Check-list for going live with API Gateway and Lambda


Disclaimer: this is a long list, and you don’t need to tick every box to go live. Think of it as a ladder: the more critical the system, the higher you should try to climb.


  1. Enable detailed monitoring to get per-method metrics (e.g. latency for GET /index). Without this, CloudWatch only reports aggregated metrics across all your endpoints, which is close to useless: there is no way to tell which endpoint is experiencing slow response times or a high error rate.
  2. Set up per-method alarms on tail latency. Use the Latency metric instead of IntegrationLatency: Latency covers the whole round trip through API Gateway, which is what the client experiences. Set the alarm on p90, p95 or p99 depending on your business requirement/SLA.
  3. Set up per-method alarms on high error RATES. Error count is easily skewed by request count – one error at 10,000 RPS is not worth waking up at 3am, but one error out of 10 RPS might be. Use the Average statistic for the 4XXError and 5XXError metrics, which gives you the error rate rather than the error count. See this page for more detail on the available API Gateway metrics.
  4. Set up per-method alarms on low success RATE. Similar to the above, but you have to use a computed metric (CloudWatch metric math) to calculate the success rate (i.e. 200 count / request count) instead.
  5. Enable X-Ray active tracing. This allows you to see traces in X-Ray as requests flow through API Gateway and Lambda. If you invest time in instrumenting the Lambda functions, this will help you identify performance issues.
  6. Add custom metrics for application-specific measurements. For APIs, you should record custom metrics asynchronously by publishing them to CloudWatch Logs first (by writing to stdout). This avoids adding extra latency to the Lambda invocation, and you won’t have to worry about error handling and retries when CloudWatch has a problem. You can use this SAR app to parse and forward these custom metrics to CloudWatch.
  7. Ensure you have tags. Consider adding tags for TEAM, FEATURE, COST CENTRE, etc. This helps with cost tracking in AWS Billing.

As you can see, you have to configure a lot of alarms! To make your life easier, I created a CloudFormation macro that can auto-generate the aforementioned latency and error alarms. Check it out! It also supports other resources such as Lambda, SQS and Step Functions.
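To make the per-method, rate-based alarms concrete, here is an added example (my own code, not the post's and not the CloudFormation macro above) that builds the CloudWatch PutMetricAlarm parameters for items 2 to 4; the API name, stage, method, resource and SNS topic ARN it takes are assumed inputs.

```javascript
// Added example (not from the original post): PutMetricAlarm parameters for the
// per-method latency, error-rate and success-rate alarms in items 2 to 4. It only
// builds the parameter objects, so it runs offline; topicArn is an assumed SNS topic.

// Per-method metrics need all four dimensions. With only ApiName and Stage you
// get the aggregated numbers the post describes as close to useless.
function methodDimensions({ apiName, stage, method, resource }) {
  return [
    { Name: 'ApiName', Value: apiName }, { Name: 'Stage', Value: stage },
    { Name: 'Method', Value: method }, { Name: 'Resource', Value: resource },
  ];
}

function alarmName(t, suffix) {
  return `${t.apiName}-${t.stage}-${t.method}${t.resource.replace(/\//g, '-')}-${suffix}`;
}

// 5 consecutive 1-minute periods; missing data (no traffic) is not an outage.
function common(topicArn) {
  return { EvaluationPeriods: 5, TreatMissingData: 'notBreaching', AlarmActions: [topicArn] };
}

// Item 2: tail latency on Latency (what the client sees), not IntegrationLatency.
function latencyAlarm(t, topicArn, thresholdMs) {
  return { ...common(topicArn), AlarmName: alarmName(t, 'p99-latency'), Period: 60,
    Namespace: 'AWS/ApiGateway', MetricName: 'Latency', Dimensions: methodDimensions(t),
    ExtendedStatistic: 'p99', Threshold: thresholdMs, ComparisonOperator: 'GreaterThanThreshold' };
}

// Item 3: a RATE, not a count. Each 5XXError sample is 0 or 1 per request, so the
// Average statistic is errors divided by requests: 0.01 means 1% of requests failed.
function errorRateAlarm(t, topicArn, maxRate) {
  return { ...common(topicArn), AlarmName: alarmName(t, '5xx-rate'), Period: 60,
    Namespace: 'AWS/ApiGateway', MetricName: '5XXError', Dimensions: methodDimensions(t),
    Statistic: 'Average', Threshold: maxRate, ComparisonOperator: 'GreaterThanThreshold' };
}

// Item 4: success rate needs metric math. The post divides 200 count by request
// count; with the built-in metrics that is (Count - 4XXError - 5XXError) / Count.
// A metric-math alarm takes Period per metric, not at the top level.
function successRateAlarm(t, topicArn, minPercent) {
  const sum = (id, name) => ({ Id: id, ReturnData: false, MetricStat: { Period: 60, Stat: 'Sum',
    Metric: { Namespace: 'AWS/ApiGateway', MetricName: name, Dimensions: methodDimensions(t) } } });
  return { ...common(topicArn), AlarmName: alarmName(t, 'success-rate'),
    Metrics: [sum('count', 'Count'), sum('e4xx', '4XXError'), sum('e5xx', '5XXError'),
      { Id: 'rate', Expression: '100 * (count - e4xx - e5xx) / count', Label: 'success %', ReturnData: true }],
    Threshold: minPercent, ComparisonOperator: 'LessThanThreshold' };
}
```

Each object can be passed straight to the SDK's putMetricAlarm call; when Count is zero the expression yields no data, which the notBreaching setting treats as healthy rather than as an alarm.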


  1. Review the default rate limiting configuration. The default throttling limit is shared by every API in the region, so the default setting leaves you vulnerable to a DoS attack against the whole region. Choose a sensible rate limit for every method.
  2. Configure WAF and enable an IP-based rate limiting rule. This offers you some protection against DoS attacks and can be enabled at either the API Gateway or the CloudFront layer.
  3. Configure WAF and enable the SQLi rule. This WAF rule protects you against basic SQL injection attacks.
  4. Have you protected the endpoints with authentication? Most endpoints in an API should be authenticated. For user-facing API endpoints, consider using Cognito User Pools or a custom Lambda authorizer. For internal APIs (used by other internal systems), consider using AWS_IAM. For a SaaS platform that needs to enforce usage quotas per client, use API keys.
  5. Enable API Gateway request validation. Take advantage of API Gateway’s request validation capability so you don’t pay for Lambda invocations on invalid requests.
  6. Implement response validation. Similar to the above, but validates the response instead. This prevents data exfiltration in the event an attacker is able to launch an injection attack and manipulate your function into fetching data it shouldn’t return. Unfortunately, API Gateway has no built-in response validation, so you have to implement this in your Lambda function. For Node.js functions, the middy middleware engine has a built-in validator middleware that supports response validation.
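An added example of the response validation in item 6 for a Node.js function (my own code, not the post's and not middy itself): a small allowlist validator and handler wrapper, with a constructed schema and two constructed handlers, one of which returns a field the API should never expose.

```javascript
// Added example (not from the original post): allowlist-style response validation
// for a Node.js Lambda function. A small schema checker stands in for middy's
// validator so it runs without dependencies; schema and handlers are constructed.

// Only declared fields may leave the function. additionalProperties: false is the
// important part: it is what stops an injection-driven "SELECT *" reaching the client.
const userResponseSchema = {
  type: 'object', required: ['id', 'name'],
  properties: { id: { type: 'string' }, name: { type: 'string' } },
  additionalProperties: false,
};

// Returns a list of violations; an empty list means the value matches the schema.
function validate(schema, value, path = '$') {
  if (schema.type !== 'object') {
    return typeof value === schema.type ? [] : [`${path}: expected ${schema.type}`];
  }
  if (typeof value !== 'object' || value === null || Array.isArray(value)) return [`${path}: expected object`];
  const errors = (schema.required || []).filter((k) => !(k in value)).map((k) => `${path}.${k}: missing`);
  for (const [key, v] of Object.entries(value)) {
    const sub = (schema.properties || {})[key];
    if (sub) errors.push(...validate(sub, v, `${path}.${key}`));
    else if (schema.additionalProperties === false) errors.push(`${path}.${key}: not allowed`);
  }
  return errors;
}

// Wraps a handler: a 2xx response that fails validation is replaced by a generic
// 500 and logged, so the leak is visible to you but never to the caller.
function withResponseValidation(schema, handler) {
  return (event, context) => {
    const res = handler(event, context);
    if (res.statusCode < 200 || res.statusCode >= 300) return res;
    const errors = validate(schema, JSON.parse(res.body));
    if (errors.length === 0) return res;
    console.error('response validation failed', { path: event.path, errors });
    return { statusCode: 500, body: JSON.stringify({ message: 'Internal error' }) };
  };
}

// Constructed handlers (synchronous for brevity): one well behaved, one returning
// a row with a column the API was never meant to expose.
const goodHandler = () => ({ statusCode: 200, body: JSON.stringify({ id: 'u1', name: 'alice' }) });
const leakyHandler = () => ({ statusCode: 200,
  body: JSON.stringify({ id: 'u1', name: 'alice', passwordHash: 'constructed-hash' }) });

const handler = withResponseValidation(userResponseSchema, goodHandler);
const guardedLeakyHandler = withResponseValidation(userResponseSchema, leakyHandler);
```

The console.error line is the detection hook: alarm on it (or count it as a custom metric, as in the observability list) and a leak attempt shows up even though the caller only ever sees a generic 500.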


  1. As a rule of thumb, cache as much as you can. You can implement caching at different layers; have a look at this post for more details. By default, try to cache at the edge with CloudFront where possible.
  2. Ensure Lambda has a short timeout. API Gateway has a max integration timeout of 29s, so Lambda’s timeout must be smaller than this. For user-facing APIs, the Lambda timeout should be less than 3 seconds. If your API needs to perform long-running tasks, then consider adopting the decoupled invocation pattern.


  1. Set up for multi-region, active-active. To protect against region-wide failures in AWS, you should consider going for a multi-region, active-active setup. Have a look at this post for more details.
  2. Implement circuit breakers with fallbacks. The circuit breaker pattern protects you against problems such as retry storms, and when combined with fallbacks it protects you from cascading failures, where one failing service takes down every system that depends on it.
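An added example (my own code, not from the post) of a circuit breaker with a fallback in front of a downstream call made inside a Lambda function; the pricing client, its responses and the clock are constructed so the example runs offline and deterministically.

```javascript
// Added example (not from the original post): a circuit breaker with a fallback in
// front of a downstream call. Synchronous, with an injectable clock; downstream constructed.
class CircuitBreaker {
  constructor({ failureThreshold, resetAfterMs, now = () => Date.now() }) {
    this.failureThreshold = failureThreshold; // consecutive failures that open the circuit
    this.resetAfterMs = resetAfterMs;         // how long to stay open before one trial call
    this.now = now; this.failures = 0;
    this.openedAt = null;                     // null means closed (normal operation)
  }

  state() {
    if (this.openedAt === null) return 'closed';
    return this.now() - this.openedAt >= this.resetAfterMs ? 'half-open' : 'open';
  }

  // While open, the downstream is not called at all, which is what stops a retry
  // storm from piling onto a service that is already struggling.
  exec(call, fallback) {
    if (this.state() === 'open') return fallback();
    try {
      const result = call();            // closed: normal call; half-open: single trial call
      this.failures = 0;
      this.openedAt = null;             // success closes the circuit again
      return result;
    } catch (err) {
      this.failures += 1;
      if (this.state() === 'half-open' || this.failures >= this.failureThreshold) {
        this.openedAt = this.now();     // open (or re-open) the circuit
      }
      return fallback(err);
    }
  }
}

// Constructed downstream: a flaky pricing service the API depends on. The fallback
// serves the last known price marked stale instead of failing the whole request,
// so a pricing outage does not cascade into an outage of this API.
function makePricingClient(breaker, responses) {
  let lastKnown = { price: 0, stale: false };
  return () => breaker.exec(
    () => {
      const r = responses.shift();
      if (r instanceof Error) throw r;
      return (lastKnown = { price: r, stale: false });
    },
    () => ({ price: lastKnown.price, stale: true }),
  );
}
```

Scope a breaker to one downstream dependency and keep it in module scope so its state survives across warm invocations of the same container.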


  1. Test the API end-to-end. Don’t stop at testing the functions locally with mocks & stubs. You should test the API end-to-end by talking to it through its HTTP interface and ensure everything actually works, including permissions settings and request validation.
  2. Consider adopting consumer-driven contract testing. This is really useful in a large organization where teams often depend on other teams’ APIs. Consumer-driven contract testing helps prevent one team from accidentally releasing contract changes (which can be behavioural) that break an upstream system. Pact is the most prominent tool for implementing consumer-driven contract testing.
  3. Run load test with realistic user journeys. While API Gateway and Lambda are both scalable, you still need to ensure you understand the scaling behaviour of the whole system. These tests would also stress your downstream systems (databases, queues, other APIs, etc.) to highlight where your scaling bottlenecks are.


  1. Publish the Swagger/API spec. This helps share information about your service, and can be done as part of your CI process. To do this, you need to call getExport against the API id.
Hi, I’m Yan. I’m an AWS Serverless Hero and I help companies go faster for less by adopting serverless technologies successfully.