Is it possible to disable TCP timestamps on API Gateway?

0

The latest PCI compliance rules require disabling TCP timestamps as described in RFC 1323 and RFC 7323. Is it possible to configure either API Gateway or the associated CloudFront proxy to disable this feature?

Details:

The typical way to disable this feature on a Linux server is to run this command: sysctl -w net.ipv4.tcp_timestamps=0

The latest PCI compliance specification can be found here: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf

Side note: it appears that AWS randomizes the TCP timestamps on a per-connection basis to prevent an attacker from detecting server restarts, but I can't find any documentation to support this theory. Is there any such documentation?

1 Answer
3

Disabling TCP timestamps on API Gateway or its associated CloudFront proxy is not directly configurable. AWS does not provide an explicit option to disable TCP timestamps for these services. However, AWS randomizes TCP timestamps on a per-connection basis to mitigate risks like server restart detection, as you mentioned. Unfortunately, to my understanding there doesn't seem to be official documentation confirming this randomization approach. For PCI compliance, you might consider the following:

  • Alternative Mitigation: Since disabling TCP timestamps isn't feasible, you can document the randomization behavior as a compensating control for auditors. This approach aligns with AWS's security practices.
EXPERT
answered a month ago
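Since neither service exposes the setting, the evidence an assessor can be shown is what the endpoint actually emits on the wire. The following is an added example, not code from the question, the answer or AWS: it parses the TCP options of SYN-ACK headers (constructed samples built by build_synack, not real captures) for the RFC 7323 Timestamps option (kind 8, length 10) and classifies what it finds. The 5000-tick threshold, the label names and the SYN-ACK layout are assumptions for illustration.

```python
import struct

# TCP option kinds (RFC 793 / RFC 7323)
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(tcp_header):
    """Return {kind: value_bytes} for the options carried in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4   # header length in bytes, incl. options
    opts, parsed, i = tcp_header[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:                 # single-byte padding option
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option list")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed

def timestamp_value(tcp_header):
    """TSval of the Timestamps option, or None when the peer did not send one."""
    raw = parse_tcp_options(tcp_header).get(TCPOPT_TIMESTAMP)
    if raw is None or len(raw) != 8:
        return None
    tsval, _tsecr = struct.unpack("!II", raw)
    return tsval

def build_synack(tsval=None, sport=443, dport=51000):
    """Constructed sample SYN-ACK header (not a real capture): MSS plus optional TS."""
    opts = b"\x02\x04\x05\xb4"                                     # MSS 1460
    if tsval is not None:
        opts += b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, 1)  # NOP NOP TS
    opts += b"\x00" * (-len(opts) % 4)                             # pad to 32 bits
    doff = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, 0x12, 65535, 0, 0)
    return fixed + opts

def assess_timestamps(synacks, max_clock_delta=5000):
    """Heuristic (assumed threshold): 'absent' if no SYN-ACK carries the option;
    'shared_clock' if TSvals of back-to-back connections sit within max_clock_delta
    ticks of one host clock; else 'per_connection_offset' (randomised offsets).
    Ignores 32-bit TSval wraparound, which only matters across very long captures."""
    present = [v for v in (timestamp_value(h) for h in synacks) if v is not None]
    if not present:
        return "absent"
    spread = max(present) - min(present)
    return "shared_clock" if spread <= max_clock_delta else "per_connection_offset"
```

Feed real headers (for example the TCP layer of several SYN-ACKs captured while opening connections a few milliseconds apart) to assess_timestamps to record what the endpoint does.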
