AWS ApiGateway
Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
API Gateway provides a number of security features to consider as you design and implement your security architecture. Here are some key considerations.
Implement least privilege access
Use IAM policies to implement least privilege access for creating, reading, updating, or deleting API Gateway APIs.
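As an added illustration that is not part of the provider guidance on this page, the Python below contrasts an IAM policy scoped to one REST API with an unscoped one and checks every Allow statement for wildcard actions or resources. API Gateway IAM actions are named after HTTP verbs (apigateway:GET, apigateway:PATCH, and so on) and resources use the arn:aws:apigateway:region::/restapis/api-id form; the region, account id and API id below are placeholders.

```python
import json

# Constructed example: a policy limited to one REST API (the API id is a placeholder).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ManageOneRestApi",
            "Effect": "Allow",
            "Action": ["apigateway:GET", "apigateway:POST", "apigateway:PUT",
                       "apigateway:PATCH", "apigateway:DELETE"],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis/abc123def4",
                "arn:aws:apigateway:us-east-1::/restapis/abc123def4/*",
            ],
        }
    ],
}

# Constructed example: the common anti-pattern of all actions on all APIs.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllApiGateway", "Effect": "Allow",
         "Action": "apigateway:*", "Resource": "*"}
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return one finding per wildcard action or resource in an Allow statement.

    A wildcard action is "*" or "service:*"; a wildcard resource is "*" or a
    region-wide API Gateway ARN ending in "::/*".
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith("::/*"):
                findings.append(f"{sid}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("overly-broad", OVERLY_BROAD_POLICY)):
        print(name, json.dumps(find_broad_statements(policy)))
```

The check is deliberately narrow: it only flags the patterns the least-privilege recommendation is about (unbounded actions and resources), so a policy that passes it still needs review of which verbs each role really needs.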
Implement logging
Use CloudWatch Logs or Amazon Kinesis Data Firehose to log requests to your APIs.
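The settings behind this recommendation (the Access Log Setting, Logging Level, Data Trace Enabled and Metrics Enabled properties listed in the property tables further down, together with the cache-encryption and throttling properties from the same tables) can be checked mechanically in a CloudFormation template. The following is an added example, not code from this page or from AWS: a constructed JSON template fragment with one weak and one hardened AWS::ApiGateway::Stage, and an audit function over it. The log group ARN, account id and resource names are hypothetical.

```python
import json

# Constructed CloudFormation fragment (JSON form). ARNs and names are placeholders.
TEMPLATE_JSON = r'''
{
  "Resources": {
    "WeakStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "RestApiId": {"Ref": "RestApi"},
        "StageName": "dev",
        "CacheClusterEnabled": true,
        "MethodSettings": [
          {"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "OFF",
           "DataTraceEnabled": true, "MetricsEnabled": false,
           "CachingEnabled": true, "CacheDataEncrypted": false}
        ]
      }
    },
    "HardenedStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "RestApiId": {"Ref": "RestApi"},
        "StageName": "prod",
        "CacheClusterEnabled": true,
        "AccessLogSetting": {
          "DestinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:/apigw/prod-access",
          "Format": "{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"method\":\"$context.httpMethod\",\"path\":\"$context.path\",\"status\":\"$context.status\"}"
        },
        "MethodSettings": [
          {"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "ERROR",
           "DataTraceEnabled": false, "MetricsEnabled": true,
           "CachingEnabled": true, "CacheDataEncrypted": true,
           "ThrottlingBurstLimit": 500, "ThrottlingRateLimit": 100}
        ]
      }
    }
  }
}
'''
TEMPLATE = json.loads(TEMPLATE_JSON)


def audit_stage(props):
    """Return a list of findings for one AWS::ApiGateway::Stage's Properties."""
    findings = []
    log_setting = props.get("AccessLogSetting") or {}
    fmt = log_setting.get("Format", "")
    if not log_setting.get("DestinationArn"):
        findings.append("access logging not configured (AccessLogSetting.DestinationArn)")
    elif "$context.requestId" not in fmt and "$context.extendedRequestId" not in fmt:
        findings.append("access log format has no request id field")
    settings = props.get("MethodSettings") or []
    if not any(m.get("ResourcePath") == "/*" and m.get("HttpMethod") == "*" for m in settings):
        findings.append("no stage-wide MethodSettings entry (ResourcePath /* , HttpMethod *)")
    for m in settings:
        where = f"{m.get('HttpMethod', '?')} {m.get('ResourcePath', '?')}"
        if m.get("LoggingLevel", "OFF") == "OFF":
            findings.append(f"{where}: execution logging is OFF")
        if m.get("DataTraceEnabled", False):
            findings.append(f"{where}: DataTraceEnabled writes full request/response payloads to logs")
        if not m.get("MetricsEnabled", False):
            findings.append(f"{where}: MetricsEnabled is false")
        if m.get("CachingEnabled", False) and not m.get("CacheDataEncrypted", False):
            findings.append(f"{where}: caching enabled without CacheDataEncrypted")
        if "ThrottlingRateLimit" not in m or "ThrottlingBurstLimit" not in m:
            findings.append(f"{where}: no explicit throttling limits")
    return findings


def audit_template(template):
    """Map each AWS::ApiGateway::Stage logical id to its findings."""
    return {name: audit_stage(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::ApiGateway::Stage"}


if __name__ == "__main__":
    print(json.dumps(audit_template(TEMPLATE), indent=2))
```

Data trace logging is flagged rather than recommended because it copies request and response bodies into CloudWatch Logs, which is rarely appropriate outside short debugging windows; execution logging at ERROR keeps the error records without that exposure.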
Implement Amazon CloudWatch alarms
Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions when a metric is in a particular state. Rather, the state must have changed and been maintained for a specified number of periods.
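The following added example (not from this page or from AWS) replays a metric series through a simplified model of that evaluation: a threshold is checked over a sliding window of evaluation periods, and the actions list records only the periods at which the alarm state actually changes, which is why a single spike produces no notification while a sustained breach produces exactly one. The model fixes a greater-than comparison and ignores CloudWatch's missing-data options.

```python
def evaluate_alarm(datapoints, threshold, evaluation_periods, datapoints_to_alarm=None):
    """Simplified CloudWatch alarm semantics over a list of metric values.

    Returns (states, actions): the state after each period, and the list of
    (period_index, old_state, new_state) transitions, which is when actions
    such as an SNS notification would fire. datapoints_to_alarm defaults to
    evaluation_periods (every period in the window must breach).
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    state = "INSUFFICIENT_DATA"  # an alarm has no verdict until the window is full
    states, actions = [], []
    for i, _ in enumerate(datapoints):
        window = datapoints[max(0, i - evaluation_periods + 1): i + 1]
        if len(window) < evaluation_periods:
            new_state = "INSUFFICIENT_DATA"
        else:
            breaching = sum(1 for v in window if v > threshold)
            new_state = "ALARM" if breaching >= datapoints_to_alarm else "OK"
        if new_state != state:
            actions.append((i, state, new_state))
            state = new_state
        states.append(state)
    return states, actions


if __name__ == "__main__":
    # Constructed 5XXError-style series: one isolated spike, then a sustained breach.
    series = [1, 2, 15, 16, 17, 18, 19, 3, 2, 1]
    states, actions = evaluate_alarm(series, threshold=10, evaluation_periods=3)
    for i, (value, state) in enumerate(zip(series, states)):
        print(f"period {i}: value={value:>2} state={state}")
    print("actions fired:", actions)
```

With three evaluation periods, the spike at period 2 never reaches ALARM because the window still contains two non-breaching values; the alarm enters ALARM at period 4, stays there through period 6 without firing again, and returns to OK at period 7.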
Enable AWS CloudTrail
CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, when it was made, and additional details.
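As an added example that is not part of this guidance, the Python below reads a constructed CloudTrail log (placeholder account id, ARNs and documentation-range IP addresses), keeps only API Gateway control-plane events, and extracts the who, when, from-where and what fields the paragraph describes. It then flags UpdateStage calls whose patch operations turn execution logging off or remove access logging, which is the kind of change a reviewer would want correlated with the logging recommendation above.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records (not real events). Identities and IPs are placeholders.
CLOUDTRAIL_LOG = json.loads(r'''
{"Records": [
  {"eventVersion": "1.08", "eventTime": "2024-05-01T12:00:00Z",
   "eventSource": "apigateway.amazonaws.com", "eventName": "UpdateStage",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
   "requestParameters": {"restApiId": "abc123def4", "stageName": "prod",
     "patchOperations": [{"op": "replace", "path": "/*/*/logging/loglevel", "value": "OFF"}]}},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T12:05:00Z",
   "eventSource": "apigateway.amazonaws.com", "eventName": "GetRestApis",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
   "requestParameters": null},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T12:06:00Z",
   "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}}
]}
''')

# API Gateway control-plane calls that change configuration start with these verbs.
MUTATING_PREFIXES = ("Create", "Update", "Delete", "Put", "Import", "Flush")


def apigateway_events(log):
    """Summarise each API Gateway event: who, when, source IP, action, request."""
    rows = []
    for rec in log["Records"]:
        if rec.get("eventSource") != "apigateway.amazonaws.com":
            continue
        rows.append({
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "who": rec["userIdentity"].get("arn"),
            "ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            "request": rec.get("requestParameters") or {},
            "mutating": rec["eventName"].startswith(MUTATING_PREFIXES),
        })
    return rows


def logging_downgrades(log):
    """Return (who, ip, stage, patch path) for UpdateStage calls that weaken logging."""
    hits = []
    for row in apigateway_events(log):
        if row["action"] != "UpdateStage":
            continue
        for op in row["request"].get("patchOperations", []):
            path = op.get("path", "")
            turns_logging_off = path.endswith("/logging/loglevel") and op.get("value") == "OFF"
            removes_access_log = op.get("op") == "remove" and path.startswith("/accessLogSettings")
            if turns_logging_off or removes_access_log:
                hits.append((row["who"], row["ip"], row["request"].get("stageName"), path))
    return hits


if __name__ == "__main__":
    for row in apigateway_events(CLOUDTRAIL_LOG):
        print(row["when"].isoformat(), row["who"], row["ip"], row["action"], "mutating" if row["mutating"] else "read-only")
    print("logging downgrades:", logging_downgrades(CLOUDTRAIL_LOG))
```

Read-only calls such as GetRestApis are kept in the summary because CloudTrail records them too; the mutating flag is what a detection rule would key on when deciding which events deserve an alert.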
Design Guidance:
Cloud Watch Role Arn

Access Log Setting-Destination Arn
Access Log Setting-Format
Stage Description-Data Trace Enabled
Stage Description-Logging Level
Method Settings-Data Trace Enabled
Method Settings-Logging Level
Method Settings-Metrics Enabled

Access Log Setting-Destination Arn
Access Log Setting-Format
Method Settings-Logging Level

Access Log Setting

Design Guidance:
Description
Enabled
Value

Identity Source
Identity Validation Expression
Provider Arns
Type

Api Key Required

Design Guidance:
Tags

Stage Description-Tags

Tags

Tags

Tags

Tags

Design Guidance:
Description
Stage Description
Stage Description-Description
Stage Description-Documentation Version
Stage Description-Method Settings
Method Settings-Resource Path
Stage Name

Domain Name

Response Parameters
Response Type

Path Part

Body
Description
Fail On Warnings

Description
Method Settings
Method Settings-Resource Path
Stage Name
Variables

Api Stages-Stage
Description
Usage Plan Name

Integration-Type
Integration-Uri

Design Guidance:
Stage Description-Cache Data Encrypted
Method Settings-Cache Data Encrypted

Method Settings-Cache Data Encrypted

Design Guidance:
Stage Description-Cache Ttl In Seconds
Method Settings-Cache Ttl In Seconds
Stage Description-Caching Enabled
Method Settings-Caching Enabled

Method Settings-Cache Ttl In Seconds
Method Settings-Caching Enabled

Design Guidance:
Stage Description-Client Certificate Id

Client Certificate Id

Mutual TLS Authentication
Mutual TLS Authentication-Truststore Uri
Mutual TLS Authentication-Truststore Version

Design Guidance:
Method Settings-HTTP Method

Method Settings-HTTP Method

HTTP Method
Integration-Integration HTTP Method

Design Guidance:
Method Settings-Throttling Burst Limit
Method Settings-Throttling Rate Limit
Stage Description-Throttling Burst Limit
Stage Description-Throttling Rate Limit

Method Settings-Throttling Burst Limit
Method Settings-Throttling Rate Limit

Api Stages-Throttle
[a-z A-z0-9]+-Burst Limit
[a-z A-z0-9]+-Rate Limit
Throttle-Burst Limit
Throttle-Rate Limit

Design Guidance:
Pattern Properties-[a-z A-z0-9]+

Validate Request Body
Validate Request Parameters

Integration-Request Parameters
Integration-Request Templates

Design Guidance:
Endpoint Configuration-Types

Endpoint Configuration-Types

Integration-Connection Type

Design Guidance:
Certificate Arn
Regional Certificate Arn
Security Policy

Design Guidance:
Response Templates

Integration-Integration Responses
Integration Responses-Response Parameters
Integration Responses-Response Templates
Method Responses
Method Responses-Response Models
Method Responses-Response Parameters

Design Guidance:
Status Code

Integration Responses-Selection Pattern
Integration Responses-Status Code
Method Responses-Status Code

Design Guidance:
Policy

Design Guidance:
Quota-Limit
Quota-Offset
Quota-Period

Design Guidance:
Auth Type
Authorizer Credentials
Authorizer Uri

Authorization Scopes
Authorization Type