Description:

API(Application Programming Interface) is a software intermediary that allows two applications to talk to each other.

AWS API Gateway is a service provided by Amazon that is used to create, publish, maintain, and secure APIs such as REST, HTTP, and WebSocket APIs at any scale.

A client certificate is used in place of a user name and password. For a REST (Representational State Transfer) API, the client certificate is presented with each REST request to authenticate the user.

When you interact with publicly accessible API Gateway endpoints, traffic travels over public networks. When the endpoints are configured as private, public networks are not available to route to your API; instead, the API can only be reached through the interface endpoints you have configured.


Rationale:

It is recommended that the API Gateway endpoint not be publicly accessible to other services and resources in AWS. A public API Gateway endpoint means that unauthorized actors could access your data, which can lead to misuse of that data.


Impact:

If the backend is publicly accessible, this policy ensures that your HTTP backend authorizes only requests originating from Amazon API Gateway. API Gateway uses client-side SSL certificates so that the backend can verify the requester's authenticity.


Default Value:

By default, API Gateway does not have a client certificate enabled for access to your backend endpoint.


Pre-Requisite:

  1. First create a client certificate and assign it to the particular API in your account.
  2. Before following the implementation steps you must have a REST API.


Remediation:

Test Plan:

  1. Sign in to the AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
  2. Click on APIs in the left navigation pane.
  3. Click on the API in the APIs listing page.
  4. In the API, click on Stages in the left navigation pane.
  5. In the Stages pane, click on your listed stage.
  6. Go to the Settings tab.
  7. Scroll down to Client Certificate and check the Certificate dropdown list. If it shows None and no SSL certificate is available in the Certificate list, this API Gateway API is not using a client certificate to authenticate its backend requests.
Using AWS CLI:
  1. To get the list of APIs in the selected AWS region:
    aws apigateway get-rest-apis --region <region>
  2. To get the list of stages in the particular API Gateway API:
    aws apigateway get-stages --region <region> --rest-api-id <api id>
  3. To check the client certificate of the selected API stage (the stage is named 'Staging' in this example; the JMESPath field is clientCertificateId):
    aws apigateway get-stages --region <region> --rest-api-id <api id> --query "item[?stageName=='Staging'].clientCertificateId"

  4. If the output is an empty array ([]) or null, the selected Amazon API Gateway API stage is not using client-side SSL certificates.


Implementation Steps:
  1. Sign in to the AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
  2. Click on APIs in the left navigation pane.
  3. Click on the API in the APIs listing page.
  4. Go to Client Certificates in the left navigation pane.
  5. Click on the Generate Client Certificate button to generate a certificate that you can use to verify the requester's authenticity.
  6. The generated client certificate is shown as in the diagram below.
  7. You can give the certificate a description by clicking on the Edit button.
  8. After typing in the description box, click on the Save button.
  9. The description is shown as in the picture below.
  10. In the left navigation pane, click on Stages.
  11. In the Stages pane, click on the listed stage for which you want to enable the client certificate.
  12. Go to the Settings tab.
  13. Scroll down to Client Certificate and, in the Certificate drop-down menu, select the newly created client-side certificate.
  14. This is the client certificate that API Gateway will use to call your integration endpoints.
  15. Click on the Save Changes button.


Using the AWS CLI:

To create a client-side SSL certificate:

aws apigateway generate-client-certificate --description 'Client Side Certificate'
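The test plan above (finding stages whose clientCertificateId is empty) and the implementation steps (generating a certificate and attaching it to a stage) as one added Python example; this is not code from the page or from AWS. The pure functions run against constructed sample data; audit_region() assumes boto3 is installed with credentials for the region, and the API, stage and certificate ids are made up.

```python
# Added example (not the page's or AWS's code): audit REST API stages for a client
# certificate and optionally attach a newly generated one, via boto3.
# Constructed sample data shaped like the `get-rest-apis` / `get-stages` responses
# used in the test plan; the API, stage and certificate ids are made up.
SAMPLE_REST_APIS = [{"id": "api0001", "name": "orders-api"},
                    {"id": "api0002", "name": "billing-api"}]
SAMPLE_STAGES = {
    "api0001": [{"stageName": "Staging", "clientCertificateId": "cert0001"},
                {"stageName": "prod"}],                          # key absent: unprotected
    "api0002": [{"stageName": "v1", "clientCertificateId": ""}],  # empty id: unprotected
}

def stages_missing_client_cert(rest_apis, stages_by_api):
    """Return (api_id, api_name, stage_name) for each stage with no clientCertificateId.
    A missing key and an empty value are both reported, matching the []/null result
    the --query in the test plan gives for an unprotected stage."""
    findings = []
    for api in rest_apis:
        for stage in stages_by_api.get(api["id"], []):
            if not stage.get("clientCertificateId"):
                findings.append((api["id"], api["name"], stage["stageName"]))
    return findings

def client_cert_patch(certificate_id):
    """UpdateStage patch operation that sets a stage's client certificate."""
    return [{"op": "replace", "path": "/clientCertificateId", "value": certificate_id}]

def audit_region(region, remediate=False, description="Client Side Certificate"):
    """Live audit; assumes boto3 is installed and credentials for `region` are configured."""
    import boto3  # imported here so the functions above stay runnable offline
    client = boto3.client("apigateway", region_name=region)
    rest_apis = [api for page in client.get_paginator("get_rest_apis").paginate()
                 for api in page["items"]]
    stages_by_api = {api["id"]: client.get_stages(restApiId=api["id"])["item"]
                     for api in rest_apis}
    findings = stages_missing_client_cert(rest_apis, stages_by_api)
    if remediate and findings:
        # One generated certificate is attached to every unprotected stage found.
        cert_id = client.generate_client_certificate(description=description)["clientCertificateId"]
        for api_id, _, stage_name in findings:
            client.update_stage(restApiId=api_id, stageName=stage_name,
                                patchOperations=client_cert_patch(cert_id))
    return findings

if __name__ == "__main__":
    for api_id, name, stage in stages_missing_client_cert(SAMPLE_REST_APIS, SAMPLE_STAGES):
        print(f"{name} ({api_id}) stage '{stage}': no client certificate configured")
```

Attaching the certificate only makes API Gateway present it; the backend must still be configured to require and verify it, using the PEM that get-client-certificate returns.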


Backout Plan:

  1. Sign in to the AWS Management Console and go to the API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
  2. Click on APIs in the left navigation pane.
  3. Click on the API in the APIs listing page.
  4. In the left navigation pane, click on Stages.
  5. In the Stages pane, click on the listed stage from which you want to remove the client certificate.
  6. Scroll down to Client Certificate and, in the Certificate drop-down menu, select the None option.
  7. Click on the Save Changes button.


Before deleting a client-side certificate, remove it from the API stage.

You will get a pop-up to confirm: "Do you want to proceed? This action cannot be undone." Click on the Delete button.

Using AWS CLI:

To delete a client certificate: