API Gateway APIs Should Use SSL Certificates
More Info:
Your Amazon API Gateway APIs should be using SSL certificates to verify that HTTP requests made to your backend system are from API Gateway service.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the API Gateway service by typing ‘API Gateway’ in the search bar and selecting it from the dropdown menu.
- In the API Gateway dashboard, you will see a list of all your APIs. Select the API you want to check.
- Once you’ve selected the API, navigate to the ‘Custom Domain Names’ section in the left-hand menu. Here, you can see if an SSL certificate is associated with your API. If there is no SSL certificate, or if it’s expired, then it’s a misconfiguration.
- First, install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway service.
- Once the AWS CLI is set up, list all the APIs in API Gateway with the following command:
  `aws apigateway get-rest-apis`
  This command returns a list of all the APIs in API Gateway.
- To check whether an API is using SSL certificates, get the details of each API with the following command:
  `aws apigateway get-rest-api --rest-api-id {rest-api-id}`
  Replace `{rest-api-id}` with the ID of the API you want to check. This command returns the details of the specified API.
- In the returned details, look for the `endpointConfiguration` field. If the `types` field under `endpointConfiguration` is set to `EDGE`, the API is using a CloudFront distribution and SSL certificates are managed by AWS. If the `types` field is set to `REGIONAL` or `PRIVATE`, you need to manually manage SSL certificates.
- Install the necessary Python libraries: Before you start, make sure you have the necessary Python libraries installed. You will need the boto3 library, the Amazon Web Services (AWS) SDK for Python, which lets Python programs use services such as Amazon S3 and Amazon EC2. You can install it using pip:
  `pip install boto3`
- Configure AWS Credentials: You need to configure your AWS credentials. You can do this in several ways, but the simplest is to use the AWS CLI. Run `aws configure` and enter your access key, secret access key, and default region when prompted.
- Python Script: Now you can use the following Python script to check if API Gateway APIs are using SSL certificates:

```python
import boto3


def check_api_gateway_ssl():
    """Report whether each stage of each REST API has a client certificate."""
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    for api in response['items']:
        api_id = api['id']
        api_name = api['name']
        # Client certificates are attached per stage, not per API, so the
        # stages of each API are inspected (kept separate from `response`
        # so the API listing is not overwritten inside the loop).
        stages = client.get_stages(restApiId=api_id)
        for stage in stages['item']:
            stage_name = stage['stageName']
            if 'clientCertificateId' not in stage:
                print(f"API Gateway '{api_name}' stage '{stage_name}' does not use SSL certificate.")
            else:
                print(f"API Gateway '{api_name}' stage '{stage_name}' uses SSL certificate.")


check_api_gateway_ssl()
```

This script retrieves all REST APIs and checks whether each of their stages has a client certificate ID associated with it. If a stage does not, it is not using an SSL certificate.
- Run the Script: Finally, run the script using a Python interpreter. Any API Gateway stage that is not using an SSL certificate will be printed out.

Please note that this script only checks for the existence of a client certificate ID, not whether the certificate is valid or expired. You may need to add additional checks depending on your requirements.
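The script above stops at the presence of a `clientCertificateId`. The following script is an added example, not code from the original page, that extends the check: it resolves each certificate with `get_client_certificate` and reports whether it has already expired or expires within an assumed 30-day window (`EXPIRY_WARNING_DAYS`, a policy value chosen for this example). The evaluation logic (`evaluate_stage`, `audit`) works on plain dicts shaped like the boto3 responses, so it runs offline against the constructed sample data embedded below; only `fetch_and_audit` talks to AWS and needs credentials. The API names, stage names and certificate IDs in the sample data are made up.

```python
"""Audit API Gateway REST API stages for a backend client certificate and its expiry.

Added example, not part of the original page. `evaluate_stage` and `audit` work
on plain dicts shaped like the boto3 responses, so they run offline; only
`fetch_and_audit` needs boto3 and AWS credentials.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy for this example: warn when a certificate expires within this many days.
EXPIRY_WARNING_DAYS = 30


def evaluate_stage(api_name, stage, certificates, now):
    """Classify one stage (an element of get_stages()['item']).

    `certificates` maps clientCertificateId -> get_client_certificate() response.
    Returns (status, message); status is one of
    MISSING, UNKNOWN_CERT, EXPIRED, EXPIRING, OK.
    """
    stage_name = stage.get("stageName", "?")
    label = f"API '{api_name}' stage '{stage_name}'"
    cert_id = stage.get("clientCertificateId")
    if not cert_id:
        return "MISSING", f"{label}: no client certificate configured"
    cert = certificates.get(cert_id)
    if cert is None:
        return "UNKNOWN_CERT", f"{label}: certificate {cert_id} could not be retrieved"
    expires = cert["expirationDate"]
    if expires <= now:
        return "EXPIRED", f"{label}: certificate {cert_id} expired on {expires:%Y-%m-%d}"
    if expires - now <= timedelta(days=EXPIRY_WARNING_DAYS):
        return "EXPIRING", f"{label}: certificate {cert_id} expires on {expires:%Y-%m-%d}"
    return "OK", f"{label}: certificate {cert_id} valid until {expires:%Y-%m-%d}"


def audit(apis, stages_by_api, certificates, now=None):
    """Evaluate every stage of every API.

    `apis` is a list of get_rest_apis() items; `stages_by_api` maps API id ->
    get_stages()['item']. Returns a list of (api_name, stage_name, status, message).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for api in apis:
        for stage in stages_by_api.get(api["id"], []):
            status, message = evaluate_stage(api["name"], stage, certificates, now)
            findings.append((api["name"], stage.get("stageName", "?"), status, message))
    return findings


def fetch_and_audit(region_name=None):
    """Pull live data with boto3 and run the audit (needs AWS credentials)."""
    import boto3  # imported here so the offline evaluation does not require boto3

    client = boto3.client("apigateway", region_name=region_name)
    apis, stages_by_api, certificates = [], {}, {}
    for page in client.get_paginator("get_rest_apis").paginate():
        apis.extend(page.get("items", []))
    for api in apis:
        stages_by_api[api["id"]] = client.get_stages(restApiId=api["id"])["item"]
    cert_ids = {s["clientCertificateId"] for stages in stages_by_api.values()
                for s in stages if s.get("clientCertificateId")}
    for cert_id in cert_ids:
        try:
            certificates[cert_id] = client.get_client_certificate(clientCertificateId=cert_id)
        except client.exceptions.NotFoundException:
            pass  # left absent, so the stage is reported as UNKNOWN_CERT
    return audit(apis, stages_by_api, certificates)


# Constructed sample data mirroring the boto3 response shapes (not real account data).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_APIS = [
    {"id": "abc123", "name": "orders-api"},
    {"id": "def456", "name": "legacy-api"},
]
SAMPLE_STAGES = {
    "abc123": [
        {"stageName": "prod", "clientCertificateId": "cert-fresh"},
        {"stageName": "dev"},  # no certificate configured at all
    ],
    "def456": [
        {"stageName": "prod", "clientCertificateId": "cert-stale"},
        {"stageName": "beta", "clientCertificateId": "cert-soon"},
    ],
}
SAMPLE_CERTS = {
    "cert-fresh": {"expirationDate": SAMPLE_NOW + timedelta(days=200)},
    "cert-stale": {"expirationDate": SAMPLE_NOW - timedelta(days=3)},
    "cert-soon": {"expirationDate": SAMPLE_NOW + timedelta(days=10)},
}

if __name__ == "__main__":
    for _, _, status, message in audit(SAMPLE_APIS, SAMPLE_STAGES, SAMPLE_CERTS, now=SAMPLE_NOW):
        print(f"[{status}] {message}")
```

Run it as-is to see the four sample findings (OK, MISSING, EXPIRED, EXPIRING); call `fetch_and_audit()` with configured credentials to audit a real account. Certificates generated by API Gateway are valid for 365 days, so the expiry check matters in practice. Note also that a certificate attached to a stage is only half of the control the misconfiguration describes: the backend must actually validate the certificate presented by API Gateway, and that is not something any query against the API Gateway service can confirm.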