
Tracing Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: AG-003

Ensure that active tracing with AWS X-Ray is enabled for your Amazon API Gateway REST API stages so that incoming requests are sampled and traces are sent to X-Ray. Once this feature is enabled, X-Ray traces user requests as they travel through your API Gateway APIs to the underlying services, giving you per-request visibility that is useful both for latency analysis and for reconstructing what an individual request did when investigating suspicious traffic.

This rule can help you with the following compliance standards:

  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, refer to the Conformity compliance documentation.

This rule can help you work with the following AWS Well-Architected Framework pillars:

  • Operational excellence
  • Sustainability

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

When an API stage has active tracing enabled, API Gateway samples incoming requests according to the X-Ray sampling rules that apply to it (the default rule records the first request each second plus 5% of any additional requests) and sends a segment for each sampled request to X-Ray. X-Ray then gives you an end-to-end view of each traced HTTP request, so you can analyze latencies and errors in your APIs and their backend services and follow a single request from the API Gateway edge to the integration that served it.

Note: API Gateway supports active tracing for all REST API endpoint types (regional, private, and edge-optimized), and you can enable it in every AWS region where X-Ray is available. The setting belongs to REST APIs; HTTP APIs (managed through the apigatewayv2 API) do not offer X-Ray tracing, which is why the get-rest-apis and get-stages commands below cover the full scope of this rule. Trace segments record the client IP, HTTP method, request URL, user agent and response status of each sampled request, and X-Ray retains them for 30 days, so treat read access to X-Ray (for example xray:BatchGetTraces and xray:GetTraceSummaries) as access to request metadata, avoid placing secrets in URLs, and consider configuring X-Ray encryption with a KMS key you control.


Audit

To determine if your API Gateway API stages have active tracing enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name (link) of the API that you want to examine.

05 Choose Stages from the API menu to access the stages created for the selected API.

06 Click on the name of the API stage that you want to examine and choose the Logs/Tracing tab.

07 On the Logs/Tracing panel, in X-Ray Tracing section, check Enable X-Ray Tracing setting status. If the Enable X-Ray Tracing setting is disabled (i.e. setting checkbox is not checked), the selected Amazon API Gateway API stage does not have active X-Ray tracing enabled.

08 Repeat steps no. 6 and 7 for each API stage created for the selected API.

09 Repeat steps no. 4 – 8 for each Amazon API Gateway API available within the current region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run get-rest-apis command (OSX/Linux/UNIX) using custom query filters to list the ID of each API Gateway REST API available in the selected AWS region:

aws apigateway get-rest-apis \
  --region us-east-1 \
  --output table \
  --query 'items[*].id'

02 The command output should return a table with the requested API ID(s):

----------------
|  GetRestApis |
+--------------+
|  abcabcabca  |
|  abcdabcdab  |
+--------------+

03 Run get-stages command (OSX/Linux/UNIX) using the ID of the Amazon API Gateway API that you want to examine as the identifier parameter and custom query filters to list the names of the API stages created for the selected API:

aws apigateway get-stages \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --output table \
  --query 'item[*].stageName'

04 The command output should return the requested API stage name(s):

----------------
|  GetStages   |
+--------------+
|  Production  |
|  Staging     |
|  Development |
+--------------+

05 Run get-stages command (OSX/Linux/UNIX) again for the same API, this time with a JMESPath filter on the name of the stage that you want to examine, to return the active tracing status of that stage. The stage name is a query filter here, not a command parameter: get-stages always returns every stage of the API, and the filter selects one of them:

aws apigateway get-stages \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --query 'item[?stageName==`Production`].tracingEnabled | []'

06 The command output should return the requested feature status (true for enabled, false for disabled):

[
    false
]

If the get-stages command output returns false, the active X-Ray tracing feature is not enabled for the selected Amazon API Gateway API stage.

07 Repeat steps no. 5 and 6 for each API stage created for the selected API.

08 Repeat steps no. 3 – 7 for each Amazon API Gateway API available in the selected region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable X-Ray tracing (also known as active tracing) for your Amazon API Gateway APIs, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON). The RootMethod resource is a placeholder with a MOCK integration: a deployment of a REST API that has no methods fails with "The REST API doesn't contain any methods", and the deployment must depend on the methods so that they exist before it is created. Replace the placeholder with your real methods and an authorizer before exposing the stage:

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Enable Active (X-Ray) Tracing for API Stages",
   "Resources": {
      "RestAPI": {
         "Type": "AWS::ApiGateway::RestApi",
         "Properties": {
            "Name": "WebServiceAPI",
            "Description": "A simple API Gateway REST API"
         }
      },
      "RootMethod": {
         "Type": "AWS::ApiGateway::Method",
         "Properties": {
            "RestApiId": { "Ref": "RestAPI" },
            "ResourceId": { "Fn::GetAtt": ["RestAPI", "RootResourceId"] },
            "HttpMethod": "GET",
            "AuthorizationType": "NONE",
            "Integration": { "Type": "MOCK" }
         }
      },
      "StageDeployment": {
         "Type": "AWS::ApiGateway::Deployment",
         "DependsOn": "RootMethod",
         "Properties": {
            "RestApiId": { "Ref": "RestAPI" }
         }
      },
      "APIStage": {
         "Type": "AWS::ApiGateway::Stage",
         "Properties": {
            "DeploymentId": { "Ref": "StageDeployment" },
            "RestApiId": { "Ref": "RestAPI" },
            "StageName": "Staging",
            "TracingEnabled": true
         }
      }
   }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Active (X-Ray) Tracing for API Stages
Resources:
  RestAPI:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: WebServiceAPI
      Description: A simple API Gateway REST API
  # Placeholder method with a MOCK integration: a deployment of an API that
  # has no methods fails with "The REST API doesn't contain any methods".
  # Replace it with your real methods and an authorizer.
  RootMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestAPI
      ResourceId: !GetAtt RestAPI.RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
  StageDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootMethod   # create the deployment only after the methods exist
    Properties:
      RestApiId: !Ref RestAPI
  APIStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref StageDeployment
      RestApiId: !Ref RestAPI
      StageName: Staging
      TracingEnabled: true   # enables active X-Ray tracing for this stage

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_api_gateway_rest_api" "rest-api" {
  name        = "web-service-api"
  description = "A simple API Gateway REST API"
}

# Placeholder method and MOCK integration: deploying an API that has no
# methods fails with "The REST API doesn't contain any methods". Replace them
# with the real methods and an authorizer before exposing the stage.
resource "aws_api_gateway_method" "root-get" {
  rest_api_id   = aws_api_gateway_rest_api.rest-api.id
  resource_id   = aws_api_gateway_rest_api.rest-api.root_resource_id
  http_method   = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "root-get" {
  rest_api_id = aws_api_gateway_rest_api.rest-api.id
  resource_id = aws_api_gateway_rest_api.rest-api.root_resource_id
  http_method = aws_api_gateway_method.root-get.http_method
  type        = "MOCK"
}

resource "aws_api_gateway_deployment" "rest-api-deployment" {
  rest_api_id = aws_api_gateway_rest_api.rest-api.id

  # Create the deployment only after the integration exists.
  depends_on = [aws_api_gateway_integration.root-get]
}

resource "aws_api_gateway_stage" "api-stage" {
  deployment_id = aws_api_gateway_deployment.rest-api-deployment.id
  rest_api_id   = aws_api_gateway_rest_api.rest-api.id
  stage_name    = "Production"

  # Enable Active (X-Ray) Tracing for the stage
  xray_tracing_enabled = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to API Gateway console at https://console.aws.amazon.com/apigateway/.

03 In the main navigation panel, select APIs to access your API Gateway APIs.

04 Click on the name of the API that you want to reconfigure.

05 Choose Stages from the API menu to access the stages created for the selected API.

06 Click on the name of the API stage that you want to access and choose the Logs/Tracing tab.

07 On the Logs/Tracing panel, in X-Ray Tracing section, select the Enable X-Ray Tracing setting checkbox to enable active X-Ray tracing for the selected Amazon API Gateway API. Choose Save Changes to apply the configuration changes.

08 Once the X-Ray tracing feature is enabled, you can use the AWS X-Ray console to view the API traces and service maps.

09 Repeat steps no. 6 – 8 to enable active X-Ray tracing for each required API stage created for the selected API.

10 Repeat steps no. 4 – 9 for each Amazon API Gateway API available within the current AWS region.

11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as the identifier parameter, to enable the X-Ray tracing feature for the selected API stage. The following command request example enables active tracing for an API stage named "Production", created for an API identified by the ID "abcabcabca":

aws apigateway update-stage \
  --region us-east-1 \
  --rest-api-id abcabcabca \
  --stage-name 'Production' \
  --patch-operations op=replace,path=/tracingEnabled,value=true

02 The command output should return the updated stage configuration. Confirm that "tracingEnabled" is now true rather than assuming the update succeeded:

{
    "deploymentId": "abcabc",
    "clientCertificateId": "abc123",
    "stageName": "Production",
    "description": "Web Prod Stage",
    "cacheClusterEnabled": false,
    "cacheClusterSize": "0.5",
    "cacheClusterStatus": "NOT_AVAILABLE",
    "methodSettings": {
        "*/*": {
            "metricsEnabled": false,
            "dataTraceEnabled": false,
            "throttlingBurstLimit": 5000,
            "throttlingRateLimit": 10000.0,
            "cachingEnabled": false,
            "cacheTtlInSeconds": 300,
            "cacheDataEncrypted": false,
            "requireAuthorizationForCacheControl": true,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER"
        }
    },
    "tracingEnabled": true,
    "createdDate": "2022-01-11T10:56:31+00:00",
    "lastUpdatedDate": "2022-01-11T17:31:25+00:00"
}

03 Repeat steps no. 1 and 2 to enable active X-Ray tracing for each necessary API stage created for the selected API.

04 Repeat steps no. 1 – 3 for each Amazon API Gateway API available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
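The Audit and Remediation CLI procedures above walk every API, stage and region by hand. The script below is an added example, not code from the Conformity page or from AWS, that automates both: it evaluates every REST API stage in a list of regions and, when run with dry_run=False, applies the same /tracingEnabled patch operation as update-stage and verifies the response. The API IDs, stage names and the FakeApiGatewayClient are constructed so the logic runs offline; run() assumes boto3 is installed and that the credentials in use carry apigateway:GET and apigateway:PATCH permissions.

```python
"""Audit and remediate X-Ray active tracing on API Gateway REST API stages.

Added example (not the Conformity page's or any AWS tool's code). The logic takes
a client object so it runs offline against the constructed FakeApiGatewayClient
below; run() wires the same functions to a real boto3 client."""
import copy
from collections import namedtuple

StageFinding = namedtuple("StageFinding", "region api_id stage_name tracing_enabled")


def evaluate_stages(region, api_id, get_stages_response):
    """One finding per stage of a get_stages response (what the CLI's get-stages
    prints). A missing tracingEnabled key counts as disabled, the default."""
    return [StageFinding(region, api_id, s["stageName"], bool(s.get("tracingEnabled", False)))
            for s in get_stages_response.get("item", [])]


def tracing_patch_operations():
    """Same patch document as the page's update-stage command (values are strings)."""
    return [{"op": "replace", "path": "/tracingEnabled", "value": "true"}]


def audit_region(client, region):
    """Evaluate every stage of every REST API in a region (get_rest_apis is
    paginated). HTTP APIs (apigatewayv2) have no tracing setting and are skipped."""
    findings = []
    for page in client.get_paginator("get_rest_apis").paginate():
        for api in page.get("items", []):
            findings.extend(evaluate_stages(region, api["id"],
                                            client.get_stages(restApiId=api["id"])))
    return findings


def remediate(client, findings, dry_run=True):
    """Enable tracing on non-compliant stages; returns the findings changed (or,
    in dry-run mode, that would be). Each real update is verified from its response."""
    changed = []
    for f in findings:
        if f.tracing_enabled:
            continue
        if not dry_run:
            resp = client.update_stage(restApiId=f.api_id, stageName=f.stage_name,
                                       patchOperations=tracing_patch_operations())
            if not resp.get("tracingEnabled"):
                raise RuntimeError(f"{f.api_id}/{f.stage_name}: tracing still disabled")
        changed.append(f)
    return changed


def run(regions, dry_run=True):
    """Audit (and, with dry_run=False, remediate) a real account; boto3 is imported
    here so the functions above work without it installed."""
    import boto3
    session, report = boto3.Session(), []
    for region in regions:
        client = session.client("apigateway", region_name=region)
        report.extend(remediate(client, audit_region(client, region), dry_run))
    return report


# Constructed sample data mirroring the page's CLI output: two APIs; on the
# first, only the Staging stage already has tracing enabled.
SAMPLE_APIS = {
    "abcabcabca": {"item": [
        {"stageName": "Production", "tracingEnabled": False},
        {"stageName": "Staging", "tracingEnabled": True},
        {"stageName": "Development"},  # key absent: never toggled
    ]},
    "abcdabcdab": {"item": [{"stageName": "Production", "tracingEnabled": True}]},
}


class FakeApiGatewayClient:
    """Offline stand-in (constructed for this example) for boto3's apigateway client."""
    def __init__(self, apis):
        self.apis, self.updates = apis, []

    def get_paginator(self, name):
        return self  # paginate() below acts as a single-page paginator

    def paginate(self):
        yield {"items": [{"id": api_id} for api_id in self.apis]}

    def get_stages(self, restApiId):
        return self.apis[restApiId]

    def update_stage(self, restApiId, stageName, patchOperations):
        self.updates.append((restApiId, stageName, patchOperations))
        for stage in self.apis[restApiId]["item"]:
            if stage["stageName"] == stageName:
                stage["tracingEnabled"] = patchOperations[0]["value"] == "true"
                return dict(stage)
        raise KeyError(stageName)


def sample_client():
    """Fresh fake client over a deep copy of SAMPLE_APIS (updates mutate it)."""
    return FakeApiGatewayClient(copy.deepcopy(SAMPLE_APIS))
```

Run it first with dry_run=True and treat the returned list as the rule's findings; tracing is a stage-level setting, so each non-compliant stage is patched individually, and a response that still reports tracingEnabled as false is raised as an error rather than silently counted as fixed.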

Publication date Oct 15, 2018