AWS API Gateway Rest API Policy
This page shows how to write Terraform and CloudFormation for API Gateway Rest API Policy and write them securely.
aws_api_gateway_rest_api_policy (Terraform)
The Rest API Policy in API Gateway can be configured in Terraform with the resource name aws_api_gateway_rest_api_policy. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Example 1: inline policy document (the body of the policy is truncated in the source)
resource "aws_api_gateway_rest_api_policy" "test" {
  rest_api_id = aws_api_gateway_rest_api.test.id
  policy      = <<EOF
{
  "Version": "2012-10-17",
  ... (remainder of the policy document truncated in the source)
}
EOF
}

# Example 2: policy rendered from an aws_iam_policy_document data source
resource "aws_api_gateway_rest_api_policy" "production" {
  rest_api_id = aws_api_gateway_rest_api.production.id
  policy      = data.aws_iam_policy_document.api_gateway_policy.json
}
# (this example continues with an aws_api_gateway_domain_name "production" resource, truncated in the source)

# Example 3: policy loaded from a file
resource "aws_api_gateway_rest_api_policy" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  policy      = file("policy.json")
  # redundant here: rest_api_id already creates the dependency on the REST API
  depends_on  = [aws_api_gateway_rest_api.example]
}
Parameters
id: optional, computed - string
policy: required - string
rest_api_id: required - string
Explanation in Terraform Registry
Provides an API Gateway REST API Policy. -> Note: Amazon API Gateway Version 1 resources are used for creating and deploying REST APIs. To create and deploy WebSocket and HTTP APIs, use Amazon API Gateway Version 2 resources.
Tips: Best Practices for The Other AWS API Gateway Resources
In addition to aws_api_gateway_rest_api_policy, AWS API Gateway has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_api_gateway_method_settings
Ensure that API Gateway stage-level cache is encrypted
It is better to enable stage-level cache encryption, which reduces the risk of data leakage from cached responses.
aws_api_gateway_domain_name
Ensure to use modern TLS protocols
It is better to adopt TLS v1.2+.
aws_api_gateway_stage
Ensure to enable access logging of your API Gateway stage (v1)
It is better to enable the access logging of your API Gateway stage (v1).
aws_api_gateway_method
Ensure that your API Gateway method blocks unwanted access
It is better that the API Gateway method does not allow public access.
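The public-access tip above applies to the JSON handed to the policy argument of aws_api_gateway_rest_api_policy as well. As an added example that is not from the page, the Terraform provider or any of the cited repositories, the following Python check flags statements that let any caller invoke the API without an IP, VPC or VPC-endpoint condition; the vpce-PLACEHOLDER value and both sample policies are constructed.

```python
"""Lint the JSON passed to the `policy` argument of
aws_api_gateway_rest_api_policy for anonymous, unscoped execute-api:Invoke grants."""
import json

# Condition keys that confine an anonymous Allow to a network boundary.
SCOPING_KEYS = {"aws:sourceip", "aws:sourcevpce", "aws:sourcevpc"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any(
        "*" in _as_list(v) for v in principal.values())

def _grants_invoke(actions):
    return any(a in ("*", "execute-api:*", "execute-api:Invoke")
               for a in _as_list(actions))

def _is_scoped(condition):
    for operator, keys in (condition or {}).items():
        # Negated operators (NotIpAddress, ...) widen an Allow on their own.
        if operator.lower().startswith("not"):
            continue
        if any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False

def find_public_invoke(policy_json):
    """Return the Sid (or index) of each statement that allows an anonymous
    principal to invoke the API with no scoping condition."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _is_anonymous(stmt.get("Principal"))
                and _grants_invoke(stmt.get("Action", []))
                and not _is_scoped(stmt.get("Condition"))):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed samples: the same grant open to the world vs. pinned to a VPC endpoint.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*",
     "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
     "Action": "execute-api:Invoke", "Resource": "execute-api:/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})
```

Running find_public_invoke over PUBLIC_POLICY reports OpenToWorld, while SCOPED_POLICY produces no finding; a Deny statement is never reported.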
AWS::ApiGateway::RestApi EndpointConfiguration (CloudFormation)
The RestApi EndpointConfiguration in ApiGateway can be configured in CloudFormation with the resource name AWS::ApiGateway::RestApi EndpointConfiguration. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
Types
A list of endpoint types of an API or its custom domain name. Valid values include:
EDGE: For an edge-optimized API and its custom domain name.
REGIONAL: For a regional API and its custom domain name.
PRIVATE: For a private API.
Required: No
Type: List of String
Update requires: No interruption
VpcEndpointIds
A list of VPC endpoint IDs of an API (AWS::ApiGateway::RestApi) against which to create Route53 ALIASes. It is only supported for the PRIVATE endpoint type.
Required: No
Type: List of String
Update requires: No interruption
Explanation in CloudFormation Registry
The EndpointConfiguration property type specifies the endpoint types of a REST API. EndpointConfiguration is a property of the AWS::ApiGateway::RestApi resource.
Frequently asked questions
What is AWS API Gateway Rest API Policy?
AWS API Gateway Rest API Policy is a resource for API Gateway of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS API Gateway Rest API Policy?
For Terraform, the Checkmarx/kics, bolbken/meandering-rocks and mkbehl/api source code examples are useful. See the Terraform Example section for further details.