Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Encryption for API Cache

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (act today)
Rule ID: AG-009

Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit (as it travels to and from Amazon API Gateway).

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production and sensitive data, it is strongly recommended to enforce encryption for API cached responses in order to protect your data from unauthorized access and fulfill compliance requirements for API data encryption within your organization. This prevents potential attackers from getting access to API's data in case of data interception and theft.

Audit

To determine if your REST API stage-level cached responses are encrypted, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to access the Amazon API Gateway APIs listing page.

04 Click on the name (link) of the REST API that you want to examine to access the API configuration. To identify a REST API check the value available in the Protocol column for each listed API.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, choose the API stage that you want to examine.

07 Select the Settings tab from the console top panel to access the stage settings.

08 On the Settings panel, within Cache Settings section, check the Encrypt cache data setting status. If the Encrypt cache data setting is not available in the Cache Settings section, the response caching is not enabled for the selected API stage. If the Encrypt cache data setting is available but the checkbox is not selected, the stage-level cache encryption is not enabled for the selected Amazon API Gateway API stage.

09 Repeat steps no. 6 – 8 to determine the cache encryption status for other stages created for the selected API.

10 Repeat steps no. 4 – 9 to verify other REST APIs available within the current AWS cloud region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) with custom query filters to list the IDs of the REST APIs created in the selected AWS region: 

aws apigateway get-rest-apis
  --region us-east-1
  --output table
  --query 'items[*].id'

02 The command output should return a table with the requested API identifiers (IDs): 

----------------
|  GetRestApis |
+--------------+
|  aaabbbbccc  |
|  aabbccddee  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the REST API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API: 

aws apigateway get-stages
  --region us-east-1
  --rest-api-id aaabbbbccc
  --output table
  --query 'item[*].stageName'

04 The command output should return a table with the API stage name(s): 

----------------
|   GetStages  |
+--------------+
|  Production  |
|  Testing     |
|  Development |
+--------------+

05 Execute get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier parameter and custom query filters to describe the API caching feature configuration attributes available for the selected API stage: 

aws apigateway get-stages
  --region us-east-1
  --rest-api-id aaabbbbccc
  --query 'item[?(stageName==`Production`)].methodSettings | []'

06 The command output should return the requested configuration information. If an empty object (i.e. {}) is returned instead, the response caching is not enabled for the selected API stage: 

[
	{
		"*/*": {
			"throttlingRateLimit": 10000.0,
			"dataTraceEnabled": True,
			"metricsEnabled": false,
			"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
			"cacheTtlInSeconds": 3600,
			"cacheDataEncrypted": false,
			"cachingEnabled": true,
			"throttlingBurstLimit": 5000,
			"requireAuthorizationForCacheControl": true
		}
	}
]

If get-stages command output returns false for the "cacheDataEncrypted" configuration attribute (highlighted), as shown in the example above, the stage-level cache encryption is not enabled for the selected Amazon API Gateway API stage.

07 Repeat step no. 5 and 6 to determine the cache encryption status for other stages created for the selected API.

08 Repeat steps no. 3 – 7 to check other REST APIs available in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire audit process for other regions.

