AWS API Gateway
API Gateway must be integrated with AWS WAF
Ensure that AWS Web Application Firewall (WAF) is integrated with Amazon API Gateway to protect your APIs from common web exploits such as SQLi attacks, XSS attacks and Cross-Site Request Forgery (CSRF) attacks that could affect API availability and performance.
Use SSL Certificates
Ensure that your Amazon API Gateway APIs are using SSL certificates to verify that HTTP requests made to your backend system are from API Gateway service
Only Private end-points can access APIs
Ensure that your Amazon API Gateway APIs are only accessible through private API endpoints and not visible to the public Internet
Rotate Expiring SSL Client Certificates
Ensure that the client-side SSL certificates used by your Amazon API Gateway REST APIs for secure authentication at the API integration endpoint level are rotated before their expiration date
Active Tracing must be Enabled
Ensure that active tracing is enabled for your Amazon API Gateway API stages to sample incoming requests and send traces to AWS X-Ray
Cloudwatch Logs must be enaled
Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.
Cloudwatch Metrics must be enabled
Ensure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.
Content Encoding must be enabled
Ensure that Content Encoding feature is enabled for your Amazon API Gateway APIs in order to facilitate API payload compression.
Help Us Improve!
If you have any suggestions to improve this checklist, please let us know by filling out