API Gateway cached responses are not encrypted
Affecting API Gateway (REST APIs) service in AWS
Severity Framework: Snyk CCSS
Rule category: Data / Access
Frameworks
CIS-Controls
CSA-CCM
GDPR
HIPAA
ISO-27001
NIST-800-53
SOC-2
- Snyk ID SNYK-CC-00287
- credit Snyk Research Team
Description
If someone gains unauthorized access to the cache storage location, the contents will be readable, which may disclose sensitive information.
How to fix?
Set the settings.cache_data_encrypted attribute to true.
Example Configuration
resource "aws_api_gateway_method_settings" "allowed" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.example.stage_name
  method_path = "*/*"

  settings {
    cache_data_encrypted = true
  }
}
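One way to check a Terraform plan for this misconfiguration before apply. This is an added example, not Snyk's rule implementation. It assumes the plan has been exported with terraform show -json, and it flags every settings block where cache_data_encrypted is not true. The sample plan, the resource names "denied" and "unset", and the module name "api" are constructed for illustration.

```python
import json
import sys

RESOURCE_TYPE = "aws_api_gateway_method_settings"
# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_api_gateway_method_settings.allowed", "type": RESOURCE_TYPE,
         "values": {"method_path": "*/*", "settings": [{"cache_data_encrypted": True}]}},
        {"address": "aws_api_gateway_method_settings.denied", "type": RESOURCE_TYPE,
         "values": {"method_path": "*/*", "settings": [
             {"caching_enabled": True, "cache_data_encrypted": False}]}},
        {"address": "aws_api_gateway_rest_api.example", "type": "aws_api_gateway_rest_api",
         "values": {"name": "example"}},
    ],
    "child_modules": [{"address": "module.api", "resources": [
        {"address": "module.api.aws_api_gateway_method_settings.unset", "type": RESOURCE_TYPE,
         "values": {"method_path": "orders/GET", "settings": [{"caching_enabled": True}]}},
    ]}],
}}}

def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unencrypted_cache_settings(plan):
    """Return one finding per settings block where cache_data_encrypted is not true."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != RESOURCE_TYPE:
            continue
        values = res.get("values") or {}
        # Plan JSON renders a nested block as a list of objects.
        for block in values.get("settings") or [{}]:
            if block.get("cache_data_encrypted") is not True:
                findings.append({"address": res.get("address"),
                                 "method_path": values.get("method_path"),
                                 "caching_enabled": bool(block.get("caching_enabled"))})
    return findings

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = unencrypted_cache_settings(plan)
    for f in findings:
        print(f"{f['address']} ({f['method_path']}): cache_data_encrypted is not true")
    sys.exit(1 if findings else 0)
```

Run with the path to a plan JSON file as the only argument to use it as a CI gate; the exit status is 1 when any finding is reported.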