For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-serverless-api-without-content-encoding.md.
A documentation index is available at /llms.txt.
Serverless APIs should enable response compression by configuring MinimumCompressionSize to reduce response sizes, lower bandwidth costs, and limit the risk of backend resource exhaustion from large uncompressed payloads. The MinimumCompressionSize property on AWS::Serverless::Api resources must be defined as an integer between 0 and 10485759 (that is, greater than -1 and less than 10485760). Resources missing this property or with values less than 0 or greater than 10485759 will be flagged. A typical secure configuration sets a threshold in bytes (for example, 1024) to compress responses larger than that size:
AWSTemplateFormatVersion:'2010-09-09'Transform:AWS::Serverless-2016-10-31Description:AWS SAM template with a simple API definitionResources:ApiGatewayApi4:Type:AWS::Serverless::ApiProperties:StageName:prodTracingEnabled:trueCacheClusterEnabled:trueAccessLogSetting:DestinationArn:'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'Format:>- {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}MinimumCompressionSize:114
Non-Compliant Code Examples
AWSTemplateFormatVersion:'2010-09-09'Transform:AWS::Serverless-2016-10-31Description:AWS SAM template with a simple API definitionResources:ApiGatewayApi:Type:AWS::Serverless::ApiProperties:StageName:prodTracingEnabled:trueCacheClusterEnabled:trueAccessLogSetting:DestinationArn:'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'Format:>- {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}
AWSTemplateFormatVersion:'2010-09-09'Transform:AWS::Serverless-2016-10-31Description:AWS SAM template with a simple API definitionResources:ApiGatewayApi2:Type:AWS::Serverless::ApiProperties:StageName:prodTracingEnabled:trueCacheClusterEnabled:trueAccessLogSetting:DestinationArn:'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'Format:>- {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}MinimumCompressionSize:-1
AWSTemplateFormatVersion:'2010-09-09'Transform:AWS::Serverless-2016-10-31Description:AWS SAM template with a simple API definitionResources:ApiGatewayApi3:Type:AWS::Serverless::ApiProperties:StageName:prodTracingEnabled:trueCacheClusterEnabled:trueAccessLogSetting:DestinationArn:'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'Format:>- {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
"caller":"$context.identity.caller",
"user":"$context.identity.user","requestTime":"$context.requestTime",
"eventType":"$context.eventType","routeKey":"$context.routeKey",
"status":"$context.status","connectionId":"$context.connectionId"}MinimumCompressionSize:11485759
1
2
rulesets:- CloudFormation / AWS # Rules to enforce / AWS.
Request a personalized demo
Get Started with Datadog
Ask AI
AI-generated responses may be inaccurate. Verify important info.
