AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
API Gateway APIs Should Use SSL Certificates
More Info:
Your Amazon API Gateway APIs should be using SSL certificates to verify that HTTP requests made to your backend system are from API Gateway service.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Triage and Remediation
Remediation
To remediate the misconfiguration “API Gateway APIs should use SSL Certificates” in AWS using the AWS console, follow the below steps:
-
Login to the AWS Management Console and navigate to the Amazon API Gateway service.
-
Select the API that needs to be remediated.
-
In the left-hand panel, select the “Stages” option.
-
Select the stage that needs to be remediated.
-
In the “Settings” tab, scroll down to the “Security” section.
-
In the “Security” section, select the “Edit” button.
-
In the “Edit Security” dialog box, select the “Enable HTTPS” checkbox.
-
Choose the SSL certificate from the dropdown list or upload a new one.
-
Click “Save Changes” to remediate the misconfiguration.
-
Repeat the above steps for all the APIs that are not using SSL certificates.
By following the above steps, you can remediate the “API Gateway APIs should use SSL Certificates” misconfiguration in AWS using the AWS console.
To remediate the misconfiguration “API Gateway APIs Should Use SSL Certificates” for AWS using AWS CLI, follow these steps:
-
Open the AWS CLI and run the following command to list all the APIs in the API Gateway:
aws apigateway get-rest-apisThis will return a list of all the APIs in the API Gateway.
-
Identify the API that does not have an SSL certificate attached to it.
-
Run the following command to create an SSL certificate:
aws acm request-certificate --domain-name <your_domain_name> --validation-method DNSReplace
<your_domain_name>with the domain name that you want to use for the SSL certificate. This will create a new SSL certificate. -
Run the following command to get the ARN of the SSL certificate:
aws acm list-certificatesThis will return a list of all the SSL certificates that have been created.
-
Identify the ARN of the SSL certificate that you just created.
-
Run the following command to update the API Gateway to use the SSL certificate:
aws apigateway update-rest-api --rest-api-id <your_rest_api_id> --patch-operations op=replace,path=/protocolType,value=HTTPS op=add,path=/tlsConfig/serverName,value=<your_domain_name> op=add,path=/tlsConfig/serverCertificateId,value=<your_ssl_certificate_arn>Replace
<your_rest_api_id>with the ID of the API that you want to update. Replace<your_domain_name>with the domain name that you used for the SSL certificate. Replace<your_ssl_certificate_arn>with the ARN of the SSL certificate that you just created. -
Verify that the API is now using the SSL certificate by accessing the API using HTTPS.
By following these steps, you can remediate the “API Gateway APIs Should Use SSL Certificates” misconfiguration for AWS using AWS CLI.
To remediate the issue of API Gateway APIs not using SSL certificates in AWS, you can use the following steps using Python:
- Import the necessary AWS SDK libraries for Python, including
boto3andbotocore.
import boto3
from botocore.exceptions import ClientError
- Create a new
boto3client for the API Gateway service.
api_gateway_client = boto3.client('apigateway')
- Get a list of all APIs in the API Gateway service using the
get_rest_apis()method.
api_list = api_gateway_client.get_rest_apis()
- Loop through each API in the list and check if it has an SSL certificate attached to it using the
get_domain_name()method.
for api in api_list['items']:
api_id = api['id']
try:
domain_name = api_gateway_client.get_domain_name(restApiId=api_id)
if domain_name['securityPolicy'] == 'TLS_1_0':
# SSL certificate not attached, remediate the issue
# ...
except ClientError as e:
# Handle any errors that occur during the API check
print(e)
- If the API does not have an SSL certificate attached, you can remediate the issue by creating a new SSL certificate using the AWS Certificate Manager service and attaching it to the API using the
create_domain_name()andupdate_domain_name()methods.
# Create a new SSL certificate using AWS Certificate Manager
acm_client = boto3.client('acm')
certificate_arn = acm_client.request_certificate(
DomainName='example.com',
ValidationMethod='DNS'
)['CertificateArn']
# Attach the SSL certificate to the API using API Gateway
api_gateway_client.create_domain_name(
domainName='example.com',
certificateArn=certificate_arn,
securityPolicy='TLS_1_2'
)
# Update the API Gateway API to use the new SSL certificate
api_gateway_client.update_domain_name(
domainName='example.com',
patchOperations=[
{
'op': 'replace',
'path': '/certificateArn',
'value': certificate_arn
}
]
)
- Repeat steps 4 and 5 for each API that does not have an SSL certificate attached.
Note: Make sure to replace the DomainName parameter in step 5 with the actual domain name of your API.