Remediation / Resolution

To enable stage-level cache encryption for your existing Amazon API Gateway REST APIs, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable API Cache",
	"Resources": {
		"RestAPI": {
			"Type": "AWS::ApiGateway::RestApi",
			"Properties": {
				"Name": "WebServiceRestAPI",
				"Description": "A simple API Gateway REST API"
			}
		},
		"StageDeployment": {
			"Type": "AWS::ApiGateway::Deployment",
			"Properties": {
				"RestApiId": {
					"Ref": "RestAPI"
				}
			}
		},
		"APIStage": {
			"Type": "AWS::ApiGateway::Stage",
			"Properties": {
				"DeploymentId": {
					"Ref": "StageDeployment"
				},
				"RestApiId": {
					"Ref": "RestAPI"
				},
				"StageName": "Production",
				"TracingEnabled": true,
				"MethodSettings": [
					{
						"ResourcePath": "/*",
						"HttpMethod": "*",
						"CachingEnabled": true,
						"CacheTtlInSeconds": 3600,
						"CacheDataEncrypted": true
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable API Cache
	Resources:
	RestAPI:
		Type: AWS::ApiGateway::RestApi
		Properties:
		Name: WebServiceRestAPI
		Description: A simple API Gateway REST API
	StageDeployment:
		Type: AWS::ApiGateway::Deployment
		Properties:
		RestApiId: !Ref 'RestAPI'
	APIStage:
		Type: AWS::ApiGateway::Stage
		Properties:
		DeploymentId: !Ref 'StageDeployment'
		RestApiId: !Ref 'RestAPI'
		StageName: Production
		TracingEnabled: true
		MethodSettings:
			- ResourcePath: /*
			HttpMethod: '*'
			CachingEnabled: true
			CacheTtlInSeconds: 3600
			CacheDataEncrypted: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest-api" {
	name = "web-service-rest-api"
	description = "A simple API Gateway REST API"
}

resource "aws_api_gateway_deployment" "rest-api-deployment" {
	rest_api_id = aws_api_gateway_rest_api.rest-api.id
}

resource "aws_api_gateway_stage" "api-stage" {
	deployment_id        = aws_api_gateway_deployment.rest-api-deployment.id
	rest_api_id          = aws_api_gateway_rest_api.rest-api.id
	stage_name           = "Production"
	xray_tracing_enabled = true
}

resource "aws_api_gateway_method_settings" "api-gateway-method-settings" {
	rest_api_id = aws_api_gateway_rest_api.rest-api.id
	stage_name  = aws_api_gateway_stage.api-stage.stage_name
	method_path = "*/*"
	settings {
		caching_enabled      = true
		cache_ttl_in_seconds = 3600
		cache_data_encrypted = true
	}
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs.

04 Click on the name (link) of the REST API that you want to reconfigure, to access the API configuration settings.

05 In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, choose the API stage that you want to reconfigure (see Audit section part I to identify the right stage).

07 Select the Settings tab from the console top panel to access the stage settings.

08 On the Settings panel, in the Cache Settings section, select the Encrypt cache data checkbox to enable encryption for API stage response caching. Choose Save Changes to apply the new configuration changes.

09 Repeat steps no. 6 – 8 to enable stage-level cache encryption for other stages created for the selected REST API.

10 Repeat steps no. 4 – 9 to reconfigure other Amazon API Gateway APIs available within the current AWS region.

11 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier parameter (see Audit section part II to identify the right API stage) to enable in-transit encryption for API stage response caching. The following command example enables cache encryption for an API stage named "Production", deployed for an API identified by the ID "aaabbbbccc": 

aws apigateway update-stage
  --region us-east-1
  --rest-api-id aaabbbbccc
  --stage-name 'Production'
  --patch-operations op=replace,path=/*/*/caching/dataEncrypted,value=true

02 The command output should return the metadata available for the reconfigured API stage: 

{
	"tracingEnabled": true,
	"stageName": "Production",
	"cacheClusterSize": "0.5",
	"cacheClusterEnabled": true,
	"cacheClusterStatus": "AVAILABLE",
	"deploymentId": "abcabc",
	"lastUpdatedDate": 1608634577,
	"createdDate": 1608629899,
	"methodSettings": {
		"*/*": {
			"throttlingRateLimit": 10000.0,
			"dataTraceEnabled": true,
			"metricsEnabled": false,
			"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
			"cacheTtlInSeconds": 3600,
			"cacheDataEncrypted": true,
			"cachingEnabled": true,
			"throttlingBurstLimit": 5000,
			"requireAuthorizationForCacheControl": true
		}
	}
}

03 Repeat step no. 1 and 2 to enable stage-level cache encryption for other API stages deployed for the selected REST API.

04 Repeat steps no. 1 – 3 to reconfigure other Amazon API Gateway APIs available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References

Publication date Dec 30, 2020

Related APIGateway rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Enable Encryption for API Cache

Risk Level: High