AWS ApiGatewayV2
Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.
AWS Security Best Practices
API Gateway provides a number of security features to consider as you design and implement your security architecture. Here are some key considerations.
Implement least privilege access
Use IAM policies to implement least privilege access for creating, reading, updating, or deleting API Gateway APIs.
Implement logging
Use CloudWatch Logs or Amazon Kinesis Data Firehose to log requests to your APIs.
Implement Amazon CloudWatch alarms
Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions when a metric is in a particular state. Rather, the state must have changed and been maintained for a specified number of periods.
Enable AWS CloudTrail
CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, when it was made, and additional details.
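As an added illustration (not code from this page or from AWS), a small Python model of the alarm evaluation rule described above: an action fires only when the alarm's state changes, and the state changes only when the threshold condition has held for the configured number of evaluation periods. The metric name 5xx, namespace AWS/ApiGateway and the ApiId/Stage dimensions are the ones documented for HTTP APIs; the datapoints and the put_metric_alarm arguments are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class MetricAlarm:
    metric_name: str
    threshold: float
    evaluation_periods: int          # N: periods in the sliding evaluation window
    datapoints_to_alarm: int = 0     # M: breaching datapoints needed (0 -> same as N)
    state: str = "OK"
    window: deque = field(default_factory=deque)
    actions: list = field(default_factory=list)

    def __post_init__(self):
        if self.datapoints_to_alarm <= 0:
            self.datapoints_to_alarm = self.evaluation_periods
        self.window = deque(maxlen=self.evaluation_periods)

    def evaluate(self, period_index, value):
        """Feed one period's datapoint; return the (period, state) action fired, if any."""
        self.window.append(value > self.threshold)
        new_state = "ALARM" if sum(self.window) >= self.datapoints_to_alarm else "OK"
        if new_state == self.state:
            return None          # state unchanged: nothing fires, however long it persists
        self.state = new_state
        self.actions.append((period_index, new_state))
        return self.actions[-1]

def run_alarm(values, threshold=5.0, evaluation_periods=3):
    """Replay constructed per-minute 5xx sums; collect the actions the alarm would fire."""
    alarm = MetricAlarm("5xx", threshold, evaluation_periods)
    for i, v in enumerate(values):
        alarm.evaluate(i, v)
    return alarm.actions

def put_metric_alarm_kwargs(api_id, stage, sns_topic_arn, threshold=5, periods=3):
    """Arguments for boto3 CloudWatch.Client.put_metric_alarm matching the model above."""
    return {
        "AlarmName": f"apigw-{api_id}-{stage}-5xx",
        "Namespace": "AWS/ApiGateway",
        "MetricName": "5xx",  # HTTP API metric name; REST APIs expose 5XXError instead
        "Dimensions": [{"Name": "ApiId", "Value": api_id}, {"Name": "Stage", "Value": stage}],
        "Statistic": "Sum", "Period": 60,
        "EvaluationPeriods": periods, "DatapointsToAlarm": periods,
        "Threshold": threshold, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # idle minutes are not counted as breaching
        "AlarmActions": [sns_topic_arn], "OKActions": [sns_topic_arn],
    }
```

With the constructed series [2, 7, 8, 9, 1, 6, 7] and a threshold of 5 over 3 periods, the alarm fires once on entering ALARM at period 3 and once on returning to OK at period 4; the later breaching minutes produce no further action because the state does not change.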
ApiGatewayV2 resource properties covered by this page:
Route Selection Expression
Route Key
Default Route Settings
Request Models
Model Selection Expression
Route Response Key
Route Id
Model Selection Expression
Response Models
Fail On Warnings
Name
Version
Protocol Type
Body
Domain Name
Stage
Api Mapping Key
Api Id
Description
Stage Name
Api Id
Domain Name
Description
Api Id
Name
Deployment Id
Description
Auto Deploy
Stage Name
Api Id
Name
Description
Integration Uri
Integration Subtype
Api Id
Integration Type
Integration Id
Integration Response Key
Api Id
Disable Execute Api Endpoint
Disable Schema Validation
Content Type
Schema
Payload Format Version
Request Templates
Request Parameters
Credentials Arn
Authorizer Uri
Authorizer Credentials Arn
Authorizer Type
Authorizer Payload Format Version
Credentials Arn
Authorizer Id
Authorization Scopes
Authorization Type
Cors Configuration
Cors Configuration-Allow Origins
Cors Configuration-Allow Credentials
Cors Configuration-Expose Headers
Cors Configuration-Allow Headers
Cors Configuration-Max Age
Cors Configuration-Allow Methods
Integration Method
Tags
Api Key Selection Expression
Mutual TLS Authentication
Mutual TLS Authentication-Truststore Version
Mutual TLS Authentication-Truststore Uri
Client Certificate Id
Domain Name Configurations-Security Policy
TLS Config-Server Name To Verify
Domain Name Configurations-Endpoint Type
Connection Type
Domain Name Configurations-Certificate Name
Domain Name Configurations-Certificate Arn
Api Key Required
Identity Source
Access Log Settings
Access Log Settings-Format
Access Log Settings-Destination Arn
Default Route Settings-Logging Level
Default Route Settings-Data Trace Enabled
Default Route Settings-Detailed Metrics Enabled
Default Route Settings-Throttling Burst Limit
Default Route Settings-Throttling Rate Limit
Jwt Configuration
Jwt Configuration-Issuer
Jwt Configuration-Audience
Authorizer Result Ttl In Seconds
Timeout In Millis
Enable Simple Responses
Passthrough Behavior
Response Templates
Template Selection Expression
Response Parameters
Content Handling Strategy
Response Parameters