Vulnerability Discussion
The API Gateway must audit rate-limiting events to ensure robust security, performance, and compliance across all APIs it manages. Rate limiting is a critical mechanism to protect APIs from abuse, such as denial-of-service (DoS) attacks or excessive resource consumption by malicious users. By auditing these events, the gateway can track and log instances where rate limits are exceeded, providing valuable insight into abnormal traffic patterns or attempts to bypass limits. This helps identify potential threats early, allowing for timely intervention. Additionally, auditing rate-limiting events allows for detailed logging and reporting, which are essential for troubleshooting, performance monitoring, and ensuring fair usage of API resources.

Check

If an API Gateway is not in use, this is Not Applicable.
1. Access the API Gateway's configuration to verify rate limiting is enabled. Rate limiting will specify how many requests are allowed per time period (e.g., 1000 requests per hour).
2. Verify rate-limiting events are configured to be logged. This includes events where a user exceeds their allowed request rate, triggering rate-limiting actions.
3. After triggering rate-limiting events, check the API's audit or access logs. Entries should:
- Indicate when a rate limit was exceeded.
- Include details about the API key or user who exceeded the limit.
- Provide the rate-limiting threshold (e.g., "rate limit exceeded: 1000 requests per hour").
- Mention the specific API endpoint that was accessed.
4. Test the API to verify it behaves correctly when a rate limit is exceeded. For example, the API should return an appropriate status code (e.g., HTTP 429 Too Many Requests).
5. Check the API Gateway logs to determine if the gateway logs rate-limiting events properly, including identifying when the threshold is exceeded and what actions are taken (e.g., temporary block).
6. Review the organization's security policies to ensure rate-limiting events are properly audited as per requirements.
If the API Gateway is not auditing rate-limiting events, this is a finding.

Fix

Build or configure the API Gateway to enforce rate limits and log these events, including the thresholds for triggering rate limiting.
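The following is an added example, not part of this STIG text or any particular gateway product, showing one way a gateway can satisfy both the Fix and check items 3 and 4: a fixed-window limiter that returns HTTP 429 once the threshold is exceeded and writes a structured audit event naming the time, the client, the threshold, the endpoint and the action taken. The limit, window, client identifier and endpoint are assumed values constructed for the example, and `audit_entry_is_complete` is a hypothetical helper that checks an entry for the fields the check procedure requires.

```python
import json
import time
from collections import defaultdict

# Assumed policy values; the check text uses 1000 requests per hour as its example.
LIMIT = 1000
WINDOW_SECONDS = 3600
REQUIRED_FIELDS = ("timestamp", "event", "client_id", "endpoint", "threshold", "action")

class RateLimitingGateway:
    """Fixed-window limiter per (client, endpoint) that writes a structured
    audit event every time the threshold is exceeded."""
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.counters = defaultdict(int)   # (client_id, endpoint, window_start) -> count
        self.audit_log = []                # JSON lines a SIEM could ingest

    def handle(self, client_id, endpoint, now):
        """Return the HTTP status to send: 200 if within limit, else 429."""
        window_start = int(now // self.window) * self.window
        key = (client_id, endpoint, window_start)
        self.counters[key] += 1
        if self.counters[key] <= self.limit:
            return 200
        self.audit_log.append(json.dumps({
            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
            "event": "rate_limit_exceeded",
            "client_id": client_id,          # API key identifier, never the secret itself
            "endpoint": endpoint,
            "threshold": f"{self.limit} requests per {self.window} seconds",
            "observed": self.counters[key],
            "action": "reject_429",
        }))
        return 429

def audit_entry_is_complete(line):
    """Check item 3: an entry must say when, who, the threshold and the endpoint."""
    entry = json.loads(line)
    return all(entry.get(f) for f in REQUIRED_FIELDS)

def simulate(limit=5):
    """Constructed traffic: one client sends limit + 2 requests inside one window."""
    gw = RateLimitingGateway(limit=limit)
    statuses = [gw.handle("key-7f3a", "/v1/orders", 1_700_000_000 + i) for i in range(limit + 2)]
    return statuses, gw.audit_log

if __name__ == "__main__":
    statuses, log = simulate()
    print(statuses)                # [200, 200, 200, 200, 200, 429, 429]
    for line in log:
        print(line, audit_entry_is_complete(line))
```

Reviewing the emitted JSON lines against the four bullets in check item 3 is the same verification an assessor performs on a real gateway's access log.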