Best practice rules for Amazon API Gateway
Trend Micro Cloud One™ – Conformity monitors Amazon API Gateway with the following rules:
- API Gateway Integrated With AWS WAF
Use AWS WAF to protect Amazon API Gateway APIs from common web exploits.
- APIs CloudWatch Logs
Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.
- APIs Detailed CloudWatch Metrics
Ensure that detailed CloudWatch metrics are enabled for all APIs created with the AWS API Gateway service in order to monitor API stage caching, latency, and detected errors at a more granular level and to set alarms accordingly.
- Check for Unknown Cross Account API Access
Ensure that Amazon API Gateway APIs do not allow unknown cross-account access.
- Check the Minimum TLS Version Configured for API Gateway Domains
Ensure that Amazon API Gateway domains are configured with the latest version of TLS protocol.
- Client Certificate
Use client-side SSL certificates for HTTP backend authentication within AWS API Gateway.
- Content Encoding
Ensure Content Encoding is enabled for your APIs.
- Enable API Cache
Ensure that REST APIs created with Amazon API Gateway have response caching enabled.
- Enable Access Logs for API Gateway V2 API Stages
Ensure that access logging is enabled for all Amazon API Gateway V2 API stages.
- Enable Control Access to REST APIs using Keys or Tokens
Ensure that access to your API Gateway REST APIs is controlled using keys or tokens.
- Enable Encryption for API Cache
Ensure that stage-level cache encryption is enabled for your Amazon API Gateway APIs.
- Limit REST API Access by IP Address
Ensure that access to your REST APIs is restricted to trusted IP addresses only.
- Private Endpoint
Ensure Amazon API Gateway APIs are only accessible through private API endpoints.
- Rotate Expiring SSL Client Certificates
Ensure that SSL certificates associated with API Gateway REST APIs are rotated periodically.
- Tracing Enabled
Ensure that tracing is enabled for all stages of all APIs created with the AWS API Gateway service in order to analyze latencies in the APIs and their backend services.