AWS securityhub documentation change
Summary
Removed control APIGateway.10 which required API Gateway V2 integrations to use HTTPS for private connections
Security assessment
The removal of a security control documentation doesn't indicate a specific security vulnerability. While the control enforced HTTPS for private connections, its removal appears to be a documentation update rather than addressing an incident. No evidence of a security issue is provided in the diff.
Diff
diff --git a/securityhub/latest/userguide/apigateway-controls.md b/securityhub/latest/userguide/apigateway-controls.md index a92a13ba2..a0e4e4247 100644 --- a//securityhub/latest/userguide/apigateway-controls.md +++ b//securityhub/latest/userguide/apigateway-controls.md @@ -5 +5 @@ -[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections +[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication[APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled[APIGateway.4] API Gateway should be associated with a WAF Web ACL[APIGateway.5] API Gateway REST API cache data should be encrypted at rest[APIGateway.8] API Gateway routes should specify an authorization type[APIGateway.9] Access logging should be configured for API Gateway V2 Stages @@ -191,22 +190,0 @@ To set up access logging, see [Set up CloudWatch API logging using the API Gatew -## [APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections - -**Category:** Protect > Data Protection > Encryption of data-in-transit - -**Severity:** Medium - -**Resource type:** `AWS::ApiGatewayV2::Integration` - -**AWS Config rule:** [apigatewayv2-integration-private-https-enabled](https://docs.aws.amazon.com/config/latest/developerguide/apigatewayv2-integration-private-https-enabled.html) - -**Schedule type:** Change triggered - -**Parameters:** None - -This control checks whether an API Gateway V2 integration has HTTPS enabled for private connections. The control fails if a private connection doesn't have TLS configured. - -VPC Links connect API Gateway to private resources. While VPC Links create private connectivity, they don't inherently encrypt data. Configuring TLS ensures use of HTTPS for end-to-end encryption from client through API Gateway to backend. Without TLS, sensitive API traffic flows unencrypted across private connections. HTTPS encryption protects the traffic through private connections from data interception, man-in-the-middle attacks and credential exposure. - -### Remediation - -To enable encryption in transit for private connections in an API Gateway v2 Integration, see [Update a private integration](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html#set-up-private-integration-update) in the _Amazon API Gateway Developer Guide_. Configure [TLS configuration](https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-integrations-integrationid.html#apis-apiid-integrations-integrationid-model-tlsconfig) so that the private integration uses HTTPS protocol. -