Ensure SSL Client Certificate is enabled for AWS API Gateway Stage

MEDIUM

Description

Client certificates can be used to authenticate an API Gateway as it transmits data to backend services. Doing this will help ensure that the requests to the backend system are from an authorized source. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

Remediation

API Gateway stages should be configured with a client SSL certificate as a best practice, so the backend can verify that requests originate from the API Gateway. For information on how to generate a client certificate, see the AWS documentation (below).

In AWS Console -

  1. Sign in to the AWS console and go to the API Gateway console.
  2. Open the API for which you want to use the client certificate.
  3. Select Stages under the selected API and then choose a stage.
  4. In the Stage Editor panel, under the Client Certificate section, choose a certificate.
  5. Select Save Changes.
  6. Redeploy the REST API to a stage for the effects to take place.

In Terraform -

  1. In the aws_api_gateway_stage resource, set the client_certificate_id argument to the ID of the client certificate that API Gateway should present to the backend.
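The following Terraform is an added example, not code from the page or from the AWS provider documentation; it shows a non-compliant stage next to a compliant one that references a certificate generated by API Gateway. Resource names and the stage names are assumptions, and the deployment assumes the REST API already has at least one method and integration.

```hcl
# Added example (not from the page): resource and stage names are assumptions.
resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"
}

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  # Assumes the REST API already defines at least one method/integration.
}

# Non-compliant stage: no client certificate, so the backend cannot tell
# whether a request really came from this API Gateway stage.
resource "aws_api_gateway_stage" "noncompliant" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "dev"
}

# API Gateway generates the certificate; its public part is exposed in the
# pem_encoded_certificate attribute so the backend can be configured to trust it.
resource "aws_api_gateway_client_certificate" "example" {
  description = "Client certificate presented by API Gateway to the backend"
}

# Compliant stage: client_certificate_id references the generated certificate,
# which is what rule AC_AWS_0013 checks for.
resource "aws_api_gateway_stage" "compliant" {
  rest_api_id           = aws_api_gateway_rest_api.example.id
  deployment_id         = aws_api_gateway_deployment.example.id
  stage_name            = "prod"
  client_certificate_id = aws_api_gateway_client_certificate.example.id
}

# Surface the certificate so it can be installed in the backend's trust store.
output "api_gateway_client_certificate_pem" {
  value = aws_api_gateway_client_certificate.example.pem_encoded_certificate
}
```

Attaching the certificate only helps if the backend actually verifies it against the PEM above; the API Gateway-generated certificate is also valid for one year, so plan a rotation before the expiration_date attribute is reached.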

References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html#generate-client-certificate
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id

Policy Details

Rule Reference ID: AC_AWS_0013
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: API Gateway

Frameworks