Amazon API Gateway

API Gateway Certificate About to Expire

Ensures that API Gateway client certificates are not expired and are not within the configured rotation limit of their expiration date.

Risk Level: Medium

Description: 

This plugin checks the expiration date of every API Gateway client certificate and reports any certificate that has already expired or that will expire within the configured rotation limit.

API Gateway presents the client certificate to the backend on every request so the backend can verify that the request really came from API Gateway. Rotating a certificate before it reaches the rotation limit means the backend never sees an expired certificate and that verification continues without interruption.

Configuration Parameters

Certificate Rotation Limit: the number of days before a certificate's expiration date at which it should be rotated. The plugin raises an alert for every certificate whose remaining validity is at or below this limit, and for certificates that have already expired.

By default, the rotation limit is 30 days.

About the Service:

Amazon API Gateway (Application Programming Interface Gateway) is an AWS service that sits between clients and the backend services behind an API. It is used to create, deploy, and manage REST and WebSocket APIs.

When a REST API stage is configured with a client certificate, API Gateway presents that certificate to the backend integration endpoint on every request so the backend can confirm that the request originated from API Gateway rather than from a caller that reached the backend directly. Client certificates generated by API Gateway are valid for 365 days.

Impact:

An expired client certificate breaks the trust relationship between API Gateway and the backend. A backend that validates the certificate will reject every request from API Gateway, causing an outage. A backend that has been relaxed to accept requests anyway can no longer distinguish API Gateway's traffic from requests sent straight to it, so anyone who can reach the backend endpoint can bypass the authentication, throttling, and logging configured in API Gateway and obtain or manipulate the data behind the API.

Steps to reproduce:

  1. Log in to the AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. In the left navigation pane, select APIs.
  4. Select the API to examine from the list.
  5. Click the API's name to open its details.
  6. In the submenu, select Stages.
  7. Under Stages, choose the stage to examine and open Settings. In the Client Certificate section, note the ID of the client certificate associated with the stage.
  8. Return to the navigation pane and select Client Certificates.
  9. Find the certificate with that ID and check its expiration date. The stage is flagged if the certificate is already expired or expires within the rotation limit (30 days by default).
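The check above, together with the rotation-limit parameter from the Configuration Parameters section, as an added Python example (this is not the plugin's own code): it consumes the item shapes returned by `aws apigateway get-client-certificates` and `aws apigateway get-stages`, applies the same rule the plugin does, and reports one finding per stage, including stages that reference no certificate at all. The certificate IDs, API IDs, stage names and dates are constructed sample data, and the `now` date is pinned so the output is reproducible.

```python
"""Flag API Gateway client certificates that are expired or inside the rotation limit.

Added example, not part of the original plugin. Input shapes mirror the `items` list of
`aws apigateway get-client-certificates` and the `item` list of `aws apigateway get-stages`;
all IDs, names and dates below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_ROTATION_LIMIT_DAYS = 30  # the plugin's default rotation limit


def parse_aws_timestamp(value):
    """Accept the ISO-8601 string the CLI prints or the datetime object boto3 returns."""
    if isinstance(value, datetime):
        dt = value
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def days_until_expiry(cert, now):
    """Whole days of validity left; negative once the certificate has expired."""
    return (parse_aws_timestamp(cert["expirationDate"]) - now).days


def classify_certificate(cert, now, rotation_limit_days=DEFAULT_ROTATION_LIMIT_DAYS):
    """FAIL if expired, WARN if at or below the rotation limit, otherwise OK."""
    remaining = days_until_expiry(cert, now)
    cert_id = cert["clientCertificateId"]
    if remaining < 0:
        return "FAIL", f"client certificate {cert_id} expired {-remaining} days ago"
    if remaining <= rotation_limit_days:
        return "WARN", (f"client certificate {cert_id} expires in {remaining} days "
                        f"(rotation limit {rotation_limit_days})")
    return "OK", f"client certificate {cert_id} expires in {remaining} days"


def check_stages(stages, certificates, now=None, rotation_limit_days=DEFAULT_ROTATION_LIMIT_DAYS):
    """Return one (rest_api_id, stage_name, status, message) finding per stage.

    `stages` is a list of (rest_api_id, get-stages item) pairs; `certificates` is the
    `items` list from get-client-certificates. A stage with no client certificate cannot
    expire, but its backend cannot verify the caller either, so it is reported as WARN.
    """
    now = now or datetime.now(timezone.utc)
    by_id = {c["clientCertificateId"]: c for c in certificates}
    findings = []
    for api_id, stage in stages:
        cert_id = stage.get("clientCertificateId")
        if not cert_id:
            findings.append((api_id, stage["stageName"], "WARN", "no client certificate configured"))
            continue
        cert = by_id.get(cert_id)
        if cert is None:
            findings.append((api_id, stage["stageName"], "FAIL",
                             f"references unknown client certificate {cert_id}"))
            continue
        status, message = classify_certificate(cert, now, rotation_limit_days)
        findings.append((api_id, stage["stageName"], status, message))
    return findings


# Constructed sample data; NOW is pinned so the classification is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTIFICATES = [
    {"clientCertificateId": "abc123", "description": "prod backend",
     "expirationDate": "2024-06-15T00:00:00Z"},                               # 14 days left
    {"clientCertificateId": "def456", "description": "staging backend",
     "expirationDate": (NOW + timedelta(days=200)).isoformat()},              # plenty of time
    {"clientCertificateId": "ghi789", "description": "retired",
     "expirationDate": "2024-05-01T00:00:00Z"},                               # already expired
]
SAMPLE_STAGES = [
    ("a1b2c3d4e5", {"stageName": "prod", "clientCertificateId": "abc123"}),
    ("a1b2c3d4e5", {"stageName": "staging", "clientCertificateId": "def456"}),
    ("f6g7h8i9j0", {"stageName": "legacy", "clientCertificateId": "ghi789"}),
    ("f6g7h8i9j0", {"stageName": "dev"}),
]

if __name__ == "__main__":
    for api_id, stage_name, status, message in check_stages(SAMPLE_STAGES, SAMPLE_CERTIFICATES, now=NOW):
        print(f"{status:4} {api_id}/{stage_name}: {message}")
```

To run this against a real account, feed `check_stages` the output of `get-client-certificates` and, for each REST API, the `item` list from `get-stages`; both are paginated for large accounts.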

Steps for remediation:

  1. Log in to the AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. In the left navigation pane, select APIs.
  4. Select the API whose stage uses the expiring certificate.
  5. Select Client Certificates.
  6. Click Generate Client Certificate to create a new client certificate.
  7. Once the certificate is created, click Edit, give it a descriptive title, and click Save.
  8. Update the backend server so that it trusts the new certificate (its body is shown on the Client Certificates page) while still accepting the old one, so that no requests are rejected during the switch.
  9. Select APIs again, open Stages, choose the stage to reconfigure, and open Settings.
  10. In the Client Certificate section, select the ID of the new certificate created in step 6 and click Save Changes.
  11. Update the backend server to remove the old certificate.
  12. After confirming that no other stage still references it, delete the old certificate from the Client Certificates page.
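The remediation sequence above, as an added Python example that is neither the plugin's nor AWS's own code. The `api` argument is expected to be a boto3 `apigateway` client; `generate_client_certificate`, `update_stage`, `get_rest_apis`, `get_stages` and `delete_client_certificate` are the real boto3 method names and keyword signatures. The `install_trust` and `remove_trust` callbacks are hypothetical stand-ins for however the backend manages the client certificates it accepts, and `FakeAPIGateway`, `rotate_all_stages_demo` and the `cert1`/`a1b2c3d4e5` identifiers are constructed so the flow runs offline. The point it makes beyond the steps is the ordering: the backend trusts the new certificate before any stage presents it, the stage is switched to the new ID, and the old certificate is only deleted once no stage references it.

```python
"""Rotate an API Gateway client certificate in the order the remediation steps require.

Added example, not the plugin's or AWS's own code. `api` is expected to be a boto3
`apigateway` client (method names and keyword arguments below match boto3).
`install_trust` / `remove_trust` are hypothetical callbacks for the backend's trust store.
FakeAPIGateway and all IDs are a constructed stand-in so the flow can run offline.
"""


def stages_referencing(api, cert_id):
    """Every (rest_api_id, stage_name) still configured with cert_id.

    Real boto3 calls paginate (`position`/`limit`); add a paginator for large accounts.
    """
    refs = []
    for rest_api in api.get_rest_apis()["items"]:
        for stage in api.get_stages(restApiId=rest_api["id"])["item"]:
            if stage.get("clientCertificateId") == cert_id:
                refs.append((rest_api["id"], stage["stageName"]))
    return refs


def rotate_client_certificate(api, rest_api_id, stage_name, old_cert_id,
                              install_trust, remove_trust, description):
    """Returns (new_cert_id, old_cert_deleted)."""
    # 1. Generate the replacement; the response carries the PEM the backend must trust.
    new_cert = api.generate_client_certificate(description=description)
    new_id = new_cert["clientCertificateId"]
    # 2. The backend trusts the new certificate BEFORE the stage switches to it; the old
    #    certificate stays trusted so requests in flight are not rejected.
    install_trust(new_id, new_cert["pemEncodedCertificate"])
    # 3. Point the stage at the NEW certificate ID (the original step 10 said the old one).
    api.update_stage(restApiId=rest_api_id, stageName=stage_name,
                     patchOperations=[{"op": "replace", "path": "/clientCertificateId",
                                       "value": new_id}])
    # 4. Retire the old certificate only once no stage still presents it.
    if stages_referencing(api, old_cert_id):
        return new_id, False
    remove_trust(old_cert_id)
    api.delete_client_certificate(clientCertificateId=old_cert_id)
    return new_id, True


class FakeAPIGateway:
    """Constructed in-memory stand-in for the boto3 apigateway client; not AWS code."""

    def __init__(self, apis, certs):
        self.apis = apis          # {rest_api_id: {stage_name: cert_id}}
        self.certs = dict(certs)  # {cert_id: PEM}
        self.seq = len(certs)

    def get_rest_apis(self):
        return {"items": [{"id": api_id} for api_id in self.apis]}

    def get_stages(self, restApiId):
        return {"item": [{"stageName": name, "clientCertificateId": cert_id}
                         for name, cert_id in self.apis[restApiId].items()]}

    def generate_client_certificate(self, description):
        self.seq += 1
        new_id = f"cert{self.seq}"
        self.certs[new_id] = f"-----BEGIN CERTIFICATE-----\n{new_id}\n-----END CERTIFICATE-----"
        return {"clientCertificateId": new_id, "description": description,
                "pemEncodedCertificate": self.certs[new_id]}

    def update_stage(self, restApiId, stageName, patchOperations):
        for op in patchOperations:
            if op["op"] == "replace" and op["path"] == "/clientCertificateId":
                self.apis[restApiId][stageName] = op["value"]

    def delete_client_certificate(self, clientCertificateId):
        del self.certs[clientCertificateId]


def rotate_all_stages_demo():
    """Two stages share cert1; rotate both and record when cert1 is actually retired."""
    api = FakeAPIGateway(apis={"a1b2c3d4e5": {"prod": "cert1", "staging": "cert1"}},
                         certs={"cert1": "-----BEGIN CERTIFICATE-----\ncert1\n-----END CERTIFICATE-----"})
    backend_trust = {"cert1": api.certs["cert1"]}  # hypothetical backend trust store
    results = []
    for stage in ("prod", "staging"):
        new_id, deleted = rotate_client_certificate(
            api, "a1b2c3d4e5", stage, "cert1",
            install_trust=lambda cid, pem: backend_trust.__setitem__(cid, pem),
            remove_trust=lambda cid: backend_trust.pop(cid, None),
            description=f"{stage} backend")
        results.append((stage, new_id, deleted, sorted(backend_trust), sorted(api.certs)))
    return results


if __name__ == "__main__":
    for row in rotate_all_stages_demo():
        print(row)
```

After rotating `prod`, `cert1` is still trusted and still present in API Gateway because `staging` references it; only after `staging` is rotated does the old certificate disappear from both places.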