> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API Gateway APIs Should Use SSL Certificates

### More Info:

Your Amazon API Gateway APIs should be using SSL certificates to verify that HTTP requests made to your backend system are from API Gateway service.

### Risk Level

Medium

### Address

Security

### Compliance Standards

NIST

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Sign in to the AWS Management Console.
        2. Navigate to the API Gateway service by typing 'API Gateway' in the search bar and selecting it from the dropdown menu.
        3. In the API Gateway dashboard, you will see a list of all your APIs. Select the API you want to check.
        4. Once you've selected the API, navigate to the 'Custom Domain Names' section in the left-hand menu. Here, you can see if an SSL certificate is associated with your API. If there is no SSL certificate, or if it's expired, then it's a misconfiguration.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway services.

        2. Once the AWS CLI is set up, you can list all the APIs in the API Gateway by using the following command:

           ```
           aws apigateway get-rest-apis
           ```

           This command will return a list of all the APIs in the API Gateway.

        3. To check if an API is using SSL certificates, you need to get the details of each API. You can do this by using the following command:

           ```
           aws apigateway get-rest-api --rest-api-id {rest-api-id}
           ```

           Replace `{rest-api-id}` with the ID of the API you want to check. This command will return the details of the specified API.

        4. In the returned details, look for the `endpointConfiguration` field. If the `types` field under `endpointConfiguration` is set to `EDGE`, it means the API is using a CloudFront distribution and SSL certificates are managed by AWS. If the `types` field is set to `REGIONAL` or `PRIVATE`, you need to manually manage SSL certificates.
      </Accordion>

      <Accordion title="Using Python">
        1. Install the necessary Python libraries: Before you start, make sure you have the necessary Python libraries installed. You will need the boto3 library, which is the Amazon Web Services (AWS) SDK for Python. It allows Python developers to write software that makes use of services like Amazon S3, Amazon EC2, etc. You can install it using pip:

           ```python theme={null}
           pip install boto3
           ```

        2. Configure AWS Credentials: You need to configure your AWS credentials. You can do this in several ways, but the simplest is to use the AWS CLI. Run `aws configure` and then enter your access key, secret access key, and default region when prompted.

        3. Python Script: Now you can use the following Python script to check if API Gateway APIs are using SSL certificates:

           ```python theme={null}
           import boto3

           def check_api_gateway_ssl():
               client = boto3.client('apigateway')
               response = client.get_rest_apis()
               for api in response['items']:
                   api_id = api['id']
                   api_name = api['name']
                   response = client.get_stages(restApiId=api_id)
                   for stage in response['item']:
                       if 'clientCertificateId' not in stage:
                           print(f"API Gateway '{api_name}' does not use SSL certificate.")
                       else:
                           print(f"API Gateway '{api_name}' uses SSL certificate.")

           check_api_gateway_ssl()
           ```

           This script retrieves all the API Gateways and checks if they have a client certificate ID associated with them. If they don't, it means they are not using SSL certificates.

        4. Run the Script: Finally, you can run the script using a Python interpreter. If any API Gateway is not using SSL certificates, it will be printed out.

           Please note that this script only checks for the existence of a client certificate ID, not whether the certificate is valid or expired. You may need to add additional checks depending on your requirements.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "API Gateway APIs should use SSL Certificates" in AWS using the AWS console, follow the below steps:

        1. Login to the AWS Management Console and navigate to the Amazon API Gateway service.

        2. Select the API that needs to be remediated.

        3. In the left-hand panel, select the "Stages" option.

        4. Select the stage that needs to be remediated.

        5. In the "Settings" tab, scroll down to the "Security" section.

        6. In the "Security" section, select the "Edit" button.

        7. In the "Edit Security" dialog box, select the "Enable HTTPS" checkbox.

        8. Choose the SSL certificate from the dropdown list or upload a new one.

        9. Click "Save Changes" to remediate the misconfiguration.

        10. Repeat the above steps for all the APIs that are not using SSL certificates.

        By following the above steps, you can remediate the "API Gateway APIs should use SSL Certificates" misconfiguration in AWS using the AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "API Gateway APIs Should Use SSL Certificates" for AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI and run the following command to list all the APIs in the API Gateway:

           ```
           aws apigateway get-rest-apis
           ```

           This will return a list of all the APIs in the API Gateway.

        2. Identify the API that does not have an SSL certificate attached to it.

        3. Run the following command to create an SSL certificate:

           ```
           aws acm request-certificate --domain-name <your_domain_name> --validation-method DNS
           ```

           Replace `<your_domain_name>` with the domain name that you want to use for the SSL certificate. This will create a new SSL certificate.

        4. Run the following command to get the ARN of the SSL certificate:

           ```
           aws acm list-certificates
           ```

           This will return a list of all the SSL certificates that have been created.

        5. Identify the ARN of the SSL certificate that you just created.

        6. Run the following command to update the API Gateway to use the SSL certificate:

           ```
           aws apigateway update-rest-api --rest-api-id <your_rest_api_id> --patch-operations op=replace,path=/protocolType,value=HTTPS op=add,path=/tlsConfig/serverName,value=<your_domain_name> op=add,path=/tlsConfig/serverCertificateId,value=<your_ssl_certificate_arn>
           ```

           Replace `<your_rest_api_id>` with the ID of the API that you want to update. Replace `<your_domain_name>` with the domain name that you used for the SSL certificate. Replace `<your_ssl_certificate_arn>` with the ARN of the SSL certificate that you just created.

        7. Verify that the API is now using the SSL certificate by accessing the API using HTTPS.

        By following these steps, you can remediate the "API Gateway APIs Should Use SSL Certificates" misconfiguration for AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of API Gateway APIs not using SSL certificates in AWS, you can use the following steps using Python:

        1. Import the necessary AWS SDK libraries for Python, including `boto3` and `botocore`.

        ```
        import boto3
        from botocore.exceptions import ClientError
        ```

        2. Create a new `boto3` client for the API Gateway service.

        ```
        api_gateway_client = boto3.client('apigateway')
        ```

        3. Get a list of all APIs in the API Gateway service using the `get_rest_apis()` method.

        ```
        api_list = api_gateway_client.get_rest_apis()
        ```

        4. Loop through each API in the list and check if it has an SSL certificate attached to it using the `get_domain_name()` method.

        ```
        for api in api_list['items']:
            api_id = api['id']
            try:
                domain_name = api_gateway_client.get_domain_name(restApiId=api_id)
                if domain_name['securityPolicy'] == 'TLS_1_0':
                    # SSL certificate not attached, remediate the issue
                    # ...
            except ClientError as e:
                # Handle any errors that occur during the API check
                print(e)
        ```

        5. If the API does not have an SSL certificate attached, you can remediate the issue by creating a new SSL certificate using the AWS Certificate Manager service and attaching it to the API using the `create_domain_name()` and `update_domain_name()` methods.

        ```
        # Create a new SSL certificate using AWS Certificate Manager
        acm_client = boto3.client('acm')
        certificate_arn = acm_client.request_certificate(
            DomainName='example.com',
            ValidationMethod='DNS'
        )['CertificateArn']

        # Attach the SSL certificate to the API using API Gateway
        api_gateway_client.create_domain_name(
            domainName='example.com',
            certificateArn=certificate_arn,
            securityPolicy='TLS_1_2'
        )

        # Update the API Gateway API to use the new SSL certificate
        api_gateway_client.update_domain_name(
            domainName='example.com',
            patchOperations=[
                {
                    'op': 'replace',
                    'path': '/certificateArn',
                    'value': certificate_arn
                }
            ]
        )
        ```

        6. Repeat steps 4 and 5 for each API that does not have an SSL certificate attached.

        Note: Make sure to replace the `DomainName` parameter in step 5 with the actual domain name of your API.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html)
