Amazon API Gateway

API Gateway Certificate Expired

This plugin plays a crucial role in ensuring that the expiration dates of the SSL certificates are more than the rotation limit.

Risk Level: High

Description: 

This plugin plays a crucial role in ensuring that the expiration dates of the SSL certificates are more than the rotation limit.

Keeping the expiration dates of certificates more than the rotation limit provides API security even after the expiration of certificates.

About the Service

API (Application Programming Interface) Gateway is an AWS service that lies between the client and tons of backend services. The actions performed by API Gateways include creating, deploying, and managing RESTful API and WebSocket API.

The Amazon API Gateway Service uses SSL certificates services that are valid for 365 days.

Impact

The consequences of expired certificates will result in an insecure connection. Insecure connection tend to be a feast to malicious hackers. The hackers can eavesdrop or obtain sensitive information which they can utilize to exploit the organizations or perform other malicious activities.

Steps to reproduce

  1. Log in to AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. On the top left,select the APIs option.
  4. We can select from a list of APIs to  examine.
  5. On the selected API,click on its name to access the details.
  6. In the selected submenu, select the Stages option.
  7. Under Stages, choose the API stage that you want to examine and select Settings. Further in Settings, in the Client Certificate Section note the ID of the SSL certificate associated.
  8. Head back to the navigation panel and select Client Certificates.
  9. Now look for the expiration date of the certificate.

Steps for remediation

Rotate the certificate attached to API Gateway API

 

  1. Log in to AWS Management Console.
  2. Navigate to the API Gateway Dashboard.
  3. On the top left,select the APIs option.
  4. We can select from a list of APIs to  examine.
  5. Further, select Client Certificates.
  6. Click on Generate Client Certificate button to create new SSL certificate.
  7. Once the certificate is created, click on the Edit button and provide the certificate with a descriptive title and click save.
  8. In order to include the new certificate update the backend server.
  9. Again, select the APIs option and then move to Stages. Under stages choose the APIs for reconfiguration and select the Settings option.
  10. Now move to the Client Certificate section, and select the ID of the previous certificate created and click Save Changes.
  11. Update the backend server to  remove the old SSL certificate.
  12. Now Delete the old certificate from the API Gateway Service Dashboard.