[APIGateway.2]
API Gateway REST API stages should be configured to use SSL certificates for backend authentication
Description
All stages of a REST API must have an SSL certificate configured. This control is COMPLIANT when API Gateway REST API stages use a Secure Sockets Layer (SSL) certificate.
Details
| Property | Value |
|---|---|
| Category | Protect > Data Protection |
| Compliance Control ID | APIGateway.2 |
| FortifyFox ID | FF100058 |
| Link | APIGateway.2 Compliance |
| Resource Type(s) | AWS::ApiGateway::RestApi, AWS::ApiGateway::Deployment |
| Severity | Medium |
Remediation
Use the following CloudFormation templates to deploy a REST API that is compliant with APIGateway.2.
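YAML Template
```yaml
Resources:
  # Client certificate that API Gateway presents to the backend
  SSLCertificate:
    Type: AWS::ApiGateway::ClientCertificate
  restAPI:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref Your_API_ID
      # StageDescription only takes effect when a stage name is also provided
      StageName: Your_Stage_Name
      StageDescription:
        ClientCertificateId: !Ref SSLCertificate
```
JSON Template
```json
{
  "Resources": {
    "SSLCertificate": {
      "Type": "AWS::ApiGateway::ClientCertificate"
    },
    "restAPI": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": {
          "Ref": "Your_API_ID"
        },
        "StageName": "Your_Stage_Name",
        "StageDescription": {
          "ClientCertificateId": {
            "Ref": "SSLCertificate"
          }
        }
      }
    }
  }
}
```
You will need to replace Your_API_ID with the ID of your REST API, and Your_Stage_Name with the name of the stage to create (CloudFormation applies StageDescription only when a stage name is also provided).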
📓 Notes
- If you have an existing SSL certificate, you can omit the `SSLCertificate` resource and replace `SSLCertificate` with the ID of your existing certificate.
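To catch the same gap before deployment, the following added example (not part of the original page or of any AWS or FortifyFox tooling) scans a JSON CloudFormation template for stage definitions that set no `ClientCertificateId`. The function name, the sample template and its logical IDs are constructed for illustration; it assumes a stage is defined either by an `AWS::ApiGateway::Stage` resource or inline on an `AWS::ApiGateway::Deployment`.

```python
import json

DEPLOYMENT = "AWS::ApiGateway::Deployment"
STAGE = "AWS::ApiGateway::Stage"


def stages_without_client_cert(template_text):
    """Return logical IDs of resources that define a stage with no ClientCertificateId."""
    resources = json.loads(template_text).get("Resources", {})
    missing = []
    for logical_id, res in resources.items():
        props = res.get("Properties") or {}
        if res.get("Type") == STAGE:
            stage_props = props
        elif res.get("Type") == DEPLOYMENT and (
                "StageName" in props or "StageDescription" in props):
            # A Deployment defines a stage inline via StageName / StageDescription.
            stage_props = props.get("StageDescription") or {}
        else:
            continue  # resource does not define a stage
        if not stage_props.get("ClientCertificateId"):
            missing.append(logical_id)
    return sorted(missing)


# Constructed sample template (hypothetical logical IDs), not taken from the page.
SAMPLE = json.dumps({"Resources": {
    "Cert": {"Type": "AWS::ApiGateway::ClientCertificate"},
    "GoodDeployment": {"Type": DEPLOYMENT, "Properties": {
        "RestApiId": {"Ref": "Api"}, "StageName": "prod",
        "StageDescription": {"ClientCertificateId": {"Ref": "Cert"}}}},
    # No StageName or StageDescription: no stage is created, so nothing to check.
    "BareDeployment": {"Type": DEPLOYMENT, "Properties": {
        "RestApiId": {"Ref": "Api"}}},
    "NoCertDeployment": {"Type": DEPLOYMENT, "Properties": {
        "RestApiId": {"Ref": "Api"}, "StageName": "dev"}},
    "GoodStage": {"Type": STAGE, "Properties": {
        "RestApiId": {"Ref": "Api"}, "DeploymentId": {"Ref": "BareDeployment"},
        "StageName": "staging", "ClientCertificateId": {"Ref": "Cert"}}},
    "NoCertStage": {"Type": STAGE, "Properties": {
        "RestApiId": {"Ref": "Api"}, "DeploymentId": {"Ref": "BareDeployment"},
        "StageName": "test"}},
}})

if __name__ == "__main__":
    print(stages_without_client_cert(SAMPLE))
```

This checks JSON templates only; a YAML template that uses short-form intrinsics such as `!Ref` needs a CloudFormation-aware loader before it can be passed in.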