Enable Detailed CloudWatch Metrics for APIs


Risk level: Medium (should be achieved)

Ensure that detailed CloudWatch metrics are enabled for all APIs created with the AWS API Gateway service in order to monitor API stage caching, latency and errors at a more granular level and set alarms accordingly.

The main benefit of enabling detailed AWS CloudWatch metrics for API stages is more granular metric data, which lets you act faster on the alarms built on those metrics. For example, if you run a critical API and need to be notified as soon as there is a sudden spike in 4xx or 5xx errors, you can set alarms that monitor and trigger on a one-minute basis (instead of the default 5-minute period) using the data gathered by detailed CloudWatch metrics.

Audit

To determine if your API stages have AWS CloudWatch metrics enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API configuration.

05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to examine.

07 On the API Stage Editor panel, select Logs tab to access the stage configuration settings.

08 In the CloudWatch Settings section, verify the status of the Enable Detailed CloudWatch Metrics setting. If the Enable Detailed CloudWatch Metrics checkbox is unchecked, AWS CloudWatch detailed metrics are not enabled for the selected API stage.

09 Repeat steps no. 6 – 8 to check the AWS CloudWatch detailed metrics setting for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.

11 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run the get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected region (the trailing backslashes continue the command across lines):

aws apigateway get-rest-apis \
	--region us-east-1 \
	--output table \
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  aabbccddee  |
|  ccddeeffgg  |
|  bbccddeeff  |
+--------------+

03 Run the get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine to get information about the stages created for the selected API:

aws apigateway get-stages \
	--region us-east-1 \
	--rest-api-id aabbccddee

04 The command output should return the API stages metadata:

{
    "item": [
        {
            "stageName": "Production",
            "cacheClusterSize": "0.5",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509565551,
            "createdDate": 1509557971,
            "methodSettings": {
                "*/*": {
                    "cacheTtlInSeconds": 300,
                    "loggingLevel": "OFF",
                    "dataTraceEnabled": false,
                    "metricsEnabled": false,
                    "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
                    "throttlingRateLimit": 10000.0,
                    "cacheDataEncrypted": false,
                    "cachingEnabled": false,
                    "throttlingBurstLimit": 5000,
                    "requireAuthorizationForCacheControl": true
                }
            }
        },
        {
            "stageName": "Staging",
            "cacheClusterSize": "0.5",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "deploymentId": "z0haur",
            "lastUpdatedDate": 1509565545,
            "createdDate": 1509558509,
            "methodSettings": {
                "*/*": {
                    "cacheTtlInSeconds": 300,
                    "loggingLevel": "OFF",
                    "dataTraceEnabled": false,
                    "metricsEnabled": false,
                    "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
                    "throttlingRateLimit": 10000.0,
                    "cacheDataEncrypted": false,
                    "cachingEnabled": false,
                    "throttlingBurstLimit": 5000,
                    "requireAuthorizationForCacheControl": true
                }
            }
        }
    ]
}

Each item object returned by the command represents an API stage. Verify the metadata listed for each stage: if the metricsEnabled attribute (within the "*/*" entry of the methodSettings object) for the stage is set to false, detailed AWS CloudWatch metrics are not enabled for that stage. Note that a stage whose stage-level settings have never been saved returns an empty methodSettings object; treat it the same way, since detailed metrics are off there as well. Repeat the current step to check the CloudWatch metrics configuration for the other API stages created for the selected API.

05 Repeat steps no. 3 and 4 to verify other AWS API Gateway APIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable detailed CloudWatch metrics for your Amazon API Gateway APIs stages, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open your APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.

05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.

06 Select the API stage that you want to reconfigure.

07 On the API Stage Editor panel, select Logs tab to access the stage settings.

08 In the CloudWatch Settings section, check Enable Detailed CloudWatch Metrics checkbox to enable the feature.

09 Click Save Changes to apply the configuration changes and enable detailed metrics for the selected stage. Once enabled, each API method will begin to generate the following metrics: API calls, Latency, Integration Latency, 4xx and 5xx errors.

10 Repeat steps no. 6 – 9 to turn on the feature for other API stages created for the selected API.

11 Repeat steps no. 4 – 10 to enable detailed CloudWatch metrics for other APIs available within the current region.

12 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the update-stage command (OSX/Linux/UNIX) using the ID of the API and the name of the API stage that you want to reconfigure as identifiers to enable detailed CloudWatch metrics for the selected API stage. The patch operation sets the stage-wide (*/*) metrics/enabled setting, which applies to every method in the stage. The following command example enables AWS CloudWatch detailed metrics for an API stage named "Production", created for an API identified by the ID "aabbccddee":

aws apigateway update-stage \
	--region us-east-1 \
	--rest-api-id aabbccddee \
	--stage-name 'Production' \
	--patch-operations op=replace,path=/*/*/metrics/enabled,value=true

02 The command output should return the API stage metadata:

{
    "stageName": "Production",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "z0haur",
    "lastUpdatedDate": 1509619221,
    "createdDate": 1509557971,
    "methodSettings": {
        "*/*": {
            "cacheTtlInSeconds": 300,
            "loggingLevel": "OFF",
            "dataTraceEnabled": false,
            "metricsEnabled": true,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "throttlingRateLimit": -1.0,
            "cacheDataEncrypted": false,
            "cachingEnabled": false,
            "throttlingBurstLimit": -1,
            "requireAuthorizationForCacheControl": true
        }
    }
}

03 Repeat steps no. 1 and 2 to activate the feature for other API stages created for the selected API.

04 Repeat steps no. 1 – 3 to enable detailed CloudWatch metrics for other APIs available within the current region.

05 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.
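The CLI audit steps (get-rest-apis, then get-stages per API, checking metricsEnabled) and the remediation step (update-stage with the metrics/enabled patch) can be automated per region. The following script is an added example, not Cloud Conformity's own tooling; it assumes boto3 is installed and that credentials are available when run against AWS, and it embeds a constructed get-stages response so the check itself runs offline. It also covers the case the audit text notes: a stage with an empty methodSettings object.

```python
# The patch operation the update-stage command above sends, in boto3's form.
METRICS_PATCH = [{"op": "replace", "path": "/*/*/metrics/enabled", "value": "true"}]

# Constructed sample modelled on the get-stages output in the Audit section;
# "Dev" has never had stage-level settings saved, so methodSettings is empty.
SAMPLE_STAGES = {"item": [
    {"stageName": "Production", "methodSettings": {"*/*": {"metricsEnabled": False}}},
    {"stageName": "Staging", "methodSettings": {"*/*": {"metricsEnabled": False}}},
    {"stageName": "Dev", "methodSettings": {}},
]}


def stages_missing_detailed_metrics(get_stages_response):
    """Names of stages whose stage-wide ('*/*') settings lack metricsEnabled=true.

    A stage with no '*/*' entry is reported too: detailed metrics are off there.
    """
    return [
        stage["stageName"]
        for stage in get_stages_response.get("item", [])
        if not stage.get("methodSettings", {}).get("*/*", {}).get("metricsEnabled")
    ]


def audit_region(region, fix=False, client=None):
    """Check every REST API in one region; return {api_id: [non-compliant stages]}.

    `client` can be a stub for testing; otherwise a boto3 apigateway client is
    created. With fix=True each non-compliant stage receives METRICS_PATCH.
    """
    if client is None:
        import boto3  # only needed when talking to AWS
        client = boto3.client("apigateway", region_name=region)
    findings, kwargs = {}, {}
    while True:  # get_rest_apis pages through results via 'position'
        page = client.get_rest_apis(**kwargs)
        for api in page.get("items", []):
            bad = stages_missing_detailed_metrics(client.get_stages(restApiId=api["id"]))
            if not bad:
                continue
            findings[api["id"]] = bad
            if fix:
                for name in bad:
                    client.update_stage(restApiId=api["id"], stageName=name,
                                        patchOperations=METRICS_PATCH)
        if "position" not in page:
            return findings
        kwargs["position"] = page["position"]


if __name__ == "__main__":
    print(stages_missing_detailed_metrics(SAMPLE_STAGES))  # ['Production', 'Staging', 'Dev']
```

Run audit_region once per region from the Audit section's region list; pass fix=True only after reviewing the findings, since the patch changes stage configuration.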

Publication date Nov 2, 2017