- Enable Encryption for API Cache
Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit (as it travels to and from Amazon API Gateway).
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with production and sensitive data, it is strongly recommended to enforce encryption for API cached responses in order to protect your data from unauthorized access and to fulfill your organization's compliance requirements for API data encryption. Encrypting the cache prevents an attacker who intercepts or steals cached data from reading the API's responses.
Audit
To determine if your REST API stage-level cached responses are encrypted, perform the following actions:
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
03 In the left navigation panel, select APIs to access the Amazon API Gateway APIs listing page.
04 Click on the name (link) of the REST API that you want to examine to access the API configuration. To identify a REST API, check the value available in the Protocol column for each listed API.
05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.
06 Under Stages, choose the API stage that you want to examine.
07 Select the Settings tab from the console top panel to access the stage settings.
08 On the Settings panel, within Cache Settings section, check the Encrypt cache data setting status. If the Encrypt cache data setting is not available in the Cache Settings section, the response caching is not enabled for the selected API stage. If the Encrypt cache data setting is available but the checkbox is not selected, the stage-level cache encryption is not enabled for the selected Amazon API Gateway API stage.
09 Repeat steps no. 6 – 8 to determine the cache encryption status for other stages created for the selected API.
10 Repeat steps no. 4 – 9 to verify other REST APIs available within the current AWS cloud region.
11 Change the AWS region from the navigation bar and repeat the audit process for other regions.
Using AWS CLI
01 Run get-rest-apis command (OSX/Linux/UNIX) with custom query filters to list the IDs of the REST APIs created in the selected AWS region:
aws apigateway get-rest-apis --region us-east-1 --output table --query 'items[*].id'
02 The command output should return a table with the requested API identifiers (IDs):
----------------
|  GetRestApis |
+--------------+
|  aaabbbbccc  |
|  aabbccddee  |
|  abcdabcdab  |
+--------------+
03 Run get-stages command (OSX/Linux/UNIX) using the ID of the REST API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:
aws apigateway get-stages --region us-east-1 --rest-api-id aaabbbbccc --output table --query 'item[*].stageName'
04 The command output should return a table with the API stage name(s):
----------------
|  GetStages   |
+--------------+
|  Production  |
|  Testing     |
|  Development |
+--------------+
05 Execute get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier parameter and custom query filters to describe the API caching feature configuration attributes available for the selected API stage:
aws apigateway get-stages --region us-east-1 --rest-api-id aaabbbbccc --query 'item[?(stageName==`Production`)].methodSettings | []'
06 The command output should return the requested configuration information. If an empty object (i.e. {}) is returned instead, the response caching is not enabled for the selected API stage:
[
    {
        "*/*": {
            "throttlingRateLimit": 10000.0,
            "dataTraceEnabled": true,
            "metricsEnabled": false,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "cacheTtlInSeconds": 3600,
            "cacheDataEncrypted": false,
            "cachingEnabled": true,
            "throttlingBurstLimit": 5000,
            "requireAuthorizationForCacheControl": true
        }
    }
]
If the get-stages command output returns false for the "cacheDataEncrypted" configuration attribute, as shown in the example above, stage-level cache encryption is not enabled for the selected Amazon API Gateway API stage.
07 Repeat step no. 5 and 6 to determine the cache encryption status for other stages created for the selected API.
08 Repeat steps no. 3 – 7 to check other REST APIs available in the selected AWS cloud region.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.
Remediation / Resolution
To enable stage-level cache encryption for your existing Amazon API Gateway REST APIs, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable API Cache",
    "Resources": {
        "RestAPI": {
            "Type": "AWS::ApiGateway::RestApi",
            "Properties": {
                "Name": "WebServiceRestAPI",
                "Description": "A simple API Gateway REST API"
            }
        },
        "StageDeployment": {
            "Type": "AWS::ApiGateway::Deployment",
            "Properties": {
                "RestApiId": { "Ref": "RestAPI" }
            }
        },
        "APIStage": {
            "Type": "AWS::ApiGateway::Stage",
            "Properties": {
                "DeploymentId": { "Ref": "StageDeployment" },
                "RestApiId": { "Ref": "RestAPI" },
                "StageName": "Production",
                "TracingEnabled": true,
                "MethodSettings": [
                    {
                        "ResourcePath": "/*",
                        "HttpMethod": "*",
                        "CachingEnabled": true,
                        "CacheTtlInSeconds": 3600,
                        "CacheDataEncrypted": true
                    }
                ]
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable API Cache
Resources:
  RestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: WebServiceRestAPI
      Description: A simple API Gateway REST API
  StageDeployment:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref 'RestAPI'
  APIStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref 'StageDeployment'
      RestApiId: !Ref 'RestAPI'
      StageName: Production
      TracingEnabled: true
      MethodSettings:
        - ResourcePath: /*
          HttpMethod: '*'
          CachingEnabled: true
          CacheTtlInSeconds: 3600
          CacheDataEncrypted: true
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest-api" {
  name        = "web-service-rest-api"
  description = "A simple API Gateway REST API"
}

resource "aws_api_gateway_deployment" "rest-api-deployment" {
  rest_api_id = aws_api_gateway_rest_api.rest-api.id
}

resource "aws_api_gateway_stage" "api-stage" {
  deployment_id        = aws_api_gateway_deployment.rest-api-deployment.id
  rest_api_id          = aws_api_gateway_rest_api.rest-api.id
  stage_name           = "Production"
  xray_tracing_enabled = true
}

resource "aws_api_gateway_method_settings" "api-gateway-method-settings" {
  rest_api_id = aws_api_gateway_rest_api.rest-api.id
  stage_name  = aws_api_gateway_stage.api-stage.stage_name
  method_path = "*/*"

  settings {
    caching_enabled      = true
    cache_ttl_in_seconds = 3600
    cache_data_encrypted = true
  }
}
Using AWS Console
01 Sign in to AWS Management Console.
02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.
03 In the left navigation panel, select APIs.
04 Click on the name (link) of the REST API that you want to reconfigure, to access the API configuration settings.
05 In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.
06 Under Stages, choose the API stage that you want to reconfigure (see Audit section part I to identify the right stage).
07 Select the Settings tab from the console top panel to access the stage settings.
08 On the Settings panel, in the Cache Settings section, select the Encrypt cache data checkbox to enable encryption for API stage response caching. Choose Save Changes to apply the new configuration changes.
09 Repeat steps no. 6 – 8 to enable stage-level cache encryption for other stages created for the selected REST API.
10 Repeat steps no. 4 – 9 to reconfigure other Amazon API Gateway APIs available within the current AWS region.
11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.
Using AWS CLI
01 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier parameter (see Audit section part II to identify the right API stage) to enable in-transit encryption for API stage response caching. The following command example enables cache encryption for an API stage named "Production", deployed for an API identified by the ID "aaabbbbccc":
aws apigateway update-stage --region us-east-1 --rest-api-id aaabbbbccc --stage-name 'Production' --patch-operations op=replace,path=/*/*/caching/dataEncrypted,value=true
02 The command output should return the metadata available for the reconfigured API stage:
{
    "tracingEnabled": true,
    "stageName": "Production",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": true,
    "cacheClusterStatus": "AVAILABLE",
    "deploymentId": "abcabc",
    "lastUpdatedDate": 1608634577,
    "createdDate": 1608629899,
    "methodSettings": {
        "*/*": {
            "throttlingRateLimit": 10000.0,
            "dataTraceEnabled": true,
            "metricsEnabled": false,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "cacheTtlInSeconds": 3600,
            "cacheDataEncrypted": true,
            "cachingEnabled": true,
            "throttlingBurstLimit": 5000,
            "requireAuthorizationForCacheControl": true
        }
    }
}
03 Repeat step no. 1 and 2 to enable stage-level cache encryption for other API stages deployed for the selected REST API.
04 Repeat steps no. 1 – 3 to reconfigure other Amazon API Gateway APIs available in the selected AWS region.
05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
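The following is an added example, not code from the original page or from Conformity, that applies the get-stages audit (CLI audit step 06) and the update-stage remediation (CLI remediation step 01) to a stage item of the shape shown above. It goes beyond the stage-wide "*/*" check to per-method overrides, whose methodSettings keys use API Gateway's "~1" escaping for "/" in the resource path; SAMPLE_STAGE is constructed data.

```python
"""Audit one API Gateway stage for cache encryption and build the update-stage
patch operations that fix it. Input is a get-stages item like the ones above."""
from typing import Dict, List

# Constructed sample stage: the "*/*" default is encrypted, but a per-method
# override caches GET /pets unencrypted, which a check of "*/*" alone would miss.
SAMPLE_STAGE = {
    "stageName": "Production",
    "cacheClusterEnabled": True,
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
        "~1pets/GET": {"cachingEnabled": True, "cacheDataEncrypted": False},
        "~1health/GET": {"cachingEnabled": False},
    },
}


def audit_stage(stage: Dict) -> Dict[str, str]:
    """Classify each method path as 'not_cached', 'unencrypted' or 'encrypted'.

    Keys are '<resourcePath>/<httpMethod>' ('/' in the path escaped as '~1');
    '*/*' is the stage default. A stage whose cache cluster is off caches nothing.
    """
    findings: Dict[str, str] = {}
    # cacheClusterEnabled is absent when only methodSettings was queried: assume on
    cluster_on = stage.get("cacheClusterEnabled", True)
    for method_path, s in (stage.get("methodSettings") or {}).items():
        if not cluster_on or not s.get("cachingEnabled"):
            findings[method_path] = "not_cached"
        else:
            findings[method_path] = "encrypted" if s.get("cacheDataEncrypted") else "unencrypted"
    return findings


def remediation_patch_ops(stage: Dict) -> List[Dict[str, str]]:
    """One update-stage patch operation per unencrypted cached method path."""
    return [
        {"op": "replace", "path": f"/{path}/caching/dataEncrypted", "value": "true"}
        for path, state in audit_stage(stage).items()
        if state == "unencrypted"
    ]


def cli_patch_operations(ops: List[Dict[str, str]]) -> List[str]:
    """Render patch ops in the shorthand used by --patch-operations above."""
    return [f"op={o['op']},path={o['path']},value={o['value']}" for o in ops]
```

The dict form returned by remediation_patch_ops is the shape boto3's apigateway update_stage(patchOperations=...) accepts, and cli_patch_operations gives the equivalent --patch-operations arguments for the command in step 01.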
References
- AWS Documentation
- Optimizing performance of REST APIs
- Enabling API caching to enhance responsiveness
- Data encryption in Amazon API Gateway
- AWS Command Line Interface (CLI) Documentation
- apigateway
- get-rest-apis
- get-stages
- update-stage