API Gateway X-Ray Should Be Enabled
More Info:
Ensure X-Ray is enabled for API Gateway
Risk Level
Low
Address
Reliability, Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the API Gateway console. You can do this by typing “API Gateway” into the search bar at the top of the console, then selecting “API Gateway” from the dropdown menu.
- In the API Gateway console, select the API you want to check.
- In the settings for the selected API, look for the “Tracing” section. If X-Ray is enabled, there will be a checkmark next to “Enable X-Ray Tracing”. If there is no checkmark, then X-Ray is not enabled for this API.
- Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:
Installation:
pip install awscli
Configuration:
aws configure
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
- List all API Gateways: Use the following AWS CLI command to list all the API Gateways in your AWS account:
aws apigateway get-rest-apis
This command will return a list of all the REST APIs in your account. Note down the “id” of the API Gateway you want to check.
- Get API Gateway stage details: X-Ray tracing is configured per stage, so use the following AWS CLI command to get the stages of the specific API Gateway:
aws apigateway get-stages --rest-api-id {api-id}
Replace {api-id} with the id of the API Gateway you noted down in the previous step. This command will return the details of each stage of the API Gateway.
- Check X-Ray tracing: In the output of the previous command, look for the “tracingEnabled” field of each stage. If the value of this field is “true”, then X-Ray tracing is enabled for that stage. If the value is “false” or the field is not present, then X-Ray tracing is not enabled.
- Install the necessary Python libraries: Before you start, you need to install the AWS SDK for Python (Boto3) in your environment. This can be done using pip:
pip install boto3
- Configure AWS Credentials: You need to configure your AWS credentials. You can configure them in several ways, but the simplest is to use the AWS CLI:
aws configure
You’ll be prompted to enter your AWS Access Key ID, Secret Access Key, default region name, and default output format.
- Create a Python script to list all API Gateways and check if X-Ray is enabled:

```python
import boto3


def check_xray_enabled():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    for api in response['items']:
        # X-Ray tracing is a per-stage setting, so inspect every stage of the API.
        stages = client.get_stages(restApiId=api['id'])['item']
        for stage in stages:
            label = f"{api['name']} (stage {stage['stageName']})"
            # The stage field is 'tracingEnabled'; a missing key means disabled.
            if stage.get('tracingEnabled', False):
                print(f"X-Ray is enabled for API Gateway: {label}")
            else:
                print(f"X-Ray is not enabled for API Gateway: {label}")


if __name__ == "__main__":
    check_xray_enabled()
```

This script will list all your API Gateways and check if X-Ray is enabled on each of their stages. If it’s enabled, it will print “X-Ray is enabled for API Gateway: ” followed by the API name and stage, otherwise it will print “X-Ray is not enabled for API Gateway: ” followed by the API name and stage.
- Run the Python script: You can run the Python script using the following command:
python check_xray_enabled.py
This will print the status of X-Ray for all your API Gateways.
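
The same check extended to accounts with more REST APIs than one `get_rest_apis` page returns, as an added example that is not part of the original page. It follows the `position` token and returns findings instead of printing them. `untraced_stages` and `FakeApiGateway` are hypothetical names, and the stub's data is constructed so the block runs offline; pass `boto3.client('apigateway')` to audit a real account.

```python
"""Audit API Gateway REST API stages for X-Ray tracing (added example)."""


def untraced_stages(client, page_size=500):
    """Return (api_name, api_id, stage_name) for every stage without X-Ray.

    `client` is anything exposing boto3's apigateway get_rest_apis/get_stages.
    """
    findings = []
    kwargs = {"limit": page_size}
    while True:
        page = client.get_rest_apis(**kwargs)
        for api in page.get("items", []):
            stages = client.get_stages(restApiId=api["id"]).get("item", [])
            for stage in stages:
                # A missing tracingEnabled key counts as disabled.
                if not stage.get("tracingEnabled", False):
                    findings.append((api["name"], api["id"], stage["stageName"]))
        # get_rest_apis returns a 'position' token while more pages remain.
        if not page.get("position"):
            return findings
        kwargs["position"] = page["position"]


class FakeApiGateway:
    """Constructed stand-in for boto3.client('apigateway'); data is made up."""

    PAGES = {
        None: {"items": [{"id": "a1", "name": "orders"}], "position": "p2"},
        "p2": {"items": [{"id": "b2", "name": "billing"}]},
    }
    STAGES = {
        "a1": [{"stageName": "prod", "tracingEnabled": True},
               {"stageName": "dev", "tracingEnabled": False}],
        "b2": [{"stageName": "prod"}],  # tracingEnabled key absent
    }

    def get_rest_apis(self, limit, position=None):
        return self.PAGES[position]

    def get_stages(self, restApiId):
        return {"item": self.STAGES[restApiId]}


if __name__ == "__main__":
    for name, api_id, stage in untraced_stages(FakeApiGateway()):
        print(f"X-Ray is not enabled: {name} ({api_id}) stage {stage}")
```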