Expiring SSL Client Certificates Should Be Rotated
More Info:
The client-side SSL certificates used by your Amazon API Gateway REST APIs for secure authentication at the API integration endpoint level should be rotated before their expiration date.
Risk Level: Medium
Address: Security
Compliance Standards: GDPR
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.
- In the navigation pane, choose ‘APIs’.
- In the APIs pane, choose the API you want to check.
- In the API details pane, choose ‘Client Certificates’.
- In the Client Certificates pane, you can see the expiration date of the SSL client certificate. If the certificate is about to expire, it indicates a misconfiguration.
- First, you need to install and configure the AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access API Gateway.
- Once the AWS CLI is installed and configured, you can use the following command to list all the APIs in your AWS account:
aws apigateway get-rest-apis
This command will return a list of all the APIs in your account. Note down the id of the API you want to check.
- Now, you can use the following command to get the details of the API:
aws apigateway get-rest-api --rest-api-id <your-api-id>
Replace <your-api-id> with the id of your API. This command will return the details of the API including the client certificate id if one is associated with the API. Note that a client certificate is attached at the stage level, so the following command lists the clientCertificateId configured on each stage of the API:
aws apigateway get-stages --rest-api-id <your-api-id>
- Finally, you can use the following command to get the details of the client certificate:
aws apigateway get-client-certificate --client-certificate-id <your-client-certificate-id>
Replace <your-client-certificate-id> with the id of your client certificate. This command will return the details of the client certificate including the expiration date. You can then check if the certificate is about to expire.
- Setup AWS SDK (Boto3) in Python: First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
pip install boto3
Then, configure your AWS credentials either by setting up environment variables or by using the AWS CLI.
- List all the API Gateways: Use the get_rest_apis function from the apigateway client in Boto3 to list all the API Gateways in your AWS account. Here is a sample script:
```python
import boto3

def list_apis():
    # Returns the REST APIs of the account (the 'items' list of get_rest_apis).
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

apis = list_apis()
for api in apis:
    print(api['name'], api['id'])
```
This script will print the name and ID of all the API Gateways.
- Get the Client Certificate of each API Gateway: Use the get_client_certificate function from the apigateway client in Boto3 to get the details of the client certificate of each API Gateway. Here is a sample script:
```python
import boto3

def get_certificates(api_id):
    # A client certificate is attached to a stage, not to the REST API itself,
    # so read each stage's clientCertificateId and fetch that certificate.
    client = boto3.client('apigateway')
    certificates = []
    for stage in client.get_stages(restApiId=api_id)['item']:
        cert_id = stage.get('clientCertificateId')
        if cert_id:
            certificates.append(client.get_client_certificate(clientCertificateId=cert_id))
    return certificates

apis = list_apis()  # defined in the previous step
for api in apis:
    for certificate in get_certificates(api['id']):
        print(certificate)
```
This script will print the details of the client certificate of each API Gateway.
- Check the Expiration Date of the Client Certificate: The get_client_certificate function returns a dictionary that includes the expirationDate of the client certificate. You can compare this date with the current date to check if the certificate is expiring soon. Here is a sample script:
```python
import boto3
from datetime import datetime, timedelta, timezone

def is_expiring_soon(certificate):
    # Boto3 returns expirationDate as a timezone-aware datetime, so compare it
    # against an aware "now" instead of converting it from an epoch timestamp.
    expiration_date = certificate['expirationDate']
    return expiration_date < datetime.now(timezone.utc) + timedelta(days=30)

apis = list_apis()  # defined in the earlier steps, as is get_certificates
for api in apis:
    for certificate in get_certificates(api['id']):
        if is_expiring_soon(certificate):
            print(f"The client certificate {certificate['clientCertificateId']} of the API Gateway {api['name']} is expiring soon.")
```
This script will print a warning message for each API Gateway whose client certificate is expiring in less than 30 days.
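The CLI and Boto3 steps above both walk the same path: list the REST APIs, find the client certificate each stage uses, and compare its expiration date with today. The following script, added here as an example and not taken from the page or from AWS, puts that path into one function that also handles the details the steps gloss over: pagination of get_rest_apis via its position token, stages with no client certificate, one certificate shared by several stages (fetched once), and certificates that have already expired rather than merely expiring. The FakeApiGatewayClient, SAMPLE_CLIENT, SAMPLE_NOW and all API, stage and certificate values are constructed sample data standing in for boto3.client('apigateway'); against a real account, pass the boto3 client instead.

```python
"""Find API Gateway REST API stages whose client certificate is expired or expiring.

Added example. FakeApiGatewayClient and every sample API, stage and certificate
below are constructed data standing in for boto3.client('apigateway').
"""
from datetime import datetime, timedelta, timezone


class FakeApiGatewayClient:
    """Offline stand-in exposing the three apigateway calls the check relies on."""

    def __init__(self, api_pages, stages_by_api, certs):
        self._pages = api_pages        # list of pages, each a list of REST API dicts
        self._stages = stages_by_api   # restApiId -> list of stage dicts
        self._certs = certs            # clientCertificateId -> certificate dict

    def get_rest_apis(self, position=None, limit=25):
        # The real call pages its results with a 'position' token; mimic that.
        idx = 0 if position is None else int(position)
        page = {"items": self._pages[idx]}
        if idx + 1 < len(self._pages):
            page["position"] = str(idx + 1)
        return page

    def get_stages(self, restApiId):
        return {"item": self._stages.get(restApiId, [])}

    def get_client_certificate(self, clientCertificateId):
        return self._certs[clientCertificateId]


def iter_rest_apis(client):
    """Yield every REST API, following the 'position' pagination token to the end."""
    kwargs = {}
    while True:
        page = client.get_rest_apis(**kwargs)
        yield from page.get("items", [])
        if "position" not in page:
            return
        kwargs = {"position": page["position"]}


def as_utc(value):
    """Accept boto3's datetime or an epoch number and return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(float(value), tz=timezone.utc)


def find_expiring_client_certificates(client, now=None, warn_days=30):
    """Return one finding per stage whose client certificate is expired or expiring.

    Certificates are attached per stage, so a certificate shared by several stages
    is fetched once and reported once for each stage that depends on it.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    expirations = {}  # clientCertificateId -> expiration datetime, fetched once
    findings = []
    for api in iter_rest_apis(client):
        for stage in client.get_stages(restApiId=api["id"]).get("item", []):
            cert_id = stage.get("clientCertificateId")
            if not cert_id:
                continue  # stage uses no client certificate: outside this check
            if cert_id not in expirations:
                cert = client.get_client_certificate(clientCertificateId=cert_id)
                expirations[cert_id] = as_utc(cert["expirationDate"])
            days_left = (expirations[cert_id] - now).days
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                continue
            findings.append({"api": api["name"], "api_id": api["id"],
                             "stage": stage["stageName"], "certificate_id": cert_id,
                             "status": status, "days_left": days_left})
    findings.sort(key=lambda f: f["days_left"])  # most urgent first
    return findings


# Constructed sample inventory: two pages of APIs; one expiring, one expired and
# one healthy certificate, plus a stage with no client certificate at all.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CLIENT = FakeApiGatewayClient(
    api_pages=[[{"id": "api1", "name": "orders"}], [{"id": "api2", "name": "billing"}]],
    stages_by_api={
        "api1": [{"stageName": "prod", "clientCertificateId": "cert-soon"},
                 {"stageName": "dev"}],
        "api2": [{"stageName": "prod", "clientCertificateId": "cert-expired"},
                 {"stageName": "beta", "clientCertificateId": "cert-ok"}],
    },
    certs={
        "cert-soon": {"clientCertificateId": "cert-soon", "expirationDate": SAMPLE_NOW + timedelta(days=10)},
        "cert-expired": {"clientCertificateId": "cert-expired", "expirationDate": SAMPLE_NOW - timedelta(days=1)},
        "cert-ok": {"clientCertificateId": "cert-ok", "expirationDate": SAMPLE_NOW + timedelta(days=200)},
    },
)

if __name__ == "__main__":
    for f in find_expiring_client_certificates(SAMPLE_CLIENT, now=SAMPLE_NOW):
        print(f"{f['status']:8} {f['api']}/{f['stage']} cert={f['certificate_id']} days_left={f['days_left']}")
    # For a real account: import boto3 and call the function with boto3.client('apigateway').
```

Run against the sample data, the function reports billing/prod (certificate expired one day ago) and orders/prod (ten days left) and stays silent about the dev stage, which has no client certificate, and the beta stage, whose certificate is still far from expiry. The warn_days threshold is a parameter so the same check can feed a ticketing rule at 30 days and a paging rule at, say, 7.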