More Info:

Ensure that your Amazon EFS file systems are encrypted in order to meet security and compliance requirements. Your data is transparently encrypted while being written and transparently decrypted while being read from your file system, therefore the encryption process does not require any additional action from you or your application. Encryption keys are managed by AWS KMS service, eliminating the need to build and maintain a secure key management infrastructure.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP, NIST

Triage and Remediation

Check Cause

Using Console

  1. Log in to the AWS Management Console and open the Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
  2. In the navigation pane, choose APIs. This will display a list of all your APIs.
  3. Select the API you want to check. This will open the API Gateway dashboard for the selected API.
  4. In the API Gateway dashboard, navigate to the “Settings” section. Here, look for the “Encryption” settings. If the “Encrypt Data at Rest” option is enabled, then EFS encryption is enabled for the API Gateway. If not, then EFS encryption is not enabled.
  1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local system and configure it with your AWS account credentials. You can do this by running the following commands: Installation: 
    pip install awscli
    Configuration: 
    aws configure
    You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
  2. List all the API Gateways: Use the following command to list all the API Gateways in your AWS account: 
    aws apigateway get-rest-apis
    This command will return a list of all the Rest APIs in your AWS account.
  3. Get the details of each API Gateway: For each API Gateway, use the following command to get its details: 
    aws apigateway get-rest-api --rest-api-id {rest-api-id}
    Replace {rest-api-id} with the ID of the API Gateway you want to check. This command will return the details of the specified API Gateway.
  4. Check the EFS Encryption: Unfortunately, AWS API Gateway does not directly support EFS encryption. Therefore, you cannot check EFS encryption enabled in API Gateway using AWS CLI. However, you can check if the EFS file systems that your API Gateway may interact with are encrypted. Use the following command to list all your EFS file systems: 
    aws efs describe-file-systems
    For each file system, check the Encrypted field in the output. If it is true, then the file system is encrypted. If it is false, then it is not encrypted.
To check if EFS Encryption is enabled in API Gateway using Python scripts, you can use the Boto3 library, which allows you to directly interact with AWS services such as API Gateway. Here are the steps:
  1. Import the Boto3 library in Python: Boto3 is the Amazon Web Services (AWS) Software Development Kit (SDK) for Python, which allows Python developers to write software that makes use of AWS services like Amazon S3, Amazon EC2, etc. To use Boto3, you first need to import it. 
    import boto3
  2. Create a session using your AWS credentials: You need to provide your AWS credentials (access key and secret access key) to Boto3 so it can interact with AWS services on your behalf. You can do this by creating a session. 
    session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY',
    region_name='us-west-2' # specify the region you are interested in
)
  3. Create an API Gateway client: Once you have a session, you can create a client for API Gateway. This client will provide you with methods to interact with API Gateway. 
    client = session.client('apigateway')
  4. Check if EFS Encryption is enabled: Now you can use the client to retrieve information about your APIs and check if EFS Encryption is enabled. Here is a simple example: 
    response = client.get_rest_apis()

for item in response['items']:
    if 'efsConfig' in item:
        if 'encryptionEnabled' in item['efsConfig']:
            if item['efsConfig']['encryptionEnabled']:
                print(f"EFS Encryption is enabled for API {item['name']}")
            else:
                print(f"EFS Encryption is not enabled for API {item['name']}")
        else:
            print(f"EFS Encryption is not enabled for API {item['name']}")
    else:
        print(f"EFS Encryption is not enabled for API {item['name']}")
    This script will print out whether EFS Encryption is enabled for each of your APIs.
Please note that this script assumes that you have the necessary permissions to access API Gateway and retrieve information about your APIs. If you don’t, you may need to adjust your IAM policies accordingly.

Additional Reading: