AWS and Cloudanix team co-authored this blog: Real-Time Threat and Anomaly Detection for Workloads on AWS

Cloudanix

AWS API Gateway Audit

AWS Web Application Firewall (WAF) should be integrated with API Gateway to protect your APIs from common web exploits such as SQLi attacks, XSS attacks and Cross-Site Request Forgery (CSRF) attacks.

API Gateway Should Be Integrated With WAF

AWS Web Application Firewall (WAF) should be integrated with API Gateway to protect your APIs from common web exploits such as SQLi attacks, XSS attacks and Cross-Site Request Forgery (CSRF) attacks.

Active Tracing Should Be Enabled For API Gateway Stages

Active tracing should be enabled for your Amazon API Gateway API stages to sample incoming requests and send traces to AWS X-Ray. Then X-Ray can provide you an end-to-end view of an entire HTTP request, so you can analyze latencies in your APIs and their backend services.

Cloudwatch Logs Must Be Enabled For All APIs

AWS CloudWatch logs should be enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.

Cloudwatch Metrics Must Be Enabled For All APIs

Detailed CloudWatch metrics should be enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.

API Gateway APIs Should Use SSL Certificates

Your Amazon API Gateway APIs should be using SSL certificates to verify that HTTP requests made to your backend system are from API Gateway service.

Content Encoding Should Be Enabled For APIs

Content Encoding feature should be enabled for your Amazon API Gateway APIs in order to facilitate API payload compression.

Default Execution Endpoint Should Not Be Enabled

Default Execution Endpoint should not be enabled for your Amazon API Gateway APIs in order to secure your APIs.

Only Private End-Points Should Access APIs

Amazon API Gateway APIs should be accessible only through private API endpoints and must not be visible to the public Internet.

Expiring SSL Client Certificates Should Be Rotated

The client-side SSL certificates used by your Amazon API Gateway REST APIs for secure authentication at the API integration endpoint level should be rotated before their expiration date

Ready to see your graph?

Connect a cloud account in under 30 minutes. See every finding rooted in identity, asset, and blast radius — with a fix path attached.

Book a Demo

CLOUDANIX

Insights from Cloudanix

Explore guides, checklists, and blogs that simplify cloud security and help you secure your infrastructure.