API Gateway methods should validate request parameters
Without request parameter validation at the API Gateway level, malformed or incomplete requests pass straight through to your backend. This wastes compute, inflates error rates, and feeds unexpected input to services that may not handle it gracefully.
API Gateway's built-in request validators reject invalid requests with a 400 before they reach Lambda, ECS, or EC2. Shifting that check to the edge reduces backend load and gives API consumers a consistent error format, rather than whatever your backend happens to return when it receives garbage input.
Retrofit consideration
Existing APIs may have methods without request validators. Adding parameter validation to live methods can break clients that currently send requests missing required parameters. Audit consumer traffic patterns before enabling.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_api_gateway_method.
resource "aws_api_gateway_rest_api" "this" {
  name = "pofix-abc123"
}

resource "aws_api_gateway_method" "this" {
  authorization        = "AWS_IAM"
  http_method          = "GET"
  request_validator_id = "abc123"
  resource_id          = "abc123"
  rest_api_id          = "abc123"
}
What this control checks
To pass, each aws_api_gateway_method resource must reference a request validator with validate_request_parameters set to true. Create an aws_api_gateway_request_validator with that flag enabled, then set request_validator_id on the method to its ID. It fails if request_validator_id is missing or if the referenced validator has validate_request_parameters set to false. Required parameters also need entries in the method's request_parameters map (e.g., "method.request.querystring.name" = true). Without those declarations, the validator has nothing to enforce.
Common pitfalls
Validator exists but does not validate parameters
Easy to miss: validate_request_body and validate_request_parameters are independent flags on aws_api_gateway_request_validator. A validator configured only for body validation leaves parameter checking disabled. The method has a validator attached, but the control still fails.
Empty request_parameters map
Setting request_validator_id on an aws_api_gateway_method but omitting all entries from request_parameters means the validator has nothing to enforce. API Gateway accepts any request because no parameters are declared as required. Define parameters like "method.request.header.Authorization" = true to make validation meaningful.
Redeployment required after changes
After modifying aws_api_gateway_method or aws_api_gateway_request_validator, create a new aws_api_gateway_deployment and associate it with the stage. REST API changes are not reflected in live stages until redeployment, so validation config updates can sit dormant in Terraform state without ever taking effect.
HTTP API vs REST API confusion
This control applies to REST APIs (aws_api_gateway_rest_api), not HTTP APIs (aws_apigatewayv2_api). HTTP APIs use a different validation model based on OpenAPI schema definitions and do not support aws_api_gateway_request_validator resources.
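The following Terraform is an added example, not part of the original page: a REST API method that passes this control and avoids the pitfalls above. The resource names, the customer_id query parameter, the MOCK integration and the prod stage name are assumptions chosen for illustration.

```hcl
# Added example; "example-api", "customer_id" and "prod" are illustrative names.
resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"
}

# Parameter validation is its own flag; body validation alone does not pass.
resource "aws_api_gateway_request_validator" "params" {
  name                        = "validate-parameters"
  rest_api_id                 = aws_api_gateway_rest_api.example.id
  validate_request_parameters = true
}

resource "aws_api_gateway_method" "get_root" {
  rest_api_id          = aws_api_gateway_rest_api.example.id
  resource_id          = aws_api_gateway_rest_api.example.root_resource_id
  http_method          = "GET"
  authorization        = "AWS_IAM"
  request_validator_id = aws_api_gateway_request_validator.params.id
  # true marks the parameter as required, giving the validator something to enforce.
  request_parameters = { "method.request.querystring.customer_id" = true }
}

# A deployment needs at least one integrated method; MOCK stands in for a backend.
resource "aws_api_gateway_integration" "get_root" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  resource_id = aws_api_gateway_rest_api.example.root_resource_id
  http_method = aws_api_gateway_method.get_root.http_method
  type        = "MOCK"
}

# Hashing the method and validator forces a new deployment when either changes.
resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_method.get_root,
      aws_api_gateway_request_validator.params,
      aws_api_gateway_integration.get_root,
    ]))
  }
  lifecycle { create_before_destroy = true }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = "prod"
}
```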
Audit evidence
Auditors expect Config rule results showing all API Gateway methods compliant, or equivalent output from a policy scanning tool. Supporting evidence includes Console screenshots of the Method Request panel with a validator assigned and parameter validation enabled, with required parameters listed. CloudTrail UpdateMethod and CreateRequestValidator events establish when validation was configured and by whom. For APIs imported via OpenAPI/Swagger, the exported definition with x-amazon-apigateway-request-validator annotations covers the documentation requirement.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: api_gateway_method_request_parameter_validated
Checkov Check: CKV2_AWS_53
Powerpipe Control: aws_compliance.control.api_gateway_method_request_parameter_validated
Last reviewed: 2026-03-08