AWS ApiGatewayV2

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
API Gateway provides a number of security features to consider as you design and implement your security architecture. Here are some key considerations.
Implement least privilege access: Use IAM policies to implement least privilege access for creating, reading, updating, or deleting API Gateway APIs.
Implement logging: Use CloudWatch Logs or Amazon Kinesis Data Firehose to log requests to your APIs.
Implement Amazon CloudWatch alarms: Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions when a metric is in a particular state. Rather, the state must have changed and been maintained for a specified number of periods.
Enable AWS CloudTrail: CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, when it was made, and additional details.

Information Flow Routing

AWS::ApiGatewayV2::Api

Route Selection Expression
Terraform
Route Key
Terraform

AWS::ApiGatewayV2::Route

Route Key
Terraform

AWS::ApiGatewayV2::Stage

Default Route Settings
Terraform

AWS::ApiGatewayV2::Route

Request Models
Terraform
Model Selection Expression
Terraform

AWS::ApiGatewayV2::RouteResponse

Route Response Key
Terraform
Route Id
Terraform
Model Selection Expression
Terraform
Response Models
Terraform

Application Lifecycle Management

Design Guidance:

AWS::ApiGatewayV2::Api

Fail On Warnings
Terraform
Name
Terraform
Version
Terraform
Protocol Type
Terraform
Body
Terraform

AWS::ApiGatewayV2::ApiMapping

Domain Name
Terraform
Stage
Terraform
Api Mapping Key
Terraform
Api Id
Terraform

AWS::ApiGatewayV2::Deployment

Description
Terraform
Stage Name
Terraform
Api Id
Terraform

AWS::ApiGatewayV2::DomainName

Domain Name
Terraform

AWS::ApiGatewayV2::Model

Description
Terraform
Api Id
Terraform
Name
Terraform

AWS::ApiGatewayV2::Stage

Deployment Id
Terraform
Description
Terraform
Auto Deploy
Terraform
Stage Name
Terraform
Api Id
Terraform

AWS::ApiGatewayV2::Authorizer

Api Id
Terraform
Name
Terraform

AWS::ApiGatewayV2::Integration

Description
Terraform
Integration Uri
Terraform
Integration Subtype
Terraform
Api Id
Terraform
Integration Type
Terraform

AWS::ApiGatewayV2::IntegrationResponse

Integration Id
Terraform
Integration Response Key
Terraform
Api Id
Terraform

AWS::ApiGatewayV2::Route

Api Id
Terraform

AWS::ApiGatewayV2::RouteResponse

Api Id
Terraform

Design for Minimum Necessary Information Flows

Design Guidance:

AWS::ApiGatewayV2::Api

Disable Execute Api Endpoint
Terraform

Input Validation

Design Guidance:

AWS::ApiGatewayV2::Api

Disable Schema Validation
Terraform

AWS::ApiGatewayV2::Model

Content Type
Terraform
Schema
Terraform

AWS::ApiGatewayV2::Integration

Payload Format Version
Terraform
Request Templates
Terraform

AWS::ApiGatewayV2::Route

Request Parameters
Terraform

Access Policy Enforcement

Design Guidance:

AWS::ApiGatewayV2::Api

Credentials Arn
Terraform

AWS::ApiGatewayV2::Authorizer

Authorizer Uri
Terraform
Authorizer Credentials Arn
Terraform
Authorizer Type
Terraform
Authorizer Payload Format Version
Terraform

AWS::ApiGatewayV2::Integration

Credentials Arn
Terraform

AWS::ApiGatewayV2::Route

Authorizer Id
Terraform
Authorization Scopes
Terraform
Authorization Type
Terraform

CORS Headers

Design Guidance:

AWS::ApiGatewayV2::Api

Cors Configuration
Terraform
Cors Configuration-Allow Origins
Terraform
Cors Configuration-Allow Credentials
Terraform
Cors Configuration-Expose Headers
Terraform
Cors Configuration-Allow Headers
Terraform
Cors Configuration-Max Age
Terraform

Secure Response Headers

Design Guidance:

AWS::ApiGatewayV2::Api

Cors Configuration-Allow Methods
Terraform

AWS::ApiGatewayV2::Integration

Integration Method
Terraform

Asset Inventory

Design Guidance:

AWS::ApiGatewayV2::Api

Tags
Terraform

AWS::ApiGatewayV2::DomainName

Tags
Terraform

AWS::ApiGatewayV2::Stage

Tags
Terraform

Destination Authentication

Design Guidance:

AWS::ApiGatewayV2::Api

Api Key Selection Expression
Terraform

Source Authentication

Design Guidance:

AWS::ApiGatewayV2::DomainName

Mutual TLS Authentication
Terraform
Mutual TLS Authentication-Truststore Version
Terraform
Mutual TLS Authentication-Truststore Uri
Terraform

AWS::ApiGatewayV2::Stage

Client Certificate Id
Terraform

TLS

Design Guidance:

AWS::ApiGatewayV2::DomainName

Domain Name Configurations-Security Policy
Terraform

AWS::ApiGatewayV2::Integration

TLS Config-Server Name To Verify
Terraform

Network Isolation and Segregation

Design Guidance:

AWS::ApiGatewayV2::DomainName

Domain Name Configurations-Endpoint Type
Terraform

AWS::ApiGatewayV2::Integration

Connection Type
Terraform

Identification and Authentication

Design Guidance:

AWS::ApiGatewayV2::DomainName

Domain Name Configurations-Certificate Name
Terraform
Domain Name Configurations-Certificate Arn
Terraform

AWS::ApiGatewayV2::Route

Api Key Required
Terraform

AWS::ApiGatewayV2::Authorizer

Identity Source
Terraform

Logging

Design Guidance:

AWS::ApiGatewayV2::Stage

Access Log Settings
Terraform
Access Log Settings-Format
Terraform
Access Log Settings-Destination Arn
Terraform
Default Route Settings-Logging Level
Terraform
Default Route Settings-Data Trace Enabled
Terraform
Default Route Settings-Detailed Metrics Enabled
Terraform

Transaction Rate-limiting

Design Guidance:

AWS::ApiGatewayV2::Stage

Default Route Settings-Throttling Burst Limit
Terraform
Default Route Settings-Throttling Rate Limit
Terraform

Session Binding

Design Guidance:

AWS::ApiGatewayV2::Authorizer

Jwt Configuration
Terraform
Jwt Configuration-Issuer
Terraform
Jwt Configuration-Audience
Terraform

Session Limits

Design Guidance:

AWS::ApiGatewayV2::Authorizer

Authorizer Result Ttl In Seconds
Terraform

AWS::ApiGatewayV2::Integration

Timeout In Millis
Terraform

Access Control Policy

Design Guidance:

AWS::ApiGatewayV2::Authorizer

Enable Simple Responses
Terraform

Managed Inspection Points

Design Guidance:

AWS::ApiGatewayV2::Integration

Passthrough Behavior
Terraform

Output Validation

Design Guidance:

AWS::ApiGatewayV2::IntegrationResponse

Response Templates
Terraform
Template Selection Expression
Terraform
Response Parameters
Terraform
Content Handling Strategy
Terraform

AWS::ApiGatewayV2::RouteResponse

Response Parameters
Terraform