Encryption At Rest Should Be Enabled For App Sync Cache
More Info:
This rule checks whether encryption at rest is enabled for the cache of an AWS AppSync API. Enabling encryption at rest helps protect sensitive data stored in the cache from unauthorized access or tampering. It ensures that data is encrypted while stored, providing an additional layer of security.
Risk Level
Medium
Address
Security
Compliance Standards
CBP, SEBI
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the AppSync service. You can find this by typing ‘AppSync’ into the search bar at the top of the console.
- In the AppSync dashboard, select the APIs from the navigation pane.
- For each API, click on its name to open its details page. In the details page, click on ‘Settings’ in the left-hand navigation pane.
- In the Settings page, look for the ‘Cache’ section. If the ‘Encryption at Rest’ field is set to ‘Disabled’, then Encryption at Rest is not enabled for the App Sync Cache.
- First, you need to install and configure the AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the AppSync resources.
- Once the AWS CLI is set up, you can use the following command to list all the AppSync APIs in your account:
aws appsync list-graphql-apis --region your-region
Replace ‘your-region’ with the region where your resources are located. This command returns a list of all the AppSync APIs in the specified region.
- To check the encryption at rest configuration for each API, you can use the following command:
aws appsync get-graphql-api --api-id your-api-id --region your-region
Replace ‘your-api-id’ with the ID of the API you want to check and ‘your-region’ with the region where the API is located. This command returns the details of the specified API, including the encryption at rest configuration.
- To check if encryption at rest is enabled, you need to look at the ‘userPoolConfig’ field in the output. If the ‘awsCognitoUserPools’ field is set to ‘true’, then encryption at rest is enabled. If it’s set to ‘false’ or not present, then encryption at rest is not enabled.
Note: The ‘awsCognitoUserPools’ field might not be present if the API is not using AWS Cognito User Pools for authorization. In this case, you need to check the ‘authorizationConfig’ field to see if encryption at rest is enabled.
To check if Encryption At Rest is enabled for the App Sync Cache in AWS AppSync, you can use the AWS SDK for Python (Boto3). Here are the steps:
- Set up AWS SDK for Python (Boto3): First, you need to install and configure Boto3. You can install it using pip:
pip install boto3
Then, configure your AWS credentials. You can do this by setting the following environment variables in your shell (the values shown are placeholders):
export AWS_ACCESS_KEY_ID='your_access_key'
export AWS_SECRET_ACCESS_KEY='your_secret_key'
- Import Boto3 and Initialize AppSync Client: Now, you can import Boto3 in your Python script and initialize the AppSync client.
import boto3
client = boto3.client('appsync')
- List AppSync APIs and Check Encryption Configuration: You can use the list_graphql_apis method to get a list of all AppSync APIs. Then, for each API, call get_api_cache and check the atRestEncryptionEnabled attribute of the returned apiCache to see if Encryption At Rest is enabled. An API that has no cache configured raises NotFoundException, and there is nothing to encrypt for it.
response = client.list_graphql_apis()
for api in response['graphqlApis']:
    try:
        # Cache settings (TTL, type, encryption flags) live on the API cache, not on the API itself
        cache = client.get_api_cache(apiId=api['apiId'])['apiCache']
    except client.exceptions.NotFoundException:
        print(f"No cache configured for {api['name']}")
        continue
    if cache.get('atRestEncryptionEnabled'):
        print(f"Encryption At Rest is enabled for {api['name']}")
    else:
        print(f"Encryption At Rest is not enabled for {api['name']}")
- Handle Pagination: The list_graphql_apis method returns a maximum of 25 APIs at a time. If you have more than 25 APIs, you need to handle pagination by using the nextToken parameter.
next_token = None
while True:
    if next_token:
        response = client.list_graphql_apis(nextToken=next_token)
    else:
        response = client.list_graphql_apis()
    for api in response['graphqlApis']:
        try:
            cache = client.get_api_cache(apiId=api['apiId'])['apiCache']
        except client.exceptions.NotFoundException:
            print(f"No cache configured for {api['name']}")
            continue
        if cache.get('atRestEncryptionEnabled'):
            print(f"Encryption At Rest is enabled for {api['name']}")
        else:
            print(f"Encryption At Rest is not enabled for {api['name']}")
    # nextToken is absent (or empty) on the last page
    next_token = response.get('nextToken')
    if not next_token:
        break
Please note that this script assumes that you have the necessary permissions to list AppSync APIs and read their cache configuration. If you don’t, you may need to adjust your IAM policies accordingly.
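The CLI walk-through and the Boto3 steps above can be folded into a single audit routine that returns findings instead of printing them, so the result can feed a report or a test. The example below is added here and is not the page's own script; it assumes the AppSync client's get_api_cache call, whose apiCache result carries the atRestEncryptionEnabled flag, and that an API without a cache raises client.exceptions.NotFoundException. It runs offline against a constructed fake client with three sample APIs (two pages of results); for a real account, pass boto3.client('appsync') to audit_appsync_caches instead.

```python
"""Audit AppSync API caches for encryption at rest.

Added example, not the page's own code. Assumptions (labelled): list_graphql_apis
pages with nextToken, get_api_cache returns {'apiCache': {...,
'atRestEncryptionEnabled': bool}}, and an API with no cache raises
client.exceptions.NotFoundException.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class CacheFinding:
    api_id: str
    name: str
    status: str  # "ENCRYPTED", "UNENCRYPTED" or "NO_CACHE"


def evaluate_cache(api_cache: Optional[dict]) -> str:
    """Classify one apiCache dict. A missing flag counts as unencrypted (fail closed)."""
    if api_cache is None:
        return "NO_CACHE"
    return "ENCRYPTED" if api_cache.get("atRestEncryptionEnabled") is True else "UNENCRYPTED"


def iter_graphql_apis(client) -> Iterator[dict]:
    """Yield every GraphQL API, following nextToken until the last page."""
    next_token = None
    while True:
        kwargs = {"nextToken": next_token} if next_token else {}
        response = client.list_graphql_apis(**kwargs)
        yield from response.get("graphqlApis", [])
        next_token = response.get("nextToken")
        if not next_token:
            break


def audit_appsync_caches(client) -> List[CacheFinding]:
    """Return one finding per API: encrypted, unencrypted, or no cache configured."""
    findings = []
    for api in iter_graphql_apis(client):
        try:
            api_cache = client.get_api_cache(apiId=api["apiId"])["apiCache"]
        except client.exceptions.NotFoundException:
            api_cache = None  # no cache on this API, nothing stored at rest
        findings.append(CacheFinding(api["apiId"], api["name"], evaluate_cache(api_cache)))
    return findings


def noncompliant_names(findings: List[CacheFinding]) -> List[str]:
    """Names of APIs whose cache exists but is not encrypted at rest (the rule's failure case)."""
    return [f.name for f in findings if f.status == "UNENCRYPTED"]


# --- Constructed stand-in for boto3.client('appsync'), for offline use only ---
class _NotFound(Exception):
    pass


class FakeAppSyncClient:
    """Mimics the two calls the audit uses, returning pages of `page_size` APIs."""

    class exceptions:  # same attribute path as a real boto3 client
        NotFoundException = _NotFound

    def __init__(self, apis, caches, page_size=2):
        self._apis, self._caches, self._page_size = apis, caches, page_size
        self.list_calls = 0  # lets a caller verify pagination actually happened

    def list_graphql_apis(self, nextToken=None, maxResults=25):
        self.list_calls += 1
        start = int(nextToken) if nextToken else 0
        page = self._apis[start:start + self._page_size]
        response = {"graphqlApis": page}
        if start + self._page_size < len(self._apis):
            response["nextToken"] = str(start + self._page_size)
        return response

    def get_api_cache(self, apiId):
        if apiId not in self._caches:
            raise self.exceptions.NotFoundException(f"No cache for {apiId}")
        return {"apiCache": self._caches[apiId]}


# Constructed sample data: three APIs, only the first has an encrypted cache
SAMPLE_APIS = [
    {"apiId": "api-0001", "name": "orders-api"},
    {"apiId": "api-0002", "name": "reports-api"},
    {"apiId": "api-0003", "name": "events-api"},
]
SAMPLE_CACHES = {
    "api-0001": {"type": "SMALL", "ttl": 300, "atRestEncryptionEnabled": True,
                 "transitEncryptionEnabled": True},
    "api-0002": {"type": "SMALL", "ttl": 300, "atRestEncryptionEnabled": False,
                 "transitEncryptionEnabled": True},
}


def demo_findings() -> List[CacheFinding]:
    return audit_appsync_caches(FakeAppSyncClient(SAMPLE_APIS, SAMPLE_CACHES))


if __name__ == "__main__":
    for finding in demo_findings():
        print(f"{finding.api_id} {finding.name}: {finding.status}")
```

Returning findings rather than printing keeps the rule's three outcomes distinct: an API with no cache is not a failure of this rule, a cache whose flag is missing or false is. The fake client counts list calls so a test can confirm that nextToken is followed and no API is skipped.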