
Client Certificate

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AG-006

Ensure that your Amazon API Gateway REST API stages have a client-side SSL certificate attached, so that your backend can verify that the HTTP requests it receives originate from the API Gateway service. API Gateway presents the certificate in the TLS handshake with your HTTP integration endpoint; the backend can then accept only requests that present this certificate, even if the backend is reachable from the Internet. Attaching the certificate to a stage has no protective effect on its own: the backend must require a client certificate and check that the one presented matches the certificate generated by API Gateway.

This rule can help you with the following compliance standards:

  • NIST4


This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To ensure that the HTTP requests made to your backend services are originating from your Amazon API Gateway APIs, it is strongly recommended to use client-side SSL certificates to verify the requester's authenticity. Two caveats apply: the integration endpoint must be reached over HTTPS, because a client certificate is presented during the TLS handshake and a plain HTTP endpoint cannot receive one; and API Gateway-generated client certificates are valid for 365 days, so a replacement must be generated, attached to the stage and distributed to the backend before the expiration date, or the backend will start rejecting legitimate API Gateway traffic.


Audit

To determine if your Amazon API Gateway API stages are using client-side SSL certificates, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name to access the API configuration.

05 In the navigation panel, inside the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, choose the API stage that you want to examine, then select the Settings tab from the dashboard top panel.

07 On the Settings panel, in the Client Certificate section, check which certificate is selected in the Certificate dropdown list. If no certificate is selected (or the list has no entries at all, meaning no client certificate has been generated in this region), the selected Amazon API Gateway API stage is not using a client-side SSL certificate to authenticate its HTTP requests to the backend.

08 Repeat steps no. 6 and 7 to check other API stages created within the selected API for SSL certificates.

09 Repeat steps no. 4 – 8 to verify other Amazon API Gateway APIs available in the current region.

10 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected AWS region:

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the available API IDs:

----------------
|  GetRestApis |
+--------------+
|  abcdabcdab  |
|  aabbccaabb  |
+--------------+ 

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id abcdabcdab
	--output table
	--query 'item[*].stageName'

04 The command output should return the requested API stage name(s):

----------------
|   GetStages  |
+--------------+
|  Staging     |
|  Development |
+--------------+ 

05 Run get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier and custom query filters to return the ID of the SSL certificate attached to the selected API stage:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id abcdabcdab
	--query 'item[?(stageName==`Staging`)].clientCertificateId'

06 The command output should return the requested certificate identifier as a one-element array, e.g. ["abcabc"]. In this example the stage has no certificate attached:

[]

If the get-stages command output returns an empty array, i.e. [], the selected Amazon API Gateway API stage is not using a client-side SSL certificate to verify the API requester's authenticity. A stage can also reference a certificate that has already expired, so for each ID returned, run get-client-certificate with that ID and compare the expirationDate value against the current date.

07 Repeat step no. 5 and 6 to check other API stages within the selected API for client SSL certificates.

08 Repeat steps no. 3 – 7 to verify other AWS API Gateway APIs available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire process for other regions.
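The CLI steps above check one stage at a time. The following script, added here as an example and not part of the Conformity rule or the AWS tooling, applies the same check across every REST API stage in every region and goes one step further than the text: it also reads each attached certificate's expirationDate and flags certificates that are expired or within a rotation window. The decision logic is kept in pure functions that run offline against constructed sample responses (labelled as such; the IDs and timestamps reuse the example values quoted above); audit_region() and the __main__ block assume boto3 is installed and credentials with apigateway read access are configured.

```python
"""Audit API Gateway REST API stages for missing or soon-to-expire client certificates.
Added example, not Conformity's or AWS's code. Pure functions first (run offline);
audit_region() wires the same logic to boto3 for a live account."""
from __future__ import annotations

import time
from typing import Any, Dict, Iterable, List, Optional

# Assumption: certificates within this many days of expirationDate should be
# rotated (API Gateway-generated certificates are valid for 365 days).
ROTATION_WARNING_DAYS = 30


def classify_stage(stage: Dict[str, Any], certs: Dict[str, Dict[str, Any]],
                   now: float, warn_days: int = ROTATION_WARNING_DAYS) -> str:
    """Classify one element of get-stages' "item" list.

    certs maps clientCertificateId -> get-client-certificate response for the
    same region (client certificates are regional). expirationDate is a POSIX
    timestamp in CLI output but a datetime in boto3; both are accepted.
    """
    cert_id = stage.get("clientCertificateId")
    if not cert_id:
        return "MISSING"          # no client certificate attached to the stage
    cert = certs.get(cert_id)
    if cert is None:
        return "UNKNOWN_CERT"     # referenced certificate not listed in this region
    exp = cert["expirationDate"]
    exp_ts = exp.timestamp() if hasattr(exp, "timestamp") else float(exp)
    remaining_days = (exp_ts - now) / 86400
    if remaining_days <= 0:
        return "EXPIRED"
    if remaining_days <= warn_days:
        return "EXPIRING"
    return "OK"


def audit_api(api_id: str, stages: Iterable[Dict[str, Any]],
              certs: Dict[str, Dict[str, Any]], now: float) -> List[Dict[str, str]]:
    """Return one finding per non-compliant stage of a single REST API."""
    findings = []
    for stage in stages:
        status = classify_stage(stage, certs, now)
        if status != "OK":
            findings.append({"api_id": api_id, "stage": stage["stageName"],
                             "status": status,
                             "cert_id": stage.get("clientCertificateId") or "-"})
    return findings


def audit_region(region: str, now: Optional[float] = None) -> List[Dict[str, str]]:
    """Live audit of one region (needs boto3 and credentials with apigateway:GET)."""
    import boto3  # imported here so the pure functions above work without it

    apigw = boto3.client("apigateway", region_name=region)
    now = time.time() if now is None else now
    certs: Dict[str, Dict[str, Any]] = {}
    for page in apigw.get_paginator("get_client_certificates").paginate():
        for cert in page.get("items", []):
            certs[cert["clientCertificateId"]] = cert
    findings: List[Dict[str, str]] = []
    for page in apigw.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            stages = apigw.get_stages(restApiId=api["id"]).get("item", [])
            findings.extend(audit_api(api["id"], stages, certs, now))
    return findings


# Constructed sample data (not real AWS output), in the shape of the CLI output
# shown above: a stage without a certificate simply lacks clientCertificateId.
SAMPLE_NOW = 1548412905  # the lastUpdatedDate shown above, used as "now"
SAMPLE_CERTS = {
    "abcabc": {"clientCertificateId": "abcabc", "createdDate": 1548412577,
               "expirationDate": 1579948577},               # 365 days after creation
    "oldold": {"clientCertificateId": "oldold", "createdDate": 1516876905,
               "expirationDate": SAMPLE_NOW + 5 * 86400},   # 5 days left
}
SAMPLE_STAGES = [
    {"stageName": "Staging", "clientCertificateId": "abcabc"},
    {"stageName": "Development"},
    {"stageName": "Legacy", "clientCertificateId": "oldold"},
    {"stageName": "Orphan", "clientCertificateId": "gonegone"},
]


def sample_findings() -> List[Dict[str, str]]:
    """Run the audit over the constructed sample; returns three findings."""
    return audit_api("abcdabcdab", SAMPLE_STAGES, SAMPLE_CERTS, SAMPLE_NOW)


if __name__ == "__main__":
    import boto3

    for region in boto3.session.Session().get_available_regions("apigateway"):
        for f in audit_region(region):
            print(f"{region} {f['api_id']} {f['stage']:<12} {f['status']:<12} {f['cert_id']}")
```

Over the sample, "Staging" is compliant and produces no finding, "Development" is reported as MISSING (the case the rule is about), "Legacy" as EXPIRING and "Orphan" as UNKNOWN_CERT because it references an ID that get-client-certificates does not return for the region. Treat EXPIRING and EXPIRED as operational findings rather than as compliance with this rule: the stage does have a certificate attached, but the backend will reject API Gateway traffic once it lapses.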

Remediation / Resolution

To generate an SSL certificate and associate it with your Amazon API Gateway API, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select Client Certificates to access the SSL certificates listing page.

04 Click Generate Client Certificate button from the dashboard top menu to create a new client-side SSL certificate.

05 (Optional) Click the Edit link and add a descriptive title for the generated certificate within the Description box, then click Save to apply the changes.

06 Go back to the navigation panel and select APIs to open the APIs listing page.

07 Choose the API that you want to reconfigure, then click on its name to access the API configuration.

08 In the navigation panel, inside the API submenu, click Stages to list the stages available for the selected API.

09 Under Stages, choose the API stage that you want to update and select the Settings tab to access the stage configuration panel.

10 In the Client Certificate section, select the name/ID of the SSL certificate created earlier in the process from the Certificate dropdown list, then click Save Changes to attach your new client-side SSL certificate to the selected API stage. Note that if the selected Amazon API Gateway API has been previously deployed, you will need to redeploy it for the changes to take effect. Once the certificate is attached, the API Gateway service presents it in the TLS handshake for all calls to HTTP integration endpoints made from that stage (the endpoint must use HTTPS; a plain HTTP endpoint cannot receive a client certificate).

11 Now you can download a copy of the newly created SSL certificate and configure your backend servers and services to verify the client certificate. The downloaded PEM contains the self-signed certificate only; the private key stays with API Gateway. Configure the backend to require a client certificate on its TLS listener, to trust exactly this certificate (it is its own trust anchor), and to reject connections that present none; until the backend enforces this, the attached certificate provides no protection.

12 Repeat steps no. 9 – 11 to attach your new SSL certificate to other API stages created for the selected API.

13 Repeat steps no. 3 – 12 to reconfigure other Amazon API Gateway APIs available within the selected region.

14 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run generate-client-certificate command (OSX/Linux/UNIX) to generate a new client-side SSL certificate for Amazon API Gateway service:

aws apigateway generate-client-certificate
	--region us-east-1
	--description "SSL Certificate for HTTP requests authentication."

02 The command output should return the SSL certificate metadata:

{
    "clientCertificateId": "abcabc",
    "expirationDate": 1579948577,
    "createdDate": 1548412577,
    "pemEncodedCertificate": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
    "description": "SSL Certificate for HTTP requests authentication."
}

03 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier (see Audit section part II to identify the right API stage) to attach the client certificate created at the previous steps to the selected API stage. If the selected Amazon API Gateway API has been previously deployed, you will need to redeploy it for the changes to take effect. Once the SSL certificate is attached, the AWS API Gateway service presents the certificate for all calls to HTTPS integration endpoints made from that stage. The following command example associates the SSL certificate with the ID "abcabc" with an API stage named "Staging", available for an API identified by the ID "abcdabcdab":

aws apigateway update-stage
	--region us-east-1
	--rest-api-id abcdabcdab
	--stage-name 'Staging'
	--patch-operations op=replace,path=/clientCertificateId,value=abcabc

04 The command output should return the command request metadata:

{
    "clientCertificateId": "abcabc",
    "tracingEnabled": true,
    "stageName": "Staging",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "aaabbb",
    "lastUpdatedDate": 1548412905,
    "createdDate": 1548406023,
    "methodSettings": {}
}

05 Run get-client-certificate command (OSX/Linux/UNIX) to extract the PEM-encoded certificate (which carries the public key; the private key is never exported) of the SSL certificate created earlier in the process. The certificate is what you install at the integration endpoint level (e.g. on your servers or load balancer) to verify that a connecting client is API Gateway:

aws apigateway get-client-certificate
	--region us-east-1
	--client-certificate-id abcabc
	--query "pemEncodedCertificate"

06 The command output should return the PEM-encoded certificate requested, e.g.:

"-----BEGIN CERTIFICATE-----\r\nMIC63 ... Xqk3S==\r\n-----END CERTIFICATE-----" 

07 Now you can configure your backend servers and services to verify the associated client SSL certificate: require a client certificate on the integration endpoint's TLS listener, trust only the certificate obtained in step no. 6 (it is self-signed, so it serves as its own trust anchor), and reject connections that present no certificate or a different one. Record the expirationDate returned in step no. 2: the certificate is valid for one year, and a replacement must be generated, attached to the stage and installed on the backend before that date to avoid an outage.

08 Repeat step no. 3 and 4 to attach your new SSL certificate to other API stages created for the selected API.

09 Repeat steps no. 1 – 8 to reconfigure other Amazon API Gateway APIs available within the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.


Publication date Jan 27, 2019