Profile Applicability:
- Level 1
Description:
Amazon API Gateway enables you to create, manage, and secure APIs for accessing AWS services. When using API Gateway with caching enabled, cached responses are stored to improve performance and reduce backend load. It is important to ensure that the cache data is encrypted at rest to protect sensitive information. By default, API Gateway does not automatically encrypt the cache, and you need to enable encryption for better security and compliance.
Rationale:
Encrypting cache data at rest protects sensitive information that might be temporarily stored in API Gateway’s cache. Without encryption, cached data could be exposed to unauthorized access if someone gains access to the underlying storage. By ensuring that the cache is encrypted at rest, you align with security best practices, regulatory compliance, and data protection requirements.
Impact:
Pros:
Ensures that sensitive data cached by API Gateway is encrypted and secure.
Complies with security and regulatory standards for data protection.
Reduces the risk of data breaches or unauthorized access to sensitive cache data.
Cons:
Enabling encryption at rest may slightly increase costs due to the overhead associated with encryption.
There may be a slight impact on performance due to encryption and decryption operations.
Default Value:
By default, API Gateway cache data is not encrypted at rest. It must be manually configured to ensure encryption for sensitive data.
Pre-requisite:
AWS IAM permissions:
apigateway:GET
apigateway:DescribeCache
apigateway:UpdateCache
AWS CLI installed and configured.
Familiarity with API Gateway cache settings and security configurations.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway under the Services menu.
In the left navigation panel, select APIs.
Select the desired REST API for which you want to verify cache encryption.
In the API settings, select Stages under the API section.
In the Stage Editor, go to the Cache Settings section.
Check whether the Cache Data Encryption option is enabled.
If encryption is not enabled, the setting shows as disabled.
If encryption is enabled, the setting shows as enabled.
Using AWS CLI:
To check if cache data encryption is enabled, run the following command:
aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'cacheClusterEnabled'
If the output shows that cacheClusterEnabled is true, proceed with the next step to check if encryption is enabled for the cache.
Run the following command to verify whether cache data encryption is enabled for the stage's method settings:
aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'methodSettings.*.cacheDataEncrypted'
If the result shows false, it means that encryption at rest is not enabled for the API Gateway cache.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon API Gateway.
Select the API you want to configure.
Under the Stages section, select the Stage to configure.
In the Cache Settings section, enable Cache Data Encryption.
Save the changes and redeploy the stage to apply the updated cache configuration.
Using AWS CLI:
To enable cache encryption for a specific stage, run the following command:
aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/caching/dataEncrypted,value=true
Verify the cache settings again to confirm that encryption is enabled:
aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name> --query 'methodSettings.*.cacheDataEncrypted'
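The audit from the Test Plan and the patch operation from the Implementation Steps, combined into one small script as an added example (this is not part of the benchmark and not AWS tooling). It assumes the JSON layout returned by aws apigateway get-stage: a top-level cacheClusterEnabled flag and a methodSettings map keyed by "resourcePath/httpMethod" whose entries carry cachingEnabled and cacheDataEncrypted. The sample stage document, its method keys and the function names are constructed for this example.

```python
"""Audit and remediate API Gateway REST stage cache encryption.

Added example, not benchmark or AWS code. Only methods that actually cache
responses are relevant: a method with cachingEnabled false stores nothing,
so its cacheDataEncrypted value does not matter.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed get-stage response (not captured from a real account).
# Resource paths in methodSettings keys are "~1"-escaped, e.g. "~1orders/GET".
SAMPLE_STAGE: Dict = {
    "stageName": "prod",
    "cacheClusterEnabled": True,
    "cacheClusterSize": "0.5",
    "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": False, "cacheTtlInSeconds": 300},
        "~1orders/GET": {"cachingEnabled": True, "cacheDataEncrypted": True, "cacheTtlInSeconds": 60},
        "~1health/GET": {"cachingEnabled": False, "cacheDataEncrypted": False, "cacheTtlInSeconds": 300},
    },
}


def evaluate_stage(stage: Dict) -> List[str]:
    """Return one finding per cached method whose data is not encrypted.

    An empty list means the stage is compliant (or caches nothing at all).
    """
    findings: List[str] = []
    if not stage.get("cacheClusterEnabled", False):
        return findings  # no cache cluster: nothing is stored, nothing to encrypt
    for key, setting in sorted((stage.get("methodSettings") or {}).items()):
        if setting.get("cachingEnabled") and not setting.get("cacheDataEncrypted", False):
            findings.append(f"{key}: caching enabled without cacheDataEncrypted")
    return findings


def remediation_patch_operation() -> Dict[str, str]:
    """Patch operation that turns on cache data encryption for every method.

    The "/*/*/caching/dataEncrypted" path is the stage-wide wildcard form of
    "/{resourcePath}/{httpMethod}/caching/dataEncrypted".
    """
    return {"op": "replace", "path": "/*/*/caching/dataEncrypted", "value": "true"}


def cli_argv(rest_api_id: str, stage_name: str, remediate: bool = False) -> List[str]:
    """Build the aws CLI argv for the audit (get-stage) or the fix (update-stage)."""
    base = ["aws", "apigateway"]
    if remediate:
        # Shorthand syntax expected by --patch-operations: op=...,path=...,value=...
        ops = ",".join(f"{k}={v}" for k, v in remediation_patch_operation().items())
        return base + ["update-stage", "--rest-api-id", rest_api_id,
                       "--stage-name", stage_name, "--patch-operations", ops]
    return base + ["get-stage", "--rest-api-id", rest_api_id,
                   "--stage-name", stage_name, "--output", "json"]


def audit_live(rest_api_id: str, stage_name: str) -> List[str]:
    """Run get-stage through the installed AWS CLI and evaluate the result."""
    proc = subprocess.run(cli_argv(rest_api_id, stage_name),
                          check=True, capture_output=True, text=True)
    return evaluate_stage(json.loads(proc.stdout))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python audit_cache_encryption.py <api-id> <stage-name>
        for line in audit_live(sys.argv[1], sys.argv[2]) or ["compliant"]:
            print(line)
        print("remediation:", " ".join(cli_argv(sys.argv[1], sys.argv[2], remediate=True)))
    else:
        print(evaluate_stage(SAMPLE_STAGE))
```

Run with an API id and stage name to audit a real stage through the AWS CLI credentials already configured on the host; with no arguments it evaluates the constructed sample, which reports the stage-wide "*/*" setting as unencrypted and ignores the non-caching health-check method.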
Backout Plan:
If enabling cache encryption causes issues or is not required:
Disable cache encryption by using the following command:
aws apigateway update-stage --rest-api-id <api-id> --stage-name <stage-name> --patch-operations op=replace,path=/*/*/caching/dataEncrypted,value=false
Verify the cache settings to confirm encryption has been disabled.
Document the restoration actions for compliance and auditing purposes.