More Info:

Content Encoding feature should be enabled for your Amazon API Gateway APIs in order to facilitate API payload compression.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Check Cause

Using Console

  1. Log in to the AWS Management Console and navigate to the API Gateway service.
  2. In the API Gateway dashboard, select the API you want to inspect.
  3. In the left navigation pane, under the selected API, click on “Resources”. This will display a list of all the resources and methods associated with the selected API.
  4. Click on a method (like GET or POST) under a resource. In the Method Execution pane, click on “Method Response”. If the HTTP status row (like 200) does not have “Content-Encoding: gzip” in the “Response Headers for 200” section, then content encoding is not enabled for the API.
  1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the API Gateway.
  2. Once the AWS CLI is installed and configured, you can list all the APIs in the API Gateway by using the following command: 
    aws apigateway get-rest-apis
    This command will return a list of all the APIs in the API Gateway.
  3. To check the content encoding for a specific API, you need to get the API’s ID from the list obtained in the previous step. Then, use the following command to get the details of the specific API: 
    aws apigateway get-rest-api --rest-api-id {api-id}
    Replace {api-id} with the ID of the API you want to check. This command will return the details of the specific API.
  4. In the returned details, look for the contentEncodingEnabled field. If the value of this field is false, then content encoding is not enabled for the API. If the field is not present, it also means that content encoding is not enabled.
  1. Install the necessary Python libraries: Before you start, make sure you have the necessary Python libraries installed. You will need the boto3 library, which is the Amazon Web Services (AWS) SDK for Python. It allows Python developers to write software that makes use of services like Amazon S3, Amazon EC2, etc. You can install it using pip: 
    pip install boto3
  2. Configure AWS Credentials: Boto3 needs your AWS credentials (access key and secret access key) to call the AWS services. You can configure it in several ways. One way is to use the AWS CLI: 
    aws configure
    It will prompt you for your Access Key Id, Secret Access Key, Default Region Name, and Default Output Format. You can find these details from your AWS console.
  3. Write a Python script to check if Content Encoding is enabled for APIs in API Gateway: 
    import boto3

def check_content_encoding():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    for api in response['items']:
        api_id = api['id']
        resources = client.get_resources(restApiId=api_id)
        for resource in resources['items']:
            if 'resourceMethods' in resource:
                for method in resource['resourceMethods']:
                    method_response = client.get_method(restApiId=api_id, resourceId=resource['id'], httpMethod=method)
                    if 'methodIntegration' in method_response:
                        if 'contentHandling' not in method_response['methodIntegration'] or method_response['methodIntegration']['contentHandling'] != 'CONVERT_TO_BINARY':
                            print(f"API {api['name']} with method {method} does not have content encoding enabled")

check_content_encoding()
    This script will list all the APIs in your AWS account and check if content encoding is enabled for each method in each API. If content encoding is not enabled, it will print the API name and the method.
  4. Run the Python script: You can run the Python script using any Python environment. Make sure you have the necessary permissions to call the AWS services. If content encoding is not enabled for any API, it will print the API name and the method.

Additional Reading: