False positive for apigateway:TagResource and apigateway:UntagResource actions (W3037) #4280

@rk-17

CloudFormation Lint Version

1.40.0 and 1.40.4

What operating system are you using?

Mac, Ubuntu, Amazon Linux 2023

Describe the bug

cfn-lint incorrectly reports a W3037 warning for valid IAM actions apigateway:TagResource and apigateway:UntagResource.

These actions are officially supported by AWS API Gateway and are required for tagging and untagging API Gateway resources. However, cfn-lint flags them as invalid operations under API Gateway, preventing valid CloudFormation templates from passing lint checks.

Expected behavior
cfn-lint should recognize apigateway:TagResource and apigateway:UntagResource as valid AWS API Gateway IAM actions and should not raise a W3037 warning.

These actions are officially documented by AWS and are required for tagging and untagging API Gateway resources. The linter should allow these permissions without flagging them as invalid operations.

Reproduction template

To Reproduce
Steps to reproduce the behavior:

  1. Create a simple CloudFormation template containing the following IAM policy:
    Policies:
      - PolicyName: ApiGatewayTagging
        PolicyDocument:
          Version: 2010-09-09
          Statement:
            - Effect: Allow
              Action:
                - apigateway:TagResource
                - apigateway:UntagResource
              Resource: "*"
  2. Run the cfn-lint command:
    cfn-lint -t template.yaml
  3. Observe the output:
    W3037 '*resource' is not one of ['addcertificatetodomain', 'createaccessassociation', 'createroutingrule', 'delete', 'deleteroutingrule', 'get', 'getroutingrule', 'listroutingrules', 'patch', 'post', 'put', 'rejectaccessassociation', 'removecertificatefromdomain', 'setwebacl', 'updatedomainnamemanagementpolicy', 'updatedomainnamepolicy', 'updaterestapipolicy', 'updateroutingrule']
    bootstrap/CrossAccount-Deploy-Role.yaml:1062:25

    W3037 'untagresource' is not one of ['addcertificatetodomain', 'createaccessassociation', 'createroutingrule', 'delete', 'deleteroutingrule', 'get', 'getroutingrule', 'listroutingrules', 'patch', 'post', 'put', 'rejectaccessassociation', 'removecertificatefromdomain', 'setwebacl', 'updatedomainnamemanagementpolicy', 'updatedomainnamepolicy', 'updaterestapipolicy', 'updateroutingrule']
    bootstrap/CrossAccount-Deploy-Role.yaml:1062:25
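
A triage helper for the W3037 text output quoted in the report above, added here as an example and not part of the original issue or of cfn-lint: it parses the message and location pairs and separates the two actions the report states are valid from other W3037 findings, so a genuine typo in an IAM action is still surfaced. The function names, `REVIEWED_ACTIONS`, `SERVICE_MARKER` and the sample output are assumptions made for illustration.

```python
import re

# Constructed sample in the text format quoted in the report (allowed list shortened).
SAMPLE = """\
W3037 'untagresource' is not one of ['delete', 'get', 'patch', 'updaterestapipolicy']
template.yaml:12:25

W3037 'gett' is not one of ['delete', 'get', 'patch', 'updaterestapipolicy']
template.yaml:20:25
"""

FINDING = re.compile(r"^(W\d{4}) '([^']*)' is not one of \[(.*)\]$")
LOCATION = re.compile(r"^(.+):(\d+):(\d+)$")
# Assumptions: the two actions the report states are valid, plus one action name from the
# API Gateway list in the report, used to recognise that service (no prefix in the message).
REVIEWED_ACTIONS = {"tagresource", "untagresource"}
SERVICE_MARKER = "updaterestapipolicy"

def parse_findings(text):
    """Pair each 'is not one of' message with the location line that follows it."""
    findings, pending = [], None
    for line in map(str.strip, text.splitlines()):
        m = FINDING.match(line)
        if m:
            pending = {"rule": m.group(1), "value": m.group(2),
                       "allowed": re.findall(r"'([^']*)'", m.group(3))}
            continue
        loc = LOCATION.match(line)
        if pending and loc:
            pending.update(path=loc.group(1), line=int(loc.group(2)), col=int(loc.group(3)))
            findings.append(pending)
        pending = None
    return findings

def triage(findings):
    """Split findings into the reported false positives and ones that need review."""
    known, review = [], []
    for f in findings:
        is_known = (f["rule"] == "W3037" and f["value"] in REVIEWED_ACTIONS
                    and SERVICE_MARKER in f["allowed"])
        (known if is_known else review).append(f)
    return known, review

if __name__ == "__main__":
    known, review = triage(parse_findings(SAMPLE))
    print("reported false positives:", [(f["value"], f["line"]) for f in known])
    print("needs review:", [(f["value"], f["line"]) for f in review])
```

Findings whose allowed list does not contain the marker, or whose value is not one of the two reviewed actions, stay in the review list rather than being suppressed.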
