API Gateway deployment without usage plan associated
This product is not supported for your selected
Datadog site. (
).
Id: 783860a3-6dca-4c8b-81d0-7b62769ccbca
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Observability
Learn More
Description
API Gateway deployments must be associated with a usage plan to enforce throttling and quotas. This mitigates abuse, denial-of-service risks, and unexpected cost spikes from unbounded API traffic.
For each AWS::ApiGateway::Deployment, there must be an AWS::ApiGateway::UsagePlan resource whose Properties.ApiStages array contains an entry with:
ApiId equal to the deployment’s Properties.RestApiIdStage equal to the deployment’s Properties.StageName
Resources missing a usage plan or with no ApiStages entry matching the deployment’s RestApiId and StageName will be flagged.
Secure configuration example (CloudFormation YAML):
MyApi:
Type: AWS::ApiGateway::RestApi
MyDeployment:
Type: AWS::ApiGateway::Deployment
Properties:
RestApiId: !Ref MyApi
StageName: prod
MyUsagePlan:
Type: AWS::ApiGateway::UsagePlan
Properties:
UsagePlanName: api-usage-plan
ApiStages:
- ApiId: !Ref MyApi
Stage: prod
Throttle:
RateLimit: 100
BurstLimit: 200
Quota:
Limit: 10000
Period: MONTH
Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Deployment:
Type: 'AWS::ApiGateway::Deployment'
Properties:
RestApiId: !Ref MyRestApi
Description: My deployment
StageName: Prod
usagePlan:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"Deployment": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"RestApiId": "MyRestApi",
"Description": "My deployment",
"StageName": "Prod"
}
},
"usagePlan": {
"Type": "AWS::ApiGateway::UsagePlan",
"Properties": {
"ApiStages": [
{
"ApiId": "MyRestApi",
"Stage": "Prod"
}
],
"Description": "Customer ABC's usage plan",
"Quota": {
"Limit": 5000,
"Period": "MONTH"
},
"Throttle": {
"RateLimit": 100,
"BurstLimit": 200
},
"UsagePlanName": "Plan_ABC"
}
}
}
}
Non-Compliant Code Examples
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Deployment1:
Type: 'AWS::ApiGateway::Deployment'
Properties:
RestApiId: !Ref MyRestApi
Description: My deployment
StageName: Prod
usagePlan1:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod1
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
AWSTemplateFormatVersion: "2010-09-09"
Description: "Router53"
Resources:
Deployment2:
Type: 'AWS::ApiGateway::Deployment'
Properties:
RestApiId: !Ref MyRestApi
Description: My deployment
StageName: Prod1
usagePlan2:
Type: 'AWS::ApiGateway::UsagePlan'
Properties:
ApiStages:
- ApiId: !Ref MyRestApi
Stage: !Ref Prod
Description: Customer ABC's usage plan
Quota:
Limit: 5000
Period: MONTH
Throttle:
BurstLimit: 200
RateLimit: 100
UsagePlanName: Plan_ABC
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Router53",
"Resources": {
"Deployment1": {
"Properties": {
"RestApiId": "MyRestApi",
"Description": "My deployment",
"StageName": "Prod"
},
"Type": "AWS::ApiGateway::Deployment"
},
"usagePlan1": {
"Properties": {
"Quota": {
"Limit": 5000,
"Period": "MONTH"
},
"Throttle": {
"BurstLimit": 200,
"RateLimit": 100
},
"UsagePlanName": "Plan_ABC",
"ApiStages": [
{
"ApiId": "MyRestApi",
"Stage": "Prod1"
}
],
"Description": "Customer ABC's usage plan"
},
"Type": "AWS::ApiGateway::UsagePlan"
}
}
}
