AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Cloudwatch Metrics Must Be Enabled For All APIs
More Info:
Detailed CloudWatch metrics should be enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.
Risk Level
Low
Address
Operational Maturity
Compliance Standards
HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using AWS console, follow the below steps:
-
Open the AWS Management Console and go to the Amazon API Gateway service.
-
Select the API for which you want to enable CloudWatch metrics.
-
Click on the “Stages” option from the left-hand side menu.
-
Select the stage for which you want to enable CloudWatch metrics.
-
Click on the “Logs/Tracing” tab.
-
Under the “CloudWatch Settings” section, check the box next to “Enable CloudWatch Logs” and “Enable CloudWatch Metrics”.
-
Select the appropriate log format for your API.
-
Click on the “Save Changes” button.
-
Repeat the above steps for all the APIs and stages that you want to enable CloudWatch metrics for.
By following these steps, you can remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using AWS console.
To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” in AWS using AWS CLI, follow the below steps:
- Open the AWS CLI on your local machine and run the following command to enable CloudWatch metrics for all existing APIs in your AWS account:
aws apigateway update-account --metrics-enabled
- To ensure that CloudWatch metrics are enabled for all new APIs created in your account, run the following command:
aws apigateway update-rest-api --rest-api-id <rest-api-id> --patch-operations op=replace,path=/metrics/enabled,value=true
Note: Replace <rest-api-id> with the ID of your REST API.
- To verify that CloudWatch metrics are enabled for all APIs, run the following command:
aws apigateway get-account
This command should return a JSON object with the following key-value pair:
"metricsEnabled": true
- To verify that CloudWatch metrics are enabled for a specific API, run the following command:
aws apigateway get-rest-api --rest-api-id <rest-api-id>
This command should return a JSON object with the following key-value pair:
"metrics": {
"enabled": true
}
Note: Replace <rest-api-id> with the ID of your REST API.
By following these steps, you will have successfully remediated the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” in AWS using AWS CLI.
To remediate the misconfiguration “Cloudwatch Metrics Must Be Enabled For All APIs” for AWS using Python, you can follow these steps:
- Import the necessary AWS SDK for Python (Boto3) library.
import boto3
- Create a Boto3 client for the Amazon API Gateway service.
apigateway = boto3.client('apigateway')
- Get a list of all the APIs in your AWS account using the
get_rest_apismethod.
response = apigateway.get_rest_apis()
- Loop through the list of APIs and enable CloudWatch metrics for each one using the
update_stagemethod.
for api in response['items']:
stages = apigateway.get_stages(restApiId=api['id'])
for stage in stages['item']:
apigateway.update_stage(restApiId=api['id'], stageName=stage['stageName'], patchOperations=[{'op': 'replace', 'path': '/metrics/enabled', 'value': 'true'}])
This code snippet will enable CloudWatch metrics for all APIs and stages in your AWS account. You can run this code as a Python script or integrate it into your existing infrastructure-as-code (IaC) pipeline to ensure that CloudWatch metrics are always enabled for your APIs.