Logo of Trend Micro

Content Encoding

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: AG-004

Ensure that Content Encoding feature is enabled for your Amazon API Gateway APIs in order to facilitate API payload compression. Once Content Encoding is enabled, the API Gateway service allows compression of response bodies based on client's Accept-Encoding header. API payload compression is triggered when the response body size is greater than or equal to the threshold configured as the minimum compression size (in bytes). You can set this threshold to a non-negative integer between 0 and 10485760 (10M bytes). The compression types supported by Amazon API Gateway service are GZIP, DEFLATE and identity.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency

Amazon API Gateway allows your client to call your API with compressed payloads using one of the supported compression types. API Gateway service supports decompression of the request payload, however, you must configure your API to enable compression of the response payload. Enabling compression for your API payload will help you improve your API performance and reduce bandwidth utilization.

Audit

To determine if your Amazon API Gateway APIs have Content Encoding feature enabled, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine by clicking on the API name (link).

05 In the navigation panel, within the API submenu, click Settings to access the selected API configuration.

06 On the API Settings page, within Content Encoding section, check the Content Encoding enabled configuration setting. If Content Encoding enabled setting checkbox is unchecked, the Content Encoding feature is not enabled for the selected Amazon API Gateway API, therefore the API payload is not compressed.

07 Repeat steps no. 4 – 6 to determine the feature status for other AWS API Gateway APIs available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available within the selected region: 

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs: 

----------------
|  GetRestApis |
+--------------+
|  abcdabcdab  |
|  aaaabbbbab  |
+--------------+

03 Run get-rest-api command (OSX/Linux/UNIX) using the ID of the API that you want to examine and custom query filters to get the minimumCompressionSize configuration attribute value: 

aws apigateway get-rest-api
	--region us-east-1
	--rest-api-id abcdabcdab
	--query 'minimumCompressionSize'

04 The command output should return the minimumCompressionSize value, a nullable integer (between 0 and 10485760) that is used to enable compression: 

null

If the get-rest-api command output returns null, as shown in the example above, the minimumCompressionSize attribute value is not configured and so compression is disabled, therefore the Content Encoding feature is not enabled for the selected Amazon API Gateway API.

05 Repeat step no. 3 and 4 to determine the feature status for other AWS API Gateway APIs available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.

Remediation / Resolution

To enable Amazon API Gateway API payload compression using Content Encoding feature, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.

05 In the navigation panel, in the API submenu, click Settings to access the selected API configuration.

06 On the Settings page, within Content Encoding section, perform the following:

  1. Select Content Encoding enabled checkbox to enable API payload compression.
  2. Set your own threshold value for the minimumCompressionSize attribute within the within Minimum body size required for compression box. The minimumCompressionSize configuration attribute measures the compression threshold and requires a non-negative integer value between 0 and 10485760 (10M bytes). If your API payload size is smaller than this value, compression is not applied. Setting it to zero allows compression for any payload size.

07 Click Save Changes to apply the configuration changes and enable API payload compression for the selected Amazon API Gateway API.

08 Repeat steps no. 4 – 7 to enable the Content Encoding feature (i.e. API payload compression) for other APIs available within the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-rest-api command (OSX/Linux/UNIX) using the ID of the API that you want to reconfigure as identifier (see Audit section part II to identify the right resource) to enable API payload compression for the selected Amazon API Gateway API using a threshold value of 5Kb for the minimumCompressionSize attribute which represents the minimum body size required for payload compression: 

aws apigateway update-rest-api
	--region us-east-1
	--rest-api-id abcdabcdab
	--patch-operations op=replace,path=/minimumCompressionSize,value=5000

02 The command output should return the request metadata: 

{
    "apiKeySource": "HEADER",
    "description": "REST sample API that integrates via HTTP with CC endpoints",
    "endpointConfiguration": {
        "types": [
            "REGIONAL"
        ]
    },
    "minimumCompressionSize": 5000,
    "createdDate": 1539965965,
    "id": "abcdabcdab",
    "name": "SampleAPI"
}

03 Repeat step no. 1 and 2 to enable API payload compression (i.e. Content Encoding) for other APIs available in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Oct 24, 2018

Related APIGateway rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Content Encoding

Risk level: Medium