Ensure stage cache has encryption enabled for AWS API Gateway Method Settings

MEDIUM

Description

API Gateway stage caching can be configured to encrypt the cache data while it is at rest. Encrypting the cache helps protect sensitive response data while it is stored temporarily on disk in the cache cluster. For more information on stage cache encryption, see the AWS API Gateway documentation.
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html

Remediation

In AWS Console -

  1. Go to the API Gateway console.
  2. Select the API.
  3. Select the Stages.
  4. In the Stages list for the API, choose the stage.
  5. Choose the Settings tab.
  6. Under Cache settings, locate the API cache section.
  7. Select the Encrypt cache data check box.

In Terraform -

  1. In the aws_api_gateway_method_settings resource, set 'cache_data_encrypted' to 'true' inside the 'settings' block (the setting only takes effect when caching is enabled on the stage and for the method path).
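The following Terraform configuration is an added illustration, not code from the original page or from the rule's vendor. It shows a stage with a cache cluster and two aws_api_gateway_method_settings resources for the same method path: the first is the configuration this rule flags, the second is the remediated form. All resource names, the stage name and the cache size are assumed placeholders; in a real configuration only one of the two method-settings resources would be kept.

```hcl
# Added example (not from the original page). Names such as "example",
# "prod" and the cache size are placeholders chosen for illustration.

resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"
}

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "prod"

  # The cache cluster is provisioned per stage. Without it the method-level
  # caching settings below are accepted but have no effect.
  cache_cluster_enabled = true
  cache_cluster_size    = "0.5"
}

# Non-compliant: responses for every method are cached, but the cache
# data is written to the cache cluster unencrypted (what AC_AWS_0009 flags).
resource "aws_api_gateway_method_settings" "all_unencrypted" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    caching_enabled      = true
    cache_ttl_in_seconds = 300
    cache_data_encrypted = false
  }
}

# Compliant: identical caching behaviour, but the cached responses are
# encrypted at rest. This mirrors the "Encrypt cache data" console setting.
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    caching_enabled      = true
    cache_ttl_in_seconds = 300
    cache_data_encrypted = true
  }
}
```

When reviewing a plan, check that every aws_api_gateway_method_settings resource with caching_enabled = true also has cache_data_encrypted = true; a method-settings resource with caching disabled does not store response data and is outside the scope of this rule.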

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted

Policy Details

Rule Reference ID: AC_AWS_0009
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: API Gateway

Frameworks