From 6448eaaad1b4edaa2779c2d379f37a7c50d08d00 Mon Sep 17 00:00:00 2001
From: David Kaleko
Date: Wed, 25 Mar 2026 18:04:49 +0000
Subject: [PATCH] fix: enable API Gateway cache encryption at rest

Adds cache_data_encrypted/cacheDataEncrypted to both Terraform and CDK API Gateway method settings. Resolves KICS critical finding for unencrypted API Gateway cache.
---
 infra-cdk/lib/backend-stack.ts | 1 +
 infra-terraform/modules/backend/feedback.tf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/infra-cdk/lib/backend-stack.ts b/infra-cdk/lib/backend-stack.ts
index d4fb97bb..2f838d9f 100644
--- a/infra-cdk/lib/backend-stack.ts
+++ b/infra-cdk/lib/backend-stack.ts
@@ -551,6 +551,7 @@ export class BackendStack extends cdk.NestedStack {
 throttlingRateLimit: 100,
 throttlingBurstLimit: 200,
 cachingEnabled: true,
+ cacheDataEncrypted: true,
 cacheClusterEnabled: true,
 cacheClusterSize: "0.5",
 cacheTtl: cdk.Duration.minutes(5),
diff --git a/infra-terraform/modules/backend/feedback.tf b/infra-terraform/modules/backend/feedback.tf
index d532b356..01880347 100644
--- a/infra-terraform/modules/backend/feedback.tf
+++ b/infra-terraform/modules/backend/feedback.tf
@@ -384,6 +384,7 @@ resource "aws_api_gateway_method_settings" "all" {
 throttling_rate_limit = local.api_throttling_rate_limit
 throttling_burst_limit = local.api_throttling_burst_limit
 caching_enabled = true
+ cache_data_encrypted = true
 cache_ttl_in_seconds = local.api_cache_ttl_seconds
 logging_level = "INFO"
 metrics_enabled = true
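Review bot: Neither the backend-stack.ts hunk nor the feedback.tf hunk records why the new flag is there, so a later tidy-up of the method settings could drop it and silently reopen the finding the commit message cites; a short comment on the added line in both files would anchor it, e.g. `cacheDataEncrypted: true, // encrypt cached responses at rest (KICS finding)` and `cache_data_encrypted = true # encrypt cached responses at rest (KICS finding)`. Encryption at rest only changes how the cache is stored, not what it serves: caching is enabled across the stage here (the Terraform resource is named "all" and the CDK options sit beside cacheClusterEnabled), so responses that differ per caller are only safe if the cache key includes the distinguishing request parameter or header, which this patch does not show and is worth confirming separately. Both the CDK options object and the Terraform settings block begin and end outside their hunks.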