# API Gateway security hardening checklist (2026)

## Edge

- [ ] AWS WAF WebACL associated (API stage or CloudFront distribution in front)
- [ ] Rate-based rules on auth and checkout paths
- [ ] Managed rule groups: Core, Known Bad Inputs; add anonymous IP / bot control if abuse seen
- [ ] Shield Standard on by default; Shield Advanced only if DDoS response SLA justifies cost

## Authn / Authz

- [ ] No open methods without intentional public design
- [ ] Cognito JWT authorizer or IAM or AVP Lambda authorizer on every protected method
- [ ] Resource policy denies unexpected principals / VPCs for private APIs
- [ ] Token TTL and refresh rotation reviewed; revoke path tested

## Network

- [ ] Private APIs use VPC endpoints; resource policy scoped to VPC/VPCE
- [ ] Security groups: least privilege to backends
- [ ] If VPC Lattice: SG rules allow gateway ↔ target on 443 only as documented

## Abuse & ops

- [ ] Usage plans / API keys only as metering — not as sole auth
- [ ] Throttling burst/rate set below backend saturation
- [ ] CloudWatch: 4XX/5XX, latency, WAF blocked requests alarms
- [ ] Access logging to S3/CloudWatch with PII redaction plan
