Links

AWS ApiGateway

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization uses.
AWS Security Best Practices
API Gateway provides a number of security features to consider as you design and implement your security architecture. Key considerations:
Implement least privilege access: use IAM policies that grant only the permissions needed to create, read, update, or delete API Gateway APIs.
Implement logging: use CloudWatch Logs or Amazon Kinesis Data Firehose to log requests to your APIs.
Implement Amazon CloudWatch alarms: a CloudWatch alarm watches a single metric over a period you specify. If the metric crosses a given threshold, a notification is sent to an Amazon Simple Notification Service topic or an AWS Auto Scaling policy. Alarms do not invoke actions simply because a metric is in a particular state; the state must have changed and been maintained for a specified number of periods.
Enable AWS CloudTrail: CloudTrail records actions taken by a user, role, or AWS service in API Gateway. From this record you can determine the request that was made to API Gateway, the IP address it came from, who made it, when it was made, and additional details. Note that CloudTrail covers the management (control-plane) API; invocations of your deployed APIs are recorded by the access logging configured under Logging below, not by CloudTrail.

Logging

Design Guidance:

AWS::ApiGateway::Account
  Cloud Watch Role Arn (Terraform)

AWS::ApiGateway::Deployment
  Access Log Setting-Destination Arn (Terraform)
  Access Log Setting-Format (Terraform)
  Stage Description-Data Trace Enabled (Terraform)
  Stage Description-Logging Level (Terraform)
  Method Settings-Data Trace Enabled (Terraform)
  Method Settings-Logging Level (Terraform)
  Method Settings-Metrics Enabled (Terraform)

AWS::ApiGateway::Stage
  Access Log Setting-Destination Arn (Terraform)
  Access Log Setting-Format (Terraform)
  Method Settings-Logging Level (Terraform)
  Access Log Setting (Terraform)
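The Logging properties above expressed in Terraform, as an added example that is not part of this page or of AWS's own documentation: the account-level CloudWatch role, JSON access logging on a stage, and execution logging for every method. The resources `aws_api_gateway_rest_api.api` and `aws_api_gateway_deployment.api` are assumed to exist elsewhere; all names are assumptions.

```hcl
# Account-level role API Gateway assumes to write to CloudWatch Logs.
# One per region per account; no stage can log until it is set.
resource "aws_iam_role" "apigw_logs" {
  name = "apigw-cloudwatch-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "apigateway.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "apigw_logs" {
  role       = aws_iam_role.apigw_logs.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_api_gateway_account" "this" {
  cloudwatch_role_arn = aws_iam_role.apigw_logs.arn
}

resource "aws_cloudwatch_log_group" "access" {
  name              = "/apigw/${aws_api_gateway_rest_api.api.name}/access"
  retention_in_days = 365
}

# Access logs: one JSON line per request, independent of execution logging.
resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  deployment_id = aws_api_gateway_deployment.api.id
  stage_name    = "prod"

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.access.arn
    format = jsonencode({
      requestId         = "$context.requestId"
      ip                = "$context.identity.sourceIp"
      caller            = "$context.identity.caller"
      user              = "$context.identity.user"
      requestTime       = "$context.requestTime"
      httpMethod        = "$context.httpMethod"
      resourcePath      = "$context.resourcePath"
      status            = "$context.status"
      integrationStatus = "$context.integrationStatus"
      errorMessage      = "$context.error.message"
      protocol          = "$context.protocol"
      responseLength    = "$context.responseLength"
    })
  }

  depends_on = [aws_api_gateway_account.this]
}

# Execution logging for every method on the stage ("*/*").
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled    = true
    logging_level      = "INFO"  # "ERROR" is the minimum useful level; "OFF" disables execution logs
    data_trace_enabled = false   # true writes full request/response headers and bodies (Authorization included) to CloudWatch
  }
}
```

Keep `data_trace_enabled` off outside short debugging windows: the traced bodies and headers land in the execution log group in plaintext and are readable by anyone with `logs:GetLogEvents` on it. The access log format above uses only `$context` variables, so it never captures request bodies.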

Identification and Authentication

Design Guidance:

AWS::ApiGateway::ApiKey
  Description (Terraform)
  Enabled (Terraform)
  Value (Terraform)

AWS::ApiGateway::Authorizer
  Identity Source (Terraform)
  Identity Validation Expression (Terraform)
  Provider Arns (Terraform)
  Type (Terraform)

AWS::ApiGateway::Method
  Api Key Required (Terraform)

Asset Inventory

Design Guidance:

AWS::ApiGateway::ApiKey
  Tags (Terraform)

AWS::ApiGateway::Deployment
  Stage Description-Tags (Terraform)

AWS::ApiGateway::DomainName
  Tags (Terraform)

AWS::ApiGateway::RestApi
  Tags (Terraform)

AWS::ApiGateway::Stage
  Tags (Terraform)

AWS::ApiGateway::UsagePlan
  Tags (Terraform)

Application Lifecycle Management

Design Guidance:

AWS::ApiGateway::Deployment
  Description (Terraform)
  Stage Description (Terraform)
  Stage Description-Description (Terraform)
  Stage Description-Documentation Version (Terraform)
  Stage Description-Method Settings (Terraform)
  Method Settings-Resource Path (Terraform)
  Stage Name (Terraform)

AWS::ApiGateway::DomainName
  Domain Name (Terraform)

AWS::ApiGateway::GatewayResponse
  Response Parameters (Terraform)
  Response Type (Terraform)

AWS::ApiGateway::Resource
  Path Part (Terraform)

AWS::ApiGateway::RestApi
  Body (Terraform)
  Description (Terraform)
  Fail On Warnings (Terraform)

AWS::ApiGateway::Stage
  Description (Terraform)
  Method Settings (Terraform)
  Method Settings-Resource Path (Terraform)
  Stage Name (Terraform)
  Variables (Terraform)

AWS::ApiGateway::UsagePlan
  Api Stages-Stage (Terraform)
  Description (Terraform)
  Usage Plan Name (Terraform)

AWS::ApiGateway::Method
  Integration-Type (Terraform)
  Integration-Uri (Terraform)

Transparent Data Encryption

Design Guidance:

AWS::ApiGateway::Deployment
  Stage Description-Cache Data Encrypted (Terraform)
  Method Settings-Cache Data Encrypted (Terraform)

AWS::ApiGateway::Stage
  Method Settings-Cache Data Encrypted (Terraform)

Cache Management

Design Guidance:

AWS::ApiGateway::Deployment
  Stage Description-Cache Ttl In Seconds (Terraform)
  Method Settings-Cache Ttl In Seconds (Terraform)
  Stage Description-Caching Enabled (Terraform)
  Method Settings-Caching Enabled (Terraform)

AWS::ApiGateway::Stage
  Method Settings-Cache Ttl In Seconds (Terraform)
  Method Settings-Caching Enabled (Terraform)
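One Terraform example, added here and not taken from this page or from AWS, that covers both the Transparent Data Encryption and the Cache Management properties above: a stage cache cluster, caching enabled with encryption on a single read-only method, and caching explicitly disabled everywhere else. `aws_api_gateway_rest_api.api`, `aws_api_gateway_deployment.api` and the `items` resource are assumed.

```hcl
# Stage-level cache cluster. Nothing is cached until a method setting turns caching on.
resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = aws_api_gateway_rest_api.api.id
  deployment_id         = aws_api_gateway_deployment.api.id
  stage_name            = "prod"
  cache_cluster_enabled = true
  cache_cluster_size    = "0.5"   # GB, the smallest size
}

# Cache only the public listing, and never keep cached payloads in plaintext.
resource "aws_api_gateway_method_settings" "items_get" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "items/GET"   # "<resource path>/<METHOD>", no leading slash

  settings {
    caching_enabled      = true
    cache_ttl_in_seconds = 60
    cache_data_encrypted = true
    # A client sending "Cache-Control: max-age=0" can force a backend hit on every request
    # (a cheap way to defeat the cache and load the origin). Require IAM auth for that
    # header and reject it otherwise.
    require_authorization_for_cache_control    = true
    unauthorized_cache_control_header_strategy = "FAIL_WITH_403"
  }
}

# Everything else stays uncached so a response built for one caller is never served to another.
resource "aws_api_gateway_method_settings" "default" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    caching_enabled = false
  }
}
```

The cache key is the resource path plus whatever `cache_key_parameters` the method's `aws_api_gateway_integration` declares. A method whose response depends on the caller must either list the identity-bearing parameter (for example the `Authorization` header) as a cache key or stay uncached; otherwise the first caller's response is returned to everyone for the TTL.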

Source Authentication

Design Guidance:

AWS::ApiGateway::Deployment
  Stage Description-Client Certificate Id (Terraform)

AWS::ApiGateway::Stage
  Client Certificate Id (Terraform)

AWS::ApiGateway::DomainName
  Mutual TLS Authentication (Terraform)
  Mutual TLS Authentication-Truststore Uri (Terraform)
  Mutual TLS Authentication-Truststore Version (Terraform)

Secure Response Headers

Design Guidance:

AWS::ApiGateway::Deployment
  Method Settings-HTTP Method (Terraform)

AWS::ApiGateway::Stage
  Method Settings-HTTP Method (Terraform)

AWS::ApiGateway::Method
  HTTP Method (Terraform)
  Integration-Integration HTTP Method (Terraform)

Transaction Rate-limiting

Design Guidance:

AWS::ApiGateway::Deployment
  Method Settings-Throttling Burst Limit (Terraform)
  Method Settings-Throttling Rate Limit (Terraform)
  Stage Description-Throttling Burst Limit (Terraform)
  Stage Description-Throttling Rate Limit (Terraform)

AWS::ApiGateway::Stage
  Method Settings-Throttling Burst Limit (Terraform)
  Method Settings-Throttling Rate Limit (Terraform)

AWS::ApiGateway::UsagePlan
  Api Stages-Throttle (Terraform)
  Api Stages-Throttle-(per-method key, e.g. "/orders/POST")-Burst Limit (Terraform)
  Api Stages-Throttle-(per-method key, e.g. "/orders/POST")-Rate Limit (Terraform)
  Throttle-Burst Limit (Terraform)
  Throttle-Rate Limit (Terraform)

Input Validation

Design Guidance:

AWS::ApiGateway::Deployment
  Pattern Properties-[a-z A-z0-9]+ (Terraform)

AWS::ApiGateway::RequestValidator
  Validate Request Body (Terraform)
  Validate Request Parameters (Terraform)

AWS::ApiGateway::Method
  Integration-Request Parameters (Terraform)
  Integration-Request Templates (Terraform)
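The Input Validation properties above in Terraform, as an added example that is not from this page or from AWS: a request validator, a JSON Schema model bound to the method, required parameters, and a mapping template so that only validated fields reach the backend. `aws_api_gateway_rest_api.api`, `aws_api_gateway_resource.orders` and `aws_lambda_function.orders` are assumed to exist.

```hcl
resource "aws_api_gateway_request_validator" "body_and_params" {
  name                        = "body-and-params"
  rest_api_id                 = aws_api_gateway_rest_api.api.id
  validate_request_body       = true
  validate_request_parameters = true
}

# JSON Schema draft-04 model. additionalProperties=false rejects fields the backend never asked for.
resource "aws_api_gateway_model" "order" {
  rest_api_id  = aws_api_gateway_rest_api.api.id
  name         = "Order"
  content_type = "application/json"
  schema = jsonencode({
    "$schema"            = "http://json-schema.org/draft-04/schema#"
    type                 = "object"
    required             = ["sku", "quantity"]
    additionalProperties = false
    properties = {
      sku      = { type = "string", pattern = "^[A-Z0-9]{4,12}$" }
      quantity = { type = "integer", minimum = 1, maximum = 100 }
    }
  })
}

resource "aws_api_gateway_method" "orders_post" {
  rest_api_id          = aws_api_gateway_rest_api.api.id
  resource_id          = aws_api_gateway_resource.orders.id
  http_method          = "POST"
  authorization        = "AWS_IAM"
  request_validator_id = aws_api_gateway_request_validator.body_and_params.id
  request_models       = { "application/json" = aws_api_gateway_model.order.name }
  # true = required. A missing required parameter is a 400 before the integration runs.
  request_parameters = {
    "method.request.header.X-Correlation-Id" = true
    "method.request.querystring.dryRun"      = false
  }
}

resource "aws_api_gateway_integration" "orders_post" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.orders.id
  http_method             = aws_api_gateway_method.orders_post.http_method
  integration_http_method = "POST"
  type                    = "AWS"
  uri                     = aws_lambda_function.orders.invoke_arn
  # Body validation only runs for content types that have a model. With NEVER, a request
  # sent as text/plain (no model, no template) gets 415 instead of being forwarded raw.
  passthrough_behavior = "NEVER"
  # Rebuild the payload from validated fields only. The model guarantees quantity is an
  # integer, which is what makes the unquoted $input.path('$.quantity') safe here.
  request_templates = {
    "application/json" = <<-EOT
      {
        "sku": "$util.escapeJavaScript($input.path('$.sku'))",
        "quantity": $input.path('$.quantity'),
        "caller": "$context.identity.userArn"
      }
    EOT
  }
  request_parameters = {
    "integration.request.header.X-Correlation-Id" = "method.request.header.X-Correlation-Id"
  }
}
```

Validation and mapping templates apply to `AWS` and `HTTP` integrations; with `AWS_PROXY` or `HTTP_PROXY` the request is passed through unchanged, so the model is still checked but the backend receives the original body.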

Network Isolation and Segregation

Design Guidance:

AWS::ApiGateway::DomainName
  Endpoint Configuration-Types (Terraform)

AWS::ApiGateway::RestApi
  Endpoint Configuration-Types (Terraform)

AWS::ApiGateway::Method
  Integration-Connection Type (Terraform)

TLS

Design Guidance:

AWS::ApiGateway::DomainName
  Certificate Arn (Terraform)
  Regional Certificate Arn (Terraform)
  Security Policy (Terraform)
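One Terraform example covering both the Source Authentication and the TLS properties above, added here and not part of this page or of AWS's documentation: a regional custom domain with the TLS 1.2 security policy and mutual TLS against a versioned truststore, plus a client certificate the gateway presents to the backend. `aws_acm_certificate.api`, `aws_api_gateway_deployment.api` and a local `clients.pem` file are assumptions.

```hcl
resource "aws_api_gateway_rest_api" "api" {
  name = "orders"
  # mTLS is enforced only on the custom domain. Close the default
  # https://{id}.execute-api.{region}.amazonaws.com endpoint so it cannot be used to bypass it.
  disable_execute_api_endpoint = true
  endpoint_configuration { types = ["REGIONAL"] }
}

# Versioned bucket holding the PEM bundle of client *CA* certificates (not client leaf certs).
resource "aws_s3_bucket" "truststore" { bucket = "example-apigw-truststore" }

resource "aws_s3_bucket_versioning" "truststore" {
  bucket = aws_s3_bucket.truststore.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_object" "truststore" {
  bucket = aws_s3_bucket.truststore.id
  key    = "clients.pem"
  source = "clients.pem"          # assumed local file
  etag   = filemd5("clients.pem")
}

resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = aws_acm_certificate.api.arn   # assumed ACM certificate
  security_policy          = "TLS_1_2"                     # "TLS_1_0" also permits TLS 1.0/1.1
  endpoint_configuration { types = ["REGIONAL"] }

  mutual_tls_authentication {
    truststore_uri = "s3://${aws_s3_bucket.truststore.id}/${aws_s3_object.truststore.key}"
    # Pin the object version: an overwrite of the bundle then cannot change the trust anchors
    # until this value is deliberately updated.
    truststore_version = aws_s3_object.truststore.version_id
  }
}

resource "aws_api_gateway_base_path_mapping" "api" {
  api_id      = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  domain_name = aws_api_gateway_domain_name.api.domain_name
}

# The other direction: a certificate API Gateway presents to the integration target,
# so the backend can verify that calls really came through the gateway.
resource "aws_api_gateway_client_certificate" "backend" {
  description = "presented by API Gateway to the orders backend"
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = aws_api_gateway_rest_api.api.id
  deployment_id         = aws_api_gateway_deployment.api.id
  stage_name            = "prod"
  client_certificate_id = aws_api_gateway_client_certificate.backend.id
}
```

Mutual TLS at the domain proves only that the client holds a certificate chaining to one of the CAs in the bundle. Which client it is has to be decided in an authorizer, which can read `$context.identity.clientCert.subjectDN`, `issuerDN` and `serialNumber` from the request context. The backend-facing client certificate is valid for one year and must be rotated and re-pinned on the backend before it expires.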

Output Validation

Design Guidance:

AWS::ApiGateway::GatewayResponse
  Response Templates (Terraform)

AWS::ApiGateway::Method
  Integration-Integration Responses (Terraform)
  Integration Responses-Response Parameters (Terraform)
  Integration Responses-Response Templates (Terraform)
  Method Responses (Terraform)
  Method Responses-Response Models (Terraform)
  Method Responses-Response Parameters (Terraform)

Reconnaissance Prevention

Design Guidance:

AWS::ApiGateway::GatewayResponse
  Status Code (Terraform)

AWS::ApiGateway::Method
  Integration Responses-Selection Pattern (Terraform)
  Integration Responses-Status Code (Terraform)
  Method Responses-Status Code (Terraform)
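One Terraform example serving the Secure Response Headers, Output Validation and Reconnaissance Prevention sections above, added here and not from this page or from AWS: gateway responses with fixed bodies and baseline headers, an unknown-route status code that does not differ from an unauthorised one, and integration responses that whitelist fields and hide backend errors. `aws_api_gateway_rest_api.api`, `aws_api_gateway_resource.orders`, `aws_api_gateway_method.orders_get`, `aws_api_gateway_integration.orders_get` and `aws_api_gateway_model.order_list` are assumed.

```hcl
# Errors the gateway itself generates (auth failures, throttling, validation, internal 5xx):
# fixed bodies with no exception text, and baseline headers on each.
resource "aws_api_gateway_gateway_response" "default_4xx" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  response_type = "DEFAULT_4XX"
  response_templates = {
    "application/json" = "{\"message\":\"request rejected\",\"requestId\":\"$context.requestId\"}"
  }
  response_parameters = {
    "gatewayresponse.header.X-Content-Type-Options" = "'nosniff'"
    "gatewayresponse.header.Cache-Control"          = "'no-store'"
  }
}

resource "aws_api_gateway_gateway_response" "default_5xx" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  response_type = "DEFAULT_5XX"
  response_templates = {
    "application/json" = "{\"message\":\"internal error\",\"requestId\":\"$context.requestId\"}"
  }
  response_parameters = {
    "gatewayresponse.header.X-Content-Type-Options" = "'nosniff'"
  }
}

# A path that does not exist answers 403 MISSING_AUTHENTICATION_TOKEN by default, while real
# paths answer 401/403 from the authorizer. That difference lets a scanner map the API; return 404.
resource "aws_api_gateway_gateway_response" "unknown_route" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  response_type = "MISSING_AUTHENTICATION_TOKEN"
  status_code   = "404"
  response_templates = {
    "application/json" = "{\"message\":\"not found\"}"
  }
}

# Backend responses for GET /orders: declare what may leave, then build exactly that.
resource "aws_api_gateway_method_response" "ok" {
  rest_api_id         = aws_api_gateway_rest_api.api.id
  resource_id         = aws_api_gateway_resource.orders.id
  http_method         = aws_api_gateway_method.orders_get.http_method
  status_code         = "200"
  response_models     = { "application/json" = aws_api_gateway_model.order_list.name }
  response_parameters = { "method.response.header.Cache-Control" = true }
}

resource "aws_api_gateway_method_response" "upstream_error" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  resource_id = aws_api_gateway_resource.orders.id
  http_method = aws_api_gateway_method.orders_get.http_method
  status_code = "502"
}

resource "aws_api_gateway_integration_response" "ok" {
  rest_api_id         = aws_api_gateway_rest_api.api.id
  resource_id         = aws_api_gateway_resource.orders.id
  http_method         = aws_api_gateway_method.orders_get.http_method
  status_code         = aws_api_gateway_method_response.ok.status_code
  response_parameters = { "method.response.header.Cache-Control" = "'no-store'" }
  # Copy named fields only; internal ids or debug data the backend adds are dropped.
  response_templates = {
    "application/json" = <<-EOT
      {"items": [
      #foreach($i in $input.path('$.items'))
        {"sku": "$util.escapeJavaScript($i.sku)", "quantity": $i.quantity}#if($foreach.hasNext),#end
      #end
      ]}
    EOT
  }
  depends_on = [aws_api_gateway_integration.orders_get]
}

# Any backend 5xx becomes a bare 502 so stack traces and server banners never reach the client.
resource "aws_api_gateway_integration_response" "upstream_error" {
  rest_api_id        = aws_api_gateway_rest_api.api.id
  resource_id        = aws_api_gateway_resource.orders.id
  http_method        = aws_api_gateway_method.orders_get.http_method
  status_code        = aws_api_gateway_method_response.upstream_error.status_code
  selection_pattern  = "5\\d{2}"
  response_templates = { "application/json" = "{\"message\":\"upstream error\"}" }
  depends_on         = [aws_api_gateway_integration.orders_get]
}
```

`selection_pattern` is matched against the upstream HTTP status code for `HTTP` integrations but against the `errorMessage` field for Lambda (`AWS`) integrations, so a Lambda-backed method needs a pattern on the error text instead. None of this applies to `*_PROXY` integrations, where the backend response is passed through unchanged.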

Access Control Policy

Design Guidance:

AWS::ApiGateway::RestApi
  Policy (Terraform)
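One Terraform example covering both the Network Isolation and Segregation section above and this Access Control Policy section, added here and not from this page or from AWS: a PRIVATE API reachable only through one interface VPC endpoint, a resource policy that pins it to that endpoint, and a VPC link so the integration target is never exposed. `var.vpc_id`, `var.region`, `var.private_subnet_ids`, `aws_security_group.apigw_endpoint`, `aws_lb.orders` and `aws_api_gateway_resource.orders` are assumptions.

```hcl
# Interface endpoint in the consumer VPC. With private DNS on, the normal execute-api
# hostname resolves to the endpoint from inside the VPC.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.apigw_endpoint.id]
  private_dns_enabled = true
}

resource "aws_api_gateway_rest_api" "internal" {
  name = "internal-orders"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
}

# A PRIVATE API is unreachable until a resource policy allows something. Allow this one
# endpoint and explicitly deny every other source rather than using Principal "*" alone.
resource "aws_api_gateway_rest_api_policy" "internal" {
  rest_api_id = aws_api_gateway_rest_api.internal.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "${aws_api_gateway_rest_api.internal.execution_arn}/*"
        Condition = { StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } }
      },
      {
        Effect    = "Deny"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "${aws_api_gateway_rest_api.internal.execution_arn}/*"
        Condition = { StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } }
      }
    ]
  })
}

# Backend side: reach an internal Network Load Balancer over a VPC link instead of
# giving it a public listener.
resource "aws_api_gateway_vpc_link" "orders" {
  name        = "orders-nlb"
  target_arns = [aws_lb.orders.arn]   # assumed internal NLB
}

resource "aws_api_gateway_integration" "orders_get" {
  rest_api_id             = aws_api_gateway_rest_api.internal.id
  resource_id             = aws_api_gateway_resource.orders.id
  http_method             = "GET"
  integration_http_method = "GET"
  type                    = "HTTP_PROXY"
  uri                     = "http://${aws_lb.orders.dns_name}/orders"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.orders.id
}
```

A resource policy change takes effect only after the API is deployed again, so the deployment resource should depend on the policy (or include its hash in `triggers`). The explicit Deny also stops IAM principals in the same account, who would otherwise pass the Allow when calling from outside the endpoint under a permissive identity policy.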

Connection Limiting

Design Guidance:

AWS::ApiGateway::UsagePlan
  Quota-Limit (Terraform)
  Quota-Offset (Terraform)
  Quota-Period (Terraform)
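One Terraform example covering both the Transaction Rate-limiting section above and this Connection Limiting section, added here and not taken from this page or from AWS: a stage-wide throttle, a usage plan with per-method throttling and a daily quota, and an API key enrolled in it. `aws_api_gateway_rest_api.api` and `aws_api_gateway_stage.prod` are assumed to exist.

```hcl
# Stage-wide ceiling: applies to every method, whether or not the caller presents an API key.
resource "aws_api_gateway_method_settings" "throttle" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*"

  settings {
    throttling_rate_limit  = 100   # steady-state requests per second
    throttling_burst_limit = 50    # token-bucket size for short spikes
  }
}

# Per-client budget, keyed by API key.
resource "aws_api_gateway_usage_plan" "partner" {
  name = "partner-basic"

  api_stages {
    api_id = aws_api_gateway_rest_api.api.id
    stage  = aws_api_gateway_stage.prod.stage_name

    # Tighter limit on an expensive endpoint. The key is "/<resource path>/<METHOD>".
    throttle {
      path        = "/orders/POST"
      rate_limit  = 2
      burst_limit = 5
    }
  }

  throttle_settings {
    rate_limit  = 10
    burst_limit = 20
  }

  quota_settings {
    limit  = 10000
    period = "DAY"   # DAY, WEEK or MONTH
    offset = 0       # requests subtracted from the limit in the first period; 0 = full quota
  }
}

resource "aws_api_gateway_api_key" "partner_a" {
  name    = "partner-a"
  enabled = true   # flip to false to cut a partner off without deleting the key
  # No "value": let API Gateway generate it. A value supplied here is stored in plaintext in state.
}

resource "aws_api_gateway_usage_plan_key" "partner_a" {
  key_id        = aws_api_gateway_api_key.partner_a.id
  key_type      = "API_KEY"
  usage_plan_id = aws_api_gateway_usage_plan.partner.id
}
```

Usage-plan limits are only consulted on methods that set `api_key_required = true`; everything else is governed by the stage throttle alone. The stage and usage-plan throttles are both best-effort token buckets applied per region, so treat them as protection for the backend, not as an exact billing meter.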

Access Policy Enforcement

Design Guidance:

AWS::ApiGateway::Authorizer
  Auth Type (Terraform)
  Authorizer Credentials (Terraform)
  Authorizer Uri (Terraform)

AWS::ApiGateway::Method
  Authorization Scopes (Terraform)
  Authorization Type (Terraform)
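One Terraform example covering both the Identification and Authentication section above and this Access Policy Enforcement section, added here and not from this page or from AWS: a Cognito user pool authorizer, a Lambda TOKEN authorizer with scoped invoke credentials, and the method-level authorization type, scopes and API key requirement that put them to use. `aws_api_gateway_rest_api.api`, `aws_cognito_user_pool.users`, `aws_lambda_function.authz`, `aws_iam_role.apigw_invoke_authz` and the `orders` and `health` resources are assumptions.

```hcl
# 1) Cognito user pool: API Gateway verifies the JWT signature, expiry and issuer itself.
resource "aws_api_gateway_authorizer" "cognito" {
  name            = "cognito"
  rest_api_id     = aws_api_gateway_rest_api.api.id
  type            = "COGNITO_USER_POOLS"
  provider_arns   = [aws_cognito_user_pool.users.arn]   # assumed user pool
  identity_source = "method.request.header.Authorization"
}

# 2) Lambda TOKEN authorizer for policy the pool cannot express (tenant checks, revocation lists).
resource "aws_api_gateway_authorizer" "lambda" {
  name           = "tenant-policy"
  rest_api_id    = aws_api_gateway_rest_api.api.id
  type           = "TOKEN"
  authorizer_uri = aws_lambda_function.authz.invoke_arn   # assumed function
  # Role API Gateway assumes to call the function; grant it lambda:InvokeFunction on that ARN only.
  authorizer_credentials = aws_iam_role.apigw_invoke_authz.arn
  identity_source        = "method.request.header.Authorization"
  # Checked by the gateway before the function is invoked: malformed headers never reach it.
  identity_validation_expression = "^Bearer [-0-9a-zA-Z\\._]+$"
  # Cached decisions are keyed on the token value; keep the TTL below the token lifetime.
  authorizer_result_ttl_in_seconds = 300
}

# Scopes are enforced by the gateway. Once scopes are listed, only Cognito access tokens are
# accepted: ID tokens carry no scope claim and are rejected.
resource "aws_api_gateway_method" "orders_post" {
  rest_api_id          = aws_api_gateway_rest_api.api.id
  resource_id          = aws_api_gateway_resource.orders.id
  http_method          = "POST"
  authorization        = "COGNITO_USER_POOLS"
  authorizer_id        = aws_api_gateway_authorizer.cognito.id
  authorization_scopes = ["orders/write"]
  api_key_required     = true   # usage-plan metering only; an API key is not a credential
}

resource "aws_api_gateway_method" "orders_get" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.orders.id
  http_method   = "GET"
  authorization = "CUSTOM"
  authorizer_id = aws_api_gateway_authorizer.lambda.id
}

# Every method makes an explicit choice. "NONE" means unauthenticated and belongs only on
# endpoints meant to be public, such as a health check.
resource "aws_api_gateway_method" "health_get" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.health.id
  http_method   = "GET"
  authorization = "NONE"
}
```

A Lambda authorizer's cached policy is returned for any later request carrying the same token until the TTL expires, regardless of path, so the policy it returns should enumerate only the methods that caller may invoke rather than `execute-api:Invoke` on `*`.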