More Info:

Detailed CloudWatch metrics should be enabled for all APIs created with the AWS API Gateway service in order to monitor API stage caching, latency and detected errors at a more granular level and to set alarms accordingly.

Risk Level

Low

Address

Operational Maturity

Compliance Standards

HIPAA, SOC2, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Check Cause

Using Console

  1. Log in to the AWS Management Console and navigate to the API Gateway service.
  2. In the API Gateway dashboard, select the APIs section on the left-hand side.
  3. In the APIs list, select the API you want to check. This will open the API’s settings.
  4. In the API settings, navigate to the Stages section. Here, you can see if CloudWatch metrics are enabled for each stage of the API. If the CloudWatch metrics are not enabled, it indicates a misconfiguration.

Using CLI

  1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:
    Installation:
    pip install awscli
    
    Configuration:
    aws configure
    
    You will be prompted to enter your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
  2. List all APIs: Use the following command to list all the APIs in API Gateway:
    aws apigateway get-rest-apis
    
    This command will return a list of all the APIs in your AWS account.
  3. Check CloudWatch Metrics for each API: For each API in the list, you need to check if CloudWatch Metrics are enabled. You can do this by running the following command for each API:
    aws apigateway get-stage --rest-api-id <api-id> --stage-name <stage-name>
    
    Replace <api-id> with the ID of the API and <stage-name> with the name of the stage you want to check. This command will return the details of the specified stage.
  4. Verify CloudWatch Metrics: In the output of the previous command, look for the metricsEnabled field inside the methodSettings map. The */* entry is the stage-wide default, and any per-method entries (keyed by resource path and HTTP method) can override it. If its value is true, then CloudWatch Metrics are enabled for that stage. If its value is false or if the metricsEnabled field is not present, then CloudWatch Metrics are not enabled for that stage.

Using Python

  1. Set up AWS SDK (Boto3): First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
    pip install boto3
    
    After installing boto3, configure your AWS credentials either by setting up environment variables or by using the AWS CLI.
  2. List all APIs in API Gateway: Use the get_rest_apis function from the apigateway client in boto3 to get a list of all APIs in API Gateway. Here is a sample script:
    import boto3
    
    def list_apis():
        client = boto3.client('apigateway')
        # get_rest_apis returns one page at a time; the paginator follows
        # the position token so accounts with many APIs are fully covered.
        paginator = client.get_paginator('get_rest_apis')
        apis = []
        for page in paginator.paginate():
            apis.extend(page['items'])
        return apis
    
    apis = list_apis()
    for api in apis:
        print(api['name'])
    
    This script will print the names of all APIs in API Gateway.
  3. Check CloudWatch Metrics for each API: For each API, check if CloudWatch metrics are enabled. Detailed metrics are a stage setting: each stage carries a methodSettings map, keyed by resource path and HTTP method, whose */* entry is the stage-wide default. Check the metricsEnabled attribute of those settings for every stage of the API. Here is a sample script:
    import boto3
    
    client = boto3.client('apigateway')
    
    def list_apis():
        # Same helper as in the previous step, with pagination.
        apis = []
        for page in client.get_paginator('get_rest_apis').paginate():
            apis.extend(page['items'])
        return apis
    
    def check_metrics(api):
        stages = client.get_stages(restApiId=api['id'])['item']
        for stage in stages:
            method_settings = stage.get('methodSettings', {})
            # A missing */* entry means metrics were never turned on for the stage.
            if not method_settings.get('*/*', {}).get('metricsEnabled', False):
                print(f"CloudWatch Metrics not enabled for API {api['name']}, stage {stage['stageName']}")
            # Per-method entries can switch metrics off even when the default is on.
            for key, settings in method_settings.items():
                if key != '*/*' and not settings.get('metricsEnabled', False):
                    print(f"CloudWatch Metrics not enabled for API {api['name']}, stage {stage['stageName']}, method {key}")
    
    apis = list_apis()
    for api in apis:
        check_metrics(api)
    
    This script will print the APIs, stages, and method overrides for which CloudWatch Metrics are not enabled.
  4. Interpret the Results: If the script prints any APIs and stages, it means that CloudWatch Metrics are not enabled for them. If it doesn’t print anything, it means that CloudWatch Metrics are enabled for every stage of every API in API Gateway.
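The following is an added example, not code from the original page, that carries the CLI and Python checks above through as one auditable routine: it evaluates a stage description (the same object get-stage / get_stages returns) for every way detailed metrics can be off, walks every API and stage of an account, and builds the update_stage patch operation (path /*/*/metrics/enabled) that turns detailed metrics on. The apigateway client is passed in as a parameter so the logic can be exercised offline; the stub client and the sample APIs and stages it serves are constructed here for illustration and are not real account output.

```python
import sys

# Constructed sample data (not real account output) mirroring the shape of
# get_rest_apis / get_stages responses, served by the offline stub client.
SAMPLE_APIS = [{'id': 'api-one', 'name': 'orders'}, {'id': 'api-two', 'name': 'inventory'}]
SAMPLE_STAGES = {
    'api-one': [
        {'stageName': 'prod', 'methodSettings': {'*/*': {'metricsEnabled': True}}},
        {'stageName': 'dev', 'methodSettings': {}},  # metrics never configured
    ],
    'api-two': [
        {'stageName': 'prod', 'methodSettings': {
            '*/*': {'metricsEnabled': True},
            '~1items/GET': {'metricsEnabled': False},  # per-method override
        }},
    ],
}


class StubApiGatewayClient:
    """Offline stand-in exposing the three boto3 apigateway calls the audit uses."""

    class _Paginator:
        def paginate(self):
            yield {'items': SAMPLE_APIS}

    def get_paginator(self, name):
        assert name == 'get_rest_apis'
        return self._Paginator()

    def get_stages(self, restApiId):
        return {'item': SAMPLE_STAGES.get(restApiId, [])}

    def update_stage(self, restApiId, stageName, patchOperations):
        return {'stageName': stageName, 'patchOperations': patchOperations}


def stage_metrics_findings(stage):
    """Return a list of (key, reason) findings for one stage description.
    An empty list means detailed metrics are on for every method of the stage."""
    method_settings = stage.get('methodSettings', {})
    findings = []
    default = method_settings.get('*/*')
    if default is None:
        findings.append(('*/*', 'no stage-wide method settings; metrics default to off'))
    elif not default.get('metricsEnabled', False):
        findings.append(('*/*', 'metricsEnabled is false for the stage default'))
    for key, settings in method_settings.items():
        if key == '*/*':
            continue
        # Overrides are stored under "<escaped resource path>/<HTTP method>".
        if not settings.get('metricsEnabled', False):
            findings.append((key, 'metricsEnabled is false for this method override'))
    return findings


def audit_apis(client):
    """Walk every REST API and stage; return {(api_id, api_name, stage_name): findings}
    containing only the stages that have at least one finding."""
    results = {}
    for page in client.get_paginator('get_rest_apis').paginate():
        for api in page['items']:
            for stage in client.get_stages(restApiId=api['id'])['item']:
                findings = stage_metrics_findings(stage)
                if findings:
                    results[(api['id'], api['name'], stage['stageName'])] = findings
    return results


def enable_metrics_patch():
    """patchOperations for update_stage that enable detailed metrics for all methods."""
    return [{'op': 'replace', 'path': '/*/*/metrics/enabled', 'value': 'true'}]


if __name__ == '__main__':
    import boto3  # only needed for a live run against a real account

    live = boto3.client('apigateway')
    findings = audit_apis(live)
    for (api_id, api_name, stage_name), items in findings.items():
        for key, reason in items:
            print(f"{api_name} ({api_id}) stage {stage_name}: {key}: {reason}")
        if '--fix' in sys.argv:
            live.update_stage(restApiId=api_id, stageName=stage_name,
                              patchOperations=enable_metrics_patch())
            print(f"  enabled detailed metrics on {api_name}/{stage_name}")
    if not findings:
        print('Detailed CloudWatch metrics are enabled on every stage.')
```

Run without arguments to report only; pass --fix to apply the patch to each stage with a finding. The report distinguishes a stage that was never configured (no */* entry) from one whose default is explicitly false and from a single method override, because all three leave gaps in the metrics the alarms depend on.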

Additional Reading: