AWS API Gateway endpoints without client certificate authentication
Description
This policy detects AWS API Gateway endpoints that do not use client certificate authentication. Client certificate authentication provides an additional layer of security by requiring clients to present a valid certificate issued by a trusted Certificate Authority (CA) in order to authenticate and establish a secure connection with the API Gateway endpoint.
Remediation
Terraform
- Resource: aws_api_gateway_stage
- Arguments: client_certificate_id
To fix the issue, set the `client_certificate_id` argument on the `aws_api_gateway_stage` resource. This argument specifies the identifier of the ClientCertificate resource that represents the client certificate to use for authentication.
Secure code example:
```terraform
resource "aws_api_gateway_stage" "example" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id

  # Referencing a client certificate is what this policy checks for.
  client_certificate_id = aws_api_gateway_client_certificate.example.id
}

# API Gateway generates the certificate itself; the resource accepts only a
# description (and tags), not a certificate body, chain or private key. The
# generated PEM is exposed through the pem_encoded_certificate attribute so
# the backend integration can be configured to trust it.
resource "aws_api_gateway_client_certificate" "example" {
  description = "Certificate presented by API Gateway to backend integrations"
}
```
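The check itself, as an added example that is not Checkov's code or part of this page: a small Python re-implementation of the policy run over the `resource_changes` section of a Terraform plan JSON (`terraform show -json tfplan`). The plan excerpt is constructed by hand. It handles the one edge case that trips a naive implementation: when the stage references a certificate created in the same plan, the id is computed at apply time and is absent from `after`, appearing only as `true` in `after_unknown`; the check must treat that as a pass or every correctly remediated stage is reported as a false positive. Note that the certificate referenced here is the one API Gateway presents to HTTP backend integrations, so the check can only confirm the stage references a certificate; whether the backend verifies it is outside Terraform's view.

```python
"""Flag aws_api_gateway_stage resources that do not reference a client certificate.

Added example implementing the IAC-0485 / CKV2_AWS_51 check over Terraform plan
JSON. Not Checkov's code; the sample plan below is constructed for this example.
"""
import json

CHECK_ID = "CKV2_AWS_51"
RESOURCE_TYPE = "aws_api_gateway_stage"
ARGUMENT = "client_certificate_id"

# Constructed excerpt of `terraform show -json tfplan` output; only the fields
# the check reads are included. Nested-module resources appear in the same flat
# list with a module-prefixed address.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # id known at plan time (existing certificate): passes
            "address": "aws_api_gateway_stage.prod", "mode": "managed", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"stage_name": "prod", ARGUMENT: "a1b2c3"},
                       "after_unknown": {"id": True}},
        },
        {   # id computed at apply (certificate created in this plan): passes
            "address": "aws_api_gateway_stage.wired", "mode": "managed", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"stage_name": "wired"},
                       "after_unknown": {"id": True, ARGUMENT: True}},
        },
        {   # explicitly empty string: fails
            "address": "aws_api_gateway_stage.dev", "mode": "managed", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"stage_name": "dev", ARGUMENT: ""},
                       "after_unknown": {"id": True}},
        },
        {   # argument omitted entirely, inside a module: fails
            "address": "module.api.aws_api_gateway_stage.test", "mode": "managed", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"],
                       "after": {"stage_name": "test"},
                       "after_unknown": {"id": True}},
        },
        {   # being destroyed: nothing exists after apply, skipped
            "address": "aws_api_gateway_stage.old", "mode": "managed", "type": RESOURCE_TYPE,
            "change": {"actions": ["delete"], "after": None, "after_unknown": {}},
        },
        {   # unrelated resource type: ignored
            "address": "aws_api_gateway_rest_api.example", "mode": "managed", "type": "aws_api_gateway_rest_api",
            "change": {"actions": ["create"], "after": {"name": "example"}, "after_unknown": {"id": True}},
        },
    ],
})


def stage_has_client_certificate(change: dict) -> bool:
    """True if the planned stage will reference a client certificate.

    A value only known at apply time is reported under after_unknown rather
    than after; treat it as set so remediated stages are not flagged.
    """
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    if unknown.get(ARGUMENT) is True:
        return True
    value = after.get(ARGUMENT)
    return isinstance(value, str) and value.strip() != ""


def find_stages_without_client_certificate(plan_json: str) -> list[str]:
    """Return the addresses of managed stages that fail the check."""
    plan = json.loads(plan_json)
    failing = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE or rc.get("mode", "managed") != "managed":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # resource will not exist after apply
        if not stage_has_client_certificate(change):
            failing.append(rc["address"])
    return failing


def report(plan_json: str) -> str:
    """One-line-per-finding summary in the style of an IaC scanner."""
    failing = find_stages_without_client_certificate(plan_json)
    if not failing:
        return f"{CHECK_ID}: PASSED"
    return "\n".join(f"{CHECK_ID}: FAILED for {addr} ({ARGUMENT} not set)" for addr in failing)


if __name__ == "__main__":
    print(report(SAMPLE_PLAN))
```

Run against a real plan with `python check.py < plan.json` after swapping `SAMPLE_PLAN` for `sys.stdin.read()`; the two failing addresses in the sample are `aws_api_gateway_stage.dev` and `module.api.aws_api_gateway_stage.test`.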
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0485 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_51 |