Profile Applicability:

  • Level 1

Description:

Amazon API Gateway enables you to create, manage, and secure APIs for accessing AWS services. When using API Gateway with caching enabled, cached responses are stored to improve performance and reduce backend load. It is important to ensure that the cache data is encrypted at rest to protect sensitive information. By default, API Gateway does not automatically encrypt the cache, and you need to enable encryption for better security and compliance.

Rationale:

Encrypting cache data at rest protects sensitive information that might be temporarily stored in API Gateway’s cache. Without encryption, cached data could be exposed to unauthorized access if someone gains access to the underlying storage. By ensuring that the cache is encrypted at rest, you align with security best practices, regulatory compliance, and data protection requirements.

Impact:

Pros:

  • Ensures that sensitive data cached by API Gateway is encrypted and secure.

  • Complies with security and regulatory standards for data protection.

  • Reduces the risk of data breaches or unauthorized access to sensitive cache data.

Cons:

  • Enabling encryption at rest may slightly increase costs due to the overhead associated with encryption.

  • There may be a slight impact on performance due to encryption and decryption operations.

Default Value:

By default, API Gateway cache data is not encrypted at rest. It must be manually configured to ensure encryption for sensitive data.

Pre-requisite:

  • AWS IAM permissions:

    • apigateway:GET

    • apigateway:DescribeCache

    • apigateway:UpdateCache

  • AWS CLI installed and configured.

  • Familiarity with API Gateway cache settings and security configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon API Gateway under the Services menu.

  3. In the left navigation panel, select APIs.

  4. Select the desired REST API for which you want to verify cache encryption.

  5. In the API settings, select Stages under the API section.

  6. In the Stage Editor, go to the Cache Settings section.

  7. Check whether the Cache Data Encryption option is enabled.

    • If encryption is not enabled, the setting will show as disabled.

    • If encryption is enabled, it will show as enabled.

Using AWS CLI:

To check if cache data encryption is enabled, run the following command:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'cacheClusterEnabled'

If the output shows that cacheClusterEnabled is true, proceed with the next step to check if encryption is enabled for the cache.

Run the following command to verify if cache encryption is enabled:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'methodSettings."*/*".cacheDataEncrypted'

If the result shows false, it means that encryption at rest is not enabled for the API Gateway cache.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon API Gateway.

  3. Select the API you want to configure.

  4. Under the Stages section, select the Stage to configure.

  5. In the Cache Settings section, enable Cache Data Encryption.

  6. Save the changes and redeploy the stage to apply the updated cache configuration.

Using AWS CLI:

To enable cache encryption for a specific stage, run the following command:

aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations 'op=replace,path=/*/*/caching/dataEncrypted,value=true'

Verify the cache settings again to confirm that encryption is enabled:

aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'methodSettings."*/*".cacheDataEncrypted'
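The CLI checks in the test plan and the verification step above can be combined into one repeatable audit that also catches per-method cache overrides the stage-wide query does not show. The script below is an added example, not part of this benchmark or an AWS tool; it assumes the get-stage JSON shape (cacheClusterEnabled plus methodSettings keyed by "*/*" for the stage default and "<escaped-resource-path>/<METHOD>" for per-method overrides), and the sample stage and its resource paths are constructed.

```python
STAGE_DEFAULT = "*/*"  # methodSettings key holding the stage-wide cache settings


def unencrypted_cache_scopes(stage: dict) -> list:
    """Return methodSettings keys whose cache is enabled but not encrypted.

    No cache cluster means nothing is stored, so no findings. A cached scope
    with cacheDataEncrypted absent counts as unencrypted (the API default).
    """
    if not stage.get("cacheClusterEnabled"):
        return []
    findings = []
    for scope, ms in (stage.get("methodSettings") or {}).items():
        if ms.get("cachingEnabled") and not ms.get("cacheDataEncrypted"):
            findings.append(scope)
    return sorted(findings)


def encryption_patch_operations(scopes: list) -> list:
    """Build update-stage patch operations enabling encryption per scope.

    The patch path mirrors the methodSettings key, and the API takes the
    boolean as the string "true".
    """
    return [{"op": "replace", "path": f"/{scope}/caching/dataEncrypted", "value": "true"}
            for scope in scopes]


# Constructed get-stage output: the stage default is encrypted, but a
# per-method override for GET /orders caches without encryption.
SAMPLE_STAGE = {
    "stageName": "prod",
    "cacheClusterEnabled": True,
    "methodSettings": {
        STAGE_DEFAULT: {"cachingEnabled": True, "cacheTtlInSeconds": 300, "cacheDataEncrypted": True},
        "~1orders/GET": {"cachingEnabled": True, "cacheTtlInSeconds": 60, "cacheDataEncrypted": False},
        "~1health/GET": {"cachingEnabled": False, "cacheDataEncrypted": False},
    },
}


def audit_live_stage(rest_api_id: str, stage_name: str) -> list:
    """Same check against a real stage; needs boto3 and apigateway:GET."""
    import boto3  # imported here so the offline sample runs without it
    client = boto3.client("apigateway")
    return unencrypted_cache_scopes(client.get_stage(restApiId=rest_api_id, stageName=stage_name))


if __name__ == "__main__":
    scopes = unencrypted_cache_scopes(SAMPLE_STAGE)
    print("unencrypted cache scopes:", scopes)
    print("patch operations:", encryption_patch_operations(scopes))
```

The returned patch operations can be passed to update-stage (or boto3's update_stage) to remediate every unencrypted scope, not just the stage default.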

Backout Plan:

If enabling cache encryption causes issues or is not required:

  1. Disable cache encryption by using the following command:

     aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations 'op=replace,path=/*/*/caching/dataEncrypted,value=false'

  2. Verify the cache settings to confirm encryption has been disabled.

  3. Document the restoration actions for compliance and auditing purposes.

References:

CIS Controls Mapping:

Version   Control ID   Control Description                                                                                                       IG1   IG2   IG3

v8        3.4          Encrypt Data on End-User Devices – Ensure data encryption during file system access.

v8        6.7          Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.

v8        6.8          Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.