For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible/aws/api_gateway_without_ssl_certificate.md. A documentation index is available at /llms.txt.

API Gateway without SSL certificate

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-api-gateway-without-ssl-certificate

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Learn More

Description

API Gateway integrations must validate TLS/SSL certificates to ensure backend endpoints are authentic and prevent man-in-the-middle attacks that can expose credentials or sensitive data.

The validate_certs property in Ansible community.aws.api_gateway and api_gateway tasks must be defined and set to a truthy value (Ansible yes or true). Resources missing this property or with validate_certs set to no or false are flagged.

If your backend uses self-signed certificates, prefer adding the CA to a trusted store or using proper certificate management rather than disabling certificate validation.

Secure example Ansible task:

- name: Create API Gateway with TLS validation
  community.aws.api_gateway:
    name: my-api
    state: present
    validate_certs: yes

Compliant Code Examples

- name: update API v2
  community.aws.api_gateway:
    name: my-api
    api_id: abc123321cba
    state: present
    swagger_file: my_api.yml
    validate_certs: yes
- name: Setup AWS API Gateway setup on AWS and deploy API definition v2
  community.aws.api_gateway:
    name: my-api-v2
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
    validate_certs: yes

Non-Compliant Code Examples

- name: update API
  community.aws.api_gateway:
    name: my-api
    api_id: 'abc123321cba'
    state: present
    swagger_file: my_api.yml
    validate_certs: no
- name: update API v1
  community.aws.api_gateway:
    name: my-api-v1
    api_id: 'abc123321cba'
    state: present
    swagger_file: my_api.yml
- name: Setup AWS API Gateway setup on AWS and deploy API definition
  community.aws.api_gateway:
    name: my-api-v2
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present
    validate_certs: no
- name: Setup AWS API Gateway setup on AWS and deploy API definition v1
  community.aws.api_gateway:
    name: my-api-v3
    swagger_file: my_api.yml
    stage: production
    cache_enabled: true
    cache_size: '1.6'
    tracing_enabled: true
    endpoint_type: EDGE
    state: present