APIs Detailed CloudWatch Metrics
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that detailed CloudWatch metrics are enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The main benefit of enabling AWS CloudWatch metrics for API stages is getting more granular metric data which can help you to act fast and take immediate actions based on information delivered by these metrics through alarms. For example, if you developed a critical API and you need to be notified sooner when there is a sudden spike in 4xx or 5xx errors, you can set alarms that monitors and triggers on a per minute basis (instead of 5 minute period) using the data gathered by detailed CloudWatch metrics.
To determine if your API stages have AWS CloudWatch metrics enabled, perform the following:
01 Login to the AWS Management Console.
02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
03 In the left navigation panel, select APIs to open the APIs listing page.
04 Choose the API that you want to examine then click on its name (link) to access the API configuration.
05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.
06 Select the API stage that you want to examine.
07 On the API Stage Editor panel, select Logs tab to access the stage configuration settings.
08 In the CloudWatch Settings section, verify Enable Detailed CloudWatch Metrics setting status. If Enable Detailed CloudWatch Metrics checkbox is unchecked, AWS CloudWatch detailed metrics are not enabled for the selected API stage.
09 Repeat steps no. 6 – 8 to check the AWS CloudWatch detailed metrics setting for other API stages created for the selected API.
10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.
11 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.
01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected region:
aws apigateway get-rest-apis --region us-east-1 --output table --query 'items[*].id'
02 The command output should return a table with the requested API IDs:
---------------- | GetRestApis | +--------------+ | aabbccddee | | ccddeeffgg | | bbccddeeff | +--------------+
03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine and custom query filters to get information about the stages created for the selected API:
aws apigateway get-stages --region us-east-1 --rest-api-id aabbccddee
04 The command output should return the API stages metadata:
{
"item": [
{
"stageName": "Production",
"cacheClusterSize": "0.5",
"cacheClusterEnabled": false,
"cacheClusterStatus": "NOT_AVAILABLE",
"deploymentId": "z0haur",
"lastUpdatedDate": 1509565551,
"createdDate": 1509557971,
"methodSettings": {
"*/*": {
"cacheTtlInSeconds": 300,
"loggingLevel": "OFF",
"dataTraceEnabled": false,
"metricsEnabled": false,
"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
"throttlingRateLimit": 10000.0,
"cacheDataEncrypted": false,
"cachingEnabled": false,
"throttlingBurstLimit": 5000,
"requireAuthorizationForCacheControl": true
}
}
},
{
"stageName": "Staging",
"cacheClusterSize": "0.5",
"cacheClusterEnabled": false,
"cacheClusterStatus": "NOT_AVAILABLE",
"deploymentId": "z0haur",
"lastUpdatedDate": 1509565545,
"createdDate": 1509558509,
"methodSettings": {
"*/*": {
"cacheTtlInSeconds": 300,
"loggingLevel": "OFF",
"dataTraceEnabled": false,
"metricsEnabled": false,
"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
"throttlingRateLimit": 10000.0,
"cacheDataEncrypted": false,
"cachingEnabled": false,
"throttlingBurstLimit": 5000,
"requireAuthorizationForCacheControl": true
}
}
}
]
}
05 Repeat step no. 3 and 4 to verify other AWS API Gateway APIs available in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the entire audit process for other regions.
To enable detailed CloudWatch metrics for your Amazon API Gateway APIs stages, perform the following actions:
01 Login to the AWS Management Console.
02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.
03 In the left navigation panel, select APIs to open your APIs listing page.
04 Choose the API that you want to reconfigure (see Audit section part I to identify the right resource), then click on its name to access the API details and configuration.
05 In the left navigation panel, under APIs, click Stages to list the stages created for the selected API.
06 Select the API stage that you want to reconfigure.
07 On the API Stage Editor panel, select Logs tab to access the stage settings.
08 In the CloudWatch Settings section, check Enable Detailed CloudWatch Metrics checkbox to enable the feature.
09 Click Save Changes to apply the configuration changes and enable detailed metrics for the selected stage. Once enabled, each API method will begin to generate the following metrics: API calls, Latency, Integration Latency, 4xx and 5xx errors.
10 Repeat steps no. 6 – 9 to turn on the feature for other API stages created for the selected API.
11 Repeat steps no. 4 – 10 to enable detailed CloudWatch metrics for other APIs available within the current region.
12 Change the AWS region from the navigation bar and repeat the process for other regions.
01 Run update-stage command (OSX/Linux/UNIX) using the ID of the API and the name of the API stage that you want to reconfigure as identifiers to enable detailed CloudWatch metrics for the selected API stage. The following command example enables AWS CloudWatch detailed metrics for an API stage named "Production", created for an API identified by the ID "aabbccddee":
aws apigateway update-stage --region us-east-1 --rest-api-id aabbccddee --stage-name 'Production' --patch-operations op=replace,path=/*/*/metrics/enabled,value=true
02 The command output should return the API stage metadata:
{
"stageName": "Production",
"cacheClusterSize": "0.5",
"cacheClusterEnabled": false,
"cacheClusterStatus": "NOT_AVAILABLE",
"deploymentId": "z0haur",
"lastUpdatedDate": 1509619221,
"createdDate": 1509557971,
"methodSettings": {
"*/*": {
"cacheTtlInSeconds": 300,
"loggingLevel": "OFF",
"dataTraceEnabled": false,
"metricsEnabled": true,
"unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
"throttlingRateLimit": -1.0,
"cacheDataEncrypted": false,
"cachingEnabled": false,
"throttlingBurstLimit": -1,
"requireAuthorizationForCacheControl": true
}
}
}
03 Repeat step no. 1 and 2 to activate the feature for other API stages created for the selected API.
04 Repeat steps no. 1 – 3 to enable detailed CloudWatch metrics for other APIs available within the current region.
05 Change the AWS region by updating the --region command parameter value and repeat the process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat