Well Architected API Gateway

Default Configuration

Endpoint: Regional API Key: Required Tracing: Enabled Protocol Version: SecurityPolicyProtocol.TLS_V1_2_2021

Default ApiKey and Usage Plan

The default ApiKey and the corresponding Usage Plan is created unless the deployment is intentionally disabled by setting the deploy property to false. The default method options is set with ApiKey required at the root of the RestApi so that an ApiKey (could be a different one setup by the user) is required for all method invocations, unless specifically overridden by the user using additional method options for child methods. WaRestApi does allow the user to make ApiKey not required by default if the user set the ApiKeyRequired property to false intentionally in the root defaultMethodOptions when creating the WaRestApi construct instance. In this case, the default ApiKey and Usage Plan would still be created but the ApiKey would not be required. To completely disable the creation of the default ApiKey and Usage Plan, set the flag waDoNotCreateDefaultApiKey to true when creating the WaRestApi construct instance.

Access Logs

The default deployment stage of WaRestApi enables access logs using the destination of a specific CloudWatch LogGroup based on the name DefaultRestApiAccessLogGroup. The log entry format is the the CDK default Common Log Format.

To use a custom access log destination or use a custom log entry format, simply configured the accessLogDestination property or the accessLogFormat property in the deployOptions.

To turn off access log completely, though, the user has to set the property waDoNotEnableDefaultAccessLog to true. This property tells the WaRestApi construct to not enable the default access log at the default access log destination, but the user can still configure a custom access log destination if this property is set to true. If the user sets this property to true, and does not configure a custom access log destination, but configures an access log format, then an error will be thrown, same to the CDK RestApi under similar circumstances.

Default Alarms

  1. Server Error Alarm
    • Risk Level: Medium
    • Well Architected Pillar: Reliability, Performance


Default Usage

new WaRestApi(this, "LogicalId", {});

Custom Configuration

new WaRestApi(this, "LogicalId", {
deploy: true


It addresses the following compliance requirements

  1. APIs CloudWatch Logs
    • Risk Level: Medium
    • Compliance: GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Operational Excellence, Performance
  2. Detailed Metrics
    • Risk Level: Medium
    • Compliance: MAS, NIST4
    • Well Architected Pillar: Operational Excellence, Performance
  3. Enable API Cache
    • Risk Level: Medium
    • Compliance: NIST4
    • Well Architected Pillar: Performance
  4. API Cache encryption
    • Risk Level: High
    • Compliance: NIST4
    • Well Architected Pillar: Security
  5. Limit Rest API access
    • Risk Level: Medium
    • Compliance: NA
    • Well Architected Pillar: Security
  6. Tracing Enabled
    • Risk Level: Low
    • Compliance: MAS, NIST
    • Well Architected Pillar: Operational Excellence


  • RestApi
    • WaRestApi


  • Parameters

    Returns WaRestApi


alarms: Alarms = ...

All the default alarms configured for the Well Architected Rest API. You can add more alarms or delete default alarms from this Alarms object


  • Returns void

  • Parameters

    • endpointConfiguration: undefined | EndpointConfiguration
    • endpointTypes: undefined | EndpointType[]

    Returns undefined | EndpointType[]

  • Parameters

    • Optional waDoNotDeploy: boolean
    • Optional defaultMethodOptions: MethodOptions
    • Optional waDoNotCreateDefaultApiKey: boolean

    Returns undefined | MethodOptions

Generated using TypeDoc