Best practice rules for Amazon API Gateway
Trend Micro Cloud One™ – Conformity monitors Amazon API Gateway with the following rules:
- API Gateway Integrated With AWS WAF
Use AWS WAF to protect Amazon API Gateway APIs from common web exploits.
- API Gateway Tracing Enabled
Ensure APIs created with Amazon API Gateway have active tracing support for AWS X-Ray enabled.
- APIs CloudWatch Logs
Ensure APIs created with Amazon API Gateway have AWS CloudWatch logging enabled.
- APIs Detailed CloudWatch Metrics
Ensure detailed CloudWatch metrics are enabled for Amazon API Gateway API stages.
- Client Certificate
Use client-side SSL certificates for HTTP backend authentication within AWS API Gateway.
- Content Encoding
Ensure APIs created with Amazon API Gateway have the Content Encoding feature enabled.
- Enable API Cache
Ensure that REST APIs created with Amazon API Gateway have response caching enabled.
- Enable Encryption for API Cache
Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs.
- Limit REST API Access by IP Address
Ensure that access to your REST APIs is restricted to trusted IP addresses only.
- Private Endpoint
Ensure APIs created with Amazon API Gateway are only accessible via private endpoints.
- Rotate Expiring SSL Client Certificates
Ensure that SSL certificates associated with API Gateway REST APIs are rotated periodically.