Enable Encryption For API Cache

More Info:

Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit (as it travels to and from Amazon API Gateway).

Risk Level

High

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Check Cause

Using Console

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.
Once the AWS CLI is installed and configured, you can use the following command to list all the APIs in your AWS account:
```
aws apigateway get-rest-apis
```
This command will return a list of all the APIs in your account. Note down the “id” of the API you want to check.
Now, you can use the following command to get the details of the specific API:
```
aws apigateway get-rest-api --rest-api-id {API_ID}
```
Replace with the id of the API you noted down in the previous step. This command will return the details of the API.
In the output of the above command, look for the “cacheClusterEnabled” and “cacheClusterSize” fields. If the “cacheClusterEnabled” field is set to true and the “cacheClusterSize” field is not null, it means that the API cache is enabled. If the “cacheClusterEncrypted” field is set to true, it means that the API cache is encrypted. If it’s set to false or not present, it means that the API cache is not encrypted.

Using Python

To check if encryption is enabled for API Cache in API Gateway using Python scripts, you can use the Boto3 library, which allows you to write software that makes use of services like Amazon S3, Amazon EC2, and others. Here are the steps:

Import the necessary libraries: You need to import Boto3, the AWS SDK for Python, to interact with AWS services.
```
import boto3
```

Create a session: You need to create a session using your AWS credentials.

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='us-west-2'
)

Create an API Gateway client: Use the session to create a client for the API Gateway service.
```
client = session.client('apigateway')
```

List and check the APIs: Use the client to list all the APIs and check if encryption is enabled for API Cache.

response = client.get_rest_apis()

for item in response['items']:
    api_id = item['id']
    api_name = item['name']
    api_response = client.get_stages(
        restApiId=api_id
    )
    for stage in api_response['item']:
        if 'cacheClusterEnabled' in stage and stage['cacheClusterEnabled']:
            if 'cacheClusterSize' in stage and stage['cacheClusterSize']:
                print(f"API Gateway '{api_name}' has cache enabled with size {stage['cacheClusterSize']}")
            else:
                print(f"API Gateway '{api_name}' has cache enabled but size is not specified")
        else:
            print(f"API Gateway '{api_name}' does not have cache enabled")

This script will print out the status of cache encryption for each API in the API Gateway. If the cache is enabled, it will print out the size of the cache. If the cache is not enabled, it will print out a message stating that the cache is not enabled.

Additional Reading:

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Enable Encryption For API Cache

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Check Cause

Additional Reading: