Terraform AWS API Gateway v2

HTTP and WebSocket APIs with routes, stages, custom domains, TLS certificates, access logs, JWT or Lambda authorizers, throttling, and private or public integrations.

Controls enforced

These compliance controls are checked at terraform plan time.

API Gateway V2 stages should have access logging configured(low effort)

Quick start

module "apigateway-v2" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

module "apigateway-v2" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

module "apigateway-v2" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

module "apigateway-v2" {
  source  = "nis2.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

module "apigateway-v2" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

module "apigateway-v2" {
  source  = "soc2.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"

  # ... your arguments here
}

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "apigateway-v2" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"
}

module "apigateway-v2" {
  source  = "soc2.compliance.tf/terraform-aws-modules/apigateway-v2/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "apigateway-v2" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

API Gateway V2 stages should have access logging configured

Detection

API Gateway V2 stages should have access logging configured

A.8.15 Logging

API Gateway V2 stages should have access logging configured

11 Access control

API Gateway V2 stages should have access logging configured

3 Incident handling

API Gateway V2 stages should have access logging configured

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

API Gateway V2 stages should have access logging configured

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

API Gateway V2 stages should have access logging configured

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

API Gateway V2 stages should have access logging configured

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

API Gateway V2 stages should have access logging configured

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

API Gateway V2 stages should have access logging configured

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

API Gateway V2 stages should have access logging configured

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

API Gateway V2 stages should have access logging configured

PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements

API Gateway V2 stages should have access logging configured

Framework coverage

Which controls from this module are active under each framework endpoint.

Control	PCI DSS v4.0	SOC 2
API Gateway V2 stages should have access logging configured	●	●

● enforced by default · ○ not activated by this endpoint