AWS apigateway documentation change
Summary
Expanded client certificate documentation to include WebSocket APIs, added detailed steps for certificate rotation via console and CLI, and removed redundant instructions.
Security assessment
The changes provide detailed steps for rotating expiring client certificates, which is a security best practice to prevent service disruptions due to expired certificates. However, there's no concrete evidence of addressing a specific existing security vulnerability, only general maintenance guidance.
Diff
diff --git a/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.md b/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.md index abac361e0..1edf16b5e 100644 --- a//apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.md +++ b//apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.md @@ -38 +38 @@ The SSL certificates that are generated by API Gateway are self-signed, and only - 2. Choose a REST API. + 2. Choose a REST or WebSocket API. @@ -57 +57 @@ These instructions assume that you already completed Generate a client certifica - 1. In the API Gateway console, create or open an API for which you want to use the client certificate. Make sure that the API has been deployed to a stage. + 1. In the API Gateway console, create or open an REST or WebSocket API for which you want to use the client certificate. Make sure that the API has been deployed to a stage. @@ -76 +76 @@ After a certificate is selected for the API and saved, API Gateway uses the cert - 1. Choose an API method. Choose the **Test** tab. You might need to choose the right arrow button to show the **Test** tab. + 1. Choose a REST API method. Choose the **Test** tab. You might need to choose the right arrow button to show the **Test** tab. @@ -120 +120,28 @@ For other HTTPS server, see the documentation for the server. -The client certificate generated by API Gateway is valid for 365 days. You must rotate the certificate before a client certificate on an API stage expires to avoid any downtime for the API. You can check the expiration date of certificate by calling [clientCertificate:by-id](https://docs.aws.amazon.com/apigateway/latest/api/API_GetClientCertificate.html) of the API Gateway REST API or the AWS CLI command of [get-client-certificate](https://docs.aws.amazon.com/cli/latest/reference/apigateway/get-client-certificate.html) and inspecting the returned [expirationDate](https://docs.aws.amazon.com/apigateway/latest/api/API_ClientCertificate.html#expirationDate) property. +The client certificate generated by API Gateway is valid for 365 days. You must rotate the certificate before a client certificate on an API stage expires to avoid any downtime for the API. + +### Rotate an expiring client certificate using the AWS Management Console + +The following procedure shows how to rotate a client certificate in the console for a previously deployed API. + + 1. In the main navigation pane, choose **Client certificates**. + + 2. From the **Client certificates** pane, choose **Generate certificate**. + + 3. Open the API for which you want to use the client certificate. + + 4. Choose **Stages** under the selected API and then choose a stage. + + 5. In the **Stage details** section, choose **Edit**. + + 6. For **Client certificate** , select the new certificate. + + 7. To save the settings, choose **Save changes**. + +You need to redeploy the API for the changes to take effect. For more information, see [Create a deployment for a REST API in API Gateway](./set-up-deployments.html). + + + + +### Rotate an expiring client certificate using the AWS CLI + +You can check the expiration date of certificate by calling [clientCertificate:by-id](https://docs.aws.amazon.com/apigateway/latest/api/API_GetClientCertificate.html) of the API Gateway REST API or the AWS CLI command of [get-client-certificate](https://docs.aws.amazon.com/cli/latest/reference/apigateway/get-client-certificate.html) and inspecting the returned [expirationDate](https://docs.aws.amazon.com/apigateway/latest/api/API_ClientCertificate.html#expirationDate) property. @@ -148 +175,3 @@ Some servers might require a restart to finish the update. Consult the server do -or by calling the CLI command of [update-stage](https://docs.aws.amazon.com/cli/latest/reference/apigateway/update-stage.html). +You can also use the [update-stage](https://docs.aws.amazon.com/cli/latest/reference/apigateway/update-stage.html) command. + +If you are using a WebSocket API, use the `apigatewayv2` [update-stage](https://docs.aws.amazon.com/cli/latest/reference/apigatewayv2/update-stage.html) command . @@ -156 +185 @@ or by calling the CLI command of [update-stage](https://docs.aws.amazon.com/cli/ -or by calling the CLI command of [delete-client-certificate](https://docs.aws.amazon.com/cli/latest/reference/apigateway/delete-client-certificate.html): +You can also call the [delete-client-certificate](https://docs.aws.amazon.com/cli/latest/reference/apigateway/delete-client-certificate.html) command: @@ -163,21 +191,0 @@ or by calling the CLI command of [delete-client-certificate](https://docs.aws.am -To rotate a client certificate in the console for a previously deployed API, do the following: - - 1. In the main navigation pane, choose **Client certificates**. - - 2. From the **Client certificates** pane, choose **Generate certificate**. - - 3. Open the API for which you want to use the client certificate. - - 4. Choose **Stages** under the selected API and then choose a stage. - - 5. In the **Stage details** section, choose **Edit**. - - 6. For **Client certificate** , select the new certificate. - - 7. To save the settings, choose **Save changes**. - -You need to redeploy the API for the changes to take effect. For more information, see [Create a deployment for a REST API in API Gateway](./set-up-deployments.html). - - - -