API Gateway stage without usage plan associated This product is not supported for your selected
Datadog site . (
).
Id: cloudformation-aws-api-gateway-stage-without-api-gateway-usage-plan-associated
Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Resource Management
Learn More Description API Gateway stages must be associated with an API Gateway usage plan to enforce throttling and quota limits and enable API key–based access control. Without a usage plan, a stage is vulnerable to abusive clients, excessive request rates, service exhaustion, and unexpected costs.
Verify the template includes an AWS::ApiGateway::UsagePlan resource and that its Properties.ApiStages array contains an entry where:
ApiId equals the stage’s RestApiIdStage equals the stage’s StageNameResources missing a usage plan or whose usage plan ApiStages does not include a matching ApiId/Stage pair will be flagged. Use intrinsic references so values match, for example:
MyApi :
Type : AWS::ApiGateway::RestApi
MyStage :
Type : AWS::ApiGateway::Stage
Properties :
RestApiId : !Ref MyApi
StageName : prod
MyUsagePlan :
Type : AWS::ApiGateway::UsagePlan
Properties :
UsagePlanName : MyUsagePlan
ApiStages :
- ApiId : !Ref MyApi
Stage : !Ref MyStage
Compliant Code Examples AWSTemplateFormatVersion : "2010-09-09"
Description : "Router53"
Resources :
Prod :
Type : AWS::ApiGateway::Stage
Properties :
StageName : Prod
Description : Prod Stage
RestApiId : !Ref MyRestApi
DeploymentId : !Ref TestDeployment
DocumentationVersion : !Ref MyDocumentationVersion
ClientCertificateId : !Ref ClientCertificate
Variables :
Stack : Prod
MethodSettings :
- ResourcePath : /
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
- ResourcePath : /stack
HttpMethod : POST
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '999'
- ResourcePath : /stack
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '555'
usagePlan :
Type : 'AWS::ApiGateway::UsagePlan'
Properties :
ApiStages :
- ApiId : !Ref MyRestApi
Stage : !Ref Prod
Description : Customer ABC's usage plan
Quota :
Limit : 5000
Period : MONTH
Throttle :
BurstLimit : 200
RateLimit : 100
UsagePlanName : Plan_ABC
{
"Resources" : {
"Prod" : {
"Type" : "AWS::ApiGateway::Stage" ,
"Properties" : {
"ClientCertificateId" : "ClientCertificate" ,
"Variables" : {
"Stack" : "Prod"
},
"MethodSettings" : [
{
"ResourcePath" : "/" ,
"HttpMethod" : "GET" ,
"MetricsEnabled" : "true" ,
"DataTraceEnabled" : "false"
},
{
"ResourcePath" : "/stack" ,
"HttpMethod" : "POST" ,
"MetricsEnabled" : "true" ,
"DataTraceEnabled" : "false" ,
"ThrottlingBurstLimit" : "999"
},
{
"MetricsEnabled" : "true" ,
"DataTraceEnabled" : "false" ,
"ThrottlingBurstLimit" : "555" ,
"ResourcePath" : "/stack" ,
"HttpMethod" : "GET"
}
],
"StageName" : "Prod" ,
"Description" : "Prod Stage" ,
"RestApiId" : "MyRestApi" ,
"DeploymentId" : "TestDeployment" ,
"DocumentationVersion" : "MyDocumentationVersion"
}
},
"usagePlan" : {
"Type" : "AWS::ApiGateway::UsagePlan" ,
"Properties" : {
"ApiStages" : [
{
"Stage" : "Prod" ,
"ApiId" : "MyRestApi"
}
],
"Description" : "Customer ABC's usage plan" ,
"Quota" : {
"Period" : "MONTH" ,
"Limit" : 5000
},
"Throttle" : {
"BurstLimit" : 200 ,
"RateLimit" : 100
},
"UsagePlanName" : "Plan_ABC"
}
}
},
"AWSTemplateFormatVersion" : "2010-09-09" ,
"Description" : "Router53"
}
Non-Compliant Code Examples AWSTemplateFormatVersion : "2010-09-09"
Description : "Router53"
Resources :
Prod :
Type : AWS::ApiGateway::Stage
Properties :
StageName : Prod
Description : Prod Stage
RestApiId : !Ref MyRestApi
DeploymentId : !Ref TestDeployment
DocumentationVersion : !Ref MyDocumentationVersion
ClientCertificateId : !Ref ClientCertificate
Variables :
Stack : Prod
MethodSettings :
- ResourcePath : /
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
- ResourcePath : /stack
HttpMethod : POST
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '999'
- ResourcePath : /stack
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '555'
AWSTemplateFormatVersion : "2010-09-09"
Description : "Router53"
Resources :
Prod1 :
Type : AWS::ApiGateway::Stage
Properties :
StageName : Prod
Description : Prod Stage
RestApiId : !Ref MyRestApi
DeploymentId : !Ref TestDeployment
DocumentationVersion : !Ref MyDocumentationVersion
ClientCertificateId : !Ref ClientCertificate
Variables :
Stack : Prod
MethodSettings :
- ResourcePath : /
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
- ResourcePath : /stack
HttpMethod : POST
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '999'
- ResourcePath : /stack
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '555'
usagePlan1 :
Type : 'AWS::ApiGateway::UsagePlan'
Properties :
ApiStages :
- ApiId : !Ref MyRestApi
Stage : !Ref Prod1
Description : Customer ABC's usage plan
Quota :
Limit : 5000
Period : MONTH
Throttle :
BurstLimit : 200
RateLimit : 100
UsagePlanName : Plan_ABC
AWSTemplateFormatVersion : "2010-09-09"
Description : "Router53"
Resources :
Prod2 :
Type : AWS::ApiGateway::Stage
Properties :
StageName : Prod
Description : Prod Stage
RestApiId : !Ref MyRestApi1
DeploymentId : !Ref TestDeployment
DocumentationVersion : !Ref MyDocumentationVersion
ClientCertificateId : !Ref ClientCertificate
Variables :
Stack : Prod
MethodSettings :
- ResourcePath : /
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
- ResourcePath : /stack
HttpMethod : POST
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '999'
- ResourcePath : /stack
HttpMethod : GET
MetricsEnabled : 'true'
DataTraceEnabled : 'false'
ThrottlingBurstLimit : '555'
usagePlan2 :
Type : 'AWS::ApiGateway::UsagePlan'
Properties :
ApiStages :
- ApiId : !Ref MyRestApi
Stage : !Ref Prod
Description : Customer ABC's usage plan
Quota :
Limit : 5000
Period : MONTH
Throttle :
BurstLimit : 200
RateLimit : 100
UsagePlanName : Plan_ABC
