Description:
This policy checks if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate. You can use API Gateway to generate an SSL certificate and then use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway.
Rationale:
The SSL certificates that are generated by API Gateway are self-signed, and only the public key of a certificate is visible in the API Gateway console or through the APIs.
Impact:
This allows your HTTP backend to control and accept only requests that originate from Amazon API Gateway, even if the backend is publicly accessible.
Default Value:
By default, the API Gateway server is configured with a self-signed certificate and it is recommended to change to CA-signed certificate
Pre-requisites:
AWS Identity and Access Management (IAM) user with administrator permissions and use that for all work that does not require root credentials. Create a password for console access, and access keys to use command line tools
Remediation:
Test plan:
Login to AWS management console
Go to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
In the left panel, select APIs to open the APIs listing page
In the navigation panel, inside the API submenu, click Stages to list the stages created for the selected API.
Under Stages, choose the API stage that you want to examine, then select the Settings tab from the dashboard top panel
On the Settings panel, in the Client Certificate section, check the Certificate dropdown list for any entries.
If there are no SSL certificates available in the Certificate list, the selected Amazon API Gateway then API stage is not using client-side SSL certificates for HTTP requests authentication.
Using AWS CLI:
- Run get-stages command (OSX/Linux/UNIX) using the name of the API stage that
you want to examine as identifier and custom query filters to return the ID of the
SSL certificate attached to the selected API stage: aws apigateway get-stages --region <region-name> --rest-api-id abcdabcdab --query 'item[?(stageName==`Staging`)].clientCertificateId'
Implementation steps:
Sign in to AWS Management Console.
Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
In the left panel, click on Client Certificates to access the SSL certificates page.
Click Generate Client Certificate button from the dashboard to create a new client-side SSL certificate.
(Optional) Click the Edit link and add a descriptive title for the generated certificate within the Description box, then click Save to apply the changes.
Go back to the navigation panel and select APIs to open the APIs listing page.
Choose the API that you want to reconfigure, then click on its name to access the API configuration.
In the navigation panel, inside the API submenu, click Stages to list the stages available for the selected API.
Under Stages, choose the API stage that you want to update and select the Settings tab to access the stage configuration panel.
In the Client Certificate section, select the name/ID of the SSL certificate created earlier in the process from the Certificate dropdown list, then click Save Changes to attach your new client-side SSL certificate to the selected API stage. Note that if the selected Amazon API Gateway API has been previously deployed, you will need to redeploy it for the changes to take effect.
Once the SSL certificate is successfully implemented, the AWS API Gateway service uses the certificate for all calls to HTTP integrations within your API.
Now you can download a copy of the newly created SSL certificate and configure your backend servers and services to verify the client certificate.
Using AWS CLI:
aws apigateway update-stage --region <region-name> --rest-api-id <name> --stage-name '<stage-name>' --patch-operations op=replace,path=/clientCertificateId,value=<value>
- Run generate-client-certificate command (OSX/Linux/UNIX) to generate a new a
client-side SSL certificate for Amazon API Gateway service: --region <region-name> --description "SSL Certificate for HTTP requests authentication."
- Run get-client-certificate command (OSX/Linux/UNIX) to extract thePEM-encoded public key of the SSL certificate created earlier in the process.The public key can be used to configure certificate authentication at theintegration endpoint level (e.g. servers level):
aws apigateway get-client-certificate --region <region-name> --client-certificate-id abcabc --query "pemEncodedCertificate"
Backout Plan:
Choose the API that you want to reconfigure, then click on its name to access the API configuration.
In the navigation panel, inside the API submenu, click Stages to list the stages available for the selected API.
Under Stages, choose the API stage that you want to update and select the Settings tab to access the stage configuration panel.
In the Client Certificate section, select None
To save the settings, choose Save Changes.
If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the changes to take effect
References :
- https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html