More Info:

Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit (as it travels to and from Amazon API Gateway).

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Check Cause

Using Console

  1. Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
  2. In the navigation pane, choose the API Gateway service.
  3. In the APIs list, select the API you want to check.
  4. In the API details page, select the “Stages” option from the left side menu.
  5. In the Stages section, select the stage of the API you want to check.
  6. In the Stage Editor panel, under the “Cache Settings” section, check the “Cache Encryption Enabled” field. If it’s set to “Yes”, then the encryption for API cache is enabled. If it’s set to “No”, then the encryption for API cache is not enabled.
  1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.
  2. Once the AWS CLI is installed and configured, you can use the following command to list all the APIs in your AWS account: 
    aws apigateway get-rest-apis
    This command will return a list of all the APIs in your account. Note down the “id” of the API you want to check.
  3. Now, you can use the following command to get the details of the specific API: 
    aws apigateway get-rest-api --rest-api-id {API_ID}
    Replace with the id of the API you noted down in the previous step. This command will return the details of the API.
  4. In the output of the above command, look for the “cacheClusterEnabled” and “cacheClusterSize” fields. If the “cacheClusterEnabled” field is set to true and the “cacheClusterSize” field is not null, it means that the API cache is enabled. If the “cacheClusterEncrypted” field is set to true, it means that the API cache is encrypted. If it’s set to false or not present, it means that the API cache is not encrypted.
To check if encryption is enabled for API Cache in API Gateway using Python scripts, you can use the Boto3 library, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, and others. Here are the steps:
  1. Import the necessary libraries: You need to import Boto3, the AWS SDK for Python, to interact with AWS services. 
    import boto3
  2. Create a session: You need to create a session using your AWS credentials. 
    session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='us-west-2'
)
  3. Create an API Gateway client: Use the session to create a client for the API Gateway service. 
    client = session.client('apigateway')
  4. List and check the APIs: Use the client to list all the APIs and check if encryption is enabled for API Cache. 
    response = client.get_rest_apis()

for item in response['items']:
    api_id = item['id']
    api_name = item['name']
    api_response = client.get_stages(
        restApiId=api_id
    )
    for stage in api_response['item']:
        if 'cacheClusterEnabled' in stage and stage['cacheClusterEnabled']:
            if 'cacheClusterSize' in stage and stage['cacheClusterSize']:
                print(f"API Gateway '{api_name}' has cache enabled with size {stage['cacheClusterSize']}")
            else:
                print(f"API Gateway '{api_name}' has cache enabled but size is not specified")
        else:
            print(f"API Gateway '{api_name}' does not have cache enabled")
This script will print out the status of cache encryption for each API in the API Gateway. If the cache is enabled, it will print out the size of the cache. If the cache is not enabled, it will print out a message stating that the cache is not enabled.

Additional Reading: