Amazon API Gateway Best Practices

Best practice rules for Amazon API Gateway

Trend Micro Cloud One™ – Conformity monitors Amazon API Gateway with the following rules:

• API Gateway Integrated With AWS WAF

  Use AWS WAF to protect Amazon API Gateway APIs from common web exploits.

• API Gateway Tracing Enabled

  Ensure APIs created with Amazon API Gateway have active tracing support for AWS X-Ray enabled.

• APIs CloudWatch Logs

  Ensure APIs created with Amazon API Gateway have AWS CloudWatch logging enabled.

• APIs Detailed CloudWatch Metrics

  Ensure detailed CloudWatch metrics are enabled for Amazon API Gateway APIs stages.

• Client Certificate

  Use client-side SSL certificates for HTTP backend authentication within AWS API Gateway.

• Content Encoding

  Ensure APIs created with Amazon API Gateway have Content Encoding feature enabled.

• Enable API Cache

  Ensure that REST APIs created with Amazon API Gateway have response caching enabled.

• Enable Encryption for API Cache

  Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs.

• Private Endpoint

  Ensure APIs created with Amazon API Gateway are only accessible via private endpoints.

• Rotate Expiring SSL Client Certificates

  Ensure that SSL certificates associated with API Gateway REST APIs are rotated periodically.