Description:

An API (Application Programming Interface) is a software intermediary that allows two applications to talk to each other.

AWS API Gateway is a service provided by Amazon that is used to create, publish, maintain, and secure APIs such as REST, HTTP, and WebSocket APIs at any scale.

A client certificate is used in place of a user name and password. For a REST (Representational State Transfer) API, the client certificate is presented with each REST request to authenticate the caller.

When you interact with publicly accessible API Gateway endpoints, the traffic traverses public networks. When the endpoints are configured as private, public networks are not available to route to your API; instead, the API can only be reached through the interface endpoints you have configured.


Rationale:

It is recommended that the API Gateway endpoint not be publicly accessible to other services and resources in AWS. A public API Gateway endpoint means that unauthorized actors could access your data, which can lead to its misuse.


Impact:

If the backend is publicly accessible, this control ensures that your HTTP backend authorizes only requests originating from Amazon API Gateway. It uses client-side SSL certificates to verify the requester's authenticity.


Default Value:

By default, API Gateway does not have a client certificate enabled for calls to your backend endpoint.


Audit:

Step 1: Sign in to AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

Step 2: Click on APIs in the left navigation pane.

Step 3: Click on the API in the APIs listing page.

Step 4: In the API, click on Stages in the left navigation pane.

Step 5: In the Stages list, click on your stage.

Step 6: Go to the Settings tab.

Step 7: Scroll down to Client Certificate and check the Certificate dropdown list. If it shows None and no SSL certificate is available in the Certificate list, this API Gateway API is not using a client certificate to authenticate backend requests.


Via CLI:

Step 1: To get the list of APIs in the selected AWS region:

aws apigateway get-rest-apis --region <region> --output table --query 'items[*].id'


Step 2: To get the list of stages in a particular API Gateway API:

aws apigateway get-stages --region <region> --rest-api-id <api id> --output table --query 'item[*].stageName'


Step 3: To check the client certificate in the selected API stage (the stage name 'Staging' is an example; the stage attribute is clientCertificateId):

aws apigateway get-stages --region <region> --rest-api-id <api id> --query "item[?stageName=='Staging'].clientCertificateId"

If you get null, [] or an array containing only null or an empty string in the output, the selected Amazon API Gateway API stage is not using a client-side SSL certificate.
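The same check scripted over every REST API and stage in a region, as an added example that is not part of this document. The pure function works on the JSON shape that `aws apigateway get-stages` (and boto3's `get_stages()`) return; the account-wide walk assumes boto3 and AWS credentials are available and is only imported when called, so the constructed sample data runs offline.

```python
"""Audit API Gateway REST API stages for a missing client certificate.

stages_without_client_cert() works on the {"item": [...]} shape returned by
`aws apigateway get-stages` / boto3 get_stages(). audit_region() walks every
REST API in a region with boto3 (assumption: boto3 installed, credentials set).
"""
import json


def stages_without_client_cert(get_stages_response):
    """Return stage names whose clientCertificateId is absent, null or empty.

    API Gateway omits the key entirely when no certificate is assigned, so a
    .get() with a falsy check covers a missing key, None and "" alike.
    """
    return [
        stage["stageName"]
        for stage in get_stages_response.get("item", [])
        if not stage.get("clientCertificateId")
    ]


def audit_region(region_name):
    """Return {rest_api_id: [non-compliant stage names]} for one region."""
    import boto3  # assumption: only needed when auditing a real account

    client = boto3.client("apigateway", region_name=region_name)
    findings = {}
    # get_rest_apis is paginated; the paginator handles the position token.
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            bad = stages_without_client_cert(client.get_stages(restApiId=api["id"]))
            if bad:
                findings[api["id"]] = bad
    return findings


# Constructed sample mirroring get-stages output: one compliant stage, two not.
SAMPLE_GET_STAGES = json.loads("""
{"item": [
  {"stageName": "Staging", "deploymentId": "dep0001", "clientCertificateId": "cert0001"},
  {"stageName": "dev", "deploymentId": "dep0001"},
  {"stageName": "test", "deploymentId": "dep0001", "clientCertificateId": ""}
]}
""")

if __name__ == "__main__":
    print(stages_without_client_cert(SAMPLE_GET_STAGES))  # ['dev', 'test']
```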


Remediation:

Pre-Requisite:

First create a client certificate, then assign that client certificate to a particular API stage in your account.

Before following the implementation steps you must have at least one REST API.


Implementation Steps:

Step 1: Sign in to AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

Step 2: Click on APIs in the left navigation pane.

Step 3: Click on the API in the APIs listing page.

Step 4: Go to Client Certificates in the left navigation pane.

Step 5: Click on the Generate Client Certificate button to generate a certificate that you can use to verify the requester's authenticity.

The generated client certificate is shown as in the diagram below.

You can give the certificate a description by clicking on the Edit button.

After typing in the description box, click on the Save button.

The description is then shown as in the picture below.

Step 6: In the left navigation pane click on the Stages 


Step 7: In the Stages list, click on the stage for which you want to enable the client certificate.

Step 8: Go to the Settings tab.

Step 9: Scroll down to Client Certificate and, in the Certificate drop-down menu, select the newly created client-side certificate.

This is the client certificate that API Gateway will use to call your integration endpoints.

Step 10: Click on the Save Changes button


Via CLI:

To create a client-side SSL certificate:

aws apigateway generate-client-certificate --region <region> --description 'Client Side Certificate'


Backout Plan:

Step 1: Sign in to AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

Step 2: Click on APIs in the left navigation pane.

Step 3: Click on the API in the APIs listing page.

Step 4: In the left navigation pane, click on Stages.


Step 5: In the Stages list, click on the stage from which you want to remove the client certificate.

Step 6: Scroll down to Client Certificate and, in the Certificate drop-down menu, select the None option.

Step 7: Click on the Save Changes button.


Before deleting a client-side certificate, remove it from the API stage as above, then:

Step 1: Sign in to AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

Step 2: Click on APIs in the left navigation pane.

Step 3: Click on the API in the APIs listing page.

Step 4: Go to Client Certificates in the left navigation pane.

Step 5: To delete the client certificate, click on the cross button.

Step 6: A pop-up asks you to confirm: "Do you want to proceed? This action cannot be undone." Click on the Delete button.


Via CLI:

To delete a client certificate: