Missing API Gateway Client Certificate

This plugin plays a crucial role in ensuring that Amazon API Gateway stages use Client-Side SSL certificates to ensure API security authorization.

Risk Level: Medium

Description: 

This plugin plays a crucial role in ensuring that Amazon API Gateway stages use Client-Side SSL certificates to ensure API security authorization.

PingSafe strongly recommends attaching client certificates to API Gateway API stages.

About the Service :

API(Application Programming Interface) Gateway is an AWS service that lies between the client and tons of backend services. The actions performed by API Gateways include creating, deploying, and managing RESTful API and WebSocket API.

API Gateway generates SSL certificates that are signed by themselves and only the public key of a certificate may be seen in either the API Gateway interface or API.

Impact : 

In case the Client Certificate is missing it will result in the authorization of the requests originating outside Amazon API Gateway too. This authorization will weaken the security and API management will fail to secure access to APIs that happens by using client certificates.

Steps to reproduce :

  1. Log in to AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. On the top left, select the APIs option.
  4. We can select from a list of APIs to examine.
  5. On the selected API, click on its name to access the details.
  6. In the selected submenu, select the Stages option.
  7. Under Stages, choose the API stage that you want to examine and select Settings. 
  8. Further in Settings, in the Client Certificate Section check for the SSL certificates available in the Certificate list. If there are no certificates then the API Gateway is not using Client-Side SSL certificates.

Steps for remediation :

  1. Log in to AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. On the top left, select the APIs option.
  4. We can select from a list of APIs to examine.
  5. Further, select Client Certificates.
  6. Click on Generate Client Certificate button to create a new SSL certificate.
  7. Once the certificate is created, click on the Edit button and provide the certificate with a descriptive title and click save.
  8. In order to include the certificate update the backend server.
  9. Again, select the APIs option and then move to Stages. Under stages choose the APIs for reconfiguration and select the Settings option.
  10. In the Client Certificate section, select the name/ID of the SSL certificate created earlier, then click Save Changes to attach your new client-side SSL certificate to the selected API stage.
  11. Now you can configure the backend servers with the new certificate.

References: