Security best practices in Amazon API Gateway - Amazon API Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices in Amazon API Gateway

API Gateway provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Implement least privilege access

Use IAM policies to implement least privilege access for creating, reading, updating, or deleting API Gateway APIs. To learn more, see Identity and access management for Amazon API Gateway. API Gateway offers several options to control access to APIs that you create. To learn more, see Control and manage access to REST APIs in API Gateway, Control and manage access to WebSocket APIs in API Gateway, and Control access to HTTP APIs with JWT authorizers in API Gateway.

Implement logging

Use CloudWatch Logs or Amazon Data Firehose to log requests to your APIs. To learn more, see Monitor REST APIs in API Gateway, Configure logging for WebSocket APIs in API Gateway, and Configure logging for HTTP APIs in API Gateway.

Implement Amazon CloudWatch alarms

Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service topic or Amazon Auto Scaling policy. CloudWatch alarms do not invoke actions when a metric is in a particular state. Rather, the state must have changed and been maintained for a specified number of periods. For more information, see Monitor REST API execution with Amazon CloudWatch metrics.

Enable Amazon CloudTrail

CloudTrail provides a record of actions taken by a user, role, or an Amazon service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see Logging Amazon API Gateway API calls using Amazon CloudTrail.

Enable Amazon Config

Amazon Config provides a detailed view of the configuration of Amazon resources in your account. You can see how resources are related, get a history of configuration changes, and see how relationships and configurations change over time. You can use Amazon Config to define rules that evaluate resource configurations for data compliance. Amazon Config rules represent the ideal configuration settings for your API Gateway resources. If a resource violates a rule and is flagged as noncompliant, Amazon Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic. For details, see Monitoring API Gateway API configuration with Amazon Config.

Use Amazon Security Hub

Monitor your usage of API Gateway as it relates to security best practices by using Amazon Security Hub. Security Hub uses security controls to evaluate resource configurations and security standards to help you comply with various compliance frameworks. For more information about using Security Hub to evaluate API Gateway resources, see Amazon API Gateway controls in the Amazon Security Hub User Guide.