API Gateway Tracing Enabled

Risk level: Low (generally tolerable level of risk)

Rule ID: AG-003

Ensure that active tracing is enabled for your Amazon API Gateway API stages to sample incoming requests and send traces to AWS X-Ray. Once this feature is enabled, X-Ray service will trace and analyze user requests as these travel through your AWS API Gateway APIs to the underlying services.

This rule can help you with the following compliance standards:

MAS
NIST 800-53 (Rev. 4)

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Operational
excellence

When an API Gateway API stage has active tracing feature enabled, Amazon API Gateway service automatically samples API invocation requests based on the sampling algorithm specified by AWS X-Ray. Then X-Ray can provide you an end-to-end view of an entire HTTP request, so you can analyze latencies in your APIs and their backend services.

Note: API Gateway supports active tracing for all API Gateway endpoint types, i.e. regional, private and edge-optimized. You can enable active tracing for your APIs in all AWS regions where X-Ray service is available.

Audit

To determine if your API Gateway API stages have active tracing feature enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs to open the APIs listing page.

04 Choose the API that you want to examine then click on its name (link) to access the API details and configuration.

05 In the navigation panel, within the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to examine.

07 Select Logs/Tracing tab from the dashboard top panel.

08 On the Logs/Tracing panel, within X-Ray Tracing section, check Enable X-Ray Tracing setting status. If Enable X-Ray Tracing setting checkbox is not checked, the selected Amazon API Gateway API stage does not have active tracing (i.e. X-Ray tracing) enabled.

09 Repeat steps no. 6 – 8 to verify the X-Ray tracing setting status for other API stages created for the selected API.

10 Repeat steps no. 4 – 8 to verify other AWS API Gateway APIs available within the current region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the IDs of the APIs available in the selected AWS region:

aws apigateway get-rest-apis
	--region us-east-1
	--output table
	--query 'items[*].id'

02 The command output should return a table with the requested API IDs:

----------------
|  GetRestApis |
+--------------+
|  aabbccddee  |
|  abcdabcdab  |
|  aaabbbbccc  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the API that you want to examine as identifier and custom query filters to get the name(s) of the API stage(s) created for the selected API:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id aabbccddee
	--output table
	--query 'item[*].stageName'

04 The command output should return a table with the API stage name(s):

----------------
|   GetStages  |
+--------------+
|  Production  |
|  Staging     |
|  Testing     |
|  Development |
+--------------+

05 Execute again get-stages command (OSX/Linux/UNIX) using the name of the API stage that you want to examine as identifier, e.g. "Production", and custom query filters to obtain the configuration status for the active tracing feature:

aws apigateway get-stages
	--region us-east-1
	--rest-api-id aabbccddee
	--query 'item[?(stageName==`Production`)].tracingEnabled | []'

06 The command output should return the requested configuration information:

[
    false
]

If get-stages command output returns false, as shown in the example above, the selected Amazon API Gateway API stage does not have X-Ray tracing currently enabled.

07 Repeat step no. 5 and 6 to check the active tracing feature status for other API stages created for the selected API.

08 Repeat steps no. 3 – 7 to verify other AWS API Gateway APIs available in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the audit process for other regions.

Remediation / Resolution

To enable X-Ray tracing (also known as active tracing) for your Amazon API Gateway API stages, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to API Gateway dashboard at https://console.aws.amazon.com/apigateway/.

03 In the left navigation panel, select APIs.

04 Choose the API that you want to reconfigure, then click on its name (link) to access the API configuration.

05 In the navigation panel, in the API submenu, click Stages to list the stages created for the selected API.

06 Under Stages, select the API stage that you want to reconfigure in order to enable tracing (see Audit section part I to identify the right stage).

07 Select Logs/Tracing tab from the dashboard top panel.

08 On the API stage Logs/Tracing panel, under X-Ray Tracing, select Enable X-Ray Tracing setting checkbox.

09 Click Save Changes to apply the new configuration changes. Now that the active tracing feature is enabled, you can use the AWS X-Ray Management Console to view the traces and service maps.

10 Repeat steps no. 6 – 9 to enable X-Ray tracing for other API stages created for the selected API.

11 Repeat steps no. 4 – 10 to reconfigure other Amazon API Gateway APIs available within the current region.

12 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier (see Audit section part II to identify the right API stage) to enable X-Ray tracing for the selected Amazon API Gateway API stage. The following command example enables active tracing for an API stage named "Production", created for an API identified by the ID "aabbccddee":

aws apigateway update-stage
	--region us-east-1
	--rest-api-id aabbccddee
	--stage-name 'Production'
	--patch-operations op=replace,path=/tracingEnabled,value=true

02 The command output should return the command request metadata:

{
    "tracingEnabled": true,
    "stageName": "Production",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "abcabc",
    "lastUpdatedDate": 1537957517,
    "createdDate": 1537954386,
    "methodSettings": {}
}

03 Repeat step no. 1 and 2 to enable X-Ray tracing for other API stages created for the selected API.

04 Repeat steps no. 1 –3 to update the configuration of other Amazon API Gateway APIs available in the current region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
apigateway
get-rest-apis
get-stages
update-stage

Publication date Oct 15, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

API Gateway Tracing Enabled

Risk level: Low

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related APIGateway rules