Best practice rules for GCP API Gateway
- Check for API Gateway Authentication Method
  Ensure that API Gateway uses an authentication method to secure access to your API backend.
- Enable Data Access Audit Logs
  Ensure that Data Access audit logs are enabled for Google Cloud API Gateway APIs.
- Enable Data Encryption for API Gateway Backend Integrations
  Ensure that associated backend services are configured to communicate with API Gateway using HTTPS.
- Implement Least Privilege Access using Cloud IAM
  Ensure that IAM roles with administrative permissions are not used for API access control.
- Protect API Gateway with Cloud Armor
  Ensure that API Gateway leverages Cloud Armor as a network security service.
- Rate Limit API Usage with Quotas
  Ensure that API Gateway is configured to use rate limiting with quotas for your APIs.
- Use Labels for Resource Management
  Ensure that all Google Cloud API Gateway APIs are labeled for better resource management.