Ensure API Gateway endpoints have client certificate authentication

This rule checks if the API Gateway endpoints in your AWS environment have client certificate authentication enabled. Client certificates provide an additional layer of security, ensuring that only trusted clients can access your APIs.

Risk Level: Low
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.AWS.CRY.89
Covered by Spectral: No
Category: Networking & Content Delivery


ApiGateway should have stages contain-all [ clientCertificateId ]


From Portal

  1. Navigate to the AWS Management Console.
  2. Open the Amazon API Gateway console.
  3. Choose the desired API from the navigation pane.
  4. For each stage, check if there's a client certificate associated.
  5. If not, associate a client certificate to strengthen the API's security.

From TF

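# Uploads the TLS certificate served on the API's custom domain name.
resource "aws_api_gateway_domain_name" "example" {
	domain_name             = "api.example.com" # placeholder; required argument
	certificate_name        = "example"
	certificate_body        = "..."
	certificate_private_key = "..."
	certificate_chain       = "..."
}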
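
The rule inspects clientCertificateId on every stage. In Terraform that value is set with the client_certificate_id argument of aws_api_gateway_stage, using a certificate from aws_api_gateway_client_certificate (the resource in the Terraform reference for this rule). The configuration below is an added example, not part of the original rule text; the resource names, stage names and backend URL are placeholders.

```hcl
# Added example: all names and the backend URL are placeholders.
resource "aws_api_gateway_rest_api" "example" {
  name = "example"
}

resource "aws_api_gateway_method" "root_get" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_rest_api.example.root_resource_id
  http_method   = "GET"
  authorization = "AWS_IAM"
}

# HTTP backend; API Gateway presents the stage's client certificate to it over TLS.
resource "aws_api_gateway_integration" "backend" {
  rest_api_id             = aws_api_gateway_rest_api.example.id
  resource_id             = aws_api_gateway_rest_api.example.root_resource_id
  http_method             = aws_api_gateway_method.root_get.http_method
  type                    = "HTTP_PROXY"
  integration_http_method = "GET"
  uri                     = "https://backend.example.com/"
}

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  depends_on  = [aws_api_gateway_integration.backend]
}

# API Gateway generates this certificate and keeps its private key.
resource "aws_api_gateway_client_certificate" "example" {
  description = "Presented by API Gateway to the HTTP backend"
}

# Fails the rule: the stage has no clientCertificateId.
resource "aws_api_gateway_stage" "dev" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "dev"
}

# Passes the rule: the stage references the generated client certificate.
resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = aws_api_gateway_rest_api.example.id
  deployment_id         = aws_api_gateway_deployment.example.id
  stage_name            = "prod"
  client_certificate_id = aws_api_gateway_client_certificate.example.id
}
```

Because the rule uses contain-all, the API passes only once every stage, including dev here, carries a client_certificate_id. The backend must also be configured to require and trust the certificate, whose PEM is available as the pem_encoded_certificate attribute of the client certificate resource.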

From Command Line

  1. List API stages to identify those without client certificate authentication:
     aws apigateway get-stages --rest-api-id REST_API_ID
  2. Associate a client certificate with stages that don't have one:
     aws apigateway update-stage --rest-api-id REST_API_ID --stage-name STAGE_NAME --patch-operations op='add',path='/clientCertificateId',value='CERTIFICATE_ID'


  1. https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_client_certificate

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a "front door" for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset