Ensure that an API Key is required on a Method Request

API keys are string tokens that you provide to client application developers to grant access to your APIs. You can use API keys together with usage plans or Lambda authorizers to control access to your APIs. API Gateway can generate API keys on your behalf, or you can import them from a CSV file.

Risk Level: High
Cloud Entity: Amazon API Gateway
CloudGuard Rule ID: D9.CFT.NET.06
Covered by Spectral: Yes
Category: Networking & Content Delivery


AWS_ApiGateway_Method should have ApiKeyRequired='true'


From CFT
Set AWS::ApiGateway::Method ApiKeyRequired property to be other than 'None'


  1. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-console.html
  2. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-create-api.html

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ���front door��� for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication a

Compliance Frameworks

  • AWS CloudFormation ruleset