list of all the domain names associated with that API. For each domain name, check the ‘certificateUploadDate’ attribute. If it is more than 13 months ago, the certificate is not valid.
- This script will print out the names of all the APIs and their associated domain names that have invalid certificates. You can modify this script to suit your needs, for example by sending an email alert instead of printing to the console.
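The CLI and Python procedures above both come down to the same three lookups: the custom domain names, the ACM certificate each one references, and whether that certificate is usable. The script below is an added example, not the page's own script. It assumes Boto3 is installed for the live path and factors the decision into a pure function that is run here on constructed sample data shaped like the ‘get_domain_names’ and ‘describe_certificate’ responses. It applies the page's 13-month upload-age rule and also checks the ACM ‘Status’ and ‘NotAfter’ fields, which are the direct test of validity. Two details worth knowing when adapting it: ‘get_domain_names’ is account-wide for a region rather than per API (the API behind a domain is found through ‘get_base_path_mappings’), and a stage's ‘clientCertificateId’ is the API Gateway client certificate used to authenticate calls to the backend, which is separate from the ACM certificate attached to a custom domain.

```python
"""Flag API Gateway custom domain names whose ACM certificate is not valid.

Added example, not the page's own script. The decision logic is a pure function
that runs on constructed data; only main() needs boto3 and AWS credentials.
"""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only required for the live lookups in main()
except ImportError:
    boto3 = None

# The page's heuristic: a certificate uploaded more than 13 months ago is
# treated as invalid. 13 months is approximated here as 395 days.
MAX_CERT_AGE = timedelta(days=395)


def attached_cert_arn(domain):
    """Edge-optimized domains carry 'certificateArn', regional ones 'regionalCertificateArn'."""
    return domain.get("certificateArn") or domain.get("regionalCertificateArn")


def is_certificate_valid(domain, cert, now):
    """Return (valid, reason) for one get_domain_names item.

    cert is the 'Certificate' dict from acm describe_certificate, or None when
    the ARN could not be resolved in ACM.
    """
    if not attached_cert_arn(domain):
        return False, "no ACM certificate attached"
    status = domain.get("domainNameStatus", "AVAILABLE")
    if status != "AVAILABLE":
        return False, f"domain status {status}"
    if cert is None:
        return False, "certificate ARN not found in ACM"
    if cert.get("Status") != "ISSUED":
        return False, f"ACM status {cert.get('Status')}"
    not_after = cert.get("NotAfter")
    if not_after is not None and not_after <= now:
        return False, f"expired on {not_after:%Y-%m-%d}"
    uploaded = domain.get("certificateUploadDate")
    if uploaded is not None and now - uploaded > MAX_CERT_AGE:
        return False, "certificate uploaded more than 13 months ago"
    return True, "ok"


def find_invalid_domains(domains, certificates, now=None):
    """Return [(domainName, reason)] for every domain that fails the checks.

    domains: items from get_domain_names; certificates: {arn: 'Certificate' dict}.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for domain in domains:
        cert = certificates.get(attached_cert_arn(domain))
        valid, reason = is_certificate_valid(domain, cert, now)
        if not valid:
            findings.append((domain["domainName"], reason))
    return findings


# Constructed sample data shaped like the boto3 responses (not real resources).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
ARN = "arn:aws:acm:{region}:123456789012:certificate/{cid}"
SAMPLE_DOMAINS = [
    {"domainName": "api.example.com", "domainNameStatus": "AVAILABLE",
     "certificateArn": ARN.format(region="us-east-1", cid="aaaa"),
     "certificateUploadDate": datetime(2024, 1, 15, tzinfo=UTC)},
    {"domainName": "expired.example.com", "domainNameStatus": "AVAILABLE",
     "regionalCertificateArn": ARN.format(region="eu-west-1", cid="bbbb"),
     "certificateUploadDate": datetime(2023, 1, 1, tzinfo=UTC)},
    {"domainName": "pending.example.com", "domainNameStatus": "AVAILABLE",
     "certificateArn": ARN.format(region="us-east-1", cid="cccc"),
     "certificateUploadDate": datetime(2024, 5, 1, tzinfo=UTC)},
    {"domainName": "stale.example.com", "domainNameStatus": "AVAILABLE",
     "regionalCertificateArn": ARN.format(region="eu-west-1", cid="dddd"),
     "certificateUploadDate": datetime(2023, 3, 1, tzinfo=UTC)},
    {"domainName": "bare.example.com", "domainNameStatus": "AVAILABLE"},
]
SAMPLE_CERTS = {
    ARN.format(region="us-east-1", cid="aaaa"): {"Status": "ISSUED", "NotAfter": datetime(2025, 2, 14, tzinfo=UTC)},
    ARN.format(region="eu-west-1", cid="bbbb"): {"Status": "ISSUED", "NotAfter": datetime(2024, 2, 1, tzinfo=UTC)},
    ARN.format(region="us-east-1", cid="cccc"): {"Status": "PENDING_VALIDATION"},
    ARN.format(region="eu-west-1", cid="dddd"): {"Status": "ISSUED", "NotAfter": datetime(2025, 1, 1, tzinfo=UTC)},
}


def main(region):
    """Live version: paginate get_domain_names for the region, then resolve each ARN in ACM."""
    apigw = boto3.client("apigateway", region_name=region)
    domains, kwargs = [], {}
    while True:
        page = apigw.get_domain_names(**kwargs)
        domains.extend(page.get("items", []))
        if "position" not in page:
            break
        kwargs["position"] = page["position"]

    certificates = {}
    for domain in domains:
        arn = attached_cert_arn(domain)
        if not arn or arn in certificates:
            continue
        # The certificate lives in the region encoded in its ARN (us-east-1 for
        # edge-optimized domains), which may differ from the API's region.
        acm = boto3.client("acm", region_name=arn.split(":")[3])
        try:
            certificates[arn] = acm.describe_certificate(CertificateArn=arn)["Certificate"]
        except acm.exceptions.ResourceNotFoundException:
            certificates[arn] = None

    for name, reason in find_invalid_domains(domains, certificates):
        mappings = apigw.get_base_path_mappings(domainName=name).get("items", [])
        apis = sorted({m["restApiId"] for m in mappings}) or ["(no base path mapping)"]
        print(f"{name}: {reason}; mapped REST APIs: {', '.join(apis)}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and boto3 is not None:
        main(sys.argv[1])  # e.g. python check_apigw_certs.py eu-west-1
    else:
        for name, reason in find_invalid_domains(SAMPLE_DOMAINS, SAMPLE_CERTS, now=NOW):
            print(f"{name}: {reason}")
```

Run it with a region name as the only argument to query a real account; without an argument it evaluates the constructed sample set, which exercises each failure branch once (expired, not yet issued, older than 13 months, no certificate attached). Keeping the checks in a pure function means the same logic can be wired to an alerting hook, as the page suggests, without touching the AWS calls.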