forked from aquasecurity/cloud-security-remediation-guides
Remediation guides for plugins in API Gateway category
Showing 10 changed files with 263 additions and 0 deletions.
@@ -0,0 +1,27 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Certificate Rotation | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Certificate Rotation | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway APIs have certificates with expiration date more than the rotation limit. | | ||
| **More Info** | API Gateway APIs should have certificates with long term expiry date to avoid API insecurity after certificate expiration. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html | | ||
| **Recommended Action** | Rotate the certificate attached to API Gateway API | | ||
|
||
## Detailed Remediation Steps | ||
You must rotate the certificate before a client certificate on an API stage expires to avoid any downtime for the API. </br> | ||
To rotate a client certificate in the console for a previously deployed API, do the following: </br> | ||
1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/. </br> | ||
2. In the main navigation pane, choose Client Certificates. </br> | ||
3. From the Client Certificates pane, choose Generate Client Certificate. </br> | ||
4. From navigation pane again click on APIs. </br> | ||
5. Open the API for which you want to use the client certificate. </br> | ||
6. Choose Stages under the selected API and then choose a stage. </br> | ||
7. In the Stage Editor panel, select the new certificate under the Client Certificate section. </br> | ||
8. To save the settings, choose Save Changes. </br> |
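Review bot: steps 3 through 8 switch the stage to a freshly generated certificate but never say to configure the backend to trust the new certificate before the switch, or to remove the old one afterwards, so a backend that still only trusts the old certificate will reject requests as soon as step 8 is saved; add both steps. The More Info cell argues for a "long term expiry date", which contradicts a rotation check; rephrase it to say the certificate must be rotated before it reaches the rotation limit. Markup: every line ends in `</br>`, which is not a valid tag; use `<br>` (or two trailing spaces) here and in the other nine files of this commit.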
@@ -0,0 +1,30 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Client Certificate | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Client Certificate | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway API stages use client certificates | | ||
| **More Info** | API Gateway API stages should use client certificates to ensure API security authorization. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html | | ||
| **Recommended Action** | Attach client certificate to API Gateway API stages | | ||
|
||
## Detailed Remediation Steps | ||
Generate a client certificate using the API Gateway console: </br> | ||
1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/. </br> | ||
2. Choose a REST API. | ||
3. In the main navigation pane, choose Client Certificates. </br> | ||
4. From the Client Certificates pane, choose Generate Client Certificate. </br> | ||
5. Optionally, for Edit, choose to add a descriptive title for the generated certificate and choose Save to save the description. API Gateway generates a new certificate and returns the new certificate GUID. </br> | ||
|
||
Now you need to configure an API to use SSL certificate: | ||
1. In the API Gateway console, create or open an API for which you want to use the client certificate. Make sure that the API has been deployed to a stage. For more information on how to deploy see https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api-with-console.html#how-to-deploy-api-console </br> | ||
2. Choose Stages under the selected API and then choose a stage. </br> | ||
3. In the Stage Editor panel, select a certificate under the Client Certificate section. </br> | ||
4. To save the settings, choose Save Changes. </br> | ||
5. If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the changes to take effect. For more information, see https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api-with-console.html#apigateway-how-to-redeploy-api-console </br> |
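Review bot: step 2 "Choose a REST API." is out of place in the first list: Client Certificates is picked from the main navigation pane (step 3) independently of any API, and the Certificate Rotation guide in this same commit goes straight from the console to Client Certificates; drop step 2 (it is also the only line without the `</br>` line break). The second list ends at attaching the certificate and redeploying, but the More Info goal of "API security authorization" only holds if the backend actually verifies the certificate API Gateway presents; add a step, or a pointer to the AWS Link, for backend verification, otherwise a stage passes the check with no enforcement in place.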
@@ -0,0 +1,33 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway CloudWatch Logs | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway CloudWatch Logs | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled | | ||
| **More Info** | API Gateway API stages should have Amazon CloudWatch Logs enabled to help debug issues related to request execution or client access to your API. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html | | ||
| **Recommended Action** | Modify API Gateway API stages to enable CloudWatch Logs | | ||
|
||
## Detailed Remediation Steps | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. Choose a REST API. </br> | ||
3. Choose Settings from the primary navigation panel and enter an ARN of an IAM role with appropriate permissions in CloudWatch log role ARN. You need to do this once. </br> | ||
4. Choose an existing API and then choose a stage. </br> | ||
5. Choose Logs/Tracing in the Stage Editor. </br> | ||
6. To enable execution logging: </br> | ||
a. Choose Enable CloudWatch Logs under CloudWatch Settings. </br> | ||
b. Choose Error or Info from the dropdown menu. </br> | ||
c. If desired, choose Log full requests/responses data to log the full API requests and responses. </br> | ||
Warning: This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable Log full requests/responses data for production APIs. </br> | ||
d. If desired, choose Enable Detailed CloudWatch Metrics. </br> | ||
7. To enable access logging: </br> | ||
a. Choose Enable Access Logging under Custom Access Logging. </br> | ||
b. Enter the ARN of a log group in Access Log Destination ARN. The ARN format is arn:aws:logs:{region}:{account-id}:log-group:log-group-name. </br> | ||
c. Enter a log format in Log Format. You can choose CLF, JSON, XML, or CSV to use one of the provided examples as a guide. </br> | ||
8. Choose Save Changes. </br> |
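Review bot: the Description checks that a stage has "CloudWatch Logs enabled", but steps 6 and 7 describe two independent settings (execution logging and access logging) and the guide never says which one satisfies the check or whether both are expected; state that explicitly. Step 3 asks for "an IAM role with appropriate permissions" without naming them; the AWS Link in Quick Info covers the role and should be referenced from the step. The warning under 6c is the right caveat but is formatted as an unnumbered continuation line; give it its own paragraph so it is not read as part of step c.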
@@ -0,0 +1,22 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Content Encoding | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Content Encoding | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway APIs have content encoding enabled. | | ||
| **More Info** | API Gateway API should have content encoding enabled to enable compression of response payload. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-gzip-compression-decompression.html | | ||
| **Recommended Action** | Enable content encoding and set minimum compression size of API Gateway API response | | ||
|
||
## Detailed Remediation Steps | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. Choose an existing API. </br> | ||
3. In the primary navigation pane, choose Settings under the API you chose. </br> | ||
4. Under the Content Encoding section in the Settings pane, select the Content Encoding enabled option to enable payload compression. Enter a number for the minimum compression size (in bytes) next to Minimum body size required for compression. </br> | ||
5. Choose Save Changes.</br> |
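Review bot: More Info gives no security rationale ("to enable compression of response payload" is a performance property), so a reader cannot tell why a disabled setting is a finding; state the reason or mark the plugin informational. Step 4 asks for "a number for the minimum compression size" with no guidance on choosing it. Unlike the Detailed CloudWatch Metrics and Tracing guides in this commit, there is no step to redeploy the API after saving; confirm whether the setting needs a deployment and add the step if it does. Step 5 is missing the space before `</br>`.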
en/aws/apigateway/api-gateway-detailed-cloudwatch-metrics.md
@@ -0,0 +1,23 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Detailed CloudWatch Metrics | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Detailed CloudWatch Metrics | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that API Gateway API stages have detailed CloudWatch metrics enabled. | | ||
| **More Info** | API Gateway API stages should have detailed CloudWatch metrics enabled to monitor logs and events. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-metrics.html | | ||
| **Recommended Action** | Add CloudWatch role ARN to API settings and enabled detailed metrics for each stage | | ||
|
||
## Detailed Remediation Steps | ||
1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/. </br> | ||
2. Choose an API. </br> | ||
3. Choose a stage. </br> | ||
4. On the Logs/Tracing tab, choose Enable Detailed CloudWatch Metrics. </br> | ||
5. Choose Resources in the left side navigation panel. </br> | ||
6. To redeploy the API with the new settings, choose the Actions dropdown, and then choose Deploy API. </br> |
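Review bot: Recommended Action says to "Add CloudWatch role ARN to API settings", but none of steps 1 through 6 do that; either add the role ARN step (the CloudWatch Logs guide's step 3 in this commit has the wording) or drop it from the Recommended Action, and change "enabled detailed metrics" to "enable detailed metrics". The AWS Link points to the HTTP API metrics page while the steps (Logs/Tracing tab, Actions dropdown, Deploy API) are the REST API console; link to the REST API page or state which API type the plugin evaluates. Step 4 should also say to choose Save Changes before leaving the tab, as step 4 of the Tracing guide does.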
@@ -0,0 +1,25 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Private Endpoints | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Private Endpoints | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway APIs are only accessible through private endpoints. | | ||
| **More Info** | API Gateway APIs should be only accessible through private endpoints to ensure API security | | ||
| **AWS Link** | https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints | | ||
| **Recommended Action** | Set API Gateway API endpoint configuration to private | | ||
|
||
## Detailed Remediation Steps | ||
To convert a public endpoint from regional or edge-optimized to Private: </br> | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. Choose an existing API. </br> | ||
3. Choose Settings. </br> | ||
4. Change the Endpoint Type option under Endpoint Configuration from Edge Optimized or from Regional to Private. </br> | ||
5. You need to specify one or more VPC endpoints with your API and API Gateway will generate new Route 53 Alias records which you can use to invoke your API. </br> | ||
6. If you don't have a VPC, then create one and then Create the VPC endpoint for API Gateway. See this for more details: https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/ </br> | ||
7. Choose Save Changes to start the update. </br> |
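Review bot: the steps are out of order: step 6 (create the VPC and the VPC endpoint) is a prerequisite for step 5 (specify one or more VPC endpoints), and step 5 must be satisfied before the endpoint type change in step 4 can be saved in step 7; move VPC endpoint creation ahead of step 4 and merge steps 5 and 6 into one. The guide should also warn that converting an Edge Optimized or Regional endpoint to Private makes the API unreachable from outside the VPC once step 7 completes, so existing external clients must be migrated first. Minor: the link in step 6 has a trailing slash and the AWS Link cell does not; use one form.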
@@ -0,0 +1,25 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Response Caching | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Response Caching | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensure that response caching is enabled for your Amazon API Gateway REST APIs. | | ||
| **More Info** | A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services.You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html | | ||
| **Recommended Action** | Modify API Gateway API stages to enable API cache | | ||
|
||
## Detailed Remediation Steps | ||
To configure API caching for a given stage: | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. Choose an existing API. </br> | ||
3. Choose Stages. </br> | ||
4. In the Stages list for the API, choose the stage. </br> | ||
5. Choose the Settings tab. </br> | ||
6. Choose Enable API cache. </br> | ||
7. Wait for the cache creation to complete. </br> |
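Review bot: the steps stop at "Enable API cache" and "Wait for the cache creation" with no Save Changes step, while every other guide in this commit ends with a save; add it. Caching is enabled here without mentioning the Encrypt cache data option that the API Stage-Level Cache Encryption guide in this commit depends on; cross-reference it so that following this guide does not create a new cache-encryption finding. More Info has a missing space ("services.You") and describes caching only as a cost and latency feature, with no security rationale for why a disabled cache is a finding.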
@@ -0,0 +1,26 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway Tracing Enabled | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway Tracing Enabled | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that Amazon API Gateway API stages have tracing enabled for AWS X-Ray. | | ||
| **More Info** | API Gateway API stages should have tracing enabled to send traces to AWS X-Ray for enhanced distributed tracing. | | ||
| **AWS Link** | https://docs.aws.amazon.com/xray/latest/devguide/xray-services-apigateway.html | | ||
| **Recommended Action** | Enable tracing on API Gateway API stages | | ||
|
||
## Detailed Remediation Steps | ||
Enable active tracing on your API stages to sample incoming requests and send traces to X-Ray. </br> | ||
1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/. </br> | ||
2. Choose an API. </br> | ||
3. Choose a stage. </br> | ||
4. On the Logs/Tracing tab, choose Enable X-Ray Tracing and then choose Save Changes. </br> | ||
5. Choose Resources in the left side navigation panel. </br> | ||
6. To redeploy the API with the new settings, choose the Actions dropdown, and then choose Deploy API. </br> | ||
Note: API Gateway uses sampling rules that you define in the X-Ray console to determine which requests to record. </br> | ||
For more info see: https://docs.aws.amazon.com/xray/latest/devguide/xray-console-sampling.html </br> |
@@ -0,0 +1,27 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Gateway WAF Enabled | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Gateway WAF Enabled | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensures that API Gateway APIs are associated with a Web Application Firewall. | | ||
| **More Info** | API Gateway APIs should be associated with a Web Application Firewall to ensure API security. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html | | ||
| **Recommended Action** | Associate API Gateway API with Web Application Firewall | | ||
|
||
## Detailed Remediation Steps | ||
To associate an AWS WAF regional Web ACL with an API Gateway API stage using the API Gateway console </br> | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. In the APIs navigation pane, choose the API, and then choose Stages. </br> | ||
3. In the Stages pane, choose the name of the stage. </br> | ||
4. In the Stage Editor pane, choose the Settings tab. </br> | ||
5. To associate a Regional web ACL with the API stage: </br> | ||
a. In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage. | ||
Note: </br> | ||
If the web ACL you need doesn't exist yet, choose Create WebACL. Then choose Go to AWS WAF to open the AWS WAF console in a new browser tab and create a Regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage. </br> | ||
6. Choose Save Changes. </br> |
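Review bot: the Description only verifies that a web ACL is associated, so a web ACL with no rules satisfies the check while filtering nothing; the guide should say that the associated web ACL needs rules appropriate for the API, or point to the AWS Link for that. Step 5 has a single sub-item a, and the Note at the bottom belongs under it; indent the Note under 5a and give 5a the `</br>` the other lines have. The intro line before step 1 is missing its colon.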
@@ -0,0 +1,25 @@ | ||
[](https://cloudsploit.com) | ||
|
||
# AWS / API Gateway / API Stage-Level Cache Encryption | ||
|
||
## Quick Info | ||
|
||
| | | | ||
|-|-| | ||
| **Plugin Title** | API Stage-Level Cache Encryption | | ||
| **Cloud** | AWS | | ||
| **Category** | API Gateway | | ||
| **Description** | Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses. | | ||
| **More Info** | It is strongly recommended to enforce encryption for API cached responses in order to protect your data from unauthorized access. | | ||
| **AWS Link** | https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html | | ||
| **Recommended Action** | Modify API Gateway API stages to enable encryption on cache data | | ||
|
||
## Detailed Remediation Steps | ||
To configure API caching for individual methods using the console: </br> | ||
1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway. </br> | ||
2. Go to the API Gateway console. </br> | ||
3. Choose the API. </br> | ||
4. Choose Stages. </br> | ||
5. In the Stages list for the API, expand the stage and choose a method in the API. </br> | ||
6. Choose Override for this method in Settings. </br> | ||
7. In Cache Settings, choose Encrypt cache data. (This section is shown only if stage-level caching is enabled.) </br> |
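Review bot: steps 1 and 2 are duplicates ("Sign in to the API Gateway console" followed by "Go to the API Gateway console"); drop step 2. The intro says "for individual methods", but the plugin is stage-level, and step 7 itself notes the option is only shown when stage-level caching is enabled; state that prerequisite up front and point to the API Gateway Response Caching guide in this commit. There is no Save Changes step after step 7, so as written the encryption setting is never persisted.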