Cloudwatch Metrics Must Be Enabled For All APIs
More Info:
Detailed CloudWatch metrics should be enabled for all APIs created with AWS API Gateway service in order to monitor API stages caching, latency and detected errors at a more granular level and set alarms accordingly.Risk Level
LowAddress
Operational MaturityCompliance Standards
HIPAA, SOC2, HITRUST, NISTCSF, PCIDSSTriage and Remediation
Check Cause
Using Console
Using Console
- Log in to the AWS Management Console and navigate to the API Gateway service.
- In the API Gateway dashboard, select the APIs section on the left-hand side.
- In the APIs list, select the API you want to check. This will open the API’s settings.
- In the API settings, navigate to the Stages section. Here, you can see if CloudWatch metrics are enabled for each stage of the API. If the CloudWatch metrics are not enabled, it indicates a misconfiguration.
Using CLI
Using CLI
-
Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:
Installation:
Configuration:You will be prompted to enter your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
-
List all APIs: Use the following command to list all the APIs in API Gateway:
This command will return a list of all the APIs in your AWS account.
-
Check Cloudwatch Metrics for each API: For each API in the list, you need to check if Cloudwatch Metrics are enabled. You can do this by running the following command for each API:
Replace
<api-id>with the ID of the API and<stage-name>with the name of the stage you want to check. This command will return the details of the specified stage. -
Verify Cloudwatch Metrics: In the output of the previous command, look for the
metricsEnabledfield. If its value istrue, then Cloudwatch Metrics are enabled for that API. If its value isfalseor if themetricsEnabledfield is not present, then Cloudwatch Metrics are not enabled for that API.
Using Python
Using Python
-
Setup AWS SDK (Boto3):
First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
After installing boto3, configure your AWS credentials either by setting up environment variables or by using the AWS CLI.
-
List all APIs in API Gateway:
Use the
get_rest_apisfunction from theapigatewayclient in boto3 to get a list of all APIs in API Gateway. Here is a sample script:This script will print the names of all APIs in API Gateway. -
Check CloudWatch Metrics for each API:
For each API, check if CloudWatch metrics are enabled. You can do this by checking the
metricsEnabledattribute of themethodSettingsfor each method of each resource of the API. Here is a sample script:This script will print the names of APIs, resources, and methods for which CloudWatch Metrics are not enabled. - Interpret the Results: If the script prints any APIs, resources, and methods, it means that CloudWatch Metrics are not enabled for them. If it doesn’t print anything, it means that CloudWatch Metrics are enabled for all APIs in API Gateway.