My Saved Presets
You must be logged in to view saved presets

Loading Library ...

Cloudformation Guard Rules for API Gateway

CloudFormation guard rules template for API Gateway resources

The following rules are included:

  • REST API Client Certificate Enabled
  • No Public REST APIs
  • REST API Stage Access Logging Enabled
  • REST API Stage Tracing Enabled

let apigateway_stages = Resources.*[
	Type == "AWS::ApiGateway::Stage"
]

let apigateway_restapis = Resources.*[
	Type == "AWS::ApiGateway::RestApi"
]

rule restapi_client_certificate_enabled when %apigateway_stages !empty {
	%apigateway_stages {
		Properties {
			ClientCertificateId exists <<ClientCertificateId is not configured.>>
		}
	}
}

rule restapi_private_public when %apigateway_restapis !empty {
	%apigateway_restapis {
		Properties {
			EndpointConfiguration exists <<EndpointConfiguration is not configured.>>
			when EndpointConfiguration exists {
				EndpointConfiguration {
					Types exists <<Types is not configured.>>
					when Types exists {
						Types == ["PRIVATE"] <<API gateway is not private.>>
					}
				}
			}
		}
	}
}

rule stage_access_logging when %apigateway_stages !empty {
	%apigateway_stages {
		Properties {
			AccessLogSetting exists <<AccessLogSetting is not configured.>>
		}
	}
}

rule restapi_stage_tracing_enabled when %apigateway_stages !empty {
	%apigateway_stages {
		Properties {
			TracingEnabled exists <<TracingEnabled is not configured.>>
			when TracingEnabled exists {
				TracingEnabled == true <<X-Ray tracing is disabled.>>
			}
		}
	}
}

Actions



Customize Template

* Required field

© 2025 asecurecloud. All rights reserved.