Profile Applicability:
Level 1
Description:
This control ensures that each API Gateway REST API stage has a client certificate configured for endpoint verification. API Gateway presents this certificate when it opens the HTTPS connection to the stage's backend (integration) endpoint, so a backend that requires and verifies the certificate accepts only requests proxied through the stage and rejects requests that bypass the gateway. The certificate is generated by API Gateway, which keeps the private key; it is separate from the authentication applied to the API's callers (IAM, Cognito, Lambda authorizers, API keys, or mutual TLS on a custom domain name). It proves to the backend that a request came from API Gateway, not that the original caller is authorized, so it complements rather than replaces caller authentication.
Rationale:
Authorizers, throttling, WAF rules and other controls attached to an API only protect the backend if callers cannot reach the backend directly. When the backend requires the stage's client certificate, a request that skips API Gateway and targets the backend endpoint fails the TLS handshake, so the gateway's authentication and authorization cannot be bypassed. This is particularly important where the backend exposes sensitive data or actions. It also supports compliance with security frameworks such as CIS, SOC 2, ISO 27001 and NIST 800-53, which emphasize strict identity verification for access to sensitive resources.
Impact:
Positive Impact: The backend can reject traffic that does not originate from the configured API Gateway stage, which protects sensitive backend endpoints from direct access that would bypass the API's authorizers.
Negative Impact: The backend must be configured to verify the certificate, and API Gateway client certificates expire 365 days after generation, so they must be rotated (generate a new certificate, trust it on the backend, then switch the stage) before expiry; an expired certificate or a backend that trusts a different certificate causes the integration to fail. This setting is available only for REST APIs, not HTTP or WebSocket APIs.
Default Value:
By default, a stage has no client certificate, so API Gateway connects to the backend without presenting one. The backend then cannot distinguish requests proxied by API Gateway from requests sent to it directly, and any party that can reach the backend endpoint bypasses the controls applied at the API (API keys, IAM, Lambda authorizers).
Prerequisite:
IAM permissions required (API Gateway uses HTTP-verb IAM actions rather than per-operation names):
apigateway:GET on the REST API stages and client certificates (to read them), apigateway:PATCH on the stage (to set its client certificate), and apigateway:POST on arn:aws:apigateway:<region>::/clientcertificates (to generate a certificate). A client certificate must be generated in API Gateway; certificates cannot be imported, because API Gateway generates the key pair and never exposes the private key. The backend endpoint must be able to require and verify a client certificate.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console with the necessary permissions.
Navigate to API Gateway → APIs and filter to REST APIs (HTTP and WebSocket APIs have no client certificate setting).
Select the API of interest and go to the Stages section.
For each stage, check the Client certificate setting and note the certificate ID selected for endpoint verification.
If no client certificate is selected, the stage is non-compliant. Also treat the stage as non-compliant if the selected certificate has expired (check its expiration under API Gateway → Client certificates) or if the backend does not actually verify it: a request sent directly to the backend endpoint without a client certificate should be refused.
Implementation Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to API Gateway → APIs and select the REST API that needs the client certificate enabled.
If no certificate exists yet, go to Client certificates, choose Generate certificate, and record its ID; copy the PEM-encoded certificate shown for it.
Configure the backend to require and verify that certificate (for example, nginx with ssl_verify_client on and ssl_client_certificate pointing at the copied PEM), so that connections without it are rejected.
Go to the Stages section and choose the desired stage.
In the stage editor, find the Client certificate setting, choose Edit, and select the certificate.
Save the changes.
Test the API: invoke it through the stage URL and confirm the backend accepts the request, then call the backend endpoint directly and confirm the connection is refused. The private key is held by API Gateway, so the positive case can only be tested through the stage.
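The test plan and implementation plan above, as an added example in Python with boto3 (this is illustrative code, not part of the original benchmark or an AWS tool): evaluate_stage and audit_stages apply the check to stage and certificate records in the shape returned by get_stages and get_client_certificates, so they run offline on the constructed sample data at the bottom; audit_account and remediate_stage are the helpers that talk to a real account. The API IDs, stage names and certificate IDs in the sample are made up, and EXPIRY_WARNING_DAYS is an assumed rotation threshold.

```python
"""Audit API Gateway REST API stages for an endpoint-verification client certificate.

Pure evaluation functions work on records shaped like the control-plane API output;
boto3 is imported only inside the functions that touch a real account.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Assumed threshold: flag certificates close to their 365-day expiry for rotation.
EXPIRY_WARNING_DAYS = 30


def evaluate_stage(rest_api_id: str, stage: dict, certs: dict, now: datetime) -> dict:
    """Return a finding for one stage (an item from get_stages()["item"]).

    certs maps clientCertificateId to a get_client_certificates() item.
    """
    cert_id = stage.get("clientCertificateId")
    finding = {"restApiId": rest_api_id, "stageName": stage["stageName"],
               "clientCertificateId": cert_id, "compliant": False, "reason": ""}
    if not cert_id:
        finding["reason"] = "no client certificate configured for endpoint verification"
        return finding
    cert = certs.get(cert_id)
    if cert is None:
        finding["reason"] = f"client certificate {cert_id} not found in this region"
        return finding
    expires = cert["expirationDate"]
    if expires <= now:
        finding["reason"] = f"client certificate {cert_id} expired on {expires.date()}"
        return finding
    finding["compliant"] = True
    if expires - now <= timedelta(days=EXPIRY_WARNING_DAYS):
        finding["reason"] = f"client certificate {cert_id} expires on {expires.date()}; rotate soon"
    return finding


def audit_stages(stages_by_api: dict, certs: dict, now: datetime | None = None) -> list:
    """Evaluate every stage of every REST API; stages_by_api maps restApiId to its stage list."""
    now = now or datetime.now(timezone.utc)
    return [evaluate_stage(api_id, stage, certs, now)
            for api_id, stages in stages_by_api.items() for stage in stages]


def audit_account(region: str) -> list:
    """Collect stages and certificates from a real account (needs boto3 and credentials)."""
    import boto3

    apigw = boto3.client("apigateway", region_name=region)
    stages_by_api = {}
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page["items"]:
            stages_by_api[api["id"]] = apigw.get_stages(restApiId=api["id"])["item"]
    certs = {}
    for page in apigw.get_paginator("get_client_certificates").paginate():
        for cert in page["items"]:
            certs[cert["clientCertificateId"]] = cert
    return audit_stages(stages_by_api, certs)


def remediate_stage(region: str, rest_api_id: str, stage_name: str, cert_id: str | None = None) -> str:
    """Attach a client certificate to a stage, generating one if none is given; returns the cert ID.

    The backend must be configured to trust this certificate, otherwise the integration fails.
    """
    import boto3

    apigw = boto3.client("apigateway", region_name=region)
    if cert_id is None:
        cert_id = apigw.generate_client_certificate(
            description=f"{rest_api_id}/{stage_name} endpoint verification")["clientCertificateId"]
    apigw.update_stage(restApiId=rest_api_id, stageName=stage_name,
                       patchOperations=[{"op": "replace", "path": "/clientCertificateId",
                                         "value": cert_id}])
    return cert_id


# Constructed sample data (not from a real account), in the shape the API returns.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "abc123": {"clientCertificateId": "abc123", "expirationDate": NOW + timedelta(days=200)},
    "old456": {"clientCertificateId": "old456", "expirationDate": NOW - timedelta(days=3)},
    "soon789": {"clientCertificateId": "soon789", "expirationDate": NOW + timedelta(days=10)},
}
SAMPLE_STAGES = {
    "api1": [{"stageName": "prod", "clientCertificateId": "abc123"}, {"stageName": "dev"}],
    "api2": [{"stageName": "prod", "clientCertificateId": "old456"},
             {"stageName": "staging", "clientCertificateId": "soon789"},
             {"stageName": "test", "clientCertificateId": "missing000"}],
}

if __name__ == "__main__":
    for f in audit_stages(SAMPLE_STAGES, SAMPLE_CERTS, NOW):
        print(("PASS" if f["compliant"] else "FAIL"),
              f"{f['restApiId']}/{f['stageName']}:", f["reason"] or "ok")
```

Run as a script it prints one PASS or FAIL line per sample stage; against an account, audit_account("us-east-1") returns the same finding dicts and remediate_stage attaches (or generates) a certificate. A passing finding only means the stage presents a certificate; the backend-side check in the test plan (a direct request without the certificate is refused) still has to be done separately, since API Gateway never releases the private key.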
Backout Plan:
If enabling the certificate breaks the integration (the stage returns 5xx responses because the backend rejects API Gateway's connection), temporarily relax the certificate requirement on the backend to restore service; clearing the certificate from the stage alone does not help while the backend still requires one.
Then confirm that the backend trusts exactly the certificate attached to the stage and that the certificate has not expired, re-enable verification, and re-test through the stage and directly against the backend before relying on it in production.