
Check the Minimum TLS Version Configured for API Gateway Domains

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the latest version of the Transport Layer Security (TLS) protocol is enforced for your Amazon API Gateway domains in order to follow security best practices and protect your APIs from exploits that target flaws in older TLS versions. The TLS protocol can be updated to the latest supported version using the security policy associated with each API Gateway domain. An API Gateway domain security policy is a predefined combination of two settings: the minimum TLS version that the API Gateway service uses to communicate with API clients, and the cipher suite that API Gateway uses to encrypt the content it returns to API clients.

This rule can help you work with the Security pillar of the AWS Well-Architected Framework.

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using old and deprecated TLS protocol versions increases the opportunities for malicious activity such as hacking, Man-in-the-Middle (MITM) and downgrade attacks. By updating the security policy associated with your Amazon API Gateway custom domains you can disable older versions of the TLS protocol.


Audit

To determine the minimum TLS version configured for your Amazon API Gateway domains, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select Custom domain names to access the API Gateway custom domains created in the selected region.

04 Click on the custom domain name that you want to examine and check the TLS version configuration attribute value available in the Domain details section. If the attribute value is anything other than TLS 1.2, the selected Amazon API Gateway custom domain is not using the latest TLS version, therefore the security policy configured for the API domain name is not compliant.

05 Repeat step no. 4 to verify other Amazon API Gateway custom domains available in the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-domain-names command (OSX/Linux/UNIX) using custom query filters to list the Amazon API Gateway custom domain names created within the selected AWS region:

aws apigateway get-domain-names \
  --region us-east-1 \
  --output table \
  --query 'items[*].domainName'

02 The command output should return a table with the requested domain names:

--------------------------
|     GetDomainNames     |
+------------------------+
|  cloudconformity.com   |
|  cloudrealisation.com  |
+------------------------+

03 Run get-domain-name command (OSX/Linux/UNIX) using the API Gateway custom domain name that you want to examine as the identifier parameter, with custom query filters to get the minimum TLS version configured for the security policy associated with the selected domain name:

aws apigateway get-domain-name \
  --region us-east-1 \
  --domain-name cloudconformity.com \
  --query 'securityPolicy'

04 The command output should return the requested configuration information:

"TLS_1_0"

If the minimum TLS version returned by the get-domain-name command output is anything other than "TLS_1_2", the selected Amazon API Gateway custom domain is not using the latest version of TLS, therefore the security policy configured for the API domain name is not compliant.

05 Repeat step no. 3 and 4 to verify other Amazon API Gateway custom domains available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To update the minimum Transport Layer Security (TLS) protocol version for your Amazon API Gateway custom domain names, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Minimum TLS Version",
	"Resources": {
		"APIDomainName": {
			"Type": "AWS::ApiGateway::DomainName",
			"Properties": {
				"DomainName": "api.domain.com",
				"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcdabcd-1234-abcd-1234-abcdabcdabcd",
				"EndpointConfiguration": {
					"Types": [
						"REGIONAL"
					]
				},
				"SecurityPolicy": "TLS_1_2"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Minimum TLS Version
Resources:
  APIDomainName:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: api.domain.com
      CertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcdabcd-1234-abcd-1234-abcdabcdabcd
      EndpointConfiguration:
        Types:
          - REGIONAL
      # Configure Minimum TLS Version
      SecurityPolicy: TLS_1_2

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_api_gateway_domain_name" "custom-domain-name" {
	domain_name     = "api.domain.com"
	certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/abcdabcd-1234-abcd-1234-abcdabcdabcd"

	endpoint_configuration {
		types = ["REGIONAL"]
	}

	# Configure Minimum TLS Version
	security_policy = "TLS_1_2"
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select Custom domain names to access the API Gateway custom domains created in the selected AWS region.

04 Click on the custom domain name that you want to reconfigure and click on the Edit button available in the Domain details section.

05 On the Edit domain details configuration page, select TLS 1.2 (recommended) under Minimum TLS version to enable the latest version of the Transport Layer Security (TLS) protocol for the security policy associated with the selected API domain name. (Optional) If you need to comply with security requirements for an Open Banking solution, or to easily authenticate devices within an IoT solution, toggle the Mutual TLS authentication button and provide the truststore URI of the X.509 certificate that you trust to access your API, to enable mutual TLS authentication. Click Save to apply the changes.

06 Repeat step no. 4 and 5 to update the minimum TLS protocol version for other Amazon API Gateway custom domain names created within the current region.

07 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-domain-name command (OSX/Linux/UNIX) using the API Gateway custom domain name that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right domain) to update the Transport Layer Security (TLS) protocol to the latest version (i.e. TLS 1.2) for the security policy associated with the selected API domain name:

aws apigateway update-domain-name \
  --region us-east-1 \
  --domain-name cloudconformity.com \
  --patch-operations op='replace',path='/securityPolicy',value='TLS_1_2'

02 The command output should return the metadata of the reconfigured API Gateway custom domain name:

{
	"regionalCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"domainName": "cloudconformity.com",
	"endpointConfiguration": {
		"types": [
			"REGIONAL"
		]
	},
	"tags": {},
	"domainNameStatusMessage": "Update is in progress. Please wait until the update finishes before making another request.",
	"regionalDomainName": "d-abcdabcd.execute-api.us-east-1.amazonaws.com",
	"securityPolicy": "TLS_1_2",
	"certificateUploadDate": 1601977295,
	"domainNameStatus": "UPDATING",
	"regionalHostedZoneId": "ABCDABCDABCDABCD"
}

03 Repeat step no. 1 and 2 to update the minimum TLS protocol version for other Amazon API Gateway custom domain names available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
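The audit and remediation procedures above query each domain one at a time. The script below is an added example, not part of the Conformity article or of any AWS tooling: it lists every custom domain in a region together with its security policy in a single get-domain-names call (the JMESPath query `items[*].[domainName,securityPolicy]` with `--output text` yields one tab-separated line per domain, with `None` for a missing attribute), flags each domain whose policy is not TLS_1_2, and prints the matching update-domain-name command for review instead of executing it. Without the `--live <region>` argument it runs against a constructed sample (the domain names and policies in `sample_domains`, including the invented `legacy.example.com`, are made up for the example), so it needs no AWS credentials.

```shell
#!/bin/sh
# Added example, not part of the Conformity article or AWS tooling: audit all
# API Gateway custom domains in one region with a single get-domain-names call
# and print the update-domain-name command for every domain whose security
# policy is not TLS_1_2. Pass "--live <region>" to query AWS; without it the
# script runs against a constructed sample.
set -eu

REQUIRED_POLICY="TLS_1_2"
TAB=$(printf '\t')

# Returns 0 when the given security policy meets the required minimum.
# An empty or "None" value (text output for a missing attribute) is treated
# as non-compliant rather than silently passing.
policy_compliant() {
    [ "${1:-}" = "$REQUIRED_POLICY" ]
}

# Constructed sample in the same shape that
#   aws apigateway get-domain-names --query 'items[*].[domainName,securityPolicy]' --output text
# produces: one "domainName<TAB>securityPolicy" line per domain.
sample_domains() {
    printf '%s\t%s\n' \
        cloudconformity.com TLS_1_0 \
        cloudrealisation.com TLS_1_2 \
        legacy.example.com None
}

# Live query (needs AWS CLI credentials). One call per region replaces the
# per-domain get-domain-name loop from the audit procedure.
list_region_domains() {
    aws apigateway get-domain-names --region "$1" \
        --query 'items[*].[domainName,securityPolicy]' --output text
}

# stdin: "domain<TAB>policy" lines; stdout: "domain policy VERDICT" lines.
audit_domains() {
    while IFS="$TAB" read -r domain policy; do
        if policy_compliant "$policy"; then
            verdict=COMPLIANT
        else
            verdict=NON_COMPLIANT
        fi
        printf '%s %s %s\n' "$domain" "${policy:-None}" "$verdict"
    done
}

# stdin: audit_domains output; stdout: the number of NON_COMPLIANT domains.
noncompliant_count() {
    grep -c ' NON_COMPLIANT$' || true
}

# stdin: audit_domains output; stdout: one update-domain-name command per
# non-compliant domain, ready to review and run (nothing is executed here).
remediation_commands() {
    region="$1"
    while read -r domain _policy verdict; do
        [ "$verdict" = NON_COMPLIANT ] || continue
        printf "aws apigateway update-domain-name --region %s --domain-name %s --patch-operations op='replace',path='/securityPolicy',value='%s'\n" \
            "$region" "$domain" "$REQUIRED_POLICY"
    done
}

if [ "${1:-}" = "--live" ]; then
    region="${2:-us-east-1}"
    audit=$(list_region_domains "$region" | audit_domains)
    printf '%s\n' "$audit"
    printf '%s\n' "$audit" | remediation_commands "$region"
else
    sample_domains | audit_domains
    echo "Remediation commands for the sample (region us-east-1):"
    sample_domains | audit_domains | remediation_commands us-east-1
fi
```

Run it once per region (the --region value is the only per-region input, matching step 04 above) and review the printed update-domain-name commands before executing them; each one is the same patch operation shown in step 01, so the output is a ready-made change list rather than an unattended change.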

Publication date: Jan 16, 2024