Enable Encryption For API Cache
More Info:
Ensure that your Amazon API Gateway REST APIs are configured to encrypt cached API responses. When caching is enabled for a stage, API Gateway stores backend responses (which may contain customer, session or other sensitive data) in a dedicated cache cluster; enabling cache encryption protects that cached data at rest. Transport to and from API Gateway is protected separately by TLS, so cache encryption is about the stored copy, not the wire. The encryption flag is a method-level stage setting ("cacheDataEncrypted" under "methodSettings"), so both the stage default ("*/*") and any per-method overrides must have it enabled.
Risk Level
High
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Check Cause
Using the AWS Management Console
- Sign in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the APIs list, select the REST API you want to check.
- On the API details page, choose "Stages" from the left-hand menu.
- Select the stage you want to check. A cache is configured per stage, so every stage of the API has to be checked separately.
- In the stage settings, review the cache settings. If API caching is enabled for the stage, "Encrypt cache data" must also be enabled; if caching is enabled but cache data encryption is not, the API cache for this stage is unencrypted. If caching is disabled for the stage, no cache exists and this check does not apply.
- Also review any method-level overrides on the stage: a method that overrides the stage cache settings can have caching enabled with encryption turned off even when the stage default is encrypted.
Using the AWS CLI
- Install and configure the AWS CLI on your local machine following the AWS documentation. The credentials you use need read access to API Gateway (apigateway:GET on the APIs and stages you audit).
- List the REST APIs in the region:
    aws apigateway get-rest-apis --query 'items[].[id,name]' --output table
  Note the "id" of the API you want to check. API Gateway is a regional service, so repeat with --region for every region in use.
- Cache settings are not part of the REST API object returned by get-rest-api; they live on each stage. List the stages of the API together with their cache settings:
    aws apigateway get-stages --rest-api-id {API_ID}
  Replace {API_ID} with the id noted in the previous step. To inspect a single stage, use:
    aws apigateway get-stage --rest-api-id {API_ID} --stage-name {STAGE_NAME}
- In the output, each stage has "cacheClusterEnabled" and "cacheClusterSize". If "cacheClusterEnabled" is true, a cache cluster of that size (in GB) is provisioned for the stage. Encryption is not a stage-level flag: look in "methodSettings", where the key "*/*" holds the stage default and keys such as "/orders/GET" hold per-method overrides. For every entry with "cachingEnabled": true, "cacheDataEncrypted" must also be true. If any such entry has "cacheDataEncrypted": false (or missing), the stage caches responses without encryption. If "cacheClusterEnabled" is false, no cache exists and the check does not apply.
Using Python (Boto3)
To check whether encryption is enabled for the API cache from a Python script, use Boto3, the AWS SDK for Python. Here are the steps:
- Import the necessary library: Boto3 is needed to interact with API Gateway.
    import boto3
- Create a session. Do not embed long-term access keys in the script; let Boto3 pick up credentials from its default chain (environment variables, the shared credentials file, an assumed role or an instance profile) and only set the region:
    session = boto3.Session(region_name='us-west-2')
- Create an API Gateway client from the session:
    client = session.client('apigateway')
- List the APIs and, for each API, its stages, then check the cache settings of every stage. Encryption is recorded per method setting as "cacheDataEncrypted", so the script inspects every "methodSettings" entry that has caching enabled:
    # get_rest_apis returns at most 500 APIs per call, so use the paginator
    paginator = client.get_paginator('get_rest_apis')
    for page in paginator.paginate():
        for api in page['items']:
            api_id, api_name = api['id'], api['name']
            for stage in client.get_stages(restApiId=api_id)['item']:
                stage_name = stage['stageName']
                if not stage.get('cacheClusterEnabled'):
                    print(f"{api_name}/{stage_name}: cache not enabled (check not applicable)")
                    continue
                size = stage.get('cacheClusterSize')
                # '*/*' is the stage default; '/path/METHOD' keys are per-method overrides
                unencrypted = [
                    key for key, ms in stage.get('methodSettings', {}).items()
                    if ms.get('cachingEnabled') and not ms.get('cacheDataEncrypted', False)
                ]
                if unencrypted:
                    print(f"{api_name}/{stage_name}: cache enabled ({size} GB) but NOT encrypted for {unencrypted}")
                else:
                    print(f"{api_name}/{stage_name}: cache enabled ({size} GB) and encrypted")
This script prints, for each stage of each REST API in the region, whether a cache is enabled, its size, and whether every cached method setting has cache data encryption turned on. A stage is non-compliant if any method setting caches responses with "cacheDataEncrypted" set to false.
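The decision logic from the CLI and Boto3 steps above, as a stand-alone evaluator that can be run offline against the JSON returned by "aws apigateway get-stages" or client.get_stages(). This is an added example, not code from the original page. The stage data below is constructed to cover the cases a check has to distinguish (a stage whose default is encrypted but a per-method override is not, a stage whose default is unencrypted, a stage with a cache cluster but no cached methods, and a stage without a cache); the status names and the function names are this example's own.

```python
"""Evaluate API Gateway REST API stages for response caches without encryption.

Added example: operates on Stage objects as returned by `aws apigateway get-stages`
or boto3's client.get_stages(). SAMPLE_STAGES is constructed, not from a real account.
"""
import json
from typing import Dict, List

# Constructed sample, trimmed to the cache-relevant fields of a get-stages response.
SAMPLE_STAGES = json.loads("""
{
  "item": [
    {"stageName": "prod", "cacheClusterEnabled": true, "cacheClusterSize": "0.5",
     "cacheClusterStatus": "AVAILABLE",
     "methodSettings": {
       "*/*": {"cachingEnabled": true, "cacheTtlInSeconds": 300, "cacheDataEncrypted": true},
       "/orders/GET": {"cachingEnabled": true, "cacheTtlInSeconds": 60, "cacheDataEncrypted": false}
     }},
    {"stageName": "staging", "cacheClusterEnabled": true, "cacheClusterSize": "0.5",
     "cacheClusterStatus": "AVAILABLE",
     "methodSettings": {
       "*/*": {"cachingEnabled": true, "cacheTtlInSeconds": 300, "cacheDataEncrypted": false}
     }},
    {"stageName": "test", "cacheClusterEnabled": true, "cacheClusterSize": "0.5",
     "cacheClusterStatus": "AVAILABLE", "methodSettings": {}},
    {"stageName": "dev", "cacheClusterEnabled": false, "methodSettings": {}}
  ]
}
""")


def unencrypted_cache_paths(stage: Dict) -> List[str]:
    """Return the methodSettings keys that cache responses without encryption.

    Encryption is not a stage-level flag. It is stored per method setting as
    'cacheDataEncrypted': '*/*' is the stage default and '/path/METHOD' keys are
    overrides, and an override can switch encryption off even when '*/*' has it on.
    """
    if not stage.get("cacheClusterEnabled"):
        return []  # no cache cluster provisioned, so nothing is cached
    return sorted(
        key
        for key, ms in stage.get("methodSettings", {}).items()
        if ms.get("cachingEnabled") and not ms.get("cacheDataEncrypted", False)
    )


def evaluate_stage(stage: Dict) -> str:
    """Classify one stage: NOT_APPLICABLE (no cache cluster), CACHE_UNUSED (cluster
    provisioned but no method caches responses), FAIL (some cached method is
    unencrypted) or PASS."""
    if not stage.get("cacheClusterEnabled"):
        return "NOT_APPLICABLE"
    if not any(ms.get("cachingEnabled") for ms in stage.get("methodSettings", {}).values()):
        return "CACHE_UNUSED"  # cluster is billed and provisioned but holds no responses
    return "FAIL" if unencrypted_cache_paths(stage) else "PASS"


def evaluate_api(stages_response: Dict) -> Dict[str, str]:
    """Map stageName -> status for one get-stages response ({"item": [...]})."""
    return {s["stageName"]: evaluate_stage(s) for s in stages_response.get("item", [])}


def audit_account(client) -> Dict[str, Dict[str, str]]:
    """Run evaluate_api over every REST API visible to a boto3 'apigateway' client.

    Uses the GetRestApis paginator because get_rest_apis returns at most 500 items
    per call. Needs network access and apigateway:GET; not used by the offline run.
    """
    results = {}
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            stages = client.get_stages(restApiId=api["id"])
            results[f"{api['name']} ({api['id']})"] = evaluate_api(stages)
    return results


if __name__ == "__main__":
    for stage in SAMPLE_STAGES["item"]:
        print(stage["stageName"], evaluate_stage(stage), unencrypted_cache_paths(stage))
```

Against the constructed sample, "prod" fails because of the "/orders/GET" override even though its "*/*" default is encrypted, "staging" fails on the default itself, "test" has a cluster that caches nothing, and "dev" is not applicable. To run it against an account, pass a client such as boto3.client("apigateway", region_name="us-west-2") to audit_account. For remediation, the stage default is switched with the documented update-stage patch operation op=replace,path=/*/*/caching/dataEncrypted,value=true; per-method overrides use the same path with the method's resource path and verb in place of */*.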