AWS API Gateway Method Settings
This page shows how to write Terraform and CloudFormation for API Gateway Method Settings and write them securely.
aws_api_gateway_method_settings (Terraform)
The Method Settings in API Gateway can be configured in Terraform with the resource name aws_api_gateway_method_settings. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.ok_example.id
  stage_name  = aws_api_gateway_stage.ok_example.stage_name
  method_path = "*/*"
  settings {
    # method-level settings (caching, logging, metrics, throttling) go here
  }
}
resource "aws_api_gateway_method_settings" "path_specific" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.example.stage_name
  method_path = "path1/GET"
  settings {
    # method-level settings (caching, logging, metrics, throttling) go here
  }
}
Security Best Practices for aws_api_gateway_method_settings
There is 1 setting in aws_api_gateway_method_settings that should be taken care of for security reasons. The following section explains it with an overview and example code.
Ensure that API Gateway stage-level cache is encrypted
It is better to enable the stage-level cache encryption (the cache_data_encrypted setting), which reduces the risk of data leakage from cached responses.
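As an added example (not code from this page or from the projects it references), the following Python check reads `terraform show -json` plan output and reports aws_api_gateway_method_settings resources that enable caching without cache_data_encrypted set to true. The plan document is a constructed sample, and treating a null or absent cache_data_encrypted as unencrypted is an assumption based on the parameter being optional and computed (the API default is an unencrypted cache).

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields the check reads. Nested blocks such as settings appear as lists.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_api_gateway_method_settings.all",
             "type": "aws_api_gateway_method_settings",
             "values": {"method_path": "*/*",
                        "settings": [{"caching_enabled": True,
                                      "cache_data_encrypted": False}]}},
            {"address": "aws_api_gateway_method_settings.path_specific",
             "type": "aws_api_gateway_method_settings",
             "values": {"method_path": "path1/GET",
                        "settings": [{"caching_enabled": True,
                                      "cache_data_encrypted": True}]}},
            {"address": "aws_api_gateway_method_settings.no_cache",
             "type": "aws_api_gateway_method_settings",
             "values": {"method_path": "path2/POST",
                        "settings": [{"caching_enabled": False}]}},
        ],
        "child_modules": [],
    }},
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unencrypted_cache_findings(plan_json):
    """Return addresses of aws_api_gateway_method_settings resources that
    enable caching without cache_data_encrypted = true. A null or absent
    cache_data_encrypted counts as unencrypted (assumed API default);
    resources with caching disabled have no cache to encrypt and pass."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_api_gateway_method_settings":
            continue
        for settings in res.get("values", {}).get("settings") or []:
            if (settings.get("caching_enabled") is True
                    and settings.get("cache_data_encrypted") is not True):
                findings.append(res["address"])
    return findings
```

To run it against a real plan, save `terraform show -json tfplan` to a file and pass its contents to unencrypted_cache_findings.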
Parameters
id: optional, computed - string
method_path: required - string
rest_api_id: required - string
stage_name: required - string
settings: list block
  cache_data_encrypted: optional, computed - bool
  cache_ttl_in_seconds: optional, computed - number
  caching_enabled: optional, computed - bool
  data_trace_enabled: optional, computed - bool
  logging_level: optional, computed - string
  metrics_enabled: optional, computed - bool
  require_authorization_for_cache_control: optional, computed - bool
  throttling_burst_limit: optional - number
  throttling_rate_limit: optional - number
  unauthorized_cache_control_header_strategy: optional, computed - string
Explanation in Terraform Registry
Manages API Gateway Stage Method Settings, for example CloudWatch logging and metrics.
NOTE: It is recommended to use this resource in conjunction with the aws_api_gateway_stage resource instead of a stage managed by the aws_api_gateway_deployment resource's optional stage_name argument. Stages managed by the aws_api_gateway_deployment resource are recreated on redeployment, and this resource will then require a second apply to recreate the method settings.
Tips: Best Practices for The Other AWS API Gateway Resources
In addition to aws_api_gateway_method_settings, AWS API Gateway has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_api_gateway_domain_name
Ensure that modern TLS protocols are used
It is better to adopt TLS v1.2+.
aws_api_gateway_stage
Ensure that access logging is enabled for your API Gateway stage (v1)
It is better to enable the access logging of your API Gateway stage (v1).
aws_api_gateway_method
Ensure that your API Gateway method blocks unwanted access
It is better that the API Gateway method does not allow public access.
AWS::ApiGateway::Deployment MethodSetting (CloudFormation)
The Deployment MethodSetting in ApiGateway can be configured in CloudFormation with the resource name AWS::ApiGateway::Deployment MethodSetting. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found on GitHub.
Parameters
CacheDataEncrypted
Indicates whether the cached responses are encrypted.
Required: No
Type: Boolean
Update requires: No interruption
CacheTtlInSeconds
The time-to-live (TTL) period, in seconds, that specifies how long API Gateway caches responses.
Required: No
Type: Integer
Update requires: No interruption
CachingEnabled
Indicates whether responses are cached and returned for requests. You must enable a cache cluster on the stage to cache responses. For more information, see Enable API Gateway Caching in a Stage to Enhance API Performance in the API Gateway Developer Guide.
Required: No
Type: Boolean
Update requires: No interruption
DataTraceEnabled
Indicates whether data trace logging is enabled for methods in the stage. API Gateway pushes these logs to Amazon CloudWatch Logs.
Required: No
Type: Boolean
Update requires: No interruption
HttpMethod
The HTTP method.
Required: No
Type: String
Update requires: No interruption
LoggingLevel
The logging level for this method. For valid values, see the loggingLevel property of the Stage resource in the Amazon API Gateway API Reference.
Required: No
Type: String
Update requires: No interruption
MetricsEnabled
Indicates whether Amazon CloudWatch metrics are enabled for methods in the stage.
Required: No
Type: Boolean
Update requires: No interruption
ResourcePath
The resource path for this method. Forward slashes (/) are encoded as ~1 and the initial slash must include a forward slash. For example, the path value /resource/subresource must be encoded as /~1resource~1subresource. To specify the root path, use only a slash (/).
Required: No
Type: String
Update requires: No interruption
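The ResourcePath encoding rule above is easy to get wrong by hand, so here is an added Python helper (not code from this page or from AWS) that encodes a plain resource path, decodes it back, and assembles a MethodSetting entry for a StageDescription MethodSettings list. The helper names and the rejection of paths that already contain the ~1 escape (to catch double encoding) are this example's own choices.

```python
def encode_resource_path(path):
    """Encode a REST resource path for the MethodSetting ResourcePath field:
    every "/" becomes "~1" and the result keeps a leading "/", so
    "/resource/subresource" becomes "/~1resource~1subresource".
    The root path "/" is left as "/"."""
    if not path.startswith("/"):
        raise ValueError(f"resource path must start with '/': {path!r}")
    if "~1" in path:
        # Assumed check: a literal ~1 in the input usually means it was
        # already encoded once; refusing it avoids double encoding.
        raise ValueError(f"path already contains the ~1 escape: {path!r}")
    if path == "/":
        return "/"
    return "/" + path.replace("/", "~1")


def decode_resource_path(encoded):
    """Reverse encode_resource_path, rejecting values that were not encoded
    (an unescaped "/" after the leading slash is the usual mistake)."""
    if not encoded.startswith("/"):
        raise ValueError(f"ResourcePath must start with '/': {encoded!r}")
    if encoded == "/":
        return "/"
    body = encoded[1:]
    if "/" in body:
        raise ValueError(f"unencoded '/' inside ResourcePath: {encoded!r}")
    return body.replace("~1", "/")


def method_setting(path, http_method, **properties):
    """Build one entry for a StageDescription MethodSettings list from a
    plain resource path. Remaining MethodSetting properties (for example
    CachingEnabled=True, CacheDataEncrypted=True) are passed through."""
    return {"ResourcePath": encode_resource_path(path),
            "HttpMethod": http_method, **properties}
```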
ThrottlingBurstLimit
The number of burst requests per second that API Gateway permits across all APIs, stages, and methods in your AWS account. For more information, see Manage API Request Throttling in the API Gateway Developer Guide.
Required: No
Type: Integer
Update requires: No interruption
ThrottlingRateLimit
The number of steady-state requests per second that API Gateway permits across all APIs, stages, and methods in your AWS account. For more information, see Manage API Request Throttling in the API Gateway Developer Guide.
Required: No
Type: Double
Update requires: No interruption
Explanation in CloudFormation Registry
The MethodSetting property type configures settings for all methods in a stage. The MethodSettings property of the Amazon API Gateway Deployment StageDescription property type contains a list of MethodSetting property types.
Frequently asked questions
What is AWS API Gateway Method Settings?
AWS API Gateway Method Settings is a resource for API Gateway of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS API Gateway Method Settings?
For Terraform, the melscoop-test/check, SnidermanIndustries/checkov-fork and bridgecrewio/checkov source code examples are useful. See the Terraform Example section for further details.