[APIGateway.5]
API Gateway REST API cache data should be encrypted at rest
Description
Every method in an API Gateway REST API stage that has caching enabled should have its cache data encrypted. Encrypting data at rest reduces the chances of a non-authenticated user accessing the data stored on disk, which provides an added layer of security. This rule is COMPLIANT when all methods of a stage have encryption enabled.
Details
Property | Value |
---|---|
Category | Protect > Data protection > Encryption of data at rest |
Compliance Control ID | APIGateway.5 |
FortifyFox ID | FF100060 |
Link | APIGateway.5 Compliance |
Resource Type(s) | AWS::ApiGateway::Deployment |
Severity | Medium |
Remediation
Use the following CloudFormation templates to deploy a REST API compliant with APIGateway.5:
YAML Template
```yaml
Resources:
  restAPI:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref YOUR_API_ID
      StageDescription:
        CacheClusterEnabled: true
        CacheDataEncrypted: true
```
JSON Template
```json
{
  "Resources": {
    "restAPI": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "YOUR_API_ID"
        },
        "StageDescription": {
          "CacheClusterEnabled": true,
          "CacheDataEncrypted": true
        }
      }
    }
  }
}
```
You will need to replace YOUR_API_ID with the ID of your RestAPI.
📓 Notes
- This rule only applies to methods that have caching enabled. If your methods do not have caching enabled, you do not need to worry about enabling encryption.
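The compliance condition from the Description, together with the scoping in the note above, can be checked offline against stage data. The following is an added example, not FortifyFox's or AWS's own rule code: it assumes each stage is a dict shaped like an entry in the API Gateway GetStages response (`methodSettings` with `cachingEnabled` and `cacheDataEncrypted`), and the stage names and method keys are constructed sample data.

```python
from typing import Dict, List, Tuple


def unencrypted_cached_methods(stage: Dict) -> List[str]:
    """Return the method-setting keys that cache responses without encryption."""
    offenders = []
    for key, settings in stage.get("methodSettings", {}).items():
        if not settings.get("cachingEnabled", False):
            continue  # caching is off, so the rule does not apply to this method
        if not settings.get("cacheDataEncrypted", False):
            offenders.append(key)
    return sorted(offenders)


def evaluate_stage(stage: Dict) -> Tuple[str, List[str]]:
    """COMPLIANT only when every caching method also encrypts its cache data."""
    offenders = unencrypted_cached_methods(stage)
    return ("NON_COMPLIANT" if offenders else "COMPLIANT", offenders)


def evaluate_stages(stages: List[Dict]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each stage name to its (status, offending method keys) result."""
    return {s["stageName"]: evaluate_stage(s) for s in stages}


# Constructed sample input (hypothetical stages, not taken from a real account).
SAMPLE_STAGES = [
    {"stageName": "prod", "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
        # A per-method override that caches but drops encryption.
        "orders/GET": {"cachingEnabled": True, "cacheDataEncrypted": False},
    }},
    {"stageName": "staging", "methodSettings": {
        "*/*": {"cachingEnabled": True, "cacheDataEncrypted": True},
    }},
    {"stageName": "dev", "methodSettings": {
        # No caching, so missing encryption is not a finding.
        "*/*": {"cachingEnabled": False, "cacheDataEncrypted": False},
    }},
]

if __name__ == "__main__":
    for name, (status, offenders) in evaluate_stages(SAMPLE_STAGES).items():
        print(f"{name}: {status} {offenders}")
```

The `prod` sample shows the case a stage-level template setting can miss: a single method override that enables caching without encryption makes the whole stage NON_COMPLIANT.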