TELCOSEC03-BP01 Secure the APIs used to expose telco network functionality

In modern telco networks, the Network Exposure Function (NEF) for 5G networks and the Service Capability Exposure Function (SCEF) for 4G networks provide APIs to expose network capabilities and services to external applications and partners. These APIs serve as the gateway for accessing sensitive network resources and data, making it crucial to implement robust security measures to protect them.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Implement strong authentication mechanisms and enforce role-based access control to authorize API access based on client permissions and privileges. Manage user identities and generate secure JSON web tokens. Verify API communication is encrypted using HTTPS/TLS protocols and leverage web application firewalls to enforce and monitor security. Implement API rate limiting and throttling to block potential denial-of-service attacks. Perform input validation and sanitization on API requests and integrate comprehensive logging and monitoring to detect and respond to suspicious API activity. Manage API versioning and deprecation to verify clients use the latest secure versions and regularly assess API security through automated testing and vulnerability management.

Implementation steps

API traffic encryption:
- Verify API communication is encrypted using HTTPS/TLS protocols with AWS Certificate Manager to manage SSL/TLS certificates.
- Leverage AWS WAF (Web Application Firewall) to enforce SSL/TLS adherence and monitor TLS cipher suite usage.
API rate limiting and throttling:
- Implement API rate limiting and throttling using Amazon API Gateway's built-in throttling capabilities.
- Configure API Gateway to enforce rate limits and block potential denial-of-service (DoS) attacks.
API input validation and sanitization:
- Utilize AWS Lambda functions as API backends to perform input validation and sanitization using libraries like express-validator or Joi.
- Integrate Amazon API Gateway with AWS WAF to apply custom security rules for input validation and protection against common web application vulnerabilities.
API logging and monitoring:
- Enable comprehensive logging of API requests and responses using Amazon CloudWatch Logs.
- Set up Amazon CloudWatch alarms and Amazon SNS notifications to alert on suspicious API activity.
API versioning and deprecation:
- USe Amazon API Gateway's versioning capabilities to manage multiple versions of the NEF and SCEF APIs.
- Implement version-specific access controls using AWS IAM policies to verify clients use the latest secure API versions.
- Utilize Amazon API Gateway's stage management features to deprecate older API versions and provide clear migration guidelines.
API security assessments:
- Perform API security assessments using AWS Security Hub CSPM, which aggregates findings from various AWS security services.
- Address identified vulnerabilities using AWS Systems Manager for patch management and AWS Lambda for rapid remediation.

Resources

Key AWS services:

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

External interface security

TELSEC03-BP02 Deploy signaling firewall on the roaming and interconnecting interfaces with other telco networks