Serverless API cache cluster disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Serverless API cache cluster disabled

Metadata

Id: 60a05ede-0a68-4d0d-a58f-f538cf55ff79

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Insecure Configurations

Learn More

Provider Reference

Description

Amazon API Gateway caching should be enabled for Serverless APIs to reduce backend load and lower latency, helping prevent request amplification that can degrade performance or cause service outages. The CacheClusterEnabled property on AWS::Serverless::Api resources must be defined and set to true. Resources where CacheClusterEnabled is missing, null, or set to false will be flagged. Also consider configuring CacheClusterSize to provision adequate cache capacity for your expected traffic.

Secure configuration example:

MyApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: Prod
    CacheClusterEnabled: true

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi3:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: false

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true