LOW · API Gateway · Reliability

API Gateway Stage Missing Throttling

apigateway-throttling-missing

What this rule checks

Detects API Gateway stages that configure no method-level rate or burst limits, leaving backends exposed to traffic spikes and uncontrolled cost.

How to fix it

  1. Add MethodSettings with ThrottlingRateLimit and ThrottlingBurstLimit (e.g. for HttpMethod "*")
  2. Tune per-method limits for hot paths

Flagged: The stage sets no method throttling, so a traffic spike can overwhelm backends and run up cost.
import * as apigateway from 'aws-cdk-lib/aws-apigateway';

new apigateway.CfnStage(this, 'Stage', {
  restApiId: 'abcdef1234',
  deploymentId: 'deploy1234',
  stageName: 'prod',
});
Fixed: Method settings with throttlingRateLimit and throttlingBurstLimit cap request rates, protecting integrations and controlling cost.
import * as apigateway from 'aws-cdk-lib/aws-apigateway';

new apigateway.CfnStage(this, 'Stage', {
  restApiId: 'abcdef1234',
  deploymentId: 'deploy1234',
  stageName: 'prod',
  methodSettings: [
    {
      httpMethod: '*',
      resourcePath: '/*',
      throttlingRateLimit: 100,
      throttlingBurstLimit: 200,
    },
  ],
});
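The two fix steps above (a stage-wide wildcard entry, then tighter limits for hot paths) and the rule's check itself can be shown in plain TypeScript without aws-cdk-lib installed. The following is an added example, not CDK Insights' own code or the rule's actual implementation: it builds a methodSettings array shaped like CfnStage.methodSettings, and runs a simplified version of the check over a constructed slice of a synthesized CloudFormation template. The "METHOD /path" key convention for hot paths and the sample template are assumptions made here.

```typescript
// Added example (not CDK Insights' code). Plain objects shaped like
// AWS::ApiGateway::Stage MethodSettings so the file runs stand-alone.

// Mirrors one entry of CfnStage.methodSettings (camelCase, as in CDK).
interface MethodSetting {
  httpMethod: string;
  resourcePath: string;
  throttlingRateLimit?: number;
  throttlingBurstLimit?: number;
}

interface ThrottleLimits {
  rate: number;  // steady-state requests per second
  burst: number; // token-bucket capacity absorbing short spikes
}

// Fix steps 1 and 2: a catch-all '*' on '/*' plus per-method overrides for
// hot paths. API Gateway applies the most specific path/method entry, so the
// wildcard stays as the floor for everything else.
// hotPaths keys use a constructed "METHOD /resource/path" convention.
function buildMethodSettings(
  defaults: ThrottleLimits,
  hotPaths: Record<string, ThrottleLimits> = {},
): MethodSetting[] {
  const settings: MethodSetting[] = [
    { httpMethod: '*', resourcePath: '/*',
      throttlingRateLimit: defaults.rate, throttlingBurstLimit: defaults.burst },
  ];
  for (const [key, limits] of Object.entries(hotPaths)) {
    const [method, path] = key.split(' ', 2);
    if (!method || !path) throw new Error(`bad hot-path key: ${key}`);
    settings.push({ httpMethod: method, resourcePath: path,
      throttlingRateLimit: limits.rate, throttlingBurstLimit: limits.burst });
  }
  return settings;
}

// Minimal slice of a synthesized CloudFormation template (constructed shape).
interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
}

// An entry counts as throttled only if it sets BOTH limits; a rate without a
// burst (or vice versa) still leaves one dimension uncapped.
function isThrottled(setting: unknown): boolean {
  if (typeof setting !== 'object' || setting === null) return false;
  const s = setting as Record<string, unknown>;
  return typeof s.ThrottlingRateLimit === 'number'
      && typeof s.ThrottlingBurstLimit === 'number';
}

// Simplified check: logical IDs of AWS::ApiGateway::Stage resources with no
// throttled MethodSettings entry. The real rule may differ in detail.
function findUnthrottledStages(template: CfnTemplate): string[] {
  const flagged: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::ApiGateway::Stage') continue;
    const settings = res.Properties?.MethodSettings;
    const ok = Array.isArray(settings) && settings.some(isThrottled);
    if (!ok) flagged.push(logicalId);
  }
  return flagged;
}

// Constructed sample: one stage like the Flagged snippet, one like the Fixed one.
const sampleTemplate: CfnTemplate = {
  Resources: {
    UnthrottledStage: {
      Type: 'AWS::ApiGateway::Stage',
      Properties: { RestApiId: 'abcdef1234', DeploymentId: 'deploy1234', StageName: 'prod' },
    },
    ThrottledStage: {
      Type: 'AWS::ApiGateway::Stage',
      Properties: {
        RestApiId: 'abcdef1234', DeploymentId: 'deploy1234', StageName: 'prod',
        MethodSettings: [
          { HttpMethod: '*', ResourcePath: '/*', ThrottlingRateLimit: 100, ThrottlingBurstLimit: 200 },
        ],
      },
    },
    NotAStage: { Type: 'AWS::Lambda::Function' },
  },
};

console.log(findUnthrottledStages(sampleTemplate)); // ["UnthrottledStage"]
console.log(buildMethodSettings({ rate: 100, burst: 200 },
  { 'POST /orders': { rate: 20, burst: 40 } }));
```

Running the file prints the single flagged logical ID and a two-entry methodSettings array (the wildcard floor plus the tighter POST /orders override), which is the shape you would pass to CfnStage as in the Fixed snippet.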

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::ApiGateway::Stage

Compliance frameworks

SOC2

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate: a genuinely public endpoint, say. You can dismiss apigateway-throttling-missing and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "apigateway-throttling-missing", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::apigateway-throttling-missing',
  reason: 'Why this is intentional',
});

Use the rule ID apigateway-throttling-missing shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See the suppression docs for details.

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.
