---
title: API Gateway without SSL certificate
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > API Gateway without SSL certificate
---

# API Gateway without SSL certificate

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-aws-api-gateway-without-ssl-certificate` 

**Provider:** AWS

**Platform:** Terraform

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id)

### Description{% #description %}

When configuring an `aws_api_gateway_stage` resource in Terraform, the `client_certificate_id` attribute should be set to enable SSL client certificate authentication. Without specifying `client_certificate_id`, clients can access your API Gateway stage without presenting a valid client-side certificate, leaving the API vulnerable to unauthorized access. Enabling this attribute, as shown below, ensures that only clients with a valid certificate can establish SSL connections:

```
resource "aws_api_gateway_stage" "example" {
  stage_name            = "prod"
  rest_api_id           = aws_api_gateway_rest_api.test.id
  deployment_id         = aws_api_gateway_deployment.test.id
  client_certificate_id = "12131323"
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "aws_api_gateway_stage" "negative1" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id


  client_certificate_id = "12131323"

}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "aws_api_gateway_stage" "positive1" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.test.id
  deployment_id = aws_api_gateway_deployment.test.id

}
